- 1. The need for input validation
  - availability
    - DoS attacked, crashed, exited, restarted
  - integrity
    - steal, read, change
  - integrity
    - modification of the control flow, execution of arbitrary commands
- 2. Data validation techniques
  - preventing attacks that happen through invalid inputs
  - canonicalization / normalization
  - avoid characters that have special meaning
    - control characters (values less than 32 and values higher than 127), metacharacters
  - strategies: encode known bad, accept exact match, reject known bad, use known good
  - use frameworks and APIs for validation
    - Java frameworks
    - Java APIs
  - use open-source validation frameworks
    - example: OVal validates Java objects as per user request
  - use a servlet filter if possible, as the implementation is easy
- 3. Struts 1 data validation
  - can validate on both the client and the server side
  - called Commons Validator
  - avoid duplicate form names
  - implement a Struts validator class
    - ValidatorForm, ValidatorActionForm, ...
  - implement the validate function
    - must call super.validate()
  - enable the Struts validator in the action form mapping
  - check that the action form and the validation form have the same number of fields
  - the validate parameter must be set to true in the action mapping
- Struts 2
  - built on the XWork framework
  - separates the actual validation logic from the application code
  - can handle both the client and the server side
- 4. Spring data validation
  - uses the supports() method to check whether the target class can be validated, and the validate() method to validate it
  - uses the Errors object to report information on the errors
  - custom validator by implementing the Validator interface for condition-based validations, e.g. age must be between 18 and 60
- 5. Common input validation errors
  - improper sanitization of untrusted data
    - leads to SQL injection
- 6. Common secure coding practices for input validation
  - use PreparedStatement
  - use stored procedures
  - use whitelisting and blacklisting
  - use getCanonicalPath() instead of getAbsolutePath()
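As an added example (not from the original notes), the Spring custom validator described in section 4, combining the supports()/validate()/Errors pattern with the "use known good" strategy from section 2. The RegistrationForm class, its field names, the username pattern and the error codes are assumptions made for this example; the age rule is the one the notes give.

```java
import org.springframework.validation.BeanPropertyBindingResult;
import org.springframework.validation.Errors;
import org.springframework.validation.ValidationUtils;
import org.springframework.validation.Validator;

import java.util.regex.Pattern;

// Hypothetical form object bound from request parameters (assumption for this example).
class RegistrationForm {
    private String username;
    private int age;
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public int getAge() { return age; }
    public void setAge(int age) { this.age = age; }
}

public class RegistrationValidator implements Validator {
    // "Use known good": accept only an explicit allow-list of characters and a bounded length,
    // which also keeps out the control characters and metacharacters listed in section 2.
    private static final Pattern USERNAME_OK = Pattern.compile("^[A-Za-z0-9._-]{3,32}$");

    @Override
    public boolean supports(Class<?> clazz) {
        // supports() tells Spring which target classes this validator can handle.
        return RegistrationForm.class.isAssignableFrom(clazz);
    }

    @Override
    public void validate(Object target, Errors errors) {
        RegistrationForm form = (RegistrationForm) target;
        // Errors collects every rejected field instead of failing on the first one.
        ValidationUtils.rejectIfEmptyOrWhitespace(errors, "username", "username.empty",
                "username is required");
        String name = form.getUsername();
        if (name != null && !USERNAME_OK.matcher(name).matches()) {
            errors.rejectValue("username", "username.invalid",
                    "username may contain only letters, digits, '.', '_' or '-' (3-32 chars)");
        }
        // Condition-based rule from the notes: age must be between 18 and 60.
        if (form.getAge() < 18 || form.getAge() > 60) {
            errors.rejectValue("age", "age.range", "age must be between 18 and 60");
        }
    }

    public static void main(String[] args) {
        RegistrationForm form = new RegistrationForm();
        form.setUsername("bob'; --");   // constructed input carrying SQL metacharacters
        form.setAge(17);
        Errors errors = new BeanPropertyBindingResult(form, "registrationForm");
        new RegistrationValidator().validate(form, errors);
        System.out.println(errors.getErrorCount() + " error(s): " + errors.getAllErrors());
    }
}
```

Running main() reports two errors (username.invalid and age.range); in a controller the same Errors object is what Spring hands back to the view so the request is rejected before any data reaches a query.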