Disclaimer opinions expressed here are my own and are a result of the way in which my mind interprets a particular situation or concept.

Struts validation framework Part 2


null Bangalore January 2014 Meet


Page 1: Struts validation framework Part 2

Disclaimer

opinions expressed here are my own and are a result of the way in which my mind interprets a particular situation or concept.

Page 2: Struts validation framework Part 2

Courtesy

Google for Images….

Slide share for Slides…

Wikipedia for text…

Page 3: Struts validation framework Part 2

Struts validation framework: Web Application Security

Page 4: Struts validation framework Part 2

Structure

What, why, how: MVC? Concept and origin; execution process

What, why, how: web framework? Features

What, why, how: validation framework?

Page 5: Struts validation framework Part 2

Attacker’s view: why should I care? Applications are getting smarter.

Applications are getting tougher; the old strategy may not work.

Strategy: move from outside-in to inside-out, with an understanding of the internals.

Defender’s view: how to write, and recommend, defensive programming.

Page 6: Struts validation framework Part 2

1979

Formulated by Norwegian computer scientist Trygve Reenskaug for graphical user interface (GUI) software design, the MVC architecture was one of the primary outcomes of GUI development.

First prototype of a computer mouse

Early Apple GUI

Introduction of graphic “views” in computing

SOFTWARE EVOLUTION

Page 7: Struts validation framework Part 2

Software Architecture Pattern

Separates representation of information from user interaction.

Promotes:

• Code Reusability

• Separation of Concerns

Page 8: Struts validation framework Part 2

Separation of Concerns

• Shortens development

• Code Libraries

• Design Patterns

• Frameworks

Code Reusability

• Improves code clarity and organization

• Helps troubleshooting by isolating issues

• Allows for multiple teams to develop simultaneously

Application A Application B

Page 9: Struts validation framework Part 2

Big Picture

Design Patterns

MVC

Frameworks

Struts

Validation Framework

Spring

Validation Framework

Page 10: Struts validation framework Part 2

With framework

• XSS

• SQL injection

• Command Injection

• Xml injection

Without framework

Opportunity to attack

Page 11: Struts validation framework Part 2

Types of MVC Frameworks

ASP.NET

PHP (Zend, Symfony, CakePHP, CodeIgniter)

Javascript ( Backbone.js, Ember.js, JavascriptMVC)

Java (Struts, Spring, Expresso, Stripes, JSF, Tapestry, Wicket…)

ASP.NET 4.0 Framework

Page 12: Struts validation framework Part 2

MVC Execution Process

Controller – Mediates input and commands for the model or view

Model – Application data, business rules, logic, and functions.

View – Output and representation of data

Page 13: Struts validation framework Part 2

Advantages MVC

• Easier to manage complexity

• Does not use view state or server-based forms

• Rich routing structure

• Support for test-driven development

• Supports large teams well

Page 14: Struts validation framework Part 2

Data-validation Framework

Page 15: Struts validation framework Part 2

Inputs Filters

• Headers

• Input form fields: text, button, select, radio, hidden, browse (file)

• URL

• Session / Cookie

Page 16: Struts validation framework Part 2

Output filter

• Response object

• Automatic HTML entity encoding (Spring)

Page 17: Struts validation framework Part 2

Validation Strategy

• Centralize the data flow: struts-config.xml

– List the address (action path) of each input form

• Control each piece of data: the validation form

– Include every input field of the form

• Assign validation logic to each field: validation.xml

– For each field, specify one or more validation rules

• Define the validation logic: validator-rules.xml

– Max length, min length, known-good validation

• Bind each field to a regular expression

Page 18: Struts validation framework Part 2

Figure: the three filter stages (max length, min length, known good) applied to each input of a web app without the framework.

Page 19: Struts validation framework Part 2

Figure: validation pipeline with the framework. Input flows through struts-config.xml and validation.xml, where the three filters apply in turn: max length, min length, known good.

Known-good regex: ^[0-9a-zA-Z]*$

Allowed characters: 0123456789 abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ

Sample inputs: null123, ‘--1, Abx12p, @!#$%

Only null123 and Abx12p pass all three filters; the known-good regex rejects ‘--1 and @!#$%.

Page 20: Struts validation framework Part 2

Web app without framework

Page 21: Struts validation framework Part 2

struts-config.xml

Output encoding (character → HTML entity):

<  &lt;

>  &gt;

&  &amp;

Input:  null<xyz>123&

Output: null&lt;xyz&gt;123&amp;

Page 22: Struts validation framework Part 2

Regex: ^[a-z0-9_-]{3,15}$

Characters allowed: a to z (lower case only)

Numbers allowed: 0 1 2 3 4 5 6 7 8 9

Special chars allowed: underscore and hyphen

Max length: 15

Min length: 3

Page 23: Struts validation framework Part 2

End…

Slides will be uploaded to the null site and SlideShare…

Need hands-on? Scream for a Bachaav session…

I am open to taking a session…