
Struts validationframework

Date post: 12-Feb-2017
Upload: satish-govindappa
Struts validation framework WEB Application Security By Satish Govindappa
Transcript
Page 1: Struts validationframework

Struts validation framework

WEB Application Security

By Satish Govindappa

Page 2: Struts validationframework

Structure

What, why, how: MVC?
• Concept and Origin
• Execution Process

What, why, how: Web framework?
• Features

What, why, how: Validation framework?

Page 3: Struts validationframework

Pentesters
• Applications are getting smarter
• Applications are getting tougher
• Old strategy may not work
• Strategy: outside in to inside out
• Understanding of internals

Defenders
• How to write/suggest defensive programming

Page 4: Struts validationframework

Big Picture

[Diagram labels: MVC; Frameworks; Struts (Validation Framework); Spring (Validation Framework)]

Page 5: Struts validationframework

Advantages of MVC

• Easier to Manage Complexity
• Does not use view state or server based forms
• Rich Routing Structure
• Support for Test-Driven Development
• Supports Large Teams Well

Page 6: Struts validationframework

Data-validation Framework

Page 7: Struts validationframework

Validation Strategy

• Centralize the data flow: Struts-config.xml
– List the address of the input form

• Control each field (data): Validation form
– List each field; include all input fields

• Assign validation logic to each field: Validation.xml
– For each field, specify one or more validation rules

• Define validation logic: Validation-rules.xml
– Max length, min length, known-good validation

• Bind each field to a regular expression

Page 8: Struts validationframework

[Figure: Web App without framework. Labels: Max length, Min Length, Known good (shown twice)]

Page 9: Struts validationframework

[Figure: Struts-config.xml and Validation.xml with the Max length, Min Length and Known good checks]

Known good regex: ^[0-9a-zA-Z]*$

Allowed characters: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ

Sample inputs shown: null123, ‘--1, Abx12p, @!#$%

Values shown after validation: null123, Abx12p

Page 10: Struts validationframework

Web App without framework

Page 11: Struts validationframework

Regex: ^[a-z0-9_-]{3,15}$

Characters allowed: a to z (lowercase only)

Numbers allowed: 0 1 2 3 4 5 6 7 8 9

Special chars allowed: underscore and hyphen

Max length: 15

Min length: 3
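The Page 7 validation strategy applied to the Page 11 rule, as an added example that is not from the original slides. The form name, field name, paths and action class are hypothetical, and the rules file appears under its stock Struts 1 name, validator-rules.xml.

```xml
<!-- Added example; form, field, path and class names are hypothetical. -->

<!-- struts-config.xml (fragment): centralize the data flow -->
<struts-config>
  <form-beans>
    <!-- DynaValidatorForm: fields are declared here and checked via validation.xml -->
    <form-bean name="loginForm" type="org.apache.struts.validator.DynaValidatorForm">
      <form-property name="username" type="java.lang.String"/>
    </form-bean>
  </form-beans>
  <action-mappings>
    <!-- validate="true" runs server-side validation before the action executes;
         input is the form page the user is returned to on failure -->
    <action path="/login" type="example.LoginAction" name="loginForm"
            scope="request" validate="true" input="/login.jsp">
      <forward name="success" path="/welcome.jsp"/>
    </action>
  </action-mappings>
  <!-- Load the rule definitions and the per-field rule assignments -->
  <plug-in className="org.apache.struts.validator.ValidatorPlugIn">
    <set-property property="pathnames"
                  value="/WEB-INF/validator-rules.xml,/WEB-INF/validation.xml"/>
  </plug-in>
</struts-config>

<!-- validation.xml (fragment): assign rules to each field -->
<form-validation>
  <formset>
    <form name="loginForm">
      <!-- required matters: minlength and mask are skipped for blank input -->
      <field property="username" depends="required,minlength,maxlength,mask">
        <arg position="0" key="loginForm.username"/>
        <arg position="1" name="minlength" key="${var:minlength}" resource="false"/>
        <arg position="1" name="maxlength" key="${var:maxlength}" resource="false"/>
        <var><var-name>minlength</var-name><var-value>3</var-value></var>
        <var><var-name>maxlength</var-name><var-value>15</var-value></var>
        <!-- Known-good pattern, anchored at both ends -->
        <var><var-name>mask</var-name><var-value>^[a-z0-9_-]{3,15}$</var-value></var>
      </field>
    </form>
  </formset>
</form-validation>
```

The message keys (loginForm.username and the errors.* keys referenced by the rules file) must exist in the application's message resources for the error text to render.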

Page 12: Struts validationframework

End..

Slides will be uploaded to null site and SlideShare…

Need hands on… Scream for a bachaav session…

I am open to take a session…

