Download Input Validation – “All input is evil” CS0 Background Summary: Any

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
Document related concepts
no text concepts found
Transcript 
Input Validation – “All input is evil”
CS0
Background
Summary: Any program input – such as a user typing at a keyboard or a network
connection – can potentially be the source of security vulnerabilities and disastrous
bugs. All input should be treated as potentially dangerous.
Description: Determined attackers can use carefully crafted input to cause programs to
run unauthorized commands. This technique can be used to delete or damage data, run
malicious programs, or obtain sensitive information.
Risk – How can it happen? All program inputs are a potential source of problems. If
external data is not validated to ensure that it contains the right type of information, the
right amount of information, and the right structure of information, it can cause
problems.
Example of Occurrence: Web applications are highly vulnerable to input validation
errors. Inputting the invalid entry "!@#$%^&*()" on a vulnerable e-commerce site may
cause performance issues or denial of service on a vulnerable system or invalid
passwords such as "pwd’" or "1=1— " may result in unauthorized access.
http://www.processor.com/editorial/article.asp?article=articles%2Fp3112%2F32p12%2F32p12%2F32p12.asp&guid=&searc
htype=&WordList=&bJumpTo=True
The site xssed.com lists nearly 13,000 vulnerable Web pages, including sites such as
yahoo.com, google.com, msn.com, facebook.com, craigslist.com and cnn.com.
How can I properly validate input? Functions are useful for input validation. The following
sample function shows input validation for a test score:
static int getValidNum(int min, int max)
{
Scanner console = new Scanner(System.in);
int value =
console.nextInt();
while ((value < min || value > max))
{
System.out.println("Enter number between ["+ min + "," + max + "]");
value =
console.nextInt();
}
return value;
}
Recover Appropriately: A robust program will respond to invalid input in a manner that is
appropriate, correct, and secure. When your program runs across invalid input, it should
recover as much as possible, and then repeat the request, or otherwise continue on.
Arbitrary decisions such as truncating or otherwise reformatting data to “make it fit”
should be avoided.
Input Validation/CS0/Java/Functions
Laboratory/Homework Assignment:
import java.util.*;
public class WhileEx
{
public static void main(String[] args)
{
Scanner console = new Scanner(System.in);
int value =
console.nextInt();
String name, ans;
int age, total = 0, cnt = 0;
System.out.println("Enter names(y/n)?" );
ans = console.next();
while ((ans == "y") || (ans == "Y"))
{
System.out.println("Please enter name: ");
name= console.next();
System.out.println("Please enter age: ");
age = console.nextInt();
total = total + age;
cnt++;
System.out.println("Enter names(y/n)?" );
ans = console.next();
}
if (cnt != 0)
System.out.println("average age is " + (float)total/cnt);
}
}
1.
2.
3.
4.
Complete the checklist below for this program
Add a function and the appropriate call to validate age above.
Could integer overflow occur for the variable total? How? What about cnt?
How could you prevent this?
Security Checklist
Vulnerability
Improper Input Validation
Course
Task – Check each line of code
CS0
Completed
Mark with a V each variable that is input.
For each input variable, which of the following is applicable: Yes N/A
1.
2.
3.
4.
Check length
Check range (reasonableness?)
Check format
Check type
Shaded areas indicate vulnerabilities
Input Validation/CS0/Java/Functions
Discussion Question:
1.
2.
3.
4.
Explain the input validation you added to the previous program.
What other input validation could be included?
What are the challenges of adding input validation to your programs?
Another important security strategy is "defense in depth". Explain what you think this
means. How could this relate to input validation?
Input Validation/CS0/Java/Functions
Related documents
jmp_cv - Creative Wisdom
jmp_cv - Creative Wisdom
Unit 3 Practice Test
Unit 3 Practice Test
04b-if_return
04b-if_return
Discussion questions for week 13
Discussion questions for week 13
Chapter 4 Practice
Chapter 4 Practice
Topic 11 Scanner object, conditional execution
Topic 11 Scanner object, conditional execution
Extensive Report on Data Mining (Word Document)
Extensive Report on Data Mining (Word Document)
topic11_scanner_conditional_execution
topic11_scanner_conditional_execution
CS110D Programming Language I
CS110D Programming Language I
slides5
slides5
Practice_Questions
Practice_Questions
13-ch05-2-random - Building Java Programs
13-ch05-2-random - Building Java Programs
Monitoring Equipment to Support MOD-033
Monitoring Equipment to Support MOD-033
while loops - CIS @ Temple University
while loops - CIS @ Temple University
09-ch03-3-scanner
09-ch03-3-scanner
More loop variations
More loop variations
Scanner console
Scanner console
Fencepost loops “How do you build a fence?”
Fencepost loops “How do you build a fence?”
09-ch03-3-scanner
09-ch03-3-scanner
Sighted, Visually Impaired, Blind
Sighted, Visually Impaired, Blind
Analytical Method Validation Develop Protocols that Survive the
Analytical Method Validation Develop Protocols that Survive the
cshtp3_03_IMIntroduction
cshtp3_03_IMIntroduction