Input Validation – "All input is evil"
CS0

Background

Summary: Any program input – such as a user typing at a keyboard or a network connection – can potentially be the source of security vulnerabilities and disastrous bugs. All input should be treated as potentially dangerous.

Description: Determined attackers can use carefully crafted input to cause programs to run unauthorized commands. This technique can be used to delete or damage data, run malicious programs, or obtain sensitive information.

Risk – How can it happen?
All program inputs are a potential source of problems. If external data is not validated to ensure that it contains the right type of information, the right amount of information, and the right structure of information, it can cause problems.

Example of Occurrence: Web applications are highly vulnerable to input validation errors. Inputting the invalid entry "!@#$%^&*()" on a vulnerable e-commerce site may cause performance issues or denial of service on a vulnerable system, or invalid passwords such as "pwd'" or "1=1— " may result in unauthorized access.
http://www.processor.com/editorial/article.asp?article=articles%2Fp3112%2F32p12%2F32p12%2F32p12.asp&guid=&searchtype=&WordList=&bJumpTo=True
The site xssed.com lists nearly 13,000 vulnerable Web pages, including sites such as yahoo.com, google.com, msn.com, facebook.com, craigslist.com and cnn.com.

How can I properly validate input?
Functions are useful for input validation. The following sample function shows input validation for a test score:

```java
import java.util.Scanner;

// Keeps asking until the value lies within [min, max]; anything outside the
// range is rejected and the request is repeated rather than "made to fit".
static int getValidNum(int min, int max) {
    Scanner console = new Scanner(System.in);
    int value = console.nextInt();
    while (value < min || value > max) {
        System.out.println("Enter number between [" + min + "," + max + "]");
        value = console.nextInt();
    }
    return value;
}
```

Recover Appropriately: A robust program will respond to invalid input in a manner that is appropriate, correct, and secure. When your program runs across invalid input, it should recover as much as possible, and then repeat the request, or otherwise continue on. Arbitrary decisions such as truncating or otherwise reformatting data to "make it fit" should be avoided.

Input Validation/CS0/Java/Functions

Laboratory/Homework Assignment:

```java
import java.util.*;

public class WhileEx {
    public static void main(String[] args) {
        Scanner console = new Scanner(System.in);
        String name, ans;
        int age, total = 0, cnt = 0;
        System.out.println("Enter names(y/n)?");
        ans = console.next();
        // Compare String contents with equals(); == compares object references
        // and would never match a token read from the Scanner.
        while (ans.equals("y") || ans.equals("Y")) {
            System.out.println("Please enter name: ");
            name = console.next();
            System.out.println("Please enter age: ");
            age = console.nextInt();   // not validated: see question 2 below
            total = total + age;
            cnt++;
            System.out.println("Enter names(y/n)?");
            ans = console.next();
        }
        if (cnt != 0)
            System.out.println("average age is " + (float) total / cnt);
    }
}
```

1. Complete the checklist below for this program.
2. Add a function and the appropriate call to validate age above.
3. Could integer overflow occur for the variable total? How? What about cnt?
4. How could you prevent this?

Security Checklist

Vulnerability: Improper Input Validation
Course: CS0
Task – Check each line of code
Completed:

Mark with a V each variable that is input. For each input variable, which of the following is applicable:

                                    Yes    N/A
1. Check length
2. Check range (reasonableness?)
3. Check format
4. Check type

Shaded areas indicate vulnerabilities

Discussion Questions:

1. Explain the input validation you added to the previous program. What other input validation could be included?
2. What are the challenges of adding input validation to your programs?
3. Another important security strategy is "defense in depth". Explain what you think this means.
4. How could this relate to input validation?
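As an added example that is not part of the module's own materials, the following program applies the checklist (type, format, length and range checks) to both inputs of the assignment program and guards the running total against overflow. It reads from a constructed String standing in for the keyboard so it runs unattended; the class name ValidatingInput, the regular expressions and the age range 0 to 150 are this example's own choices.

```java
import java.util.Scanner;
// Added example, not the module's own code: a stricter getValidNum, a name
// validator and the assignment's loop, fed from a constructed String.
public class ValidatingInput {
    // Type, format and range checks on one token. Reading a whole line and
    // matching it against a digits-only pattern rejects non-numeric or
    // oversized input here, instead of Scanner.nextInt() throwing.
    static int getValidNum(Scanner in, String prompt, int min, int max) {
        while (in.hasNextLine()) {
            System.out.print(prompt + " [" + min + "," + max + "]: ");
            String token = in.nextLine().trim();
            // at most 9 digits, so Integer.parseInt cannot overflow
            if (token.matches("\\d{1,9}")) {
                int value = Integer.parseInt(token);
                if (value >= min && value <= max) return value;
            }
            System.out.println("Invalid entry: " + token);
        }
        throw new IllegalStateException("input ended before a valid number");
    }

    // Length and format check: 1 to 40 letters, spaces or hyphens only.
    static String getValidName(Scanner in) {
        while (in.hasNextLine()) {
            System.out.print("Please enter name: ");
            String name = in.nextLine().trim();
            if (name.matches("[A-Za-z][A-Za-z -]{0,39}")) return name;
            System.out.println("Invalid name: " + name);
        }
        throw new IllegalStateException("input ended before a valid name");
    }

    public static void main(String[] args) {
        // Constructed session: a bad name, a non-numeric age, an
        // out-of-range age, then two valid records and "n" to stop.
        String session = "y\n!@#$\nAlice\nabc\n200\n34\ny\nBob\n29\nn\n";
        Scanner console = new Scanner(session);
        long total = 0;
        int cnt = 0;
        System.out.print("Enter names (y/n)? ");
        while (console.nextLine().trim().equalsIgnoreCase("y")) {
            String name = getValidName(console);
            int age = getValidNum(console, "Please enter age", 0, 150);
            total = Math.addExact(total, age); // fails loudly instead of wrapping
            cnt++;
            System.out.println("Recorded " + name + ". Enter names (y/n)? ");
        }
        if (cnt != 0) System.out.println("average age is " + (double) total / cnt);
    }
}
```

With the constructed session the rejected tokens ("!@#$", "abc", "200") each trigger a repeated request rather than an exception or a silently truncated value, and the program ends with an average of 31.5.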