Data Validation in Web Applications

Hi! I'm Scott Kirkland
  - Slinging code @ UCDavis for 8 years
  - Currently Sr. Application Architect for the College of Agricultural and Environmental Sciences Dean's Office
  - Open source coder: https://github.com/srkirkland (MvcHtml5, Data Annotations Extensions, ITSecuritySymposium) and https://github.com/ucdavis (UCDArch, Web Applications)
  - Co-founded the local .NET User Group

"The most common web application security weakness is the failure to properly validate input from the client or environment." - OWASP[1]

Aka: Trust No One's Data

Input Validation

Topics:

Input Validation in Web Forms
Ensure user supplied data is:
  - Strongly typed
  - Correct syntax
  - Within length boundaries
  - Contains only permitted characters
  - Or, for numbers, correctly signed and within range boundaries
  - "Business rule correct"

Client Side Validation
  - Validate data on the client first
  - Provides better feedback to the end user
  - Makes your site feel more responsive
  - Always validate on the server side as well!
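The checklist above is only a defense if the server applies it too, because anything the client validated can be re-sent unvalidated. As an added example (not code from the talk), here is a server-side validator in JavaScript (Node) for a hypothetical order form that applies each rule on the list: strict typing, syntax, length bounds, an allowlist of permitted characters, signed range checks, and a business rule. The field names, limits and the coupon rule are assumptions made for the example.

```javascript
// Added example (not from the slides): a server-side validator for an order
// form that applies each rule on the "Input Validation in Web Forms" list to
// untrusted request fields. Field names and business rules are assumptions.

// Strict integer parse: parseInt("10abc") would silently return 10, so the
// whole string must be digits (with an optional sign) before it is converted.
function parseStrictInt(raw) {
  if (typeof raw !== "string" || !/^[+-]?\d{1,9}$/.test(raw)) return null;
  return Number(raw);
}

// Permitted characters for a ship-to name are an allowlist; anything else
// (angle brackets, quotes, control characters) is rejected rather than
// trying to enumerate every "bad" character.
const NAME_ALLOWED = /^[A-Za-z0-9 .,'-]+$/;

const RULES = {
  quantity: { min: 1, max: 100 },             // numbers: signed and in range
  shipToName: { maxLength: 40 },              // strings: length bounded
  couponCode: { pattern: /^[A-Z0-9]{4,8}$/ }, // syntax: fixed format
};

// Validate one request body. Returns { ok, errors, value }, where `value` is
// the typed, cleaned record the rest of the application may use; the raw
// request object itself is never passed further.
function validateOrder(body) {
  const errors = {};
  const value = {};

  // Strongly typed and range-bounded quantity.
  const qty = parseStrictInt(body.quantity);
  if (qty === null) errors.quantity = "must be a whole number";
  else if (qty < RULES.quantity.min || qty > RULES.quantity.max)
    errors.quantity = `must be between ${RULES.quantity.min} and ${RULES.quantity.max}`;
  else value.quantity = qty;

  // Length-bounded and allowlisted characters.
  const name = typeof body.shipToName === "string" ? body.shipToName.trim() : "";
  if (name.length === 0) errors.shipToName = "required";
  else if (name.length > RULES.shipToName.maxLength) errors.shipToName = "too long";
  else if (!NAME_ALLOWED.test(name)) errors.shipToName = "contains disallowed characters";
  else value.shipToName = name;

  // Correct syntax (optional field, but if present it must match exactly).
  if (body.couponCode !== undefined && body.couponCode !== "") {
    if (typeof body.couponCode !== "string" || !RULES.couponCode.pattern.test(body.couponCode))
      errors.couponCode = "invalid format";
    else value.couponCode = body.couponCode;
  }

  // Business-rule check (assumed rule): a coupon may only be used on orders
  // of at least 5 items. Evaluated only once the inputs are individually valid.
  if (value.couponCode && value.quantity !== undefined && value.quantity < 5)
    errors.couponCode = "coupon requires at least 5 items";

  const ok = Object.keys(errors).length === 0;
  return { ok, errors, value: ok ? value : null };
}
```

The point of returning a freshly built `value` object is that downstream code never touches the request body: every field it sees has already been typed and bounded, which is what "trust no one's data" means in practice.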
JavaScript Validation
  - "Current" solution, useful & widely supported (probably about 95%)
  - Any JavaScript error and validation disappears
  - Fairly difficult to implement, though libraries help[3]

JavaScript Validation: Email
Is this a good email regex?

    [A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}

Yes, except when it isn't: non-English addresses and some TLDs are not covered, and no special characters are allowed in the local part.

How about this (RFC 2822)?

    (?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])

Allows some crazy stuff, like scott=k@domain.com
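To make the trade-off concrete, here is an added JavaScript example (not from the slides) that compiles both patterns above, anchored with ^ and $, and runs them over a few constructed addresses. It also includes the simple pattern without anchors, because the unanchored form quietly accepts a substring and lets trailing junk through, which is a more common mistake in practice than picking the "wrong" regex. The sample addresses are made up for the example.

```javascript
// Added example (not from the slides): the two regexes from the slide,
// anchored and compiled in JavaScript, run against constructed addresses.

// The "simple" pattern: letters/digits and a few symbols in the local part,
// and a 2-4 letter TLD. The i flag stands in for the slide's upper-case
// classes; ^ and $ force a match against the WHOLE input.
const SIMPLE_EMAIL = /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i;

// Same pattern with the anchors left off: it will "find" an address inside
// any string that merely contains one.
const SIMPLE_EMAIL_UNANCHORED = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}/i;

// The RFC 2822-derived pattern from the slide, anchored. It also accepts
// quoted local parts and bracketed IP-literal domains.
const RFC2822_EMAIL = /^(?:[a-z0-9!#$%&'*+\/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+\/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])$/i;

// Report what each pattern says about one address.
function checkEmail(address) {
  return {
    simple: SIMPLE_EMAIL.test(address),
    simpleUnanchored: SIMPLE_EMAIL_UNANCHORED.test(address),
    rfc2822: RFC2822_EMAIL.test(address),
  };
}

// Constructed sample inputs: an ordinary address, a long TLD, the slide's
// "crazy" address, an address with trailing markup, and an IP-literal domain.
const SAMPLES = [
  "user@example.com",
  "user@example.museum",
  "scott=k@domain.com",
  "user@example.com<b>",
  "user@[192.168.0.1]",
];

function runSamples() {
  return SAMPLES.map((a) => ({ address: a, ...checkEmail(a) }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(runSamples());
}
```

Whichever pattern you pick for the client, treat it as a syntax check only: the server-side rule for an address that matters (account recovery, notifications) is to send a message to it and require a confirmation, not to trust a regex.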
Input Validation w/ HTML5

HTML5 Input Validation
Two major form validation innovations:
  - New Input Types
  - Constraint Validation

HTML5 Input Types
New input types were added to augment <input type="text" />:
search, tel, url, email, number, range, color, datetime, date, month, week, time, datetime-local

HTML5 Input Types
  - Gives semantic meaning to your forms
  - Enables behaviors based on input type

DEMO: Html5 Input Types

HTML5 Input Types
  - So, that was pretty cool
  - Simply changing input types can add basic validation
  - Benefits go beyond validation
  - Additive only – no drawbacks

HTML5 Input Types
    <input type="email" />
    <input type="url" />
    <input type="tel" />
    <input type="number" />

HTML5 Constraint Validation
  - Required
  - Pattern
  - MaxLength
  - Min/Max

HTML5 Constraint Validation
    Required:  <input type="text" required />
    MaxLength: <input type="text" maxlength="10" />
    Pattern:   <input type="text" pattern="[0-9]{5}" />

DEMO: Html5 Constraints

Of course, this only works in HTML5 capable browsers
  - Older browsers will ignore these new attributes
  - With JavaScript you can "polyfill" for "regressive" enhancement

One More Thing…

Polyfill
A polyfill, or polyfiller, is a piece of code (or plugin) that provides the technology that you, the developer, expect the browser to provide natively. Generally, you test the browser for a feature; if it is not present natively, use JavaScript to add the feature.

Develop for tomorrow… today!
Great library called Modernizr: http://www.modernizr.com/
  - Helps with feature detection & media queries
  - Allows older browsers to work with Html5 elements
  - Much more
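The constraint-validation slides and the polyfill slides describe one mechanism from two sides: the browser evaluates required / maxlength / pattern / min / max and the typed inputs into a validity result, and a polyfill does the same in JavaScript when the browser cannot. As an added example (not code from the talk and not Modernizr's), here is the core of such a polyfill in JavaScript: `checkConstraints` computes a ValidityState-shaped result from a field's attributes and value, `hasNativeValidation` is a feature test in the Modernizr style, and `installPolyfill` wires the check to a form's submit event only when native support is missing. The loose per-type checks and the DOM wiring are assumptions about how a typical polyfill is structured.

```javascript
// Added example (not from the slides, not Modernizr): the core of a
// constraint-validation polyfill for the attributes the slides cover.

// Per-type syntax checks. Browsers' built-in checks are deliberately loose
// (e.g. email accepts scott=k@domain.com); these approximations are assumptions.
const TYPE_CHECKS = {
  email: (v) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  url: (v) => /^https?:\/\/\S+$/.test(v),      // assumption: only http(s) counts
  number: (v) => /^-?\d+(\.\d+)?$/.test(v),
};

// field: { type, value, required, maxlength, pattern, min, max }
// Returns an object shaped like the DOM ValidityState, plus `valid`.
function checkConstraints(field) {
  const value = field.value == null ? "" : String(field.value);
  const type = field.type || "text";
  const v = {
    valueMissing: false, tooLong: false, patternMismatch: false,
    typeMismatch: false, rangeUnderflow: false, rangeOverflow: false,
  };

  if (field.required && value === "") v.valueMissing = true;

  // Like the browser, ignore type/pattern/range constraints on an empty
  // value; only `required` complains about emptiness.
  if (value !== "") {
    if (field.maxlength !== undefined && value.length > Number(field.maxlength)) v.tooLong = true;

    if (field.pattern !== undefined) {
      // The HTML spec requires `pattern` to match the ENTIRE value, so it is
      // compiled as ^(?:pattern)$; a bare RegExp would let "abc12345xyz"
      // through a pattern of [0-9]{5}. A malformed pattern is ignored.
      let re = null;
      try { re = new RegExp("^(?:" + field.pattern + ")$"); } catch (e) { re = null; }
      if (re && !re.test(value)) v.patternMismatch = true;
    }

    if (TYPE_CHECKS[type] && !TYPE_CHECKS[type](value)) v.typeMismatch = true;

    if (type === "number" && !v.typeMismatch) {
      const n = Number(value);
      if (field.min !== undefined && n < Number(field.min)) v.rangeUnderflow = true;
      if (field.max !== undefined && n > Number(field.max)) v.rangeOverflow = true;
    }
  }

  v.valid = !Object.values(v).includes(true);
  return v;
}

// Feature detection, Modernizr style: a browser with native constraint
// validation exposes checkValidity() on a freshly created input.
function hasNativeValidation(doc) {
  return typeof doc.createElement("input").checkValidity === "function";
}

// Attach the JavaScript check to a form only when the browser lacks native
// support; returns true if the polyfill was installed. (DOM-only code.)
function installPolyfill(form, doc) {
  if (hasNativeValidation(doc)) return false;
  form.addEventListener("submit", (ev) => {
    const invalid = Array.from(form.querySelectorAll("input")).filter((el) => {
      const f = { type: el.getAttribute("type"), value: el.value, required: el.hasAttribute("required") };
      for (const a of ["maxlength", "pattern", "min", "max"]) {
        if (el.hasAttribute(a)) f[a] = el.getAttribute(a);
      }
      return !checkConstraints(f).valid;
    });
    if (invalid.length > 0) { ev.preventDefault(); invalid[0].focus(); }
  });
  return true;
}
```

In a page you would call `installPolyfill(document.querySelector("form"), document)` after the form exists. The anchoring of `pattern` is the detail most hand-rolled validators get wrong, and it is also why, per the slide, none of this replaces the server-side check: a user can still submit the form with the script disabled.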
DEMO: Polyfills

HTML5 Data Validation: Pragmatic Advice

Use the new input types
  - They may do data validation for you
  - Make your users happy (iOS & more)
  - They will keep getting better
  - Native experience

Constraint Validation
  - Useful as a "first line of defense" or backup
  - You should continue to use JavaScript for client validation


Recap: Validating Web Forms
  - Makes the experience better for your users
  - Results in better, more reliable data
  - First line of defense against a plethora of vulnerabilities

Thanks for listening
I'm Scott Kirkland
  - Email: srkirkland@ucdavis.edu
  - Web: http://weblogs.asp.net/srkirkland/
  - GitHub (personal): https://github.com/srkirkland/
  - GitHub (UCDavis): https://github.com/ucdavis/
  - Slides and demo: https://github.com/srkirkland/ITSecuritySymposium

Speaker notes

  1. Scott Kirkland has been writing web applications at UC Davis for eight years, currently in his capacity as Senior Application Architect for the College of Agricultural and Environmental Sciences Dean's Office. Scott has also created and released several open-source projects including the architectural framework UCDArch (https://github.com/ucdavis/UCDArch) for developing secure ASP.NET MVC applications at UC Davis, as well as DataAnnotationsExtensions (http://dataannotationsextensions.org) for extending client and server validation in .NET applications. Scott enjoys educating other developers and co-founded the UC Davis .NET User Group and recently led a three day workshop about ASP.NET MVC for several dozen UC Davis developers.
  2. The most common web application security weakness is the failure to properly validate input from the client or environment. This weakness leads to almost all of the major vulnerabilities in applications, such as Interpreter Injection, locale/Unicode attacks, file system attacks and buffer overflows. Data from the client should never be trusted for the client has every possibility to tamper with the data.
  3. Possibly include SQL Injection, XSS, etc.
  4. Possibly include Xss, depending on time
  5. https://www.owasp.org/index.php/Data_Validation#Data_Validation_and_Interpreter_Injection
  6. Might decrease bandwidth
  7. "Current" because it isn't really going to go anywhere, but it is "all we have". Most frameworks don't come with much in the way of help, and when they do it's complex and they contain lots of messy JavaScript.
  8. May not want to use this slide…
  9. Html5 to the rescue?
  10. Type=“text” but what kind of text? HTML5 goes further
  11. Search – assistive technologies like screen reader
  12. Type=“text” but what kind of text? HTML5 goes further
  13. <input type='text' /> Show output, looks like regular text box. <input type='email' /> Show output, looks the same, but show how iPhone and Opera treat it differently. Also, type='email' validates email! Same thing with url: <input type='url' />. Same with number: <input type='number' />. Even can do min/max with number.
  14. You could style them independently, different sizes for email, etc
  15. Also tel you get the keypad, number you get a special input too. Screenshots from http://diveintohtml5.org/forms.html
  16. Also tel you get the keypad, number you get a special input too. Screenshots from http://diveintohtml5.org/forms.html
  17. http://miketaylr.com/code/input-type-attr.html Show in FF, Chrome, Explorer (nothing breaks with Explorer, completely additive)
  18. Html5 validation constraints
  19. http://remysharp.com/2010/10/08/what-is-a-polyfill/
  20. Widely used: Google, Twitter, Microsoft (ships with MVC)
  21. http://miketaylr.com/code/input-type-attr.html Show in FF, Chrome, Explorer (nothing breaks with Explorer, completely additive)
  22. Really, no downside
  23. Really,no downside