WhiteList Checker: An Eclipse Plugin to Improve Application Security

Bill Chu, Jing Xie, Will Stranathan
University of North Carolina at Charlotte
Motivation
   • Lack of proper input validation is a cause of many software vulnerabilities
       • XSS, SQL injection, file inclusion, log forging, path manipulation etc.
   • White list vs. black list validation
   • White list input validation is not easy to do, even for common input types (e.g. names)
   • Support for input validation can be baked into the IDE
WhiteList Checker
   • Identify untrusted input
   • Interactively notify the developer (similar to a syntax error)
   • Present a choice of input types
   • Insert validation code

   Untrusted input as identified by the plugin:

       String username = request.getParameter("username");

   The same statement after the plugin inserts validation code:

       String username = request.getParameter("username");
       try {
           Validation.validate(username, "safe_text");
       } catch (InputValidationException e) {
           username = "safe text";
       }
Trust boundary definition
   • API calls
       • HttpServletRequest.getParameter()
   • Parameters / variables
       • main (String[] args)
Input validation rules
   • WhiteList Checker is initialized with a set of regular expressions developed by OWASP for input validation
   • Syntactic rules
       • Regular expressions
           • e.g. email, full path file name
   • Semantic rules
       • Specific to input type
           • e.g. files under /usr/billchu
   • User defined rules
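Added example, not the plugin's own code: a stand-in for the Validation helper that the inserted code on the WhiteList Checker slide calls, covering the three rule categories above. The class names Validation and InputValidationException and the type name safe_text come from the slides; the other rule names, the regexes (loosely modelled on OWASP's validation patterns), the addRule and validateFileUnder methods and the sample inputs are assumptions constructed for this example.

```java
import java.io.File;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Thrown when a value fails its whitelist rule (name taken from the slide).
class InputValidationException extends Exception {
    InputValidationException(String msg) { super(msg); }
}

final class Validation {
    // Syntactic rules: one whitelist regex per named input type.
    // Patterns are constructed for this example, not the plugin's OWASP rule set.
    private static final Map<String, Pattern> SYNTACTIC = new HashMap<>();
    static {
        // Letters, digits, spaces and a few punctuation marks; anything else is rejected.
        SYNTACTIC.put("safe_text", Pattern.compile("^[a-zA-Z0-9 .,_-]{1,64}$"));
        SYNTACTIC.put("email", Pattern.compile("^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$"));
        SYNTACTIC.put("zip", Pattern.compile("^\\d{5}(-\\d{4})?$"));
    }

    // User-defined rules: the developer registers an additional type and its regex.
    static void addRule(String type, String regex) {
        SYNTACTIC.put(type, Pattern.compile(regex));
    }

    // Whitelist check: the whole value must match the pattern for its type.
    static void validate(String value, String type) throws InputValidationException {
        Pattern p = SYNTACTIC.get(type);
        if (p == null) throw new IllegalArgumentException("unknown input type: " + type);
        if (value == null || !p.matcher(value).matches()) {
            throw new InputValidationException("value is not a valid " + type);
        }
    }

    // Semantic rule: the value must name a file inside a fixed base directory
    // (the slide's "files under /usr/billchu"). Both paths are canonicalised
    // before comparison so ".." segments and symlinks cannot escape the base.
    static void validateFileUnder(String value, String baseDir) throws InputValidationException {
        try {
            String base = new File(baseDir).getCanonicalPath() + File.separator;
            String candidate = new File(baseDir, value).getCanonicalPath();
            if (!candidate.startsWith(base)) {
                throw new InputValidationException("file is outside " + baseDir);
            }
        } catch (IOException e) {
            throw new InputValidationException("cannot resolve path: " + e.getMessage());
        }
    }
}

public class ValidationDemo {
    // The shape of the code the plugin inserts after an untrusted read:
    // validate against a named type and fall back to a known-safe constant.
    static String safeUsername(String untrusted) {
        String username = untrusted;
        try {
            Validation.validate(username, "safe_text");
        } catch (InputValidationException e) {
            username = "safe text";
        }
        return username;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs standing in for request.getParameter("username").
        System.out.println(safeUsername("alice"));
        System.out.println(safeUsername("<b>alice</b>"));

        // A user-defined syntactic rule registered at runtime.
        Validation.addRule("ticket_id", "^T-\\d{6}$");
        Validation.validate("T-123456", "ticket_id");

        // Semantic rule: inside the base directory passes, a traversal attempt throws.
        Validation.validateFileUnder("notes.txt", "/usr/billchu");
        try {
            Validation.validateFileUnder("../../outside.txt", "/usr/billchu");
        } catch (InputValidationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run as ValidationDemo.java; the safe default substituted on failure mirrors the slide's fallback to "safe text", and the file rule shows why semantic checks need canonical paths rather than a regex alone.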
Building a data dictionary
   • Identify all input types and where they enter the application
   • Answer queries:
       • In how many places does this application accept credit card numbers from the user?
       • Does this application accept sensitive information from the customer?
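Added example, not the plugin's implementation: a data dictionary built by scanning Java source for the two trust-boundary sources named on the earlier slide (HttpServletRequest.getParameter() and main(String[] args)) and then answering the two queries above. The keyword-based type guessing, the Entry record and the sample files Checkout.java and Tool.java are constructed assumptions; the real plugin has the developer choose the input type interactively.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DataDictionary {

    // One dictionary entry: where an input enters, what it is called, and its guessed type.
    static final class Entry {
        final String file; final int line; final String source; final String name; final String type;
        Entry(String file, int line, String source, String name, String type) {
            this.file = file; this.line = line; this.source = source; this.name = name; this.type = type;
        }
        @Override public String toString() {
            return file + ":" + line + " " + source + " '" + name + "' -> " + type;
        }
    }

    // Trust boundary crossings: servlet parameters and command-line arguments.
    private static final Pattern GET_PARAM =
        Pattern.compile("getParameter\\(\\s*\"([^\"]*)\"\\s*\\)");
    private static final Pattern MAIN_ARGS =
        Pattern.compile("static\\s+void\\s+main\\s*\\(\\s*String\\s*\\[\\]\\s*(\\w+)\\s*\\)");

    // Guess an input type from the parameter name (assumption made for this example).
    static String guessType(String name) {
        String n = name.toLowerCase();
        if (n.contains("card") || n.contains("ccnum")) return "credit_card";
        if (n.contains("ssn")) return "ssn";
        if (n.contains("email")) return "email";
        if (n.contains("path") || n.contains("file")) return "file_path";
        return "safe_text";
    }

    // Scan one source file and record every trust-boundary crossing with its line number.
    static List<Entry> scan(String file, String source) {
        List<Entry> entries = new ArrayList<>();
        String[] lines = source.split("\n");
        for (int i = 0; i < lines.length; i++) {
            Matcher m = GET_PARAM.matcher(lines[i]);
            while (m.find()) {
                entries.add(new Entry(file, i + 1, "HttpServletRequest.getParameter",
                                      m.group(1), guessType(m.group(1))));
            }
            Matcher a = MAIN_ARGS.matcher(lines[i]);
            if (a.find()) {
                entries.add(new Entry(file, i + 1, "main args", a.group(1), "safe_text"));
            }
        }
        return entries;
    }

    // Query: how many entry points exist per input type?
    static Map<String, Integer> countByType(List<Entry> entries) {
        Map<String, Integer> counts = new TreeMap<>();
        for (Entry e : entries) counts.merge(e.type, 1, Integer::sum);
        return counts;
    }

    // Query: does the application accept any sensitive type at all?
    static boolean acceptsSensitive(List<Entry> entries) {
        for (Entry e : entries) {
            if (e.type.equals("credit_card") || e.type.equals("ssn")) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample source standing in for a project's Java files.
        String checkout = String.join("\n",
            "String card = request.getParameter(\"cardNumber\");",
            "String email = request.getParameter(\"email\");",
            "String name = request.getParameter(\"fullName\");");
        String cli = String.join("\n",
            "public static void main(String[] args) {",
            "    String ccnum = req.getParameter(\"ccnum\");",
            "}");

        List<Entry> dict = new ArrayList<>();
        dict.addAll(scan("Checkout.java", checkout));
        dict.addAll(scan("Tool.java", cli));

        for (Entry e : dict) System.out.println(e);
        System.out.println("entry points by type: " + countByType(dict));
        System.out.println("credit card inputs: " + countByType(dict).getOrDefault("credit_card", 0));
        System.out.println("accepts sensitive data: " + acceptsSensitive(dict));
    }
}
```

The dictionary keeps file and line for each entry, which is what makes the two slide queries answerable: counting entries of type credit_card gives the number of places card numbers are accepted, and a single sensitive entry answers the second question.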
Generate customized rules for static analysis
   • Fortify example
       • Generate rules that remove taints from validated inputs to reduce false positives
Future work
   • Dataflow analysis for input of composite type
   • Implement semantic validation rules
   • Dynamic languages
   • Evaluation including user studies