SlideShare une entreprise Scribd logo

Struts validation framework - Part1 [null Bangalore] [Dec 2013 meet]

n|u - The Open Security Community
n|u - The Open Security Community

null Bangalore 14th Dec 2013 meet

TechnologieFormation
1  sur  19
Télécharger pour lire hors ligne
Disclaimer opinions expressed here are my own and are a result of the way in which my mind interprets a particular situation or concept.
Courtesy Google for Images…. Slide share for Slides… Wikipedia for text…
Struts validation framework WEB Application Security
Structure what why how - MVC ? Concept and Origin Execution Process what why how - Web framework? Features what why how Validation framework?
Attacker’s – why should I care.. Applications are getting smarter Applications are getting tougher Old strategy may not work.. Strategy – outside inn to inside out Understanding of internals Defenders how to write/suggest defensive programming
SOFTWARE EVOLUTION Fist Prototype of a Computer Mouse 1979 Introduction of graphic “views” in computing Early Apple GUI Formulated by Norwegian computer scientist Trygve Reenskaug for Graphic User Interphase (GUI) software design, the MVC architecture was one of the primary outcomes of GUI development.
Software Architecture Pattern Separates representation of information from user interaction. Promotes: • Code Reusability • Separation of Concerns
Code Reusability Separation of Concerns • Shortens development • Improves code clarity and organization • Code Libraries • Design Patterns • Frameworks • Helps troubleshooting by isolating issues • Allows for multiple teams to develop simultaneously
Big Picture Design Patterns MVC Frameworks Struts Validation Framework Spring Validation Framework
Opportunity to attack Without framework With framework • XSS • XSS • SQL injection • SQL injection • Command Injection • Command Injection • Xml injection • Xml injection
Types of MVC Frameworks ASP.NET PHP (Zend, Symfony, CakePHP, CodeIgniter) Javascript ( Backbone.js, Ember.js, JavascriptMVC) Java (Struts, Spring, Expresso, Stripes, JSF, Tapestry, Wicket…) ASP.NET 4.0 Framework
Controller – Mediates input and commands for the model or view Model – Application data, business rules, logic, and functions. View – Output and representation of data MVC Execution Process
Advantages MVC • • • • • Easier to Manage Complexity Does not use view state or server based forms Rich Routing Structure Support for Test-Driven Development Supports Large Teams Well
Data-validation Framework
Inputs Filters • Headers • Input form fields – Text, button, select, ratio, hidden, Browse • URL • Session / Cookie
Output filter • Response object • Automatic HTML entity encoding (spring)
Validation Strategy • Centralize the data flow : Struts-config.xml – List the address of the input form • Control each piece of field(data) :Validation form – List each Include all input fields • Assign validation logic to each field:Validation.xml – For each field, specify one or more validation rules • Define validation logic : Validation-rules.xml – Max length, min length, knowngood validation • Bind each field to a Regular expression
Regex ^[a-z0-9_-]{3,15}$ Characters allowed a to z (only small case) Numbers allowed 0123456789 Special Chars allowed Underscore and Hyphen Max length 15 Min length 3
End.. Slides --- will be uploaded to null site and slide share… Need hands on… Scream for a bachaav session… I am open to take a session…

Recommandé

Struts validation framework Part 2
Struts validation framework Part 2Struts validation framework Part 2
Struts validation framework Part 2n|u - The Open Security Community
 
Virtual Networking Security - Network Security
Virtual Networking Security - Network SecurityVirtual Networking Security - Network Security
Virtual Networking Security - Network SecurityEng Teong Cheah
 
Core Impact Pro R1-Release Overview
Core Impact Pro R1-Release OverviewCore Impact Pro R1-Release Overview
Core Impact Pro R1-Release OverviewCore Security
 
[Wroclaw #6] Introduction to desktop browser add-ons
[Wroclaw #6] Introduction to desktop browser add-ons[Wroclaw #6] Introduction to desktop browser add-ons
[Wroclaw #6] Introduction to desktop browser add-onsOWASP
 
SSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentSSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentMongoDB
 
Creating a Single View Part 3: Securing Your Deployment
Creating a Single View Part 3: Securing Your DeploymentCreating a Single View Part 3: Securing Your Deployment
Creating a Single View Part 3: Securing Your DeploymentMongoDB
 
Webinar: Creating a Single View: Securing Your Deployment
Webinar: Creating a Single View: Securing Your DeploymentWebinar: Creating a Single View: Securing Your Deployment
Webinar: Creating a Single View: Securing Your DeploymentMongoDB
 
Mod security
Mod securityMod security
Mod securityShruthi Kamath
 

Recommandé

Struts validation framework Part 2
Struts validation framework Part 2Struts validation framework Part 2
Struts validation framework Part 2n|u - The Open Security Community
 
Virtual Networking Security - Network Security
Virtual Networking Security - Network SecurityVirtual Networking Security - Network Security
Virtual Networking Security - Network SecurityEng Teong Cheah
 
Core Impact Pro R1-Release Overview
Core Impact Pro R1-Release OverviewCore Impact Pro R1-Release Overview
Core Impact Pro R1-Release OverviewCore Security
 
[Wroclaw #6] Introduction to desktop browser add-ons
[Wroclaw #6] Introduction to desktop browser add-ons[Wroclaw #6] Introduction to desktop browser add-ons
[Wroclaw #6] Introduction to desktop browser add-onsOWASP
 
SSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentSSecuring Your MongoDB Deployment
SSecuring Your MongoDB DeploymentMongoDB
 
Creating a Single View Part 3: Securing Your Deployment
Creating a Single View Part 3: Securing Your DeploymentCreating a Single View Part 3: Securing Your Deployment
Creating a Single View Part 3: Securing Your DeploymentMongoDB
 
Webinar: Creating a Single View: Securing Your Deployment
Webinar: Creating a Single View: Securing Your DeploymentWebinar: Creating a Single View: Securing Your Deployment
Webinar: Creating a Single View: Securing Your DeploymentMongoDB
 
Mod security
Mod securityMod security
Mod securityShruthi Kamath
 
Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod securityRomansh Yadav
 
Single Sign-on Framework in Tizen
Single Sign-on Framework in TizenSingle Sign-on Framework in Tizen
Single Sign-on Framework in TizenRyo Jin
 
OSSIM User Training: Get Improved Security Visibility with OSSIM
OSSIM User Training: Get Improved Security Visibility with OSSIMOSSIM User Training: Get Improved Security Visibility with OSSIM
OSSIM User Training: Get Improved Security Visibility with OSSIMAlienVault
 
Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...BeyondTrust
 
Finacle - Secure Coding Practices
Finacle - Secure Coding PracticesFinacle - Secure Coding Practices
Finacle - Secure Coding PracticesInfosys Finacle
 
mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3Naoya Nakazawa
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application FirewallChandrapal Badshah
 
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Paula Januszkiewicz
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationAlienVault
 
Kevin wharram
Kevin wharramKevin wharram
Kevin wharramKevin Wharram
 
12 steps to_cloud_security
12 steps to_cloud_security12 steps to_cloud_security
12 steps to_cloud_securityWisecube AI
 
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...OWASP Delhi
 
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5AlienVault
 
[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security ArchitecturesOWASP
 
Mod Security
Mod SecurityMod Security
Mod SecurityAbhishek Singh
 
Secure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongSecure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongbryns
 
QualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application FirewallQualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application FirewallRisk Analysis Consultants, s.r.o.
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesAleksandar Bozinovski
 
Virtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityVirtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityEng Teong Cheah
 
Uniface Web Application Security
Uniface Web Application SecurityUniface Web Application Security
Uniface Web Application SecurityUniface
 
Security Onion - Introduction
Security Onion - IntroductionSecurity Onion - Introduction
Security Onion - Introductionn|u - The Open Security Community
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - BriefAshley Deuble
 

Contenu connexe

Tendances

Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod securityRomansh Yadav
 
Single Sign-on Framework in Tizen
Single Sign-on Framework in TizenSingle Sign-on Framework in Tizen
Single Sign-on Framework in TizenRyo Jin
 
OSSIM User Training: Get Improved Security Visibility with OSSIM
OSSIM User Training: Get Improved Security Visibility with OSSIMOSSIM User Training: Get Improved Security Visibility with OSSIM
OSSIM User Training: Get Improved Security Visibility with OSSIMAlienVault
 
Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...BeyondTrust
 
Finacle - Secure Coding Practices
Finacle - Secure Coding PracticesFinacle - Secure Coding Practices
Finacle - Secure Coding PracticesInfosys Finacle
 
mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3Naoya Nakazawa
 
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Paula Januszkiewicz
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationAlienVault
 
12 steps to_cloud_security
12 steps to_cloud_security12 steps to_cloud_security
12 steps to_cloud_securityWisecube AI
 
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...OWASP Delhi
 
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5AlienVault
 
[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security ArchitecturesOWASP
 
Secure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongSecure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongbryns
 
Virtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityVirtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityEng Teong Cheah
 
Uniface Web Application Security
Uniface Web Application SecurityUniface Web Application Security
Uniface Web Application SecurityUniface
 

Tendances (20)

Web Application firewall-Mod security
Web Application firewall-Mod securityWeb Application firewall-Mod security
Web Application firewall-Mod security
 
Single Sign-on Framework in Tizen
Single Sign-on Framework in TizenSingle Sign-on Framework in Tizen
Single Sign-on Framework in Tizen
 
OSSIM User Training: Get Improved Security Visibility with OSSIM
OSSIM User Training: Get Improved Security Visibility with OSSIMOSSIM User Training: Get Improved Security Visibility with OSSIM
OSSIM User Training: Get Improved Security Visibility with OSSIM
 
Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...Hacker techniques for bypassing existing antivirus solutions & how to build a...
Hacker techniques for bypassing existing antivirus solutions & how to build a...
 
Finacle - Secure Coding Practices
Finacle - Secure Coding PracticesFinacle - Secure Coding Practices
Finacle - Secure Coding Practices
 
mod_security introduction at study2study #3
mod_security introduction at study2study #3mod_security introduction at study2study #3
mod_security introduction at study2study #3
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application Firewall
 
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...Microsoft Ignite session: Explore adventures in the underland: forensic techn...
Microsoft Ignite session: Explore adventures in the underland: forensic techn...
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM Installation
 
Kevin wharram
Kevin wharramKevin wharram
Kevin wharram
 
12 steps to_cloud_security
12 steps to_cloud_security12 steps to_cloud_security
12 steps to_cloud_security
 
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
 
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
 
[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures[OWASP Poland Day] Web App Security Architectures
[OWASP Poland Day] Web App Security Architectures
 
Mod Security
Mod SecurityMod Security
Mod Security
 
Secure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrongSecure Coding - Are we doing it wrong
Secure Coding - Are we doing it wrong
 
QualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application FirewallQualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application Firewall
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
 
Virtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter SecurityVirtual Networking Security - Perimeter Security
Virtual Networking Security - Perimeter Security
 
Uniface Web Application Security
Uniface Web Application SecurityUniface Web Application Security
Uniface Web Application Security
 

En vedette

Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - BriefAshley Deuble
 
Security Onion Conference - 2015
Security Onion Conference - 2015Security Onion Conference - 2015
Security Onion Conference - 2015DefensiveDepth
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & BuildSameer Paradia
 

En vedette (7)

Security Onion - Introduction
Security Onion - IntroductionSecurity Onion - Introduction
Security Onion - Introduction
 
Security Onion - Brief
Security Onion - BriefSecurity Onion - Brief
Security Onion - Brief
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
Suricata
SuricataSuricata
Suricata
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
Security Onion Conference - 2015
Security Onion Conference - 2015Security Onion Conference - 2015
Security Onion Conference - 2015
 
Security Operation Center - Design & Build
Security Operation Center - Design & BuildSecurity Operation Center - Design & Build
Security Operation Center - Design & Build
 

Similaire à Struts validation framework - Part1 [null Bangalore] [Dec 2013 meet]

Whats New In 2010 (Msdn & Visual Studio)
Whats New In 2010 (Msdn & Visual Studio)Whats New In 2010 (Msdn & Visual Studio)
Whats New In 2010 (Msdn & Visual Studio)Steve Lange
 
RAHUL_Updated( (2)
RAHUL_Updated( (2)RAHUL_Updated( (2)
RAHUL_Updated( (2)Rahul Singh
 
Jesy George_CV_LATEST
Jesy George_CV_LATESTJesy George_CV_LATEST
Jesy George_CV_LATESTJesy George
 
Building an enterprise app in silverlight 4 and NHibernate
Building an enterprise app in silverlight 4 and NHibernateBuilding an enterprise app in silverlight 4 and NHibernate
Building an enterprise app in silverlight 4 and NHibernatebwullems
 
Mcv design patterns
Mcv design patternsMcv design patterns
Mcv design patternsRob Paok
 
Modern ASP.NET Webskills
Modern ASP.NET WebskillsModern ASP.NET Webskills
Modern ASP.NET WebskillsCaleb Jenkins
 
What is ASP.NET MVC
What is ASP.NET MVCWhat is ASP.NET MVC
What is ASP.NET MVCBrad Oyler
 
Getting started with MVC 5 and Visual Studio 2013
Getting started with MVC 5 and Visual Studio 2013Getting started with MVC 5 and Visual Studio 2013
Getting started with MVC 5 and Visual Studio 2013Thomas Robbins
 
Asp.net mvc basic introduction
Asp.net mvc basic introductionAsp.net mvc basic introduction
Asp.net mvc basic introductionBhagath Gopinath
 
04 test controlling and tracking
04 test controlling and tracking04 test controlling and tracking
04 test controlling and trackingClemens Reijnen
 
Azure presentation nnug dec 2010
Azure presentation nnug dec 2010Azure presentation nnug dec 2010
Azure presentation nnug dec 2010Ethos Technologies
 
Actively looking for an opportunity to work as a challenging Dot Net Developer
Actively looking for an opportunity to work as a challenging Dot Net DeveloperActively looking for an opportunity to work as a challenging Dot Net Developer
Actively looking for an opportunity to work as a challenging Dot Net DeveloperKarthik Reddy
 
Actively looking for an opportunity to work as a challenging Dot Net Developer
Actively looking for an opportunity to work as a challenging Dot Net DeveloperActively looking for an opportunity to work as a challenging Dot Net Developer
Actively looking for an opportunity to work as a challenging Dot Net DeveloperKarthik Reddy
 

Similaire à Struts validation framework - Part1 [null Bangalore] [Dec 2013 meet] (20)

Profile_Ahmad2
Profile_Ahmad2Profile_Ahmad2
Profile_Ahmad2
 
Struts validationframework
Struts validationframeworkStruts validationframework
Struts validationframework
 
Whats New In 2010 (Msdn & Visual Studio)
Whats New In 2010 (Msdn & Visual Studio)Whats New In 2010 (Msdn & Visual Studio)
Whats New In 2010 (Msdn & Visual Studio)
 
RAHUL_Updated( (2)
RAHUL_Updated( (2)RAHUL_Updated( (2)
RAHUL_Updated( (2)
 
Ram Prasad P.S.S
Ram Prasad P.S.SRam Prasad P.S.S
Ram Prasad P.S.S
 
Trinada pabolu profile
Trinada pabolu profileTrinada pabolu profile
Trinada pabolu profile
 
Trinada pabolu profile
Trinada pabolu profileTrinada pabolu profile
Trinada pabolu profile
 
Jesy George_CV_LATEST
Jesy George_CV_LATESTJesy George_CV_LATEST
Jesy George_CV_LATEST
 
Building an enterprise app in silverlight 4 and NHibernate
Building an enterprise app in silverlight 4 and NHibernateBuilding an enterprise app in silverlight 4 and NHibernate
Building an enterprise app in silverlight 4 and NHibernate
 
Arun Kumar(7.8Yrs).DOC
Arun Kumar(7.8Yrs).DOCArun Kumar(7.8Yrs).DOC
Arun Kumar(7.8Yrs).DOC
 
Mcv design patterns
Mcv design patternsMcv design patterns
Mcv design patterns
 
Modern ASP.NET Webskills
Modern ASP.NET WebskillsModern ASP.NET Webskills
Modern ASP.NET Webskills
 
What is ASP.NET MVC
What is ASP.NET MVCWhat is ASP.NET MVC
What is ASP.NET MVC
 
Getting started with MVC 5 and Visual Studio 2013
Getting started with MVC 5 and Visual Studio 2013Getting started with MVC 5 and Visual Studio 2013
Getting started with MVC 5 and Visual Studio 2013
 
Asp.net mvc basic introduction
Asp.net mvc basic introductionAsp.net mvc basic introduction
Asp.net mvc basic introduction
 
04 test controlling and tracking
04 test controlling and tracking04 test controlling and tracking
04 test controlling and tracking
 
Azure presentation nnug dec 2010
Azure presentation nnug dec 2010Azure presentation nnug dec 2010
Azure presentation nnug dec 2010
 
Chinnasamy Manickam
Chinnasamy ManickamChinnasamy Manickam
Chinnasamy Manickam
 
Actively looking for an opportunity to work as a challenging Dot Net Developer
Actively looking for an opportunity to work as a challenging Dot Net DeveloperActively looking for an opportunity to work as a challenging Dot Net Developer
Actively looking for an opportunity to work as a challenging Dot Net Developer
 
Actively looking for an opportunity to work as a challenging Dot Net Developer
Actively looking for an opportunity to work as a challenging Dot Net DeveloperActively looking for an opportunity to work as a challenging Dot Net Developer
Actively looking for an opportunity to work as a challenging Dot Net Developer
 

Plus de n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

Plus de n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Dernier

Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 

Dernier (20)

Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 

Struts validation framework - Part1 [null Bangalore] [Dec 2013 meet]

  • 1. Disclaimer opinions expressed here are my own and are a result of the way in which my mind interprets a particular situation or concept.
  • 2. Courtesy Google for Images…. Slide share for Slides… Wikipedia for text…
  • 3. Struts validation framework WEB Application Security
  • 4. Structure what why how - MVC ? Concept and Origin Execution Process what why how - Web framework? Features what why how Validation framework?
  • 5. Attacker’s – why should I care.. Applications are getting smarter Applications are getting tougher Old strategy may not work.. Strategy – outside inn to inside out Understanding of internals Defenders how to write/suggest defensive programming
  • 6. SOFTWARE EVOLUTION Fist Prototype of a Computer Mouse 1979 Introduction of graphic “views” in computing Early Apple GUI Formulated by Norwegian computer scientist Trygve Reenskaug for Graphic User Interphase (GUI) software design, the MVC architecture was one of the primary outcomes of GUI development.
  • 7. Software Architecture Pattern Separates representation of information from user interaction. Promotes: • Code Reusability • Separation of Concerns
  • 8. Code Reusability Separation of Concerns • Shortens development • Improves code clarity and organization • Code Libraries • Design Patterns • Frameworks • Helps troubleshooting by isolating issues • Allows for multiple teams to develop simultaneously
  • 10. Opportunity to attack Without framework With framework • XSS • XSS • SQL injection • SQL injection • Command Injection • Command Injection • Xml injection • Xml injection
  • 11. Types of MVC Frameworks ASP.NET PHP (Zend, Symfony, CakePHP, CodeIgniter) Javascript ( Backbone.js, Ember.js, JavascriptMVC) Java (Struts, Spring, Expresso, Stripes, JSF, Tapestry, Wicket…) ASP.NET 4.0 Framework
  • 12. Controller – Mediates input and commands for the model or view Model – Application data, business rules, logic, and functions. View – Output and representation of data MVC Execution Process
  • 13. Advantages MVC • • • • • Easier to Manage Complexity Does not use view state or server based forms Rich Routing Structure Support for Test-Driven Development Supports Large Teams Well
  • 15. Inputs Filters • Headers • Input form fields – Text, button, select, ratio, hidden, Browse • URL • Session / Cookie
  • 16. Output filter • Response object • Automatic HTML entity encoding (spring)
  • 17. Validation Strategy • Centralize the data flow : Struts-config.xml – List the address of the input form • Control each piece of field(data) :Validation form – List each Include all input fields • Assign validation logic to each field:Validation.xml – For each field, specify one or more validation rules • Define validation logic : Validation-rules.xml – Max length, min length, knowngood validation • Bind each field to a Regular expression
  • 18. Regex ^[a-z0-9_-]{3,15}$ Characters allowed a to z (only small case) Numbers allowed 0123456789 Special Chars allowed Underscore and Hyphen Max length 15 Min length 3
  • 19. End.. Slides --- will be uploaded to null site and slide share… Need hands on… Scream for a bachaav session… I am open to take a session…