Input Data Validation for Web Applications
Jeff Offutt
https://www.cs.gmu.edu/~offutt/
SWE 432 Design and Implementation of Software for the Web

Validating inputs
26 December 2021 © Offutt
Validating inputs
Input validation: deciding if input values can be processed by the software
• How should a program recognize invalid inputs?
• What should a program do with invalid inputs?
• It is easy to write input validators – but also easy to make mistakes!
Representing input domains
• Goal domains are often irregular
• Goal domain for credit cards†
 – First digit is the Major Industry Identifier
 – First 6 digits and length specify the issuer
 – Final digit is a “check digit”
 – Other digits identify a specific account
• Common specified domain
 – First digit is in { 3, 4, 5, 6 } (travel and banking)
 – Length is between 13 and 16 digits
• Common implemented domain
 – All digits are numeric
† More details are on: http://www.merriampark.com/anatomycc.htm
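The three credit-card domains on this slide written as predicates, so the gaps between them can be exercised directly. This is an added example, not code from the slides; it assumes the check digit is a Luhn (mod 10) digit, as the linked "anatomy of a credit card" page describes, and it does not model issuer lookup.

```python
import re

DIGITS_RE = re.compile(r"[0-9]+")   # ASCII digits only, so int() below cannot fail


def in_implemented_domain(s: str) -> bool:
    """Common implemented domain: every character is a digit, nothing else is checked."""
    return DIGITS_RE.fullmatch(s) is not None


def in_specified_domain(s: str) -> bool:
    """Common specified domain: numeric, first digit in {3, 4, 5, 6}, 13 to 16 digits."""
    return in_implemented_domain(s) and s[0] in "3456" and 13 <= len(s) <= 16


def check_digit_ok(s: str) -> bool:
    """Final digit is a check digit. Assumption: Luhn (mod 10), the industry scheme."""
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def in_goal_domain(s: str) -> bool:
    """Runnable approximation of the goal domain: specified domain plus a valid
    check digit (issuer lookup by the first six digits is left out)."""
    return in_specified_domain(s) and check_digit_ok(s)


def classify(s: str) -> str:
    """Name the region a value falls into; the 'implemented only' region is where
    the slides locate most errors and vulnerabilities."""
    if in_goal_domain(s):
        return "goal"
    if in_specified_domain(s):
        return "specified only"        # well-formed but fails the check digit
    if in_implemented_domain(s):
        return "implemented only"      # all digits, yet outside the specification
    return "rejected"


if __name__ == "__main__":
    # Constructed samples; the first is the widely published Visa test number.
    for sample in ["4111111111111111", "4111111111111112", "1234567890123",
                   "41111111", "4111 1111 1111 1111", "Alan<Turing"]:
        print(repr(sample), "->", classify(sample))
```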
Representing input domains
[Diagram: three overlapping regions – desired inputs (goal domain), described inputs (specified domain), accepted inputs (implemented domain). Where the accepted inputs differ from the desired ones: this region is a rich source of software errors … and security vulnerabilities!!!]
Users can bypass client validation
• Client-side HTML and JavaScript can enforce constraints
 – JS checks on input values
 – HTML restrictions such as maxlength
 – Implicit restrictions such as dropdown menus and radio boxes
• Users can violate constraints (accidentally and intentionally):
 – When automating execution
 – URL rewriting
 – Turning JS off
 – To attack your software
Example
[Form mockup]
User Name: ______________
Age: ___
Version to purchase: ( ) Small $150  ( ) Medium $250  ( ) Large $500
Client side checking
[Form mockup with client-side error messages]
Invalid data, please correct …
User Name: Alan<Turing     Username should be plain text only.
Age: 500                   Age should be between 18 and 150.
Version to purchase: ( ) Small $150  ( ) Medium $250  ( ) Large $500
Abbreviated HTML
<form>
  <input Type="text" Name="username" Size=20>
  <input Type="text" Name="age" Size=3 Maxlength=3>          <!-- Constraints … -->
  <p> Version to purchase:
  <input Type="radio" Name="version" Value="150" Checked>
  <input Type="radio" Name="version" Value="250">
  <input Type="radio" Name="version" Value="500">
  <input Type="submit" onClick="return checkInfo(this.form)">
  <input Type="hidden" isLoggedIn="no">
</form>
Saved & modified HTML
<form>
  <input Type="text" Name="username" Size=20>
  <input Type="text" Name="age" Size=3 Maxlength=3>
  <p> Version to purchase: …
  <input Type="radio" Name="version" Value="150">
  <input Type="radio" Name="version" Value="250">
  <input Type="radio" Name="version" Value="25" Checked>     <!-- was Value="500" -->
  <input Type="submit" onClick="return checkInfo(this.form)">
  <input Type="hidden" isLoggedIn="yes">                     <!-- was "no" -->
</form>
Annotations on the slide:
 – Allows an input with arbitrary age, no checking, cost=$25
 – ‘<’ can crash an XML parser
 – Text fields can have SQL statements
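Server-side re-validation of the purchase form above, treating everything the browser sent (including the hidden field and the radio value) as untrusted. This is an added example, not from the slides; it assumes the radio buttons are changed to carry version ids (small/medium/large) and that login state lives in a server-side session.

```python
import re

# Server-side price list. The browser chooses only a version id; the price is looked
# up here, so a rewritten radio value (Value="25") never changes what is charged.
PRICES = {"small": 150, "medium": 250, "large": 500}

# "Plain text only", bounded by the form's Size=20.
USERNAME_RE = re.compile(r"[A-Za-z0-9 ]{1,20}")
# At most three ASCII digits, matching Maxlength=3 (checked again on the server).
AGE_RE = re.compile(r"[0-9]{1,3}")


def validate_purchase(form: dict, session: dict) -> tuple:
    """Re-check every field server-side. Returns (clean_values, errors); clean_values
    is empty whenever errors is non-empty, so callers cannot half-trust the input."""
    errors, clean = [], {}

    # Login state comes from the server-side session, never from a hidden field:
    # form["isLoggedIn"] is simply ignored, whatever the client set it to.
    if not session.get("logged_in"):
        errors.append("Not logged in.")

    username = form.get("username", "")
    if USERNAME_RE.fullmatch(username):
        clean["username"] = username
    else:
        errors.append("Username should be plain text only.")

    age = form.get("age", "")
    if AGE_RE.fullmatch(age) and 18 <= int(age) <= 150:
        clean["age"] = int(age)
    else:
        errors.append("Age should be between 18 and 150.")

    version = form.get("version", "")
    if version in PRICES:
        clean["version"] = version
        clean["cost"] = PRICES[version]
    else:
        errors.append("Version must be one of small, medium, large.")

    return (clean, []) if not errors else ({}, errors)


if __name__ == "__main__":
    # Constructed submission from the modified HTML: every field is tampered with.
    tampered = {"username": "Alan<Turing", "age": "500", "version": "25",
                "isLoggedIn": "yes"}
    print(validate_purchase(tampered, session={}))
```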
SQL injection
User Name: turing’ OR ‘1’=‘1
Password:  enigma’ OR ‘1’=‘1

Original SQL:
  SELECT username FROM adminuser WHERE username=‘turing’ AND password=‘enigma’
“Injected” SQL:
  SELECT username FROM adminuser WHERE username=‘turing’ OR ‘1’=‘1’ AND password=‘enigma’ OR ‘1’=‘1’
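The slide's login query run against an in-memory SQLite table, once built by string concatenation (the injected form above) and once with bound parameters. This is an added example, not from the slides; the adminuser table and its single row are constructed here, and the plaintext password column exists only to mirror the slide's query.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table mirroring the slide: one admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE adminuser (username TEXT, password TEXT)")
    conn.execute("INSERT INTO adminuser VALUES ('turing', 'enigma')")
    return conn


def build_concatenated_sql(username: str, password: str) -> str:
    """The vulnerable form: user input is pasted into the SQL text itself."""
    return ("SELECT username FROM adminuser WHERE username='" + username +
            "' AND password='" + password + "'")


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Executes the concatenated query; quotes in the input rewrite the WHERE clause.
    AND binds tighter than OR, so the trailing OR '1'='1' makes every row match."""
    return [row[0] for row in conn.execute(build_concatenated_sql(username, password))]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The fix: placeholders. The driver passes the values as data, never as SQL,
    so a quote in the username is just a character to compare against."""
    sql = "SELECT username FROM adminuser WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    conn = make_db()
    user, pw = "turing' OR '1'='1", "enigma' OR '1'='1"     # the slide's inputs
    print(build_concatenated_sql(user, pw))
    print("concatenated:", login_concatenated(conn, user, pw))
    print("parameterized:", login_parameterized(conn, user, pw))
```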
Handling exceptions
Managing exceptions
• Language exception handling features allow programmers to separate functional logic from error condition handling
  try {
    // A computation that can produce an exception
  } catch (BadException e) {
    // log it and recover
  }
• The Java compiler verifies that exceptions are handled in the program
• Some languages do not support this
• Checked exceptions force engineers to handle errors
Catch low—If you can recover
• Have a sensible recovery strategy
 – FileNotFoundException: ask the user for another file name
 – System.OutOfMemoryException: probably kill the process
• Catching “low” means you have more information to recover with
 – But do not catch just to catch
 – If you don’t know what to do with the exception, let somebody else take it
• What does the user need to know?
• Make sure you catch all exceptions at the top level
 – A web app should NEVER throw exceptions to users
This is really bad!
[Error page shown to the user:]
Application: photosprintshop
Web Error: java.lang.IllegalStateException exception
Reason: java.lang.IllegalStateException: An Exception occurred while generating the Exception page 'WOExceptionPage'. This is most likely due to an error in WOExceptionPage itself. Below are the logs of first the Exception in WOExceptionPage, second the Exception in Application that triggered everything.
com.webobjects.foundation.NSForwardException [com.webobjects.jdbcadaptor.JDBCAdaptorException] dateInformation of type java.lang.String is not a valid Date type. You must use java.sql.Timestamp, java.sql.Date, or java.sql.Time: <Session> failed instantiation. Exception raised: com.webobjects.jdbcadaptor.JDBCAdaptorException: dateInformation of type java.lang.String is not a valid Date type. You must use java.sql.Timestamp, java.sql.Date, or java.sql.Time
Original Exception: com.webobjects.jdbcadaptor.JDBCAdaptorException: dateInformation of type java.lang.String is not a valid Date type. You must use java.sql.Timestamp, java.sql.Date, or java.sql.Time
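The two rules from the previous slides in code: catch low where a sensible recovery exists (a missing file becomes a prompt for another name), and catch everything at the top level so that internal detail like the error page above goes to the log rather than to the user. Added example, not from the slides; the handler names, the non-existent file path and the failing handler are constructed.

```python
import logging

log = logging.getLogger("webapp")


def read_user_file(name: str) -> str:
    """Catch low where recovery is sensible: FileNotFoundError has an obvious
    recovery (ask for another name). Anything else is left for the top level."""
    try:
        with open(name, encoding="utf-8") as f:
            return f.read()
    except FileNotFoundError:
        return "File not found. Please enter another file name."


def handle_request(handler, *args) -> tuple:
    """Top-level catch-all of a web app. Returns (status, body): the exception
    detail is logged server-side, the user only ever sees a generic message."""
    try:
        return 200, handler(*args)
    except MemoryError:
        raise                          # "probably kill the process": not recoverable here
    except Exception:
        log.exception("unhandled exception in %s", handler.__name__)
        return 500, "Something went wrong. Please try again later."


def broken_handler() -> str:
    """Constructed stand-in for the failing page on the slide."""
    raise TypeError("dateInformation of type str is not a valid Date type")


if __name__ == "__main__":
    print(handle_request(read_user_file, "/nonexistent/constructed-name.txt"))
    print(handle_request(broken_handler))
```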
Summary
• Don’t trust users
• Don’t bother users
• Usable security says we can have both
In-class exercise: Validating data
If the software lets invalid data get stored into the database, what information security concept has been violated?