Figure 10.2 Malicious JavaScript is executed because of the lack of output encoding.
Figure 10.3 Encoded output in a Java Web application converts the JavaScript into an encoded string.
10.2.2 User Input Validation for Java Web Applications
We have delved into the need for input validation and output encoding for Web applications, and
we have also discussed, briefly, how Java provides the capability to implement effective validation of
input and encoding of output. We will now explore the practical implementation of input validation
and output encoding. There are three significant factors:
Success factors for input validation
Use of regular expressions
Whitelist vs. blacklist input validation
10.2.2.1 Success Factors for Input Validation
Validation of input is a secure coding practice that must be present in every Web application that
handles user input. Architects and developers should always remember that user input can never be
trusted: anyone who can send an HTTP request to the application is one of its users, and most Web
application attacks are carried out by such users, who target and attack other users of the same
application.
The first action item for developers and architects is to identify every point at which user input
enters the application and to apply input validation routines to the input arriving there. It is essential
to ensure that all inputs are validated. This includes text-based input fields as well as other inputs
such as option-based inputs (drop-down lists), radio buttons, and checkboxes. Very often, input
validation is applied inconsistently and is skipped for these forms of input, on the assumption that
the browser only allows the rendered choices; in reality an attacker can set them to any value using
a simple intercepting Web application proxy. The manipulation of input fields other than text-based
inputs is exemplified in Figure 10.4.
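The following class is an added example, not code from the book, of the server-side checks this paragraph calls for. It validates every parameter of a hypothetical sign-up form, including the drop-down, radio-button and checkbox values that are commonly left unchecked, and also previews the two factors listed above: a regular expression for the free-text field and a whitelist (allowed set) for everything else. The field names, allowed values and the Map standing in for request.getParameter() are all assumptions made for the example; the sample requests are constructed, not captured traffic.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Server-side whitelist validation of every parameter of a hypothetical sign-up form.
 * Request parameters are modelled as a Map<String, String> so the class runs stand-alone
 * (java SignupValidator.java); in a servlet the values come from request.getParameter(...).
 */
public class SignupValidator {

    // Whitelist for the free-text field: 3 to 32 letters, digits or underscores, nothing else.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{3,32}$");

    // Allowed values for the option-based inputs, exactly as rendered in the form (assumed names).
    private static final Set<String> COUNTRIES = Set.of("US", "IN", "DE", "GB"); // drop-down list
    private static final Set<String> PLANS = Set.of("basic", "pro");             // radio buttons
    private static final Set<String> NEWSLETTER = Set.of("on");                  // checkbox, or absent
    private static final Set<String> KNOWN_PARAMS =
            Set.of("username", "country", "plan", "newsletter");

    /** Returns the list of validation failures; an empty list means the request is acceptable. */
    public static List<String> validate(Map<String, String> params) {
        List<String> errors = new ArrayList<>();

        String username = params.get("username");
        if (username == null || !USERNAME.matcher(username).matches()) {
            errors.add("username: not in the allowed character set or length");
        }

        // A drop-down list and a radio group are only "fixed choices" inside the browser.
        // A proxy can send any string, so the value is compared against the allowed set.
        String country = params.get("country");
        if (country == null || !COUNTRIES.contains(country)) {
            errors.add("country: value is not one of the rendered options");
        }

        String plan = params.get("plan");
        if (plan == null || !PLANS.contains(plan)) {
            errors.add("plan: value is not one of the rendered radio buttons");
        }

        // An unchecked checkbox is simply absent from the request; if present it must be exactly "on".
        String newsletter = params.get("newsletter");
        if (newsletter != null && !NEWSLETTER.contains(newsletter)) {
            errors.add("newsletter: unexpected checkbox value");
        }

        // Parameters the form never rendered (e.g. an added "isAdmin") are rejected outright.
        for (String name : params.keySet()) {
            if (!KNOWN_PARAMS.contains(name)) {
                errors.add(name + ": unexpected parameter");
            }
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed sample request as the browser would submit it from the real form.
        Map<String, String> legitimate = Map.of(
                "username", "alice_01", "country", "DE", "plan", "pro", "newsletter", "on");

        // Same form, but the "fixed" inputs were rewritten in an intercepting proxy
        // and an extra parameter was appended.
        Map<String, String> tampered = Map.of(
                "username", "alice_01",
                "country", "<script>alert(1)</script>",
                "plan", "enterprise' OR '1'='1",
                "newsletter", "on; drop table users",
                "isAdmin", "true");

        System.out.println("legitimate -> " + validate(legitimate));
        System.out.println("tampered   -> " + validate(tampered));
    }
}
```

The checks deliberately compare against the set of values the server itself rendered rather than trying to recognise "bad" characters: a radio button or drop-down has a finite set of legal values, so the whitelist is exact, and the same routine runs regardless of whether the browser-side JavaScript was executed, altered, or bypassed.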
It is imperative that the validation of input be performed on the server side. Developers often
perform input validation only in JavaScript. We have all seen the alert boxes pop up with a message
such as "Please enter valid characters in the input field" or something to that effect. JavaScript
validation, as many of us know, is client-side validation and can easily be bypassed with a Web
application proxy that modifies the request after the browser has checked it, and sometimes (in the
case of badly written JavaScript) just by disabling JavaScript in the browser. This would nullify the
effect of the validation and data would go