Welcome to: Data Validation in Web Applications
Hi! I'm Scott Kirkland
• Slinging code @ UCDavis for 8 years
• Currently Sr. Application Architect for the College of Agricultural and Environmental Sciences Dean's Office
• Open source coder
  • https://github.com/srkirkland: MvcHtml5, Data Annotations Extensions, ITSecuritySymposium
  • https://github.com/ucdavis: UCDArch, Web Applications
• Co-founded the local .NET User Group
The most common web application security weakness is the failure to properly validate input from the client or environment. - OWASP[1]
Data validation in web applications
Aka: Trust No One Data
Input Validation
Topics:
Input Validation in Web Forms
Ensure user-supplied data:
• Is strongly typed
• Has correct syntax
• Is within length boundaries
• Contains only permitted characters
• Or, for numbers, is correctly signed and within range boundaries
• Is "business rule correct"
Client Side Validation
• Validate data on the client first
• Provides better feedback to the end user
• Makes your site feel more responsive
• Always validate on the server side as well! Client-side checks run in the visitor's browser, and an attacker can skip them by disabling JavaScript or posting the request directly (with a proxy or curl), so they are a usability feature, not a security control.
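The server-side half of that rule, as an added example that is not code from the slides: a validator for a small order form that applies each check from the list above (strong typing, syntax, length, permitted characters, sign and range, and a business rule) to values that arrive as untrusted strings in an HTTP request body. The field names, limits and the STOCK table are hypothetical, and the two request objects are constructed to show an honest submission next to one that skipped the browser entirely.

```javascript
// Added example, not code from the slides: a server-side validator for a small
// order form, applying each rule from the slide to values that arrive as
// untrusted strings in the HTTP request body. Field names, limits and the
// STOCK table are hypothetical.

const USERNAME_RE = /^[a-z0-9_]{3,20}$/i;       // permitted characters and length bounds
const ZIP_RE = /^[0-9]{5}$/;                    // correct syntax
const STOCK = { 'sku-100': 4, 'sku-200': 0 };   // constructed inventory, used by the business rule

// Strong typing: accept only a canonical decimal integer. parseInt("12abc") is 12
// and Number("1e3") is 1000, so a strict regex runs before the conversion.
function parseInteger(s) {
  if (!/^-?(0|[1-9][0-9]*)$/.test(s)) return null;
  const n = Number(s);
  return Number.isSafeInteger(n) ? n : null;
}

// Returns { ok, errors, value }: `value` holds the typed, validated fields and
// is the only thing the rest of the application should ever read.
function validateOrder(body) {
  const errors = {};
  const value = {};
  // Missing fields and non-string values (e.g. arrays from ?sku=a&sku=b) become "".
  const field = (name) => (typeof body[name] === 'string' ? body[name].trim() : '');

  // username: within length boundaries and only permitted characters
  const username = field('username');
  if (USERNAME_RE.test(username)) value.username = username;
  else errors.username = 'must be 3-20 letters, digits or underscores';

  // zip: correct syntax
  const zip = field('zip');
  if (ZIP_RE.test(zip)) value.zip = zip;
  else errors.zip = 'must be exactly five digits';

  // quantity: strongly typed, correctly signed, within range boundaries
  const quantity = parseInteger(field('quantity'));
  if (quantity === null) errors.quantity = 'must be a whole number';
  else if (quantity < 1 || quantity > 99) errors.quantity = 'must be between 1 and 99';
  else value.quantity = quantity;

  // sku: must be a known product (hasOwnProperty, so "__proto__" or "toString" do not pass)
  const sku = field('sku');
  if (!Object.prototype.hasOwnProperty.call(STOCK, sku)) {
    errors.sku = 'unknown product';
  } else {
    value.sku = sku;
    // business rule: cannot order more than is in stock
    if (value.quantity !== undefined && value.quantity > STOCK[sku]) {
      errors.quantity = `only ${STOCK[sku]} in stock`;
    }
  }

  return { ok: Object.keys(errors).length === 0, errors, value };
}

// What the browser sends after its own validation passed...
const HONEST_REQUEST = { username: 'scott_k', zip: '95616', quantity: '2', sku: 'sku-100' };
// ...and what an attacker sends with curl, never having run the client-side checks.
const TAMPERED_REQUEST = { username: 'bob<script>', zip: '9561x', quantity: '-1', sku: '__proto__' };

console.log(validateOrder(HONEST_REQUEST));   // ok: true, value.quantity is the number 2
console.log(validateOrder(TAMPERED_REQUEST)); // ok: false, four errors
```

The allow-list lookup uses `hasOwnProperty` rather than `in` on purpose: with `in`, a submitted `sku` of `__proto__` or `toString` would count as a known product.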
JavaScript Validation
• "Current" solution, useful & widely supported (probably about 95%)
• Any JavaScript error and the validation disappears; a visitor who turns JavaScript off, or posts the form directly, never runs it at all
• Fairly difficult to implement, though libraries help[3]
JavaScript Validation: Email
Is this a good email regex?
\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b
Yes, except when it isn't: non-English addresses and some TLDs (anything longer than four letters) are not covered, and no special characters are allowed in the local part. Two more things to check before using it as written: it relies on \b word boundaries rather than ^ and $ anchors, so it accepts any string that merely contains an address somewhere inside it, and its character classes are upper-case, so it only works with the case-insensitive flag.
How about this one (RFC 2822)?
(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])
Allows some crazy stuff, like \@scott\@=k@domain.com
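To see what the missing anchors cost, here is the simple regex from the slide run in Node exactly as written and then pinned to the whole string with ^ and $. This is an added example, not code from the slides; the sample addresses are constructed for the demonstration, and the slide's own "crazy" address is among them.

```javascript
// Added example, not code from the slides: the simple e-mail regex from the
// slide run exactly as written, then with ^ and $ anchors. The inputs are
// constructed for the demonstration.

// As written on the slide. Note two things: it has no ^/$ anchors, only \b word
// boundaries, and its classes are upper-case, so it needs the i flag to accept
// a lower-case address at all.
const SLIDE_EMAIL_RE = /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b/i;

// The same pattern pinned to the whole string, which is what a form field needs.
const ANCHORED_EMAIL_RE = /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i;

function matchesSlideRegex(s) { return SLIDE_EMAIL_RE.test(s); }
function matchesAnchoredRegex(s) { return ANCHORED_EMAIL_RE.test(s); }

// Shows which part of the input the unanchored regex actually matched.
function substringMatched(s) {
  const m = SLIDE_EMAIL_RE.exec(s);
  return m ? m[0] : null;
}

const SAMPLES = [
  'scott@ucdavis.edu',          // ordinary address: both accept
  '\\@scott\\@=k@domain.com',   // the slide's "crazy" address: only the unanchored regex accepts it
  'scott@ucdavis.edu<script>',  // junk around a valid address: only the unanchored regex accepts it
  'user@example.museum',        // a six-letter TLD: both reject, the "some TLDs not covered" case
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), matchesSlideRegex(s), substringMatched(s), matchesAnchoredRegex(s));
}
```

The unanchored version "accepts" the crazy address only because it finds `k@domain.com` inside it; whatever is stored is still the whole string. Anchoring fixes that, but does nothing for the TLD limit, which is a reason to prefer the browser's own `type="email"` check or a library over a hand-rolled pattern.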
Input Validation w/ HTML5
HTML5 Input Validation
Two major form validation innovations:
• New Input Types
• Constraint Validation
HTML5 Input Types
New input types were added to augment <input type="text" />
HTML5 Input Types
search, tel, url, email, number, range, color, datetime, date, month, week, time, datetime-local
(datetime was later dropped from the specification; datetime-local is the one that survived.)
HTML5 Input Types
• Gives semantic meaning to your forms
• Enables behaviors based on input type
DEMO: Html5 Input Types
HTML5 Input Types
• So, that was pretty cool
• Simply changing input types can add basic validation
• Benefits go beyond validation
• Additive only, no drawbacks: a browser that does not know a type simply renders it as a text box
HTML5 Input Types
<input type="email" />
<input type="url" />
HTML5 Input Types
<input type="tel" />
<input type="number" />
HTML5 Constraint Validation
• Required
• Pattern
• MaxLength
• Min/Max

HTML5 Constraint Validation
Required:  <input type="text" required />
MaxLength: <input type="text" maxlength="10" />
Pattern:   <input type="text" pattern="[0-9]{5}" />
(The browser matches pattern against the whole value, so ^ and $ are not needed there.)
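Because these attributes are the browser's check and nothing more, the server has to repeat them. The following added example (not code from the slides, and not the DataAnnotationsExtensions library mentioned in the speaker's bio, though it follows the same idea of one declaration feeding both sides) keeps a single schema object that renders the constraint attributes into the markup and also drives the server-side check on the submitted strings, so the two cannot drift apart. The field names and limits are hypothetical; the error names are the ValidityState flag names browsers expose, and the "tampered" submission is constructed.

```javascript
// Added example, not code from the slides: one schema object is the single
// source of truth for both the HTML5 constraint attributes rendered into the
// form and the check the server repeats on the submitted values, so the two
// cannot drift apart. The field names and limits are hypothetical; the error
// names mirror the ValidityState flags browsers expose.

const SIGNUP_SCHEMA = {
  email:    { type: 'email',  required: true, maxlength: 254 },
  zip:      { type: 'text',   required: true, pattern: '[0-9]{5}' },
  seats:    { type: 'number', required: true, min: 1, max: 10 },
  nickname: { type: 'text',   maxlength: 10 },
};

const escapeAttr = (s) => String(s)
  .replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Renders the markup the browser validates client-side.
function renderInput(name, rule) {
  const attrs = [`type="${escapeAttr(rule.type)}"`, `name="${escapeAttr(name)}"`];
  if (rule.required) attrs.push('required');
  for (const a of ['maxlength', 'pattern', 'min', 'max']) {
    if (rule[a] !== undefined) attrs.push(`${a}="${escapeAttr(rule[a])}"`);
  }
  return `<input ${attrs.join(' ')} />`;
}

// Server-side twin of the browser's constraint validation. `values` are the raw
// request strings; a field that is missing, repeated, or not a string counts as empty.
function checkConstraints(schema, values) {
  const errors = {};
  for (const [name, rule] of Object.entries(schema)) {
    const v = typeof values[name] === 'string' ? values[name] : '';
    if (v === '') {                                  // only `required` fires on an empty value
      if (rule.required) errors[name] = 'valueMissing';
      continue;
    }
    if (rule.maxlength !== undefined && v.length > rule.maxlength) {
      errors[name] = 'tooLong';
    } else if (rule.pattern !== undefined && !new RegExp(`^(?:${rule.pattern})$`, 'u').test(v)) {
      errors[name] = 'patternMismatch';              // browsers implicitly anchor pattern to the whole value
    } else if (rule.type === 'number') {
      const n = /^-?(\d+\.?\d*|\.\d+)([eE][-+]?\d+)?$/.test(v) ? Number(v) : NaN;
      if (Number.isNaN(n)) errors[name] = 'badInput';
      else if (rule.min !== undefined && n < rule.min) errors[name] = 'rangeUnderflow';
      else if (rule.max !== undefined && n > rule.max) errors[name] = 'rangeOverflow';
    } else if (rule.type === 'email' && !/^[^\s@]+@[^\s@]+$/.test(v)) {
      errors[name] = 'typeMismatch';                 // coarse stand-in for the browser's e-mail check
    }
  }
  return errors;
}

// The form the browser validates...
const FORM_HTML = Object.entries(SIGNUP_SCHEMA).map(([n, r]) => renderInput(n, r)).join('\n');
// ...and a constructed submission that skipped it (e.g. posted with curl).
const TAMPERED = { email: '', zip: '95616abc', seats: '0', nickname: 'x'.repeat(11) };

console.log(FORM_HTML);
console.log(checkConstraints(SIGNUP_SCHEMA, TAMPERED));
```

One detail worth knowing: in a browser, `maxlength` mostly stops the user typing past the limit, so `tooLong` rarely fires client-side; the server copy is the only place an over-long value is reliably caught. The number and e-mail checks here are deliberately simpler than the browser's algorithms and are labelled as such in the comments.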
DEMO: Html5 Constraints
Of course, this only works in HTML5-capable browsers. Older browsers ignore these new attributes, so the constraints silently disappear there (just as they do for anyone who posts the form without a browser). With JavaScript you can "polyfill" for "regressive" enhancement.
One More Thing…
Polyfill
A polyfill, or polyfiller, is a piece of code (or plugin) that provides the technology that you, the developer, expect the browser to provide natively.
Generally, you test the browser for a feature. If it is not present natively, use JavaScript to add the feature.
Develop for tomorrow… today!
Great library called Modernizr: http://www.modernizr.com/
• Helps with feature detection & media queries
• Allows older browsers to work with HTML5 elements
• Much more
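The "test for the feature, then fill it in" step in working code, as an added example that is neither from the slides nor from Modernizr: a probe that detects which input types and constraint attributes a browser supports, and a hook that installs a submit-time fallback only when native constraint validation is missing. It relies on two real browser behaviours: an unknown `type` reads back as `"text"`, and an unimplemented constraint attribute is absent as a property on the element. `doc` defaults to the real `document`; the stub documents and stub form below are constructed stand-ins (an old browser and a modern one) so the code also runs outside a browser. The `validate` checker is injected rather than written here, since it is whatever rule set the application already has.

```javascript
// Added example, not code from the slides or from Modernizr: the probe a
// polyfill runs before deciding whether to take over, plus the hook that
// installs a fallback only when needed. `doc` defaults to the real document;
// OLD_DOCUMENT and MODERN_DOCUMENT below are constructed stand-ins.

const PROBE_TYPES = ['email', 'url', 'tel', 'number', 'date', 'color'];
const PROBE_CONSTRAINTS = ['required', 'pattern', 'min', 'max', 'step'];

function detectFormFeatures(doc = globalThis.document) {
  const probe = doc.createElement('input');
  const types = {};
  for (const t of PROBE_TYPES) {
    probe.setAttribute('type', t);
    types[t] = probe.type === t;                  // reads back "text" when unsupported
  }
  const constraints = {};
  for (const a of PROBE_CONSTRAINTS) constraints[a] = a in probe;
  return { types, constraints, nativeValidation: typeof probe.checkValidity === 'function' };
}

// Installs a submit-time check only when native constraint validation is
// missing. `validate(values)` is whatever checker the application already has
// and returns a field -> error map; `onError` shows the messages to the user.
function installFallbackValidation(form, features, validate, onError) {
  if (features.nativeValidation) return false;    // the browser does this itself
  form.addEventListener('submit', (event) => {
    const values = {};
    for (const el of form.elements) if (el.name) values[el.name] = el.value;
    const errors = validate(values);
    if (Object.keys(errors).length > 0) {
      event.preventDefault();                       // keep the bad submission off the wire
      onError(errors);
    }
  });
  return true;
}

// Constructed stand-in documents: OLD_DOCUMENT knows only type="text" and has no
// constraint properties; MODERN_DOCUMENT supports everything probed above.
function stubDocument(supportedTypes, supportsConstraints) {
  return {
    createElement() {
      const attrs = {};
      const el = {
        setAttribute(k, v) { attrs[k] = v; },
        get type() { return supportedTypes.includes(attrs.type) ? attrs.type : 'text'; },
      };
      if (supportsConstraints) {
        Object.assign(el, { required: false, pattern: '', min: '', max: '', step: '' });
        el.checkValidity = () => true;
      }
      return el;
    },
  };
}
const OLD_DOCUMENT = stubDocument(['text'], false);
const MODERN_DOCUMENT = stubDocument(['text', ...PROBE_TYPES], true);

// Constructed stand-in form: records submit listeners and reports whether a
// submission went through.
function stubForm(fields) {
  const listeners = [];
  return {
    elements: Object.entries(fields).map(([name, value]) => ({ name, value })),
    addEventListener(type, fn) { if (type === 'submit') listeners.push(fn); },
    trySubmit() {
      const event = { defaultPrevented: false, preventDefault() { this.defaultPrevented = true; } };
      for (const fn of listeners) fn(event);
      return !event.defaultPrevented;
    },
  };
}

console.log(detectFormFeatures(OLD_DOCUMENT));
console.log(detectFormFeatures(MODERN_DOCUMENT));
```

Detecting support for a type by setting it and reading it back is the same trick Modernizr's `inputtypes` test uses; detecting an attribute with `in` is how `required` and `pattern` support was found before they were universal.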
DEMO: Polyfills
HTML5 Data Validation: Pragmatic Advice
Use the new input types
• They may do data validation for you
• Make your users happy (iOS & more)
• They will keep getting better
• Native experience
Constraint Validation
• Useful as a "first line of defense" on the client, or as a backup when a script fails
• You should continue to use JavaScript for client validation
• Neither replaces server-side validation: the browser's checks run on a machine you do not control


Recap: Validating Web Forms
• Makes the experience better for your users
• Results in better, more reliable data
• First line of defense against a plethora of vulnerabilities

Thanks for listening
I'm Scott Kirkland
Email: [email protected]
Blog: http://weblogs.asp.net/srkirkland/
GitHub:
• Personal: https://github.com/srkirkland/
• UCDavis: https://github.com/ucdavis/
Slides and demo: https://github.com/srkirkland/ITSecuritySymposium

Editor's Notes

  • #3: Scott Kirkland has been writing web applications at UC Davis for eight years, currently in his capacity as Senior Application Architect for the College of Agricultural and Environmental Sciences Dean's Office. Scott has also created and released several open-source projects including the architectural framework UCDArch (https://github.com/ucdavis/UCDArch) for developing secure ASP.NET MVC applications at UC Davis, as well as DataAnnotationsExtensions (http://dataannotationsextensions.org) for extending client and server validation in .NET applications. Scott enjoys educating other developers and co-founded the UC Davis .NET User Group and recently led a three day workshop about ASP.NET MVC for several dozen UC Davis developers.
  • #5: The most common web application security weakness is the failure to properly validate input from the client or environment. This weakness leads to almost all of the major vulnerabilities in applications, such as Interpreter Injection, locale/Unicode attacks, file system attacks and buffer overflows. Data from the client should never be trusted for the client has every possibility to tamper with the data.
  • #8: Possibly include SQL injection, XSS, etc.
  • #9: Possibly include XSS, depending on time
  • #10: https://www.owasp.org/index.php/Data_Validation#Data_Validation_and_Interpreter_Injection
  • #11: Might decrease bandwidth
  • #12: "Current" because it isn't really going to go anywhere, but it is "all we have". Most frameworks don't come with much in the way of help, and when they do it's complex and they contain lots of messy JavaScript.
  • #13: May not want to use this slide…
  • #14: Html5 to the rescue?
  • #16: Type=“text” but what kind of text? HTML5 goes further
  • #17: Search – assistive technologies like screen reader
  • #18: Type=“text” but what kind of text? HTML5 goes further
  • #19: <input type='text' /> Show output, looks like regular text box. <input type='email' /> Show output, looks the same, but show how iPhone and Opera treat it differently. Also, type='email' validates email! Same thing with url: <input type='url' />. Same with number: <input type='number' />. Even can do min/max with number.
  • #20: You could style them independently, different sizes for email, etc
  • #21: Also tel you get the keypad, number you get a special input too. Screenshots from http://diveintohtml5.org/forms.html
  • #22: Also tel you get the keypad, number you get a special input too. Screenshots from http://diveintohtml5.org/forms.html
  • #25: http://miketaylr.com/code/input-type-attr.html Show in FF, Chrome, Explorer (nothing breaks with Explorer, completely additive)
  • #27: Html5 validation constraints
  • #28: http://remysharp.com/2010/10/08/what-is-a-polyfill/
  • #29: Widely used: Google, Twitter, Microsoft (ships with MVC)
  • #30: http://miketaylr.com/code/input-type-attr.html Show in FF, Chrome, Explorer (nothing breaks with Explorer, completely additive)
  • #32: Really, no downside
  • #33: Really, no downside