In many of today's web applications input validation is either non-existent,
only occurs on the client via JavaScript, or in a few cases actually happens
on the server (where it should be regardless of whether it occurs on the
client side or not). So you may say, "OK, I have mine on the server, so I am
fine, right?" Well, the real answer is maybe. The reason I say maybe is
because that complex validation logic you have is of no use if it is not
maintainable.

This brings me to my first issue with the way most input validation is
implemented today. The problem is that all of this input validation is not
centralized in the application. On the contrary, it is tightly coupled with
the business logic, oftentimes located in the same class as the business
logic implementation. So, I hear you asking, "Why is this bad?" and "That is
just good OOP principles to have the validation logic in the same object
that controls and manipulates the data. It's called Object Relevance." Well,
let me offer a slightly different perspective on that. Tightly coupling
the validation logic with the business logic and/or data also violates a key
principle of OOP: Single Responsibility.

The problem with this tight integration is that you now have duplicate logic
throughout your application, which inevitably will become a nightmare to
maintain when the time arises. Secondly, and also attributable to the
distribution of validation logic, multiple endpoints in the application are
trapping and reporting errors back to the user. With all of these endpoints, the
reporting can become very difficult and often impossible to keep
consistent throughout the application. This becomes highly apparent in
large-scale enterprise applications when user testing starts. Lastly, these same
endpoints are also most likely logging potential security-related exceptions,
such as failed login attempts and database exceptions, to the application's
audit logs. (You do have audit logs, don't you?)

So, where should all of this validation occur? The answer is surprisingly
simple and draws on those OOP principles you so tightly clung to earlier.
Validation should exist in its own set of classes that are externally
configurable (properties files, XML config files, etc.), are extensible (they
can be customized to what the application needs), and be generic enough to
be used across multiple applications. If you are looking for a word to sum
up all of these characteristics, it is framework. In my opinion, a framework
is the only way to go and there are some good ones out there already. 
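To make those characteristics concrete, here is a small added example (mine, not code from the post or from any of the frameworks it names): the rules live in one configuration structure that stands in for a properties/XML file, a single Validator applies them at the application boundary, and every failure goes through one error type and one audit-log call. The RULES set, the `audit` logger name and `register_user` are constructed for illustration.

```python
"""Centralized, configuration-driven input validation (illustrative example)."""
import logging
import re

audit = logging.getLogger("audit")  # hypothetical audit logger name

# Constructed rule set; in a real deployment this is loaded from a
# properties/XML/JSON file so rules change without touching business logic.
RULES = {
    "username": {"regex": r"^[A-Za-z0-9_]{3,32}$", "required": True},
    "email":    {"regex": r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$", "required": True},
    "age":      {"regex": r"^\d{1,3}$", "required": False, "max_len": 3},
}


class ValidationError(ValueError):
    """The single error type every endpoint reports back to the user."""


class Validator:
    """One place that knows the rules; business logic never re-implements them."""

    def __init__(self, rules):
        self.rules = {k: dict(v, _re=re.compile(v["regex"])) for k, v in rules.items()}

    def validate(self, form):
        errors = {}
        for field in form:                      # allowlist: unknown fields are rejected
            if field not in self.rules:
                errors[field] = "unexpected field"
        for field, rule in self.rules.items():
            value = form.get(field)
            if value in (None, ""):
                if rule.get("required"):
                    errors[field] = "required"
                continue
            if "max_len" in rule and len(value) > rule["max_len"]:
                errors[field] = "too long"
            elif not rule["_re"].fullmatch(value):
                errors[field] = "invalid format"
        if errors:                              # one consistent audit record per failure
            audit.warning("validation failed fields=%s", sorted(errors))
            raise ValidationError(errors)
        return {f: form[f] for f in self.rules if form.get(f)}


VALIDATOR = Validator(RULES)


def register_user(form, validator=VALIDATOR):
    """Business logic only ever sees data that already passed the validator."""
    try:
        clean = validator.validate(form)
    except ValidationError as e:
        return {"ok": False, "errors": e.args[0]}   # uniform error shape for the UI
    return {"ok": True, "user": clean["username"]}
```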

One of my personal favorites is the Struts Validator Framework
<http://struts.apache.org/1.3.8/faqs/validator.html>. More information on
Struts can be found here <http://struts.apache.org/>. Another great framework
that has validation as one of its primary tenets is the OWASP ESAPI
<http://www.owasp.org/index.php/ESAPI>. This framework provides a complete set
of functionality that any developer would need to implement to fully secure
their application. The ESAPI not only provides great input validation, but
also offers secure session management, robust access control solutions, as
well as security logging features, just to name a few. For applications that
are already built and deployed and are just looking to beef up on input
validation, Stinger
<http://www.owasp.org/index.php/Category:OWASP_Stinger_Project> is another
solution also offered by the OWASP Project. Stinger is part of the OWASP
Validation Project
<http://www.owasp.org/index.php/Category:OWASP_Validation_Project>. Lastly,
and always an option, is for developers to write their own custom validation
engine, though this is not recommended due to the time and effort required
and the fact that so many proven systems already exist.

So, what is the overall point of all of this? Input validation is the first
line of defense when protecting your application from attacks. It must be
done, and it must be done right.

Posted by Matt Presson at
<http://coding-insecurity.blogspot.com/2008/05/simple-robust-input-validation.html>
9:03 PM
