The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


Chapter 2  ■ Core Defense Mechanisms








where, and defending against malicious input is often not as straightforward as it sounds.



Varieties of Input

A typical web application processes user-supplied data in a range of different forms. Some kinds of input validation may not be feasible or desirable for all of these forms of input. Figure 2-4 shows the kind of input validation often performed by a user registration function.

In many cases, an application may be able to impose very stringent validation checks on a specific item of input. For example, a username submitted to a login function may be required to have a maximum length of eight characters and contain only alphabetical letters.

In other cases, the application must tolerate a wider range of possible input. For example, an address field submitted to a personal details page might legitimately contain letters, numbers, spaces, hyphens, apostrophes, and other characters. For this item, there are still restrictions that can feasibly be imposed, however. The data should not exceed a reasonable length limit (such as 50 characters), and should not contain any HTML mark-up.

In some situations, an application may need to accept completely arbitrary input from users. For example, a user of a blogging application may create a blog whose subject is web application hacking. Posts and comments made to the blog may quite legitimately contain explicit attack strings that are being discussed. The application may need to store this input within a database, write it to disk, and display it back to users in a safe way. It cannot simply reject the input because it looks potentially malicious without substantially diminishing the value of the application to some of its user base.

Figure 2-4: An application performing input validation
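The three cases above (a stringent whitelist for a username, a permissive whitelist with a length cap and a mark-up check for an address, and arbitrary blog input that is stored verbatim and made safe on output) can be written down as a small validation and rendering layer. The code below is an added example, not the book's own code. The limits (eight alphabetic characters for the username, 50 characters and no HTML mark-up for the address) are the chapter's; the exact address character set, the function names and the decision to treat anything that looks like a tag as "HTML mark-up" are this example's assumptions.

```python
import html
import re

# Rule sets. The username and address limits follow the chapter's examples;
# the precise address character set is an assumption of this example.
USERNAME_RE = re.compile(r"[A-Za-z]{1,8}")
# Letters, digits, spaces, hyphens, apostrophes, commas and full stops.
ADDRESS_CHARS_RE = re.compile(r"[A-Za-z0-9 \-',.]*")
# Anything that opens an HTML tag; used to reject mark-up outright.
TAG_RE = re.compile(r"<[^>]*>?")


def validate_username(value):
    """Stringent whitelist: at most eight letters, nothing else.

    Returns (accepted, reason) so the caller can report why a value failed.
    """
    if USERNAME_RE.fullmatch(value):
        return (True, "ok")
    return (False, "username must be 1-8 letters (A-Z, a-z) only")


def validate_address(value):
    """Permissive whitelist: wider character set, but still bounded.

    Order matters for the reported reason: length first, then mark-up,
    then the character whitelist.
    """
    if not value or len(value) > 50:
        return (False, "address must be 1-50 characters")
    if TAG_RE.search(value):
        return (False, "address must not contain HTML mark-up")
    if not ADDRESS_CHARS_RE.fullmatch(value):
        return (False, "address contains a disallowed character")
    return (True, "ok")


def render_post(body):
    """Arbitrary input is accepted and stored as-is; safety comes from
    encoding it on output so the browser displays an attack string as text
    instead of interpreting it as mark-up."""
    return html.escape(body, quote=True)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real application.
    for name in ("alice", "bob12", "ALongUsername"):
        print(repr(name), validate_username(name))
    for addr in ("12 O'Neill-Street, Flat 3", "12 Main <b>St</b>", "x" * 51):
        print(repr(addr), validate_address(addr))
    print(render_post("<script>alert('xss')</script>"))
```

The point of `render_post` is that the blogging case is not solved at input time at all: the string is kept exactly as the user typed it, and the encoding happens at the boundary where it is placed into an HTML page.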

In addition to the various kinds of input that are entered by users via the browser interface, a typical application also receives numerous items of data that began their life on the server and that are sent to the client so that the client



