InputValidation
Data sent to a program needs to be validated. If not properly checked, input data may cause illegal or malicious behavior, especially if it is interpreted. Interpreted data may be queries (SQL, XML, LDAP), commands, scripts, regular expressions, or format strings.
We take a look at ways of abusing/attacking Java programs that do not properly validate their inputs.
- program inputs: standard input, sockets, forms, IPC, files, environment
- interpreting program inputs
- sanitization vs validation (admitting and rejecting input)
- injection attacks
- denial of service attacks due to malformed input
Enter the 03-input-validation/sql-injection/ subfolder in the repository. Think of ways of abusing the program and leaking entries in the database. You need to abuse the database query by providing invalid input. Fix the issue.
To be able to run the program you need to download the SQLite JDBC jar file from here.
You run the program by using a command such as the one below:

```
java -cp .:sqlite-jdbc-3.27.2.1.jar SQLiteJDBC aionescu iej0eixeTail
```
Based on: IDS00
Hint: You can "abuse" the password argument.
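The following is an added example, not the SQLiteJDBC program from the repository. It shows the defect class side by side with the fix: a query assembled by string concatenation, and the same query as a PreparedStatement. The table name `users` and its two columns are assumptions made for this example; the one row inserted is constructed from the credentials in the command above, and the in-memory database means it runs with only the SQLite JDBC jar on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example (not the repository's code). Assumed schema: users(name TEXT, password TEXT).
public class SafeLogin {

    // VULNERABLE: the query text is assembled from the arguments, so a quote or
    // other SQL syntax inside "password" becomes part of the statement and can
    // change what the WHERE clause matches.
    static boolean checkUnsafe(Connection conn, String user, String password) throws SQLException {
        String sql = "SELECT name FROM users WHERE name = '" + user
                   + "' AND password = '" + password + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // FIXED: a PreparedStatement sends the query shape and the values separately;
    // the driver never re-parses the values as SQL, whatever characters they hold.
    static boolean checkSafe(Connection conn, String user, String password) throws SQLException {
        String sql = "SELECT name FROM users WHERE name = ? AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Allow-list validation in front of the query: reject anything that is not a
    // plausible account name before it reaches the database at all.
    static boolean isValidUsername(String user) {
        return user != null && user.matches("[A-Za-z0-9_.-]{1,32}");
    }

    public static void main(String[] args) throws SQLException {
        if (args.length != 2 || !isValidUsername(args[0])) {
            System.err.println("usage: SafeLogin <username> <password>");
            System.exit(1);
        }
        // In-memory database with one constructed row, so the example runs without a file.
        // (Plaintext password storage is kept only to mirror the exercise; it is not the lesson here.)
        try (Connection conn = DriverManager.getConnection("jdbc:sqlite::memory:");
             Statement st = conn.createStatement()) {
            st.executeUpdate("CREATE TABLE users(name TEXT, password TEXT)");
            st.executeUpdate("INSERT INTO users VALUES('aionescu', 'iej0eixeTail')");
            System.out.println("concatenated query matched: " + checkUnsafe(conn, args[0], args[1]));
            System.out.println("prepared query matched:     " + checkSafe(conn, args[0], args[1]));
        }
    }
}
```

Compile and run it the same way as the exercise program (`java -cp .:sqlite-jdbc-3.27.2.1.jar SafeLogin <user> <password>`). With the correct credentials both methods return true; the difference only shows when the password argument carries SQL syntax, which the concatenated query interprets and the prepared statement treats as plain text.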
Enter the 03-input-validation/xml-injection/ subfolder in the repository. Think of ways of abusing the XMLInjection program by providing input as shown in the comments. Use the XMLReader program to read and parse the XML file. Fix the issue.
Based on: IDS16
See documentation of XML parsing in Java here.
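As an added example (not the XMLInjection or XMLReader program from the repository), the two ways of turning user input into an XML record: concatenating it into markup, which lets markup characters in the value alter the document, and building the document through the DOM API, where `setTextContent()` stores the value as character data and the serializer escapes it. The element names `account`, `user` and `role` are assumptions for this example, as is the sample input.

```java
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Added example (not the repository's code). Element names are assumptions.
public class XmlRecordWriter {

    // VULNERABLE: the user-supplied value is pasted straight into markup, so a
    // value containing '<', '>' or '&' changes the document structure (or makes
    // it ill-formed) instead of being stored as text.
    static String buildUnsafe(String user, String role) {
        return "<account><user>" + user + "</user><role>" + role + "</role></account>";
    }

    // FIXED: let the DOM API create the nodes. setTextContent() stores the value
    // as character data and the serializer writes it as &lt; &gt; &amp;, so the
    // input can never open or close an element.
    static String buildSafe(String user, String role) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element account = doc.createElement("account");
        doc.appendChild(account);
        Element userEl = doc.createElement("user");
        userEl.setTextContent(user);
        account.appendChild(userEl);
        Element roleEl = doc.createElement("role");
        roleEl.setTextContent(role);
        account.appendChild(roleEl);

        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    // Validation alternative: an allow-list on the field rejects markup outright,
    // which is the right choice when a user name has no business containing it.
    static boolean isValidUser(String user) {
        return user != null && user.matches("[A-Za-z0-9_.-]{1,32}");
    }

    public static void main(String[] args) throws Exception {
        // Constructed input carrying markup characters.
        String user = args.length > 0 ? args[0] : "b<o>b & co";
        System.out.println("unsafe: " + buildUnsafe(user, "user"));
        System.out.println("safe:   " + buildSafe(user, "user"));
        System.out.println("valid:  " + isValidUser(user));
    }
}
```

Feed the `safe:` output to the XMLReader program and it parses as a single `user` element whose text is the original value; the `unsafe:` output for the same input does not parse at all, and with a more carefully shaped value it parses into a different structure than the writer intended.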
Enter the 03-input-validation/xml-bomb/ subfolder in the repository. See what happens when you run the XMLReader program. Fix the issue by uncommenting the lines at the beginning of the main() method.
This is an example of the Billion laughs attack.
Discussions on preventing the attack are here.
Enter the 03-input-validation/xxe/ subfolder in the repository. See what happens when you run the XMLReader program. Fix the issue by uncommenting the lines at the beginning of the main() method.
See a description of the attack here.
Discussions on preventing the attack are here.
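Both the xml-bomb and the xxe exercises above are fixed at the same place, the parser configuration, because both the entity definitions of a billion-laughs file and the external entity of an XXE file live in the DTD. The following is an added example of a hardened reader (not the repository's XMLReader, whose commented-out lines may differ): it disallows the DOCTYPE declaration outright and, as defence in depth, switches off external entities, external DTD loading, XInclude and entity expansion, and enables the JDK's secure-processing limits. The feature URIs are the standard ones supported by the JDK's built-in Xerces parser.

```java
import java.io.File;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Added example (not the repository's XMLReader).
public class HardenedXmlReader {

    // Returns a DocumentBuilder that refuses DTDs entirely. Rejecting the DOCTYPE
    // stops both the entity-expansion bomb and external entity resolution before
    // any entity is defined.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Strongest single setting: any <!DOCTYPE ...> aborts parsing.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, for deployments where a DTD must be tolerated:
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Enables the JDK's entity-expansion and size limits (jdk.xml.entityExpansionLimit etc.).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder();
    }

    // Parses a file and reports whether the parser accepted it; a file carrying a
    // DOCTYPE is rejected with a SAXParseException rather than expanded or fetched.
    static boolean parseSafely(File xml) {
        try {
            Document doc = hardenedBuilder().parse(xml);
            System.out.println("root element: " + doc.getDocumentElement().getNodeName());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        } catch (Exception e) {
            System.out.println("error: " + e);
            return false;
        }
    }

    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: HardenedXmlReader <file.xml>");
            System.exit(1);
        }
        parseSafely(new File(args[0]));
    }
}
```

Run it against the XML files of both subfolders: each is reported as rejected at the DOCTYPE line, whereas a plain document without a DTD parses and prints its root element. If an application genuinely needs DTDs, drop only the first `setFeature` line and keep the rest; the secure-processing limits then still cap entity expansion, and the external-entity features still keep the parser from reading local files or making network requests.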
Enter the 03-input-validation/format/ subfolder in the repository. Check the source code, find the issue with it, and leak information that is not otherwise available. Fix the issue.
Based on: IDS07
A summary of the format() method is here. Check the Date and Time Formatting section and the Argument Index section.