
Razvan Deaconescu edited this page Jun 4, 2019 · 2 revisions

Input Validation

Data sent to a program needs to be validated. If not properly checked, input data may cause illegal or malicious behavior, especially if it is interpreted. Interpreted data includes queries (SQL, XML, LDAP), commands, scripts, regular expressions and format strings.

We take a look at ways of abusing/attacking Java programs that do not properly validate their inputs.

Concepts

program inputs: standard input, sockets, forms, IPC, files, environment

interpreting program inputs

sanitization vs validation (admitting and rejecting input)

injection attacks

denial of service attacks due to malformed input

Tasks

SQL Injection

Enter the 03-input-validation/sql-injection/ subfolder in the repository. Think of ways of abusing the program to leak entries in the database: you need to abuse the database query by providing invalid input. Fix the issue.

To be able to run the program you need to download the SQLite JDBC jar file from here.

You run the program with a command such as the one below:

java -cp .:sqlite-jdbc-3.27.2.1.jar SQLiteJDBC aionescu iej0eixeTail

Based on: IDS00

Hint: You can "abuse" the password argument.

XML Injection

Enter the 03-input-validation/xml-injection/ subfolder in the repository. Think of ways of abusing the XMLInjection program by providing input as shown in the comments. Use the XMLReader program to read and parse the XML file. Fix the issue.

Based on: IDS16

See documentation of XML parsing in Java here.

XML Bomb

Enter the 03-input-validation/xml-bomb/ subfolder in the repository. See what happens when you run the XMLReader program. Fix the issue by uncommenting the lines at the beginning of the main() method.

This is an example of the Billion laughs attack.

Discussions on preventing the attack are here.

XML External Entity (XXE)

Enter the 03-input-validation/xxe/ subfolder in the repository. See what happens when you run the XMLReader program. Fix the issue by uncommenting the lines at the beginning of the main() method.

See a description of the attack here.

Discussions on preventing the attack are here.

Format String

Enter the 03-input-validation/format/ subfolder in the repository. Check the source code, find the issue with it, leak information that is not otherwise available. Fix the issue.

Based on: IDS07

A summary of the format() method is here. Check the Date and Time Formatting section and the Argument Index section.
