[OWASP-GUIDE] Source Code Examples
mckenna at bluedot.com
Mon Jan 6 01:26:28 EST 2003
I made an outline of some source code examples I'd like to add
to the Guide. I did this based on the contents of version 1.1.1
of the Guide. I haven't had time to read all the great new stuff
that's coming for the next version (1.2, I assume). So feel
free to suggest new stuff.
I can only do examples in Java (which I'll do with a J2EE focus)
and in Perl. If someone else wants to contribute .NET examples
from the Microsoft world, that would be great.
Here is a rough outline of the code samples I will add.
validating all input
show how the input data is obtained from the framework (J2EE, Perl)
a simple example of how it can be inspected (J2EE, Perl)
a simple example of how to reject input and throw an error (J2EE, Perl)
a simple example of how to sanitize and accept data (J2EE, Perl)
reference to suitable libraries? (J2EE, Perl)
* Note, I want to keep these examples simple and short.
They are not intended to be a real solution for anyone's
needs. Finding the right solution for your applications
needs in the area of data input validation is not a
simple task. The single greatest thing to show, in my view,
is how to get the input data in one central place so that
all requests are examined.
constructing JDBC queries using PreparedStatement (J2EE)
constructing queries using DBI in Perl (Perl)
centralizing query execution in a single or small set
of methods to enable inspection of data post-query.
* Again, just simple examples to show the right way to do
it. The explanation of why it is the right way is already
in the 1.1 version of the text. Actually, come to think
of it, there is no text saying why your queries should
be executed from a common function or small set of
functions. I think this is important and will add some
text to the SQL portion explaining why.
Session management (J2EE)
detecting a new session
reinstating a session based on a cookie
* Of course the decision to reinstate a session based on
data saved in a persistent cookie is one that must be
Detecting parameter manipulation
via inclusion of a form digest (J2EE)
* Most of the techniques for avoiding parameter manipulation
involve keeping sensitive parameters out of the HTML source.
Showing examples of how to keep things out of the source
is probably not that interesting. However, an example of how
to detect if a parameter that should not have been altered
was altered is interesting and not entirely trivial.
My intention was to put the samples in an appendix (or two) and
refer to them at relevant points in the text.
Comments, suggestions, criticisms, welcome.
More information about the Owasp-guide