[OWASP-GUIDE] Source Code Examples

Gene McKenna mckenna at bluedot.com
Mon Jan 6 01:26:28 EST 2003


Hi Gang,

I made an outline of some source code examples I'd like to add
to the Guide. I did this based on the contents of version 1.1.1
of the Guide. I haven't had time to read all the great new stuff
that's coming for the next version (1.2, I assume). So feel 
free to suggest new stuff.

I can only do examples in Java (which I'll do with a J2EE focus)
and in Perl. If someone else wants to contribute .NET examples
from the Microsoft world, that would be great. 

Here is a rough outline of the code samples I will add.

  validating all input
	show how the input data is obtained from the framework (J2EE, Perl)
	a simple example of how it can be inspected (J2EE, Perl)
	a simple example of how to reject input and throw an error (J2EE, Perl)
	a simple example of how to sanitize and accept data (J2EE, Perl)
	reference to suitable libraries? (J2EE, Perl)

	* Note, I want to keep these examples simple and short.
	They are not intended to be a real solution for anyone's
	needs. Finding the right solution for your application's
	needs in the area of data input validation is not a 
	simple task. The single greatest thing to show, in my view,
	is how to get the input data in one central place so that
	all requests are examined.
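An added example of that central place (editor's illustration, not code from the Guide or from Gene): every parameter passes through one `validate` method before any handler sees it. The parameter map has the `String -> String[]` shape of `ServletRequest.getParameterMap()` but is a plain `Map` here so the class runs without a servlet container; the per-parameter rules, the `MAX_LENGTH` limit and the sample requests are all constructed for the example.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Single validation choke point: handlers only ever see the map returned by
// validate(), never the raw request parameters.
public class InputGate {

    /** Thrown when a request carries a parameter that fails validation. */
    public static class InvalidInputException extends Exception {
        public InvalidInputException(String message) { super(message); }
    }

    // Hypothetical per-parameter rules: each expected parameter gets a
    // whitelist pattern; anything not listed here is rejected outright.
    private static final Map<String, Pattern> RULES = new HashMap<>();
    private static final int MAX_LENGTH = 64;
    static {
        RULES.put("username", Pattern.compile("^[A-Za-z0-9_]{3,32}$"));
        RULES.put("age",      Pattern.compile("^[0-9]{1,3}$"));
        RULES.put("comment",  Pattern.compile("^[\\p{Alnum} .,!?'-]*$"));
    }

    /**
     * Inspects every parameter and returns a sanitized copy (trimmed, exactly
     * one value per name), or throws so the request is rejected as a whole.
     */
    public static Map<String, String> validate(Map<String, String[]> raw)
            throws InvalidInputException {
        Map<String, String> clean = new HashMap<>();
        for (Map.Entry<String, String[]> e : raw.entrySet()) {
            String name = e.getKey();
            Pattern rule = RULES.get(name);
            if (rule == null) {
                throw new InvalidInputException("unexpected parameter: " + name);
            }
            String[] values = e.getValue();
            if (values == null || values.length != 1) {
                throw new InvalidInputException("parameter must appear exactly once: " + name);
            }
            String value = values[0].trim();
            if (value.length() > MAX_LENGTH || !rule.matcher(value).matches()) {
                throw new InvalidInputException("rejected value for parameter: " + name);
            }
            clean.put(name, value);
        }
        return Collections.unmodifiableMap(clean);
    }

    public static void main(String[] args) {
        // Constructed sample requests: one well-formed, one with a bad username.
        Map<String, String[]> good = new HashMap<>();
        good.put("username", new String[] {"alice_01"});
        good.put("age", new String[] {" 42 "});

        Map<String, String[]> bad = new HashMap<>();
        bad.put("username", new String[] {"alice!!"});

        try {
            System.out.println("accepted: " + validate(good));
            validate(bad);
        } catch (InvalidInputException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

In a J2EE application the natural home for the call is a `javax.servlet.Filter` that invokes `InputGate.validate(request.getParameterMap())` and sends an error response when it throws, which is what makes the inspection apply to all requests rather than to whichever servlets remembered to do it.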

  SQL queries
	constructing JDBC queries using PreparedStatement (J2EE)
	constructing queries using DBI in Perl (Perl)
	centralizing query execution in a single or small set
	   of methods to enable inspection of data post-query.

	* Again, just simple examples to show the right way to do
	it. The explanation of why it is the right way is already
	in the 1.1 version of the text. Actually, come to think
	of it, there is no text saying why your queries should
	be executed from a common function or small set of 
	functions. I think this is important and will add some
	text to the SQL portion explaining why.
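An added example of both points above (editor's illustration, not code from the Guide or from Gene): one `query` method is the only place that executes SQL, and every piece of variable data reaches it as a bind parameter on a `PreparedStatement`. The class compiles against the `java.sql` API in the JDK, but it assumes the caller supplies a `Connection` from some JDBC driver and a `users` table with `id`, `email` and `username` columns; neither is part of the example. The string-concatenation method is kept only to show the contrast.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public final class QueryRunner {
    private QueryRunner() {}

    // The unsafe pattern, for contrast only: user data spliced into SQL text,
    // where a quote character in the input changes the meaning of the query.
    static String unsafeSql(String username) {
        return "SELECT id, email FROM users WHERE username = '" + username + "'";
    }

    /**
     * Single entry point for every query. The SQL text is a constant owned by
     * the data-access code; all variable data travels through bind parameters,
     * so the database never parses it as SQL. Rows come back as column -> value.
     */
    public static List<Map<String, Object>> query(Connection conn, String sql, Object... params)
            throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            for (int i = 0; i < params.length; i++) {
                ps.setObject(i + 1, params[i]);   // JDBC bind positions are 1-based
            }
            try (ResultSet rs = ps.executeQuery()) {
                ResultSetMetaData md = rs.getMetaData();
                int cols = md.getColumnCount();
                List<Map<String, Object>> rows = new ArrayList<>();
                while (rs.next()) {
                    Map<String, Object> row = new LinkedHashMap<>();
                    for (int c = 1; c <= cols; c++) {
                        row.put(md.getColumnLabel(c), rs.getObject(c));
                    }
                    rows.add(row);
                }
                return rows;
            }
        }
    }

    // Query text lives here as a constant with a '?' placeholder; it is never
    // assembled from request data.
    private static final String FIND_USER =
        "SELECT id, email FROM users WHERE username = ?";

    public static List<Map<String, Object>> findUser(Connection conn, String username)
            throws SQLException {
        return query(conn, FIND_USER, username);
    }
}
```

Because every statement goes through `query`, that one method is also where post-query inspection (row counts, logging, timing) can be added once and apply everywhere, which is the argument for the common function that the text above says is missing from the Guide.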

  Session management (J2EE)
	detecting a new session 
	reinstating a session based on a cookie
	
	* Of course the decision to reinstate a session based on
	data saved in a persistent cookie is one that must be
	made carefully.

  Detecting parameter manipulation 
	via inclusion of a form digest (J2EE)

	* Most of the techniques for avoiding parameter manipulation
	involve keeping sensitive parameters out of the HTML source.
	Showing examples of how to keep things out of the source
	is probably not that interesting. However, an example of how
	to detect if a parameter that should not have been altered
	was altered is interesting and not entirely trivial.
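An added example of the form digest idea (editor's illustration, not code from the Guide or from Gene), runnable with the JDK alone: the server computes an HMAC-SHA256 over the fields that must not change, emits it as a hidden field, and recomputes it on submission. The key, the field names and the sample checkout form are constructed for the example; the key is assumed to come from server-side configuration in a real deployment.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class FormDigest {
    private static final String ALGORITHM = "HmacSHA256";
    private final SecretKeySpec key;

    // The key never leaves the server; a client that can read the HTML must
    // not be able to recompute a digest for altered values.
    public FormDigest(byte[] serverKey) {
        this.key = new SecretKeySpec(serverKey, ALGORITHM);
    }

    /**
     * Canonical encoding of the protected fields: sorted by name, each name and
     * value length-prefixed so that '&' or '=' inside a value cannot make two
     * different field sets encode to the same string.
     */
    private static String canonical(Map<String, String> fields) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<>(fields).entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(e.getKey().length()).append(':').append(e.getKey())
              .append('=').append(e.getValue().length()).append(':').append(e.getValue());
        }
        return sb.toString();
    }

    /** Digest to place in a hidden field when the form is rendered. */
    public String sign(Map<String, String> fields) {
        try {
            Mac mac = Mac.getInstance(ALGORITHM);
            mac.init(key);
            byte[] tag = mac.doFinal(canonical(fields).getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** True only if the submitted fields still match the digest the server issued. */
    public boolean verify(Map<String, String> submittedFields, String submittedDigest) {
        if (submittedDigest == null) return false;
        byte[] expected = sign(submittedFields).getBytes(StandardCharsets.UTF_8);
        byte[] actual = submittedDigest.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);   // constant-time comparison
    }

    public static void main(String[] args) {
        // Constructed sample: a checkout form whose price field must not change.
        FormDigest fd = new FormDigest(
            "example-key-replace-in-production".getBytes(StandardCharsets.UTF_8));
        Map<String, String> rendered = new TreeMap<>();
        rendered.put("item_id", "1234");
        rendered.put("price", "49.99");
        String digest = fd.sign(rendered);

        Map<String, String> tampered = new TreeMap<>(rendered);
        tampered.put("price", "0.01");

        System.out.println("unaltered form verifies: " + fd.verify(rendered, digest));
        System.out.println("altered form verifies:   " + fd.verify(tampered, digest));
    }
}
```

Two design notes on the choices above: the comparison uses `MessageDigest.isEqual` so that a mismatch is not detectable by timing, and the set of signed fields should include something tied to the current user or session (for instance the session identifier), otherwise a digest captured from one legitimately rendered form remains valid when that form is resubmitted elsewhere.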

My intention was to put the samples in an appendix (or two) and
refer to them at relevant points in the text.

Comments, suggestions, criticisms, welcome.

GENE