Prof. Stefano Bistarelli

Presentation transcript:

Input validation
Prof. Stefano Bistarelli
Consiglio Nazionale delle Ricerche, IIT Istituto di Informatica e Telematica, Pisa
Università “G. d’Annunzio”, Dipartimento di Scienze, Pescara

S. Bistarelli - Metodologie di Secure Programming
A1. Unvalidated Input (2)
A precise classification of what is and is not allowed for every single parameter of the application is required. This includes adequate protection for every kind of data received in an HTTP request, including URLs, forms, cookies, query strings, hidden fields and parameters.
OWASP WebScarab allows manipulating all the information flowing to and from the web browser.
OWASP Stinger, an HTTP request validation engine, was developed by OWASP for J2EE environments.

A1. Unvalidated Input – example (1)
Manipulation of the submitted parameters: Hidden Field Manipulation. The information received with a request is not validated by the web application. This technique can be used to reach the backend through the web application in question.

A1. Unvalidated Input – example (2)
I change the value to 4.999

A1. Unvalidated Input – example (3)

A1. Unvalidated Input – example (4)
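The server-side counterpart to the hidden-field tampering shown above, as an added example that is not code from the slides: the vulnerable version trusts the posted price, the hardened version reads only an allowlisted product id and quantity and takes the price from its own catalog. Product ids, prices and the request arrays are constructed sample data.

```php
<?php
// Added example, not code from the slides: a server-side counterpart to the
// hidden-field tampering shown above. Product ids, prices and the request
// arrays are constructed sample data.
declare(strict_types=1);

const CATALOG = ['A100' => 49.99, 'B200' => 199.00];

// Vulnerable pattern: the total is computed from client-controlled fields,
// so rewriting the hidden "price" field rewrites the amount charged.
function totalFromHiddenField(array $post): float
{
    return (float) $post['price'] * (int) $post['qty'];
}

// Hardened pattern: only the product id and the quantity are read from the
// request, each is checked against an allowlist, and the price is looked up
// in the server-side catalog. Returns null when the request is rejected.
function totalFromCatalog(array $post): ?float
{
    $id  = $post['product_id'] ?? null;
    $qty = $post['qty'] ?? null;
    // id: one upper-case letter and three digits; qty: 1 to 99, no sign, no
    // spaces (\A and \z anchor the whole string, so trailing junk is rejected)
    if (!is_string($id) || !preg_match('/\A[A-Z][0-9]{3}\z/', $id)) {
        return null;
    }
    if (!is_string($qty) || !preg_match('/\A[1-9][0-9]?\z/', $qty)) {
        return null;
    }
    if (!array_key_exists($id, CATALOG)) {
        return null;
    }
    return CATALOG[$id] * (int) $qty;
}

// Constructed request in which the hidden price was rewritten to 4.999
$tampered = ['product_id' => 'B200', 'price' => '4.999', 'qty' => '1'];
var_dump(totalFromHiddenField($tampered));
var_dump(totalFromCatalog($tampered));
var_dump(totalFromCatalog(['product_id' => 'B200', 'qty' => '-1']));
```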

One rule!
To prevent:
- XSS
- (SQL) injection
- Cookie poisoning
But also arithmetic overflow and buffer overrun, which we will see later!!
INPUT VALIDATION!!

Input validation in PHP

<?php
// Naive check: only tests that "@" and "." occur somewhere in the string.
// Note that strpos() returns 0 (which is falsy) when the character is at
// position 0 and false when it is absent, so neither the position nor the
// order of the two characters is really checked.
function validateEmail($email) {
    $hasAtSymbol = strpos($email, "@");
    $hasDot = strpos($email, ".");
    if ($hasAtSymbol && $hasDot)
        return true;
    else
        return false;
}
echo validateEmail("mitchell@devarticles.com");
?>

Or like this?

<?php
// Anchored regular expression: the whole string must have the form
// letters@letters.letters. ereg() was deprecated in PHP 5.3 and removed in
// PHP 7.0; preg_match() with a delimited pattern is the modern equivalent.
function validateEmail($email) {
    return ereg("^[a-zA-Z]+@[a-zA-Z]+\.[a-zA-Z]+$", $email);
}
echo validateEmail("mitchell@devarticles.com");
?>

Regular expressions:
- Put a sequence of characters in brackets, and it defines a set of characters, any one of which matches: [abcd]
- Dashes can be used to specify spans of characters in a class: [a-z]
- A caret at the left end of a class definition means the opposite: [^0-9]

Quantifiers
- Quantifiers in braces:
  {n}    exactly n repetitions
  {m,}   at least m repetitions
  {m,n}  at least m but not more than n repetitions
- Other quantifiers (just abbreviations for the most commonly used quantifiers):
  * means zero or more repetitions, e.g. \d* means zero or more digits
  + means one or more repetitions, e.g. \d+ means one or more digits
  ? means zero or one, e.g. \d? means zero or one digit

Anchors
- The pattern can be forced to match only at the left end with ^, and only at the end with $. E.g., /^Lee/ matches "Lee Ann" but not "Mary Lee Ann"; /Lee Ann$/ matches "Mary Lee Ann", but not "Mary Lee Ann is nice".
- The anchor operators (^ and $) do not match characters in the string; they match positions, at the beginning or at the end.

Syntax continued
Beginning of string: To search from the beginning of a string, use ^. For example,
<?php echo ereg("^hello", "hello world!"); ?>
would return true; however
<?php echo ereg("^hello", "i say hello world"); ?>
would return false, because hello wasn't at the beginning of the string.
End of string: To search at the end of a string, use $. For example,
<?php echo ereg("bye$", "goodbye"); ?>
would return true; however
<?php echo ereg("bye$", "goodbye my friend"); ?>
would return false, because bye wasn't at the very end of the string.

Any single character: To search for any character, use the dot. For example,
<?php echo ereg(".", "cat"); ?>
would return true; however
<?php echo ereg(".", ""); ?>
would return false, because our search string contains no characters.
You can optionally tell the regular expression engine how many single characters it should match using curly braces. If I wanted a match on five characters only, then I would use ereg like this:
<?php echo ereg(".{5}$", "12345"); ?>
The code above tells the regular expression engine to return true if and only if at least five successive characters appear at the end of the string. We can also limit the number of characters that can appear in successive order:
<?php echo ereg("a{1,3}$", "aaa"); ?>
In the example above, we have told the regular expression engine that in order for our search string to match the expression, it should have between one and three 'a' characters at the end.
<?php echo ereg("a{1,3}$", "aaab"); ?>
The example above wouldn't return true, because although there are three 'a' characters in the search string, they are not at the end of the string. If we took the end-of-string anchor $ out of the regular expression, then the string would match. We can also tell the regular expression engine to match at least a certain number of characters in a row, and more if they exist. We do so like this:
<?php echo ereg("a{3,}$", "aaaa"); ?>

Repeat character zero or more times
To tell the regular expression engine that a character may exist, and can be repeated, we use the * character. Here are two examples that would return true:
<?php echo ereg("t*", "tom"); ?>
<?php echo ereg("t*", "fom"); ?>
Even though the second example doesn't contain the 't' character, it still returns true, because the * indicates that the character may appear but doesn't have to. In fact, any normal string would cause the second call to ereg above to return true, because the 't' character is optional.
Repeat character one or more times
To tell the regular expression engine that a character must exist and that it can be repeated more than once, we use the + character, like this:
<?php echo ereg("z+", "i like the zoo"); ?>
The following example would also return true:
<?php echo ereg("z+", "i like the zzzzzzoo!"); ?>
Repeat character zero or one times
We can also tell the regular expression engine that a character must either exist just once, or not at all. We use the ? character to do so, like this:
<?php echo ereg("c?", "cats are fuzzy"); ?>
If we wanted to, we could even remove the 'c' from the search string shown above entirely, and this expression would still return true. The '?' means that a 'c' may appear anywhere in the search string, but doesn't have to.

The space character
To match the space character in a search string, we use the predefined POSIX class [[:space:]]. The square brackets indicate a related set of characters, and ":space:" is the actual class to match (which, in this case, is any white space character). White space includes the tab character, the new line character, and the space character. Alternatively, you could use one space character (" ") if the search string must contain just one space and not a tab or new line character. In most circumstances I prefer to use ":space:" because it signifies my intentions a bit better than a single space character, which can easily be overlooked. There are several POSIX-standard predefined classes that we can match as part of a regular expression, including [:alnum:], [:digit:], [:lower:], etc.
We can match a single space character like this:
<?php echo ereg("Mitchell[[:space:]]Harper", "Mitchell Harper"); ?>
We could also tell the regular expression engine to match either no space or one space by using the ? character after the class, like this:
<?php echo ereg("Mitchell[[:space:]]?Harper", "MitchellHarper"); ?>

Grouping patterns
Related patterns can be grouped together between square brackets. It's really easy to specify that a lower-case-only or upper-case-only sequence of characters should exist as part of the search string using [a-z] and [A-Z], like this:
<?php
// Require all lower case characters from first to last
echo ereg("^[a-z]+$", "johndoe"); // Returns true
?>
or like this:
<?php
// Require all upper case characters from first to last
echo ereg("^[A-Z]+$", "JOHNDOE"); // Returns true
?>
We can also tell the regular expression engine that we expect either lower case or upper case characters. We do this by joining the [a-z] and [A-Z] patterns:
<?php echo ereg("^[a-zA-Z]+$", "JohnDoe"); ?>
In the example above, it would make sense if we could match "John Doe" and not "JohnDoe". We can use the following regular expression to do so:
^[a-zA-Z]+[[:space:]]{1}[a-zA-Z]+$
It's just as easy to search for a numerical string of characters:
<?php echo ereg("^[0-9]+$", "12345"); ?>

Grouping terms
It's not only search patterns that can be grouped together. We can also group related search terms together using parentheses:
<?php echo ereg("^(John|Jane).+$", "John Doe"); ?>
In the example above, we have a beginning-of-string anchor, followed by "John" or "Jane", at least one other character, and then the end-of-string anchor. So ...
<?php echo ereg("^(John|Jane).+$", "Jane Doe"); ?>
... would also match our search pattern.
Special character circumstances
Because several characters are used to specify the grouping or syntax of a search pattern, such as the parentheses in (John|Jane), we need a way to tell the regular expression engine to ignore these characters and to process them as if they were part of the string being searched and not part of the search expression. The method we use to do this is called "character escaping" and involves prepending any "special symbol" with a backslash. So, for example, if I wanted to include the or symbol '|' in my search, then I could do so like this:
<?php echo ereg("^[a-zA-Z]+\|[a-zA-Z]+$", "John|Jane"); ?>
Note that the class must be written [a-zA-Z]: the common typo [a-zA-z] (lower-case z) also covers the ASCII characters between Z and a, i.e. [ \ ] ^ _ and `.
There are only a handful of symbols that you have to escape. You must escape ^, $, (, ), ., [, |, *, ?, +, \ and {.
Hopefully you've now gotten a bit of a feel for just how powerful regular expressions actually are. Let's now take a look at two examples of using regular expressions to validate a string of data.

Example: valid PG (Perugia) phone number

<?php
// Assumed format: +39, a space, the Perugia prefix 075, then an optional
// space or hyphen and a subscriber number of 6 or 7 digits not starting
// with 0. The original pattern used the bracket class [[:space:]075], which
// matches a single character, so it could never match a complete
// "+39 075 ..." number; the function also echoed instead of returning.
function isValidPhone($phoneNum) {
    return ereg("^\+39[[:space:]]075[[:space:]-]?[1-9][0-9]{5,6}$", $phoneNum);
}
?>

But let's look at a tool (easier): tool-regex\RegexBuddy.exe
Or this one, built with Visual Studio: lab-regular-expression\RegEx\before\RegexBench\bin\Debug\RegexBench.exe

Lab: regex in ASP
Match:
- an email address
- a phone number
- a CAP (Italian postal code)
Homework: the codice fiscale (Italian tax code)
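One way to write the lab's four validators (also covering the email checks and the phone-number example from the earlier slides), as an added example that is not code from the slides: anchored allowlist patterns checked with preg_match(), since ereg() no longer exists in PHP 7. The exact formats accepted and the test values are assumptions made for this example.

```php
<?php
// Added example, not code from the slides: allowlist validators for the four
// inputs of the lab (email, phone number, CAP, codice fiscale), written with
// preg_match() because ereg() was removed in PHP 7. The exact formats accepted
// are assumptions made for this example.
declare(strict_types=1);
// \A and \z bind the pattern to the whole string. With ^...$ PHP's $ also
// matches just before a trailing "\n", so "06100\n" passes a /^[0-9]{5}$/
// check unless the D modifier is used; \z avoids the problem entirely.
const PATTERNS = [
    // local part and domain limited to a conservative character set
    'email' => '/\A[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\z/',
    // Italian number in international form: +39 followed by 6 to 11 digits,
    // optionally separated by single spaces
    'phone' => '/\A\+39( ?[0-9]){6,11}\z/',
    // CAP: exactly five digits
    'cap'   => '/\A[0-9]{5}\z/',
    // codice fiscale: 6 letters, 2 digits, letter, 2 digits, letter, 3 digits,
    // letter (structure only; the check character and the "omocodia"
    // digit-to-letter substitutions are not verified here)
    'cf'    => '/\A[A-Z]{6}[0-9]{2}[A-Z][0-9]{2}[A-Z][0-9]{3}[A-Z]\z/',
];

// Returns true only when $value matches the named pattern completely.
function isValid(string $kind, string $value): bool
{
    if (!array_key_exists($kind, PATTERNS)) {
        throw new InvalidArgumentException("unknown input kind: $kind");
    }
    return preg_match(PATTERNS[$kind], $value) === 1;
}

// Constructed test values: (kind, input, should it be accepted?)
$cases = [
    ['email', 'mitchell@devarticles.com',         true],
    ['email', 'mitchell@devarticles.com<script>', false],
    ['email', "mitchell@devarticles.com\n",       false],
    ['phone', '+39 075 1234567',                  true],
    ['phone', '+39 075 123-4567',                 false],
    ['cap',   '06100',                            true],
    ['cap',   "06100\n",                          false],
    ['cap',   '6100',                             false],
    ['cf',    'RSSMRA85M01H501U',                 true],
    ['cf',    'rssmra85m01h501u',                 false],
];
foreach ($cases as [$kind, $value, $expected]) {
    $verdict = isValid($kind, $value) === $expected ? 'ok' : 'UNEXPECTED';
    printf("%-5s %-36s %s\n", $kind, json_encode($value), $verdict);
}
```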

ASP code
Have a look at the regex matching primitives in: lab-regular-expression\RegEx\after\RegexLab.sln

// Regex.IsMatch succeeds on any substring match, so the pattern itself must be
// anchored (e.g. ^\d{5}$ for a five-digit zip code) to validate the whole input
if (!Regex.IsMatch(userInput, pattern, RegexOptions.IgnorePatternWhitespace))
{
    throw new ValidationException("Malformed zip code");
}