Question
Credit task 4.2C: Injection attack prevention using Hibernate Validator (Part 2)
Objective
A poor regex for input validation can be easily bypassed and is also susceptible to resource
exhaustion attacks (regular expression denial of service). In this task you will build a correct regex
expression that rejects script input, and will then focus on writing a whitelist regex expression that
allows only acceptable values and rejects everything else.
Overview
In the 05-coachwebapp-spring web app we implemented a regex pattern to prevent users from
entering scripts or tagged input, that is, values containing '<'. This prevented many of the XSS attack
input patterns. Such filters can be bypassed with cleverer inputs that the filter does not catch, like the
examples given below. Enter each of the values below in the name field and record the output from
the web app.
1) name "<script>alert("XSS"); </script>"
2) <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe
3) <script x> alert(1) </script 1=2
The current regex expression does not prevent the inputs listed above. Correct the regex expression
so that it blocks these patterns as well but still allows normal input like 'bob' to pass through. Navigate to
https://regex101.com/ and follow the step numbers in the screenshot below: select the Flavor as
Java 8 (step-1), enter the regex pattern in the regular expression box (step-2) and enter the inputs
you want to detect in the test string box (step-3), as shown below:
[Figure: regex101.com with the FLAVOR list (PCRE2 (PHP>=7.3), PCRE (PHP<7.3), ECMAScript, Python, Golang, Java 8, .NET (C#), Rust) on the left. Java 8 is selected (1), the REGULAR EXPRESSION box is marked (2) and the TEST STRING box is marked (3).]
Step-1: Select Java 8
Step-2: Enter the Regular Expression as .*[^<>]
Step-3: Enter the test string as <script>alert("Hacked");</script>
[Figure: regex101 result for .*[^<>] against <script>alert("Hacked");</script>: 1 match, flags gm.]
The part of the test string highlighted in blue is the match. Note that regex101 searches for a match
anywhere in the string, whereas Hibernate Validator's @Pattern accepts a value only if the whole value
matches the expression; the un-highlighted part of the string is therefore what causes the value to be
rejected. Because the pattern ends in [^<>], any input whose last character is '<' or '>' is blocked,
which is why this first example is rejected.
Now enter the test string as: name "<script>alert("XSS"); </script>"
By changing the input slightly the regex no longer blocks the script input: the test string is completely
highlighted in blue, so the whole value matches and the filter is bypassed.
[Figure: regex101 result for .*[^<>] against name "<script>alert("XSS"); </script>": 1 match, the whole test string highlighted.]
Task1: Now change the regular expression to each of the regex patterns below:
• .*[^<>]
• [^<>].*
• [^<>]+
• [a-zA-Z]+
Among the given patterns, which pattern(s) will block the characters in an input like name
"<script>alert("XSS"); </script>"?
Task2: Whitelisting is the preferred approach: only permitted characters are allowed and everything
else is blocked by default (read more on this approach here:
https://owasp.deteact.com/cheat/cheatsheets/Input Validation Cheat Sheet.html). Among the
given regex patterns, which pattern is a whitelist pattern? Once you have selected the correct whitelist
pattern, change the regex pattern in the 05-coachwebapp-spring web app in the Eclipse IDE running
on the provided KaliVM (see the figure below).
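The following harness is an added example for Task 1 and Task 2; it is not code from the task sheet or from 05-coachwebapp-spring. It applies the four candidate patterns to 'bob', to the regex101 test string and to the payloads from the Overview under the rule Hibernate Validator's @Pattern actually uses, java.util.regex's matches(), which requires the whole value to match, and beside it shows what regex101's default search (find()) reports for the same input, so you can see where the two disagree. The class name PatternCheck, the helper names and the ACCEPT/REJECT labels are choices made for this demonstration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/*
 * Added example for Task 1 and Task 2; not code from the task sheet or from
 * 05-coachwebapp-spring. Hibernate Validator's @Pattern calls
 * java.util.regex.Matcher.matches(), so a value is accepted only if the WHOLE
 * value matches the expression. regex101's default search highlights any
 * matching substring instead, which is why the two views can disagree.
 */
public class PatternCheck {

    // The four candidate patterns listed in Task 1, in the order given there.
    static final List<String> CANDIDATES = Arrays.asList(
            ".*[^<>]",
            "[^<>].*",
            "[^<>]+",
            "[a-zA-Z]+");

    // "bob" must pass; the other inputs are the regex101 test string and the
    // bypass payloads from the Overview (constructed here as Java literals).
    static final List<String> INPUTS = Arrays.asList(
            "bob",
            "<script>alert(\"Hacked\");</script>",
            "name \"<script>alert(\"XSS\"); </script>\"",
            "<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe",
            "<script x> alert(1) </script 1=2");

    /** The decision @Pattern(regexp = regex) makes: does the whole value match? */
    static boolean accepts(String regex, String value) {
        return Pattern.compile(regex).matcher(value).matches();
    }

    /** What regex101 shows by default: is there a match anywhere in the value? */
    static boolean findsSomewhere(String regex, String value) {
        return Pattern.compile(regex).matcher(value).find();
    }

    /**
     * True when the pattern accepts "bob" and rejects every listed payload.
     * Passing this check alone does not make a pattern a whitelist; deciding
     * which candidate is a whitelist is the question Task 2 asks.
     */
    static boolean blocksAllPayloads(String regex) {
        for (String input : INPUTS) {
            boolean legitimate = input.equals("bob");
            if (accepts(regex, input) != legitimate) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        for (String regex : CANDIDATES) {
            System.out.println("Pattern " + regex
                    + (blocksAllPayloads(regex) ? "  (accepts only bob among these inputs)" : ""));
            for (String input : INPUTS) {
                System.out.printf("  @Pattern %-6s  regex101 find %-5b  %s%n",
                        accepts(regex, input) ? "ACCEPT" : "REJECT",
                        findsSomewhere(regex, input),
                        input);
            }
        }
    }
}
```

Compile and run it with `javac PatternCheck.java && java PatternCheck`; compare the @Pattern column with what regex101 highlights for the same pattern and input before answering Task 1 and Task 2.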
[Figure: Eclipse Project Explorer on the KaliVM showing the secure-coding-course-sources projects (01-coachwebapp, 02-v-coachwebapp, 05-coachwebapp-spring) with 05-coachwebapp-spring expanded to Java Resources > src > edu.deakin.sit28.coachwebapp > Client.java. In Client.java the name field is annotated with @NotNull(message = "is required"), @Size(min = 3, message = "is required") and @Pattern(regexp = ..., message = "incorrect format"); the age field's @Min(value = 18, message = "you must be 18 years old or older") and @Max(value = 120, message = "Vampires are not allowed") annotations are commented out.]
Save the changes and run the web application on the server, as highlighted below:
[Figure: the project's context menu with Run As > Run on Server selected, and the browser at localhost:8080/05-coachwebapp-spring/client/showForm showing the Client Registration Form with Name and Age fields (Age: 45) and a Submit button.]
In the web app enter the name "bob" and age 45 and confirm that it is not blocked. Next enter the
name "<script>alert("XSS"); </script>" and test whether it gets blocked. Record screenshots and
add them to the submission.
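To reproduce the check above without deploying to the server, the following added example (not the project's Client.java; the Client class here is a cut-down stand-in that models only the name field, carrying the annotation messages visible in the screenshot) validates the bean directly with Hibernate Validator and prints the violation messages the form would show. It assumes hibernate-validator (the javax.validation API the web app imports) and a Java EL implementation are on the classpath, as they are in the Spring web app; the whitelist constant, the class name WhitelistDemo and the check() helper are choices made for this demonstration.

```java
import java.util.Set;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size;

/*
 * Added example; not the project's Client.java. The nested Client class models
 * only the name field. Assumes hibernate-validator and a Java EL implementation
 * are on the classpath (they are in the Spring web app).
 */
public class WhitelistDemo {

    // Whitelist: only ASCII letters are permitted. Because @Pattern requires the
    // whole value to match, a single '<', '>', quote, space or digit anywhere in
    // the value is enough to reject it; nothing has to be enumerated as "bad".
    static final String WHITELIST = "[a-zA-Z]+";

    public static class Client {
        @NotNull(message = "is required")
        @Size(min = 3, message = "is required")
        @Pattern(regexp = WHITELIST, message = "incorrect format")
        private String name;

        public Client(String name) { this.name = name; }
        public String getName() { return name; }
    }

    private static final Validator VALIDATOR =
            Validation.buildDefaultValidatorFactory().getValidator();

    /** Violations for a candidate name; an empty set means the form would accept it. */
    static Set<ConstraintViolation<Client>> check(String name) {
        return VALIDATOR.validate(new Client(name));
    }

    public static void main(String[] args) {
        // "bob" is the legitimate input from the task; the payloads are the ones
        // from the Overview; "bo" is added to show @Size firing on its own.
        String[] inputs = {
            "bob",
            "name \"<script>alert(\"XSS\"); </script>\"",
            "<a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=javascript:alert(1)>ClickMe",
            "<script x> alert(1) </script 1=2",
            "bo"
        };
        for (String input : inputs) {
            Set<ConstraintViolation<Client>> violations = check(input);
            if (violations.isEmpty()) {
                System.out.println("ACCEPT " + input);
            } else {
                for (ConstraintViolation<Client> v : violations) {
                    System.out.println("REJECT " + input + "  -> "
                            + v.getPropertyPath() + " " + v.getMessage());
                }
            }
        }
    }
}
```

Because @Pattern treats a null value as valid, the @NotNull constraint is what catches a missing name; the two annotations cover different cases and both are needed. The @Size check also fires independently, so a short but otherwise well-formed name is reported with its own message rather than as a format error.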
Submission Requirements:
Submit one PDF file containing the following information:
1. The correct regex pattern(s) that block the injected data.
2. The whitelisting regex and screenshots showing it working correctly, i.e. when it throws the
validation exception. You also need to provide a screenshot of the code section where you
made the changes.