Distinction task 4.3D: Develop your own injection attack preventions using Hibernate Validator
Objective
Input validation is an important function for preventing many forms of web application attack.
However, business requirements or application functionality can make input validation a
complex task, especially when users must be able to enter comments or fields that accept
special characters. In this task you will modify an existing web application by adding more
input fields and developing correct validation mechanisms to prevent injection attacks.
Input validation can be applied on the client side, on the server side, or both. Client-side
validation uses HTML attributes to check user input in the client's browser, saving server
resources, but it can be bypassed by anyone who controls the browser or submits requests
directly. A secure application therefore performs both client-side and server-side validation.
In this task you will incorporate both.
Overview
In the previous task, we implemented a regex pattern that prevents users from entering scripts or
tagged input values of the form '<>' in the 05-coachwebapp-spring web app in your SIT218 VM. This
blocked many of the common XSS input patterns.
Now add two additional input fields to the 05-coachwebapp-spring web app in your SIT218 VM: a field
that asks the user for their email address, and a text area that allows the user to send a custom
request to the coach.
[Fig. 1: screenshot of the Client Registration Form in the Kali VM browser at localhost:8080/05-coachwebapp-spring/client/showForm. The form shows the fields Name: Bob, Age: 55, Email: bob@domain.com, a Message text area containing "This is custom message to the coach!", and a Submit button.]
When the user clicks the Submit button, the email address and the user's message should be displayed as
shown below:
[Fig. 2: screenshot of the confirmation page at localhost:8080/05-coachwebapp-spring/workout/processForm. The page shows "Bob, please, run for 30 min" followed by: Your message "This is a custom mesage to the coach!" was received and you will be contacted via your email: bob@doamin.com for further information.]
Add the correct input validations with regular expressions to prevent any XSS, both on the client side
and on the server side. The email address should contain the appropriate characters, such as '@' and
'com', but other special characters should be blocked. The text area should be limited to a maximum of
200 characters and should allow common special characters such as (!@#*).
Use https://www.geeksforgeeks.org/spring-mvc-textarea/ as a reference for adding the text area to the
Spring app. Use https://developer.mozilla.org/en-US/docs/Learn/Forms/Form_validation for the
client-side HTML validations.
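An added worked example (not the coursework app's own code) of how the two new fields can be validated server-side with Hibernate Validator, condensed into one file: the Client model with allow-list regex constraints, the controller handler that enforces them through @Valid, and a main() that runs the validator on constructed inputs without starting Spring. The package name, request mapping, view names and the exact regexes are assumptions of this example, and it assumes the javax.validation API used by Hibernate Validator 6 (on Spring 6 / Hibernate Validator 8 the imports become jakarta.validation).

```java
// Added example for the SIT218 task, not code from the 05-coachwebapp-spring app.
// In the real project the model and controller live in Client.java and CoachController.java.
package sit218.example;   // hypothetical package name

import java.util.Set;
import javax.validation.ConstraintViolation;
import javax.validation.Valid;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.NotBlank;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;

class Client {
    // The app's existing name and age fields are omitted here; only the two new fields are shown.

    // Allow-list for a mailbox address: local part, exactly one '@', dot-separated domain labels
    // and an alphabetic top-level domain of at least two letters. Any character outside the list,
    // including '<', '>', '"', ';' and whitespace, fails the match, so tag-based input is rejected.
    @NotBlank(message = "Email is required")
    @Pattern(regexp = "^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\\.[A-Za-z0-9-]+)*\\.[A-Za-z]{2,}$",
             message = "Enter a valid email address using letters, digits, '.', '_', '%', '+' or '-'")
    private String email;

    // Free-text message: at most 200 characters, restricted to letters, digits, whitespace and a
    // small set of punctuation (. , ! ? @ # * ( ) ' -). Angle brackets, quotes and '&' are excluded,
    // so a <script> tag can never reach the confirmation page. Newlines from the text area are allowed.
    @Size(max = 200, message = "Message must be 200 characters or fewer")
    @Pattern(regexp = "^[A-Za-z0-9\\s.,!?@#*()'-]*$",
             message = "Message may only contain letters, digits, spaces and . , ! ? @ # * ( ) ' -")
    private String message;

    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getMessage() { return message; }
    public void setMessage(String message) { this.message = message; }
}

// @Valid triggers the constraints above when the form is bound. BindingResult must be the
// parameter immediately after the validated bean, otherwise Spring throws instead of reporting.
@Controller
@RequestMapping("/client")   // hypothetical mapping
class CoachController {
    @PostMapping("/processForm")
    public String processForm(@Valid @ModelAttribute("client") Client client, BindingResult result) {
        if (result.hasErrors()) {
            return "client-form";          // hypothetical view: re-render the form with field errors
        }
        return "client-confirmation";      // hypothetical view: show email and message back to the user
    }
}

public class ClientValidationDemo {
    private static final Validator VALIDATOR = Validation.buildDefaultValidatorFactory().getValidator();

    // Validates one constructed Client and returns the number of violated constraints.
    static int violations(String email, String message) {
        Client c = new Client();
        c.setEmail(email);
        c.setMessage(message);
        Set<ConstraintViolation<Client>> found = VALIDATOR.validate(c);
        for (ConstraintViolation<Client> v : found) {
            System.out.println("  " + v.getPropertyPath() + ": " + v.getMessage());
        }
        return found.size();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one well-formed submission and three that should be rejected.
        System.out.println("valid input: " + violations("bob@domain.com", "This is a custom message to the coach!"));
        System.out.println("tag in email: " + violations("bob@domain.com<b>", "hello"));
        System.out.println("tag in message: " + violations("bob@domain.com", "<script>x</script>"));
        System.out.println("201-char message: " + violations("bob@domain.com", "a".repeat(201)));
    }
}
```

The client-side counterpart is the same allow-list expressed as the HTML `pattern` attribute on the email input and `maxlength="200"` on the text area (without the Java string escaping), as described in the MDN page linked above. Keep the two in step, but treat the server-side constraints as the real control: the browser check only improves the user experience and is trivially skipped by a request sent outside the browser.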
Submission Requirements:
Submit one PDF file containing the following information:
1. The correct regex patterns that block injected data in all the fields.
2. Screenshots of the updated app, showing it working correctly and blocking unexpected characters.
3. The updated Client.java code, added to the submission document.
4. The updated CoachController.java code, added to the submission document.
5. The updated HTML code, including the client-side validations, added to the submission document.
Submission Due
The due date for each task is stated in its OnTrack task information dashboard.
Fig. 1 and Fig. 2: the registration form and the confirmation page shown above.