SIT 218/738: Secure coding
Pass task 4.1P: Injection attack preventions using hibernate validator
Note: Complete the steps provided in "Ontrack Task4.1P Start Activity" on CloudDeakin
before completing this task.
Objective
In this task you will learn about whitelisting and blacklisting in input validation. In the class
activity you tested a regex validation intended to stop injected script. When validating, you need
to use the most effective method, so that a malicious user cannot bypass your input
validation with an input the filter did not anticipate.
Overview
In the 05-coachwebapp-spring web app we implemented a regex pattern to prevent users from
entering scripts or tag-like input values built from the characters <>'. This blocked many XSS attack
input patterns. Such filters can still be bypassed with more carefully crafted inputs that are not caught by
the earlier validation, like the examples given below. Enter each of the values below in the name field
and record the output from the web app.
1) name ""
2) href=javascript:alert(1)>ClickMe
3)
Discuss why these are getting bypassed.
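As an added example (not the 05-coachwebapp-spring code), the following class contrasts a tag-matching blacklist with a whitelist using plain java.util.regex, so it runs without the Spring app. Both regexes, the class name and the inputs are assumptions made for illustration; the payloads are constructed, not taken from the web app.

```java
import java.util.List;
import java.util.regex.Pattern;

/*
 * Added example (not the 05-coachwebapp-spring code). Both regexes are assumed
 * for illustration and the test inputs below are constructed.
 * Hibernate Validator's @Pattern checks a field with Matcher.matches(), so the
 * same regex strings could be used as @Pattern(regexp = "...") on a name field.
 */
public class NameValidationDemo {

    // Blacklist (assumed): reject the value only if it contains a complete
    // HTML tag, i.e. a '<' ... '>' pair. Anything else is allowed through.
    static final Pattern TAG_BLACKLIST =
            Pattern.compile(".*<[^>]*>.*", Pattern.DOTALL);

    // Whitelist (assumed): state what a name may look like and reject all else:
    // 1 to 5 words of letters (any script), separated by a space or hyphen,
    // each word at most 30 characters. No quotes, brackets, ':' or '='.
    static final Pattern NAME_WHITELIST =
            Pattern.compile("^\\p{L}{1,30}(?:[ -]\\p{L}{1,30}){0,4}$");

    // Blacklist semantics: accept unless the forbidden pattern is present.
    static boolean passesBlacklist(String input) {
        return !TAG_BLACKLIST.matcher(input).matches();
    }

    // Whitelist semantics: accept only if the whole value matches the allowed shape.
    static boolean passesWhitelist(String input) {
        return NAME_WHITELIST.matcher(input).matches();
    }

    public static void main(String[] args) {
        // Constructed inputs: two legitimate names followed by four XSS-style
        // payloads. Whether a payload actually fires depends on where the page
        // reflects the name (text node, attribute value, href), which the
        // validator cannot know; that is why blacklisting by syntax is fragile.
        List<String> inputs = List.of(
                "Mary Jane",
                "Jean-Luc",
                "<img src=x onerror=alert(1)>",   // complete tag: blacklist catches it
                "<svg onload=alert(1)",           // no '>' yet; the page's next '>' closes it
                "\" onmouseover=\"alert(1)",      // breaks out of an attribute, no tag chars
                "javascript:alert(1)"             // dangerous when reflected into an href
        );

        System.out.printf("%-34s %-10s %-10s%n", "input", "blacklist", "whitelist");
        for (String in : inputs) {
            System.out.printf("%-34s %-10s %-10s%n", in,
                    passesBlacklist(in) ? "accepted" : "rejected",
                    passesWhitelist(in) ? "accepted" : "rejected");
        }
    }
}
```

Compile and run with `javac NameValidationDemo.java && java NameValidationDemo`. The blacklist accepts the last three payloads because none of them contains a complete tag, while the whitelist accepts only the two names. In Hibernate Validator the whitelist regex would go in `@Pattern(regexp = "...")` on the name field; because the validator calls `matches()` on the whole value, a blacklist expression used there must also be written to cover the whole string (the leading and trailing `.*` above), which is one more way a blacklist can silently fail to match.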
Submission Requirements:
Submit one PDF file containing the following information:
1. Screenshots showing the bypassing of the filters for the three cases
2. Identify the type of validation you performed in 05-coachwebapp (i.e.
whitelisting or blacklisting)
3. A brief explanation why these are still getting bypassed.
Submission Due
The due date for each task is stated in its OnTrack task information dashboard.