Question

(1) Does the below example employ input validation? (2) Why or why not. (3) From a secure coding perspective, why would we want to validate input? (4) Post the OWASP guidance URL on input validation

    private static final Pattern zipPattern = Pattern.compile("^\d{5}(-\d{4})?$");

    public void doPost( HttpServletRequest request, HttpServletResponse response) {
        try {
            String zipCode = request.getParameter( "zip" );
            if ( !zipPattern.matcher( zipCode ).matches() ) {
                throw new YourValidationException( "Improper zipcode format." );
            }
            // do what you want here, after its been validated ..
        } catch(YourValidationException e ) {
            response.sendError( response.SC_BAD_REQUEST, e.getMessage() );
        }
    }

Answer #1

1. The given code doesn't employ input validation.

2. Reasons for the error:

  • Please find the code below for reference.
  • As the regex throws an "illegal escape character" error, instead of '\' in the regex we should use '\\'.
  • The user-defined exception, i.e. YourValidationException, is not defined in the given code.
  • No imports are used for regular expressions, the HTTP request and the servlet.

3. From a secure coding perspective,

  • It is important to handle input validation.
  • For example, if we do not validate the input for the above code, the zip code might be wrong and it is impossible to deliver the product or response to the particular area.
  • The zip code helps us deliver a product or message to the exact area or the right destination. So a correct zip code helps us send the message to the right person and the right place.


4. OWASP URL for input validation:

  • It is important to encode URL parameters because an unauthorized user can:
    Alter the look and functionality of the page
    Access private user data associated with the site
    Perform actions on the user's behalf
  • Multiple user-defined strings were rendered on the page:
    The title URL parameter
    Username field
    Message field
  • For example:
    http://url/entries?title=<script>alert("1");</script>
  • Page source returned to the victim:
    <html>...<div>
    <script>alert("1");</script>
    </div>...</html>
  • An attacker crafts a URL and gets people to click on it.
  • HTML output will be:
    <H1>Thank you for signing my <script>alert("1");</script></H1>

The modified code for input validation is:

    import java.io.IOException;
    import java.util.regex.Pattern;                  // regex support
    import javax.servlet.http.HttpServlet;           // servlet base class
    import javax.servlet.http.HttpServletRequest;    // request / response types
    import javax.servlet.http.HttpServletResponse;

    // User-defined exception that was missing from the original snippet.
    class YourValidationException extends Exception {
        public YourValidationException(String s) {
            super(s);   // call the parent Exception constructor
        }
    }

    public class Main extends HttpServlet {

        // Modified regular expression: '\' must be written as '\\' inside a Java string literal.
        private static final Pattern zipPattern = Pattern.compile("^\\d{5}(-\\d{4})?$");

        // Allow-list check, separated out so it can be exercised without a servlet container.
        // A missing "zip" parameter arrives as null; reject it here instead of letting
        // matcher(null) throw a NullPointerException that the catch block below would not handle.
        static String validateZip(String zipCode) throws YourValidationException {
            if (zipCode == null || !zipPattern.matcher(zipCode).matches()) {
                throw new YourValidationException("Improper zipcode format.");
            }
            return zipCode;
        }

        @Override
        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws IOException {
            try {
                String zipCode = validateZip(request.getParameter("zip"));
                // do what you want here, after it has been validated ..
            } catch (YourValidationException e) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
            }
        }

        // Runs the validation on sample values without a request/response pair
        // (the earlier main could not work: req and res were never initialised).
        public static void main(String[] args) {
            String[] samples = { "12345", "12345-6789", "123456", "abcde" };
            for (String zip : samples) {
                try {
                    System.out.println(validateZip(zip) + " -> valid");
                } catch (YourValidationException e) {
                    System.out.println(zip + " -> " + e.getMessage());
                }
            }
        }
    }
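
An added example, not code from the question, the answer above or the OWASP cheat sheet, written in Python so it runs without a servlet container. It mirrors the servlet's allow-list check (whole-string match, reject on failure, 400 on error) and shows three ways a zip-code check of this shape can quietly let bad input through: a missing parameter (null in the servlet), a regex anchored with `$` but applied with `match`/`find` instead of `fullmatch`/`matches`, and `\d` accepting non-ASCII digits in Python 3. `handle_request`, `validate_zip` and the `params` dict are stand-ins for `doPost`, the validation branch and `request.getParameter`, not real framework APIs.

```python
import re

# Constructed example, not code from the page or from OWASP.
# [0-9] rather than \d: in Python 3, \d in a str pattern also matches
# non-ASCII decimal digits (e.g. Arabic-Indic ones), which Java's \d
# does not by default; [0-9] keeps the two checks equivalent.
ZIP_PATTERN = re.compile(r"^[0-9]{5}(-[0-9]{4})?$")
LOOSE_DIGIT_PATTERN = re.compile(r"\d{5}")      # used only to show the \d trap
MAX_ZIP_LEN = len("12345-6789")                  # bound the input before the regex runs


class ValidationError(ValueError):
    """Raised when a request parameter fails the allow-list check."""


def validate_zip(value):
    """Return the ZIP unchanged if it is exactly a 5 or 5+4 ZIP, else raise.

    Equivalent to the servlet's zipPattern.matcher(zipCode).matches():
    the entire string has to be consumed by the pattern.
    """
    if value is None:                        # parameter absent from the request
        raise ValidationError("zip parameter is missing")
    if not isinstance(value, str):           # e.g. a list from a repeated parameter
        raise ValidationError("zip must be a single string")
    if len(value) > MAX_ZIP_LEN:             # cheap length bound first
        raise ValidationError("zip is too long")
    if ZIP_PATTERN.fullmatch(value) is None:
        raise ValidationError("Improper zipcode format.")
    return value


def is_valid_zip(value):
    """Boolean convenience wrapper around validate_zip."""
    try:
        validate_zip(value)
        return True
    except ValidationError:
        return False


def loose_match(value):
    """The usual mistake: re.match with a '$' anchor instead of fullmatch.

    '$' also matches just before a trailing newline, so '12345\\n' passes.
    Java's Matcher.find() behaves the same way; Matcher.matches() does not.
    """
    return ZIP_PATTERN.match(value) is not None


def unicode_digits_pass_backslash_d(value):
    """True if a bare \\d{5} pattern accepts the value (non-ASCII digits included)."""
    return LOOSE_DIGIT_PATTERN.fullmatch(value) is not None


def handle_request(params):
    """Toy stand-in for doPost: params is the parsed query string as a dict.

    Returns (status, body), the same shape as sendError(SC_BAD_REQUEST, msg).
    """
    try:
        zip_code = validate_zip(params.get("zip"))
    except ValidationError as e:
        return 400, str(e)
    return 200, "validated zip " + zip_code


if __name__ == "__main__":
    for sample in ["12345", "12345-6789", "123456", "12345\n", None]:
        print(repr(sample), "->", handle_request({"zip": sample}))
```

The length bound and the `None` check run before the regex so that an absent or oversized parameter is reported as a 400, not as a crash the servlet's `catch (YourValidationException e)` would never see.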
