SDEV 460 – Homework 4
Input Validation and Business Logic Security Controls
Overview:
This homework will demonstrate your knowledge of testing security controls aligned with Input
validation and business logic. You will also use the recommended OWASP testing guide reporting format
to report your test findings.
Assignment: Total 100 points
Using the readings from weeks 7 and 8 as a baseline provide the following test and analysis descriptions
or discussion:
1. Testing for Reflected Cross site scripting (OTG-INPVAL-001)
The OWASP site list multiple approaches and examples for blackbox testing reflected XSS
vulnerabilities. In your own words, describe Reflected Cross Site scripting. Then, List and
describe 4 different examples that could be used for testing. Be sure to conduct additional
research for each example to provide your own unique test example. This most likely means you
will need to conduct some research on Javascript to make sure your syntax is correct.
2. Testing for Stored Cross site scripting (OTG-INPVAL-002)
The OWASP site list multiple approaches and examples for blackbox testing Stored XSS
vulnerabilities. In your own words, describe Stored Cross Site scripting. Then, List and describe 2
different examples that could be used for testing. Be sure to conduct additional research for
each example to provide your own unique test example. This most likely means you will need to
conduct some research on Javascript to make sure your syntax is correct.
3. Testing for SQL Injection (OTG-INPVAL-005)
SQL Injection remains a problem in applications yet could easily fixed. The following SQL
statement is in an HTML form as code with the $ variables directly input from the user.
SELECT * FROM Students WHERE EMPLID=’$EMPLID’ AND EMAIL=’$email’
Would a form or application that includes this code be susceptible to SQL Injection? Why?
What specific tests would you perform to determine if the applications was vulnerable?
How would you fix this problem? Be specific be providing the exact code in a Language of your choice.
(e.g. Java, PHP, Python …)
4. Test business logic data validation (OTG-BUSLOGIC-001)
While reviewing some Java code, an analysis provided the following code snippets that contain
logic errors. For each example, describe the issue and provide code that would fix the logical
error:
a.
2
int x; x = x + 1; System.out.println(“X = ” + x);
b.
for (i=1; i<=5; i++) ; { System.out.println(“Number is ” + i); }
c.
if ( z > d) ; { System.out.println(“Z is bigger”); }
d.
String m1=”one”;
String m2=”two”;
if(m1 == m2) {
System.out.println(“M1 is equal to M2”);
}
e. The formula for the area of a trapezoid is:
A = (b1+b2)/2 * h
The following Java code is the implementation. Fix the logical error
double area;
double base1 = 2.3;
double base2 = 4.8;
double height = 12.5;
area = base1 + base2/2.0 * height;
Demonstrate your fixed code work as anticipated with a couple different test
cases.
5. Test integrity checks (OTG-BUSLOGIC-003)
Conduct some additional research on Business Logic errors related to OTG-BUSLOGIC-003. In
your own words describe and provide 2 unique examples of integrity checks. For your
examples, provide specific testing methods for each case.
6. Test defenses against Circumvention of Work Flows (OTG-BUSLOGIC-006)
3
Conduct some additional research on Business Logic errors related to OTG-BUSLOGIC-006. In
your own words describe and provide 2 unique examples of circumvention of work flow. For
your examples, provide specific testing methods for each case.
You should document the results for the tests and your comments, and recommendations for improved
security for each security control tested in a word or PDF document. Discuss any issues found and
possible mitigations.
Deliverables:
You should submit your document by the due date. Your document should be well-organized, include all
references used and contain minimal spelling and grammar errors.
Grading Rubric:
Attribute Meets
Reflected Cross site scripting
10 points Describes Reflected Cross Site scripting. Then, Lists and describes 4 different examples that could be used for testing. Conducts additional research for each example to provide your own unique test example.
Stored Cross site scripting
10 points Describes Stored Cross Site scripting. Then, Lists and describes 2 different examples that could be used for testing. Conducts additional research for each example to provide your own unique test example.
SQL Injection 25 points Answers: would a form or application that includes this code be susceptible to SQL Injection? Why? Answers: What specific tests would you perform to determine if the applications was vulnerable? Answers: How would you fix this problem? Provides the exact code in a Language of your choice.
Business logic data validation
15 points For each example, describes the issue and provides code that would fix the logical error.
Integrity checks 10 points Conducts research on Business Logic errors related to OTG-BUSLOGIC-003. In your own words describes and provides 2 unique examples of integrity checks. Provides specific testing methods for each case.
Defenses against workflow intervention
10 points Conducts research on Business Logic errors related to OTG-BUSLOGIC-006. In your own words describes and provides 2 unique examples of circumvention of work flow. Provides specific testing methods for each case.
Documentation and Submission
20 points Your document should be well-organized, include all references used and contain minimal spelling and grammar errors.
Why Choose Us
Top quality papers
We always make sure that writers follow all your instructions precisely. You can choose your academic level: high school, college/university or professional, and we will assign a writer who has a respective degree.
Professional academic writers
We have hired a team of professional writers experienced in academic and business writing. Most of them are native speakers and PhD holders able to take care of any assignment you need help with.
Free revisions
If you feel that we missed something, send the order for a free revision. You will have 10 days to send the order for revision after you receive the final paper. You can either do it on your own after signing in to your personal account or by contacting our support.
On-time delivery
All papers are always delivered on time. In case we need more time to master your paper, we may contact you regarding the deadline extension. In case you cannot provide us with more time, a 100% refund is guaranteed.
Original & confidential
We use several checkers to make sure that all papers you receive are plagiarism-free. Our editors carefully go through all in-text citations. We also promise full confidentiality in all our services.
24/7 Customer Support
Our support agents are available 24 hours a day 7 days a week and committed to providing you with the best customer experience. Get in touch whenever you need any assistance.
Try it now!
How it works?
Follow these simple steps to get your paper done
Place your order
Fill in the order form and provide all details of your assignment.
Proceed with the payment
Choose the payment system that suits you most.
Receive the final file
Once your paper is ready, we will email it to you.
Our Services
No need to work on your paper at night. Sleep tight, we will cover your back. We offer all kinds of writing services.
Essays
You are welcome to choose your academic level and the type of your paper. Our academic experts will gladly help you with essays, case studies, research papers and other assignments.
Admissions
Admission help & business writing
You can be positive that we will be here 24/7 to help you get accepted to the Master’s program at the TOP-universities or help you get a well-paid position.
Reviews
Editing your paper
Our academic writers and editors will help you submit a well-structured and organized paper just on time. We will ensure that your final paper is of the highest quality and absolutely free of mistakes.
Reviews
Revising your paper
Our academic writers and editors will help you with unlimited number of revisions in case you need any customization of your academic papers