Intercepting Filter

Use to Implement:
• Input Validation
• Page-Level Authorization
• Session Management
• Audit Logging

Avoid:
• Relying Only on Blacklist Validation
• Output Encoding in Filter
• Overly Generous Whitelist Validation
• XML Denial of Service
• Logging Arbitrary HTTP Parameters
Front Controller

Use to Implement:
• Logical Resource Mapping
• Session Management
• Audit Logging

Avoid:
• Physical Resource Mapping
• Unhandled Mappings in Multiplexed Resource Mapping Strategy
• Logging of Arbitrary HTTP Parameters
• Duplicating Common Logic Across Multiple Front Controllers
• Invoking Commands Without Sufficient Authorization
Context Object

Use to Implement:
• Whitelist Input Validation
• Flagging Tainted Variables

Avoid:
• Context Auto-Population Strategy
• Assuming Security Context Reflects All Security Concerns
Application Controller

Use to Implement:
• Synchronization Tokens as Anti-CSRF Mechanism
• Page-Level Authorization

Avoid:
• Unauthorized Commands
• Unhandled Commands
• XSLT and XPath Vulnerabilities
• XML Denial of Service
• Disclosure of Information in SOAP Faults
• Publishing WSDL Files
View Helper

Use to Implement:
• Output Encoding in Custom Tag Helper

Avoid:
• XSLT and XPath Vulnerabilities
• Unencoded User-Supplied Data
Composite View

Use to Implement:
• Output Encoding in Custom Tags

Avoid:
• XSLT and XPath Vulnerabilities
• Skipping Authorization Check Within SubViews
Service to Worker

Avoid:
• Dispatching Error Pages Without a Default Error Handler
Dispatcher View

Avoid:
• Using User-Supplied Forward Values
• Assuming User's Navigation History
Business Delegate

Use to Implement:
• Whitelist Input Validation
Service Locator

Avoid:
• Memory Leaks in Caching
• Open Access to UDDIs
Session Facade

Use to Implement:
• Middle-Tier Authorization

Avoid:
• Unauthenticated Client Calls
• Deserializing Objects from Untrusted Sources
Application Service

Avoid:
• Unauthenticated Client Calls
Business Object
Composite Entity

Avoid:
• Plaintext Transmission of Confidential Data
• Interpreter Injection
Transfer Object

Avoid:
• Plaintext Transmission of Confidential Data
Transfer Object Assembler
Value List Handler
Data Access Object

Avoid:
• Interpreter Injection
• Improper Resource Closing
• Unencrypted Connection String Storage
Service Activator

Avoid:
• Denial of Service in Message Queues
• Unauthenticated Messages
• Unauthorized Messages
• Dynamic SQL in Database Response Strategy
• Unvalidated Email Addresses in Email Response Strategy
Domain Store

Avoid:
• Interpreter Injection
• Improper Closing of Resources
• Unencrypted Storage of Connection Strings
Web Services Broker

Avoid:
• Sending stack traces and other detailed information in SOAP faults
• Publishing WSDL files
• Using DTDs
• Unauthenticated or unauthorized web service requests
• Using user-supplied data without input validation
• Excessively large XML messages