Don't Wanna Be Like That
Eliminating glaring security holes
When you're developing a system, you can't help but imagine it being used in the proper way, the way that you offer it to your users. And that means that when you have a "First Name" field, you expect to get back something like Jane or Omar.
Not something like Jane' or 1=1 --
But, surprise, that's exactly what a nefarious user might do, and if you've set up your application to tack the name onto the end of an SQL statement like select * from customers where name = ', then that input turns your query into select * from customers where name = 'Jane' or 1=1 --' and lets the attacker see every record in the table. Or crash your application by returning far more rows than it was ever built to handle.
Either way: oops.
What you need to do, argues Stephen Enright, is to validate your input. And in today's Feature Article, Handling Java Web Application Input, Part 1, he shows how just trying to catch invalid input will never be enough. Instead, he calls for a server-side strategy of screening to accept only valid data, rather than screening to reject invalid data. "The criterion here is that there will most likely be a case you simply cannot perceive... Moreover, by checking for validity, you reduce the potential for exploits through data masquerading. Data masquerading is the process by which insecure data is represented in a way to make it look secure."
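To make the accept-only-valid strategy concrete, here is the concatenated query from above placed next to an allow-list check and a JDBC PreparedStatement. This is example code written for this page, not code from Enright's article; the class name, the method names and the name policy in the regular expression are assumptions, while the JDBC calls are the standard java.sql API.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

/**
 * Added example (not from the article): allow-list validation of a "First Name"
 * field, the string-built query the text warns about, and the parameterised
 * replacement. Class name, method names and the name policy are assumptions.
 */
public class FirstNameInput {

    // Assumed allow-list policy: a letter, then letters, apostrophes, hyphens or
    // spaces, 1-40 characters in total. Digits, '=' and ';' are simply not on the
    // list, so there is no need to enumerate every character that could be "bad".
    private static final Pattern FIRST_NAME =
            Pattern.compile("\\p{L}[\\p{L}' -]{0,39}");

    /** Accept-only-valid check: anything that does not match the allow-list is rejected. */
    public static boolean isValidFirstName(String s) {
        return s != null && FIRST_NAME.matcher(s).matches();
    }

    /** The query the text describes: the raw value tacked onto the end of the SQL string. */
    public static String buildUnsafeQuery(String name) {
        return "select * from customers where name = '" + name + "'";
    }

    /** Hardened lookup: reject invalid input first, then bind the value as a parameter. */
    public static ResultSet findCustomers(Connection conn, String name) throws SQLException {
        if (!isValidFirstName(name)) {
            throw new IllegalArgumentException("first name rejected by input validation");
        }
        // The driver sends the bound value as data, never as part of the SQL text,
        // so an apostrophe in a legitimate name such as O'Brien is harmless here.
        PreparedStatement ps =
                conn.prepareStatement("select * from customers where name = ?");
        ps.setString(1, name);
        return ps.executeQuery();   // caller closes the ResultSet and statement
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two legitimate names, the attack string from the
        // text, and a string that the allow-list alone would let through.
        String[] samples = { "Jane", "O'Brien", "Jane' or 1=1 --", "Jane' --" };
        for (String s : samples) {
            System.out.println("input:        " + s);
            System.out.println("unsafe query: " + buildUnsafeQuery(s));
            System.out.println("valid?        " + isValidFirstName(s));
            System.out.println();
        }
    }
}
```

Running main shows "Jane' or 1=1 --" rejected because '1' and '=' are not on the list, while "Jane" and "O'Brien" pass. It also shows the caveat: "Jane' --" consists only of letters, an apostrophe, a space and hyphens, so the allow-list accepts it and the concatenated query becomes select * from customers where name = 'Jane' --', with the trailing quote commented out. Validation narrows what reaches the database, but it is the parameter binding in findCustomers that keeps the value from ever being parsed as SQL.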
In Also in Java Today, Application Development Trends magazine has posted a summary of Enterprise Systems' 2005 Salary Survey, providing links to each of the four parts of the detailed survey. ADT says "Overall, there is a cautious optimism about new and ongoing opportunities in IT which may translate into increased compensation... The IT job market has been strengthening over the past year, but many organizations have been aggressively cost cutting, keeping their IT departments lean and mean, according to a new salary survey of 1,170 enterprise IT sites conducted by Enterprise Systems." Looking specifically at how Java skills fare in different positions (see Part 1 of the detailed survey), Java is in the middle of the pack for Programmer Analyst salaries, ahead of VB and COBOL, but behind C/C++ and CICS. For Applications Programmers, Java trails only C/C++, but is at the back of the pack for Systems Programmers.
One of the most ambitious Java desktop applications fares poorly in a recent NewsForge review. In ThinkFree Office? Think Again, Bruce Byfield writes: "Running on GNU/Linux, ThinkFree Office performs far better than many people would expect a Java application to run." However, he criticizes its mimicry of the Microsoft Office GUI layout, instability with large documents, and problems when importing MS Office documents.
In Projects and Communities, the Flying Saucer team has announced Release 5 of their pure-Java XHTML/CSS renderer. Aside from performance improvements, they've also improved absolute positioning, float and clear support, and :hover and rollover support. Release 5 also provides directory listing in the browser, image browsing, proper DTD support, and more.
The bindmark project provides a comparison of open-source and commercial XML-to-Java binding libraries. While subjective factors like ease-of-use are detailed, most of the development is for performance comparisons. A recent update to the test schema improved the fairness of how certain numeric items are handled.
Kohsuke Kawaguchi has tips on FastInfoset in today's Weblogs: "FastInfoset is an alternative way to represent/transfer XML infoset, which is generally much smaller and faster than textual XML representation. Some people asked in the forums how to use FastInfoset with JAXB. This is how."
Ben Galbraith shows off My Ultimate Home Office: "Over the past few years, I've been doing a lot of consulting out of my home office, and the trend will continue for at least the next year. Recently I decided, 'Hey, if I'm going to be spending a lot of time in here, I might as well spruce up the place a bit.' Over the past few weeks, I've upgraded. Let me tell you what I've got, why I like it, and in some cases, why I still haven't found nirvana yet."
In Easier to access GlassFish, Carla Mott announces: "We removed click-through and just made it easier to participate in project GlassFish."
There are more forward-looking posts in today's Forums. In Re: #region like what is in C#, euxx writes:
"By the way, code-level annotations would allow hinting UML tools that do round-tripping for non-class diagrams (e.g. sequence and activity). For instance, stick labels and other UML info to the code. Actually I love how it has been done for class diagrams in Together, but code-level annotations would allow to move things even further."
jitu has some ideas in Re: Deployment of a Web Service:
"JAXWS 2.0 spec won't define deployment but 109.next would specify deployment requirements for JAXWS services. I think there is a way to do deployment without descriptors in some cases on 109-aware containers. JAXWS RI works in non-109-aware containers and it has a proprietary deployment descriptor."
In today's java.net News Headlines:
- JBuilder 2006
- GNU Classpath 0.18
- Content Repository for Java Technology API 2.0 Submission to JCP
- JDots - Java Dynamic Object Tree System
- Stripes Initial Release - Web Presentation Framework
Registered users can submit news items for the java.net News Page using our news submission form. All submissions go through an editorial review before being posted to the site. You can also subscribe to the java.net News RSS feed.
Current and upcoming Java Events:
- September 9-11, 2005 - Greater Michigan Software Symposium
- September 14, 2005 - DataDirect Design Previews
- September 14-15, 2005 - JavaZone 2005
- September 15, 2005 - Fort Worth JUG: An Introduction to the Standard Widget Toolkit (SWT)
- September 16-18, 2005 - Great Lakes Software Symposium
- September 20-21, 2005 - JCP Program Training and Communication sessions
- September 20, 21, 22, 28, and 29 2005 - DataDirect Design Previews (five events: Washington DC, New York, Boston MA, Santa Clara CA, and Irvine CA)
- September 23-25, 2005 - New England Software Symposium 2005: Fall Edition
- September 26-27, 2005 - JXTA Kitchen
- September 30-October 2, 2005 - Western Canada Java Software Symposium 2005
- October 17, 2005 - Workshop Eclipse RCP
- October 19-20, 2005 - 9th Jini Community Meeting
Registered users can submit event listings for the java.net Events Page using our events submission form. All submissions go through an editorial review before being posted to the site.
Archives and Subscriptions: This blog is delivered weekdays as the Java Today RSS feed. Also, once this page is no longer featured as the front page of java.net it will be archived along with other past issues in the java.net Archive.