Keep 'Em Separated
Posted by editor on September 20, 2005 at 6:21 AM PDT

Keep malicious code out of your web app

In the first installment of his series on web app security and validating input, Stephen Enright showed some surprisingly effective attacks that could be carried out by sending SQL statements in HTML form values. But of course, the server is only one half of the security story. The browser also offers opportunities for mischief. In the Feature Article, Handling Java Web Application Input, Part 2, he takes a look at cross-site scripting, which describes a variety of attacks that insert code from an external source, often using the <script> tag, but potentially launchable from images, objects, anchors, and other content. Even the <body> tag offers an avenue for attack. After showing the broad variety of possible attacks, Stephen shows how filtering and encoding practices can be used to thwart attackers:
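The encoding defence the article describes, as an added example rather than code from the article or from java.net: every character that the HTML parser treats as markup is replaced with its entity before an untrusted form value is written into the response, so a submitted <script> tag is displayed as text instead of executed. The helper names htmlEncode and renderComment are this example's own.

```java
/** Added example (not from the java.net article): output encoding for untrusted
 *  values rendered into an HTML element body. htmlEncode and renderComment are
 *  hypothetical names chosen for this example. */
public class HtmlOutputEncoding {

    /** Replace every character with meaning to the HTML parser by its entity. */
    static String htmlEncode(String untrusted) {
        if (untrusted == null) return "";
        StringBuilder sb = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // &apos; is not defined in HTML 4
                case '/':  sb.append("&#47;");  break; // defensive: cannot close a tag
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Build the fragment exactly as a servlet or JSP would write it to the response:
     *  both values came from the request, so both are encoded, not just the body. */
    static String renderComment(String author, String body) {
        return "<p class=\"comment\"><b>" + htmlEncode(author) + "</b>: "
             + htmlEncode(body) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input: a form value carrying the script tag the
        // article names. Encoded, it reaches the browser as inert text.
        String hostile = "<script>alert('xss')</script>";
        System.out.println(renderComment("guest", hostile));
    }
}
```

This encoder is only correct for text placed in an element body or a quoted attribute; a value inserted into a JavaScript block, a style attribute or a URL needs the encoder for that context, and encoding complements rather than replaces the input validation from Part 1.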
Oyvind Bakksjo kicks off today's Weblogs with some Java Exception Handling Patterns (Part 1): "Recommendations and best practices for exception handling in Java. General rule: Write separate classes for all your exceptional conditions. Declare for each method exactly which of these are thrown. Do not declare to throw some big, fat, one-exception-to-rule-them-all."

Ed Burns is working on Clearing Up JSF 1.2, JSF 1.1 and MyFaces Confusion: "A couple of weeks ago, Rick Hightower asked some pointed questions and made some interesting assertions about JSF 1.2, JSF 1.1 and MyFaces in his blog. This blog entry is a response to that blog."

The demise of The JavaCast comes as a disappointment to blogger Simon Brown: "Having just come back from holiday, I fired up iTunes hoping to get a new JavaCast that I could listen to on the way to work. Unfortunately, this wasn't going to be the case."

In Also in Java Today, TheServerSide is asking readers How Should Tutorials Be Written? "Tutorials are hard to write. If you make them too short, they tend not to convey the information people need; if you make them too long, people lose patience and stop reading them. Likewise, examples need to be real-world, but real-world examples tend to be too complex to communicate in a tutorial." Three trouble spots identified by TSS include inadequately scoped tutorials, overly complex APIs that don't lend themselves to tutorial treatment, and an inappropriate level of abstraction.

The O'Reilly Network Databases site notes the opening of the ODBMS.org site. A news release for ODBMS.ORG says it "provides the most up-to-date collection of free materials on object database technology on the Internet. ODBMS.ORG was created to serve faculty and students at educational and research institutions as well as OO software developers in the open source community or at commercial companies. It is designed to meet the fast-growing need for resources focusing on object database technology and the integration of object-oriented programming and databases. All materials and downloads are free and anonymous."

In Projects and Communities, the Linux Community home page notes the progress of GNU Classpath: "A week ago the developers of Classpath, a F/OSS replacement for the J2SE class library, reached 90% of all API implemented and working. Interested readers should also visit Planet Classpath for info about when the updates will be available on major F/OSS JVMs."

The most recent Java Tools Community Newsletter discusses challenges and offers advice for dealing with varying character encodings and shared source: "This is particularly troublesome for open source projects, where people from all over the world, working in different languages and operating systems, share a single codebase."
In today's Forums,
In today's java.net News Headlines:

Registered users can submit news items for the java.net News Page using our news submission form. All submissions go through an editorial review before being posted to the site. You can also subscribe to the java.net News RSS feed.

Current and upcoming Java Events:

Registered users can submit event listings for the java.net Events Page using our events submission form. All submissions go through an editorial review before being posted to the site.

Archives and Subscriptions: This blog is delivered weekdays as the Java Today RSS feed. Also, once this page is no longer featured as the front page of java.net it will be archived along with other past issues in the java.net Archive.