Keep 'Em Separated
Keep malicious code out of your web app
In the first installment of his series on web app security and validating input, Stephen Enright showed some surprisingly effective attacks that could be carried out by sending SQL statements in HTML form values. But of course, the server is only one half of the security story. The browser also offers opportunities for mischief.
In the Feature Article, Handling Java Web Application Input, Part 2, he takes a look at cross-site scripting, the name given to a variety of attacks that insert code from an external source, often using the <script> tag, but potentially launchable from images, objects, anchors, and other content. Even the <body> tag offers an avenue for attack. After surveying the broad variety of possible attacks, Stephen shows how filtering and output encoding can be used to thwart them:
The appearance of automated tools and the incorporation of new features into the various specifications and web browsers has resulted in attackers finding new and innovative ways to exploit an application through application input. An attacker can initiate an attack through a web browser by constructing attack strings, sending them via an HTTP GET request through URL tampering, via an HTTP POST request through HTML forms, or by other means. It is therefore critical that any possibility for data being input into an application from an external source is carefully analyzed, and secure coding practices put in place to meet the specific validation needs of an application in order to neutralize any threats.
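As an added illustration (not code from the article or from this blog), here is a minimal Java output-encoding helper of the kind the article's filtering-and-encoding advice calls for: it escapes the characters that could close an element or attribute, so a value that arrived via a form or URL is rendered as text rather than markup. The class name, the allow-list check, and the sample strings are constructed for this example.

```java
import java.util.List;

/** Output-encoding helper for untrusted values rendered into HTML. */
public final class HtmlEncoder {

    /** Encode for HTML element content and for double-quoted attribute values. */
    public static String forHtml(String input) {
        if (input == null) return "";
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Allow-list validation for fields that must be a plain identifier (e.g. a category key). */
    public static boolean isPlainIdentifier(String input) {
        return input != null && input.matches("[A-Za-z0-9_-]{1,64}");
    }

    public static void main(String[] args) {
        // Constructed sample inputs, standing in for form or URL values.
        List<String> samples = List.of(
            "Alice",
            "<script>alert(1)</script>",
            "\" onmouseover=\"alert(1)");
        for (String s : samples) {
            // Same encoder serves element content and a quoted attribute.
            System.out.println("<p>" + forHtml(s) + "</p>");
            System.out.println("<input value=\"" + forHtml(s) + "\">");
            System.out.println("accepted as identifier: " + isPlainIdentifier(s));
        }
    }
}
```

Encoding is context-specific: the same value placed inside a URL, a JavaScript string, or a CSS rule needs a different encoder, and allow-list validation should reject input that has no business containing markup at all.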
Oyvind Bakksjo kicks off today's Weblogs with some Java Exception Handling Patterns (Part 1):
"Recommendations and best practices for exception handling in Java. General rule: Write separate classes for all your exceptional conditions. Declare for each method exactly which of these are thrown. Do not declare to throw some big, fat, one-exception-to-rule-them-all."
Ed Burns is working on Clearing Up JSF 1.2, JSF 1.1 and MyFaces Confusion:
"A couple of weeks ago, Rick Hightower asked some pointed questions and made some interesting assertions about JSF 1.2, JSF 1.1 and MyFaces in his blog. This blog entry is a response to that blog."
The demise of The JavaCast comes as a disappointment to blogger Simon Brown:
"Having just come back from holiday, I fired up iTunes hoping to get a new JavaCast that I could listen to on the way to work. Unfortunately, this wasn't going to be the case."
TheServerSide is asking readers How Should Tutorials Be Written? "Tutorials are hard to write. If you make them too short, they tend not to convey the information people need; if you make them too long, people lose patience and stop reading them. Likewise, examples need to be real-world, but real-world examples tend to be too complex to communicate in a tutorial." Three trouble spots identified by TSS are inadequately scoped tutorials, overly complex APIs that don't lend themselves to tutorial treatment, and an inappropriate level of abstraction.
The O'Reilly Network Databases site notes the opening of the ODBMS.org site. A news release for ODBMS.ORG says it "provides the most up-to-date collection of free materials on object database technology on the Internet. ODBMS.ORG was created to serve faculty and students at educational and research institutions as well as OO software developers in the open source community or at commercial companies. It is designed to meet the fast-growing need for resources focusing on object database technology and the integration of object-oriented programming and databases. All materials and downloads are free and anonymous."
In Projects and Communities, the Linux Community home page notes the progress of GNU Classpath: "A week ago the developers of Classpath, a F/OSS replacement for the J2SE class library, reached 90% of all API implemented and working. Interested readers should also visit Planet Classpath for info about when the updates will be available on major F/OSS JVMs."
The most recent Java Tools Community Newsletter discusses challenges and offers advice for dealing with varying character encodings and shared source: "This is particularly troublesome for open source projects, where people from all over the world, working in different languages and operating systems, share a single codebase."
In today's Forums, ochkarik calls for FS extended attributes and FS notifications in Java:
"There exists a class of problems that cannot be given a scalable solution with current J2SE. These include, for example, an enterprise file management solution, and a desktop search engine. Imagine we have to develop a web-based interface for file uploading, with metadata storage (author, public/private flag, category, keywords), and with concurrent access to the file repository as a regular filesystem, for further categorization, renaming/moving, sorting, FTP access (important!). Due to missing filesystem extended attributes and filesystem notification support, a J2SE solution is going to be extremely inefficient. (I'm going to explain this further if there is an interest.)"
arnaud_roques has some design ideas in Re: Immutable java.lang.DateTime class:
"A lot of people agree that Date should be immutable. We understand that it's not easy to define new classes such as DateTime in a future release of Java. But here is an idea of what can easily be done: 1) Put @Deprecated on setTime() of the java.util.Date class. 2) Like the java.util.Collections class, have something like a java.util.Dates class, with public static Date unmodifiableDate(Date date): Returns an unmodifiable view of the specified Date. This method allows modules to provide users with "read-only" Dates, and attempts to modify the returned Date result in an UnsupportedOperationException. What do you think about it?"
In today's java.net News Headlines:
- JBoss EJB RC2 & Embeddable Container Alpha 2
- Jetty 6.00 alpha 3
- Magnolia CMS Adds Digital Media Editing
- Compiler Allows C Programs on Java Accelerator Chip
Registered users can submit news items for the java.net News Page (http://today.java.net/today/news/) using our news submission form. All submissions go through an editorial review before being posted to the site. You can also subscribe to the java.net News RSS feed (http://today.java.net/pub/q/news_rss?x-ver=1.0).
Current and upcoming Java Events:
- September 20-21, 2005 - JCP Program Training and Communication sessions
- September 20, 21, 22, 28, and 29, 2005 - DataDirect Design Previews (five events: Washington DC, New York, Boston MA, Santa Clara CA, and Irvine CA)
- September 21-23, 2005 - BelJungle 2005
- September 22, 2005 - Hong Kong JUG - Monitoring and Managing in Java SE 5
- September 23-25, 2005 - New England Software Symposium 2005: Fall Edition
- September 26-27, 2005 - JXTA Kitchen
- September 28, 2005 - Lucent Developer Focus Event at CTIA Wireless Conference
- September 30-October 2, 2005 - Western Canada Java Software Symposium 2005
- October 5-7, 2005 - Java in Action
- October 7-9, 2005 - Greater Nebraska Software Symposium
- October 14-16, 2005 - Pacific Northwest Software Symposium
- October 16-20, 2005 - OOPSLA 2005
- October 17, 2005 - Workshop Eclipse RCP
- October 19-20, 2005 - 9th Jini Community Meeting
- October 21-23, 2005 - Greater Atlanta Software Symposium
- October 28-30, 2005 - Northern Virginia Software Symposium
- November 1-4, 2005 - Enterprise Java Architecture Workshop: San Francisco
- November 4-6, 2005 - Lone Star Software Symposium 2005: Dallas Edition
- December 7-10, 2005 - The Spring Experience 2005
- December 10-14, 2005 - ApacheCon 2005
- December 12-16, 2005 - JavaPolis 2005
Registered users can submit event listings for the java.net Events Page (http://www.java.net/events) using our events submission form (http://today.java.net/cs/user/create/e). All submissions go through an editorial review before being posted to the site.
Archives and Subscriptions: This blog is delivered weekdays as the Java Today RSS feed. Also, once this page is no longer featured as the front page of java.net it will be archived along with other past issues in the java.net Archive (http://today.java.net/today/archive/).