For a university project I have to develop a web based application using Java Enterprise Edition which will be based on Apache Tomcat. After doing some initial setup on my development machine I did some simple tests to see whether everything works. So my first JSP file looked something like this:
Coming from web security I knew this was an XSS security problem since the user data is directly given to the output stream. Of course this is simple test code, but as a self-proclaimed web security expert I have to think about such issues before even starting with the implementation of the real app - even though the real app is just for university. So I browsed through the JEE documentation to find some method to encode HTML output, then I asked a few friends with more Java experience, and the only solution I found was using Apache Commons' org.apache.commons.lang.StringEscapeUtils, which is no part of the JEE framework, a framework which was created with web apps in mind. How can that be? Are JSP-based applications supposed to be unsafe? - And people say PHP was unsafe, which really was made for "solving the web problem" and offers all the things you need in its core API.
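The situation described above, as an added example that is not the post's own JSP: a render method that concatenates a request value straight into markup next to the same method with the value encoded. The `escapeHtml` helper is a hand-rolled stand-in for what `StringEscapeUtils.escapeHtml` from Apache Commons Lang does for the characters that matter in an HTML text node or quoted attribute; the class and method names are assumed for the example.

```java
// Added example, not the author's code. Plain Java so it compiles with javac
// alone; in the real page the same strings would be written to the JSP output.
public class GreetingDemo {

    // Vulnerable: request data is concatenated straight into the markup,
    // which is what the post's first JSP test page did.
    static String renderUnsafe(String name) {
        return "<p>Hello " + name + "</p>";
    }

    // Hardened: the same markup with the user-controlled value encoded.
    static String renderSafe(String name) {
        return "<p>Hello " + escapeHtml(name) + "</p>";
    }

    // Minimal HTML entity encoder for text nodes and quoted attributes.
    // ' is written as &#39; because &apos; is not defined in HTML 4;
    // null is treated as an empty string.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed input standing in for a request parameter.
        String name = "<script>alert(1)</script>";
        System.out.println(renderUnsafe(name)); // the script element reaches the browser
        System.out.println(renderSafe(name));   // shown as literal text instead
    }
}
```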
This night I came back from a trip to Kaunas (Lithuania) where my friend Johann and I gave some security consulting. Although I didn't see much of the country (basically I just saw the hotel, some office building and a shopping mall) it was a nice trip which also produced some media attention in the Lithuanian press.
Since I don't know much about C# and .Net I often discover little things while working with it. I want to use this place to collect a few of them. Most people in my environment know that I know quite some things about HTTP and network communication. So I was recently asked by one of my relatives to assist in a test where they were putting two different systems together for the first time, since the guy responsible for that communication part wasn't available on that day. One system ("we") was written using C# ASPX; the other ("they") was an SAP system developed in ABAP. The specification wasn't that complicated and read something like "Their system does an HTTP POST request to our system, sending an XML document, which can be validated using an XSD schema, to us and doesn't care about returned values or anything." Since I'm curious how such things work I built a short test application...