Entries tagged as xss
Apr 19: Building WebApps with JEE
For a university project I have to develop a web based application using Java Enterprise Edition which will be based on Apache Tomcat. Afterdoing some initial setup on my development machine I did some simple tests to see whether everything works. So my first JSP file looked something like this:
<html>
<body>
<%
out.println(request.getParameter("foo"));
%>
</body>
</html>Coming from web security I knew this being a XSS security problem since the user data is directly given to the output stream. Of course this is simple test code but as a self proclaqimed web security expert I havbe to think about such issues before even starting with implementation of the real app - even though the real app is just for university. So I browsed through the JEE documentation to find some method to encode HTML output so I asked a few friends with more Java experience and the only solution I found was using Apache Commons' org.apache.commons.lang.StringEscapeUtils which is no part of the JEE framework, a framework which was created with web apps in mind. How can that be? Are JSP based applications supposed to be unsafe? - And people say PHP was unsafe, which really was made for "solving the web problem" and offers all the things you need in it's core API.
Apr 21: Back from Lithuania
This night I came back from a trip to Kaunas (Lithuania) where my friend Johann and me gave some security consulting. Although I didn't see much of the country (basically I just saw the Hotel, some office building and a shopping mall) it was a nice trip which also produced some media attention in the Lithuanian press.