Before the big recalculation:
(That's 4595 !)
and after:
(That's 3636 !)
Enjoy!
Ideas and thoughts about Microsoft Identity, C# development, cabbages and kings and random flotsam on the incoming tide
Tuesday, March 23, 2010
Misc : Can't login to Stack Overflow with Blogger OpenID
Suddenly I couldn't log in to Stack Overflow or its "family" (Meta, ServerFault, SuperUser etc.) using my Blogger OpenID. (Cue: major panic.)
Mr. Google to the rescue - the answer is in this article: How to upgrade your Blogger OpenID to a decent one.
Note: I did not get the length error reported in some posts, but the above sorted out my problem.
Tip: To ensure this doesn't happen again, get an alternate OpenID - I used Google. Just click on your user name at the top of the Stack Overflow screen and then click "Change OpenID" (next to the "Edit" hyperlink). You then get an "openid" and an "alt openid", and you can swap the two around using the "swap" hyperlink.
Enjoy!
Wednesday, March 10, 2010
Preventing Cross-Site scripting in Java
You can read about XSS here: Cross-site scripting
I've been trying to figure out how to prevent it using HTML encoding, and what Java libraries are available.
OWASP's site has an article on this: http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java
To quote:
"Injection attacks rely on the fact that interpreters take data and execute it as commands. If an attacker can modify the data that's sent to an interpreter, they may be able to make it misbehave. One way to help prevent this from happening is to encode the attacker's data in such a way that the interpreter will not get confused. HTML entity encoding is just such an encoding mechanism for many interpreters."
There are two ways to encode the data, viz. entity references and numeric references.
From Wikipedia:
http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references
An entity reference uses the "&" symbol followed by a name:
&quot; (double) quotation mark
&amp; ampersand
&apos; apostrophe (= apostrophe-quote)
&lt; less-than sign
&gt; greater-than sign
A numeric character reference refers to a character by its Universal Character Set/Unicode code point, and uses the format
&#nnnn;
or
&#xhhhh;
where nnnn is the code point in decimal form, and hhhh is the code point in hexadecimal form.
Although the OWASP article mentioned above talks about entity references, the code sample enclosed actually uses numeric entity encoding, i.e.
<script></script>
encodes as:
&#60;script&#62;&#60;&#47;script&#62;
Some further research around this issue leads to AntiXSS for Java, which is a port to Java of the Microsoft Anti-Cross Site Scripting (AntiXSS) library for .NET applications, and to the Open Web Application Security Project (OWASP), which has an Enterprise Security API (ESAPI).
Click on the "Java EE" tab. There are two ways to invoke the functionality. One uses the classes directly:
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.HTMLEntityCodec;

public static StringBuilder esapiCodecHtml(String s)
{
    HTMLEntityCodec hec = new HTMLEntityCodec();
    StringBuilder b = new StringBuilder(s.length());
    // Characters that are passed through unencoded
    char[] immune = { ',', '.', '-', '_', ' ' };
    // Canonicalize first so any already-encoded input becomes visible. The cleaned
    // form is only printed here for inspection; the original string is what is encoded.
    String clean = ESAPI.encoder().canonicalize(s);
    System.out.println("Cleaned result is " + clean);
    // Encode one character at a time with the HTML entity codec
    for (int i = 0; i < s.length(); i++)
    {
        char ch = s.charAt(i);
        b.append(hec.encodeCharacter(immune, ch));
    }
    return b;
}
Note: ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks. Failure to canonicalize input is a very common mistake when implementing validation schemes. Canonicalization is automatic when using the ESAPI Validator.
and the other uses the wrapper:
import org.owasp.esapi.ESAPI;

public static String esapiEncodeForHTML(String s)
{
    // Canonicalize first so any already-encoded input becomes visible (printed for inspection only)
    String clean = ESAPI.encoder().canonicalize(s);
    System.out.println("Cleaned result is " + clean);
    // Encode the original string for an HTML text context
    return ESAPI.encoder().encodeForHTML(s);
}
They both convert <script></script> to &lt;script&gt;&lt;&#x2f;script&gt;
Interestingly, this is a combination of both reference types.
Just to note: the example at the top converted the "/" to &#47; whereas ESAPI converts it to &#x2f;. This is because one is decimal and one is hex!
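As an added example (not code from this post, OWASP ESAPI or AntiXSS), here is a dependency-free Java class that does the two things the ESAPI snippets above do: output-encode for an HTML text context with the same immune list, producing the named-plus-hex-numeric mix observed above, and canonicalize entity and numeric references before validation, which is the step the note above warns about. The class and method names are my own, and the sample inputs are constructed.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class HtmlEncodeDemo {
    // Named references for the characters the HTML parser itself interprets.
    private static final Map<Character, String> NAMED =
        Map.of('&', "&amp;", '<', "&lt;", '>', "&gt;", '"', "&quot;");
    private static final Set<Character> IMMUNE = Set.of(',', '.', '-', '_', ' '); // passed through unchanged
    private static final Map<String, String> DECODE =
        Map.of("amp", "&", "lt", "<", "gt", ">", "quot", "\"", "apos", "'");
    private static final Pattern REF =
        Pattern.compile("&(?:#[xX](?<hex>[0-9a-fA-F]{1,6})|#(?<dec>[0-9]{1,7})|(?<name>amp|lt|gt|quot|apos));");

    // HTML text-context output encoding: ASCII alphanumerics and immune chars pass through, HTML
    // metacharacters get a named reference, anything else a hex numeric reference (&#xhhhh;).
    public static String encodeForHtml(String s) {
        StringBuilder b = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            if ((ch < 128 && Character.isLetterOrDigit(ch)) || IMMUNE.contains(ch)) b.append(ch);
            else if (NAMED.containsKey(ch)) b.append(NAMED.get(ch));
            else b.append("&#x").append(Integer.toHexString(ch)).append(';');
        }
        return b.toString();
    }

    // Canonicalization: resolve references to the characters they denote, repeating until stable so
    // double-encoded input (&amp;lt;) reduces too. Validate this result, never the raw input:
    // the constructed input "&#60;script&#62;" contains no "<" until it has been canonicalized.
    public static String canonicalize(String s) {
        String prev;
        do {
            prev = s;
            Matcher m = REF.matcher(s);
            StringBuilder out = new StringBuilder();
            while (m.find()) {
                String decoded;
                if (m.group("name") != null) decoded = DECODE.get(m.group("name"));
                else {
                    int cp = m.group("hex") != null ? Integer.parseInt(m.group("hex"), 16) : Integer.parseInt(m.group("dec"));
                    if (!Character.isValidCodePoint(cp)) continue; // leave a malformed reference as-is
                    decoded = new String(Character.toChars(cp));
                }
                m.appendReplacement(out, Matcher.quoteReplacement(decoded));
            }
            m.appendTail(out);
            s = out.toString();
        } while (!s.equals(prev));
        return s;
    }
}
```

encodeForHtml("<script></script>") yields the same &lt;script&gt;&lt;&#x2f;script&gt; shown above, and canonicalize("&#60;script&#62;") returns the literal <script> that a validator needs to see.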
Asides: refer to the XSS (Cross Site Scripting) Prevention Cheat Sheet, and to my SO question: Java - XSS - HTML encoding - Character entity reference vs. Numeric entity reference.
Enjoy!
Thursday, March 04, 2010
IE : Enter won't submit the form
I wasted hours trying to fix this problem with IE. Firefox works A-OK.
I'm using JSP, and if you have a form with one input field and the Submit button is not labelled "Submit", then IE will not submit the form data on Enter. You have to click the "Submit" button to get it to work.
So I jumped into Stack Overflow, and the answer to my question is here.
Enjoy!