Security
Protecting web requests
by ricardoz on Jul.15, 2011, under JavaScript, Security, Tips, Web related
Afraid of malicious injections in your web app requests, heres a simple way to improve your application security. Push every request parameter through a filtering function before it’s feeded to your application code.
Such a function can be as simple as:
1 2 3 4 5 6 7 8 9 10 | private String cleanParameter(String value) { if (value != null) { value = value.replaceAll("<", "<").replaceAll(">", ">"); value = value.replaceAll("\\(", "(").replaceAll("\\)", ")"); value = value.replaceAll("'", "'"); value = value.replaceAll("eval\\((.*)\\)", ""); value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\""); } return value; } |
This will escape/remove potentially dangerous Javascript code and HTML/XML tags.
You can implement this on a web filter or a struts interceptor or a DWR filter depending on the technology you use for you app.
Asynchronous logging with log4j
by ricardoz on Nov.25, 2009, under Articles, Performance, Security
In case you are not doing it already, using asynchronous logging is generally a good idea. You don’t want your application to slow down if the server IO is a little behind flushing all that logging to the filesystem. By making it asynchronous your application can continue running without having to wait for the log lines to be written to their final destination.
My personal choice for Java logging is log4j, there are a lot of different frameworks (including Suns own logging API), but log4j works great and is extremely flexible.
(continue reading…)
Obovweb source code – a Google Appengine sample
by ricardoz on Oct.20, 2009, under Security, Tips, Web related
Someone asked me about the implementation details of the Google Appengine sample I published a few weeks ago (http://obovweb.appspot.com/). Well, you can get a hold of the source code here.
There’s not much to tell, apart from the specific HMAC-SHA1 implementation (which you can check out in Obovs source code) it’s a very simple JSP/DWR application.
Blocking multiple clicks real easy
by ricardoz on Aug.10, 2009, under JavaScript, Performance, Security, Web related
I’ve faced this problem a few times before, but this time I decided to find a generic solution to it. I needed to prevent users from clicking action links in a web application multiple times and therefore triggering some server side action a lot of times when only one time was enough/needed.
After looking around for a few hours for an elegant solution I just couldn’t find one, all the articles/answers I found required controls on each link and/or special handling on the server side code that reacted to them.
(continue reading…)
Trying out Google Appengine – OTP generation app
by ricardoz on Jul.15, 2009, under Security, Web related
I decided to try out the new Java based version of Google Appengine. So i wrote a very simple web app that allows the user to generate one time passwords (OTP) using the HMAC-SHA1 algortihm (see OATH).
You can check it out at http://obovweb.appspot.com. As the name suggests its based on my obov library.
(continue reading…)
Using SSH or SFTP resources from a Java app
by ricardoz on May.22, 2009, under Security
There are many commercial SSH client libraries for Java, but it was hard to find a good open source one. Finally I stumbled upon SSHTools and I have to say it works wonderfully and the API is clean and simple.
(continue reading…)
PHP & Java interoperable encryption
by ricardoz on Jan.16, 2009, under Articles, Security, Tips
I recently faced the problem of encrypting something in PHP and decrypting it using Java, this proved to be a little more of a challenge than what it initially seemed like. (continue reading…)
obov v1.1.0 released
by ricardoz on Aug.04, 2008, under Security
A new version of obov is available for download. Some nice new features were added:
- Methods to generate passwords using the HMAC-SHA1 algorithm
- A handy utility method to generate secret keys (seeds) based on any given string
Go get it!
obov v1.0.0 released
by ricardoz on Jun.27, 2008, under Security
obov stands for OATH Based OTP validator. It’s a 100% pure Java library that provides simple to use methods to validate (and related utilities) one time passwords generated by OATH compliant devices.
(continue reading…)
Authenticate users using i5/OS (AS400) credentials
by ricardoz on May.12, 2008, under Security, Tips
The folks at IBM have a nice API to use i5/OS (AS400) stuff from Java code. Check it out at http://www-03.ibm.com/systems/i/software/toolbox/index.html.
What I particularly find very useful and have used often is to validate user names and passwords with the AS400 authentication services. The following code validates a userName and password.
(continue reading…)