Tag: Security
Protecting web requests
by ricardoz on Jul.15, 2011, under JavaScript, Security, Tips, Web related
Afraid of malicious injections in your web app requests? Here's a simple way to improve your application's security: push every request parameter through a filtering function before it is fed to your application code.
Such a function can be as simple as:
```java
private String cleanParameter(String value) {
    if (value != null) {
        // Remove script-like constructs first, while the characters they rely on are still raw.
        // (In the original ordering these two patterns ran after the escaping below, so the
        // parentheses and quotes they look for had already been turned into entities and
        // they could never match; the order is corrected here.)
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        // Escape HTML/XML metacharacters as entities. The page rendered the entities decoded;
        // &lt; and &gt; are certain, the numeric entities for ( ) ' are the assumed originals.
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        value = value.replaceAll("'", "&#39;");
    }
    return value;
}
```
This will escape or remove potentially dangerous JavaScript code and HTML/XML tags.
You can implement this in a web filter, a Struts interceptor or a DWR filter, depending on the technology you use for your app.
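The following is an added example, not code from the post: it wires the cleaning function into a servlet `Filter`, so that every parameter an action or servlet reads has already passed through it. The class name, the `@WebFilter` mapping, the entity choices and the Servlet 3.0+ API (`Map<String, String[]>` from `getParameterMap()`) are assumptions of this example.

```java
// Added example (not from the original post): cleaning every request parameter in a
// javax.servlet Filter by wrapping the request. Assumes Servlet 3.0 or later.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

@WebFilter("/*")   // assumed mapping: every request passes through this filter
public class ParameterCleaningFilter implements Filter {

    /** Same logic as the post's cleanParameter, exposed as a static helper. */
    static String clean(String value) {
        if (value == null) return null;
        // script-like constructs removed first, while the raw characters are still present
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        // then HTML/XML metacharacters escaped as entities (entity choice is an assumption)
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        value = value.replaceAll("'", "&#39;");
        return value;
    }

    /** Request wrapper that cleans parameters on every access path, not just getParameter. */
    static class CleanedRequest extends HttpServletRequestWrapper {
        CleanedRequest(HttpServletRequest request) { super(request); }

        @Override public String getParameter(String name) {
            return clean(super.getParameter(name));
        }

        @Override public String[] getParameterValues(String name) {
            return cleanAll(super.getParameterValues(name));
        }

        @Override public Map<String, String[]> getParameterMap() {
            Map<String, String[]> cleaned = new HashMap<String, String[]>();
            for (Map.Entry<String, String[]> e : super.getParameterMap().entrySet()) {
                cleaned.put(e.getKey(), cleanAll(e.getValue()));
            }
            return cleaned;
        }

        private static String[] cleanAll(String[] values) {
            if (values == null) return null;
            String[] out = new String[values.length];
            for (int i = 0; i < values.length; i++) out[i] = clean(values[i]);
            return out;
        }
    }

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new CleanedRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);   // downstream code only ever sees cleaned values
    }

    public void destroy() { }

    // Stand-alone check of the cleaner on constructed inputs (no container needed).
    public static void main(String[] args) {
        String[] samples = { "plain text", "<b>bold</b>", "eval(x)", "'javascript:run()'" };
        for (String s : samples) {
            System.out.println(s + "  ->  " + clean(s));
        }
    }
}
```

Two caveats a reviewer would raise before relying on this alone. First, it is a blacklist: it only catches the patterns it names, so it should be treated as defence in depth, with output encoding for the context the value is rendered into (HTML body, attribute, JavaScript, URL) as the primary control. Second, escaping at input time changes the data that reaches the application, so a value such as a user's name containing an apostrophe is stored with an entity in it; be deliberate about which parameters the filter is mapped to.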
Blocking multiple clicks real easy
by ricardoz on Aug.10, 2009, under JavaScript, Performance, Security, Web related
I’ve faced this problem a few times before, but this time I decided to find a generic solution to it. I needed to prevent users from clicking action links in a web application multiple times and therefore triggering some server side action a lot of times when only one time was enough/needed.
After looking around for a few hours for an elegant solution, I just couldn't find one; all the articles and answers I found required controls on each link and/or special handling in the server-side code that reacted to them.
(continue reading…)
Trying out Google Appengine – OTP generation app
by ricardoz on Jul.15, 2009, under Security, Web related
I decided to try out the new Java-based version of Google App Engine. So I wrote a very simple web app that allows the user to generate one-time passwords (OTP) using the HMAC-SHA1 algorithm (see OATH).
You can check it out at http://obovweb.appspot.com. As the name suggests, it's based on my obov library.
(continue reading…)
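For readers who have not met the OATH algorithm the post refers to, here is an added example, written for this page and not taken from the obov library or the App Engine app: HOTP as specified in RFC 4226, an HMAC-SHA1 over an 8-byte counter, dynamically truncated to a short decimal code, plus the validation loop a server runs with a small look-ahead window. Only the JDK is used; the RFC's appendix D test secret is embedded so the output can be checked.

```java
// Added example (not the obov library's code): HOTP per RFC 4226 using the JDK's HmacSHA1.
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class Hotp {
    private static final int[] POW10 =
        {1, 10, 100, 1000, 10000, 100000, 1000000, 10000000, 100000000};

    /** HOTP(K, C): HMAC-SHA1 over the big-endian counter, dynamically truncated to 'digits'. */
    public static String generate(byte[] secret, long counter, int digits)
            throws GeneralSecurityException {
        byte[] msg = new byte[8];
        for (int i = 7; i >= 0; i--) {          // 8-byte big-endian counter
            msg[i] = (byte) (counter & 0xff);
            counter >>>= 8;
        }
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] hash = mac.doFinal(msg);         // 20 bytes

        // Dynamic truncation (RFC 4226 section 5.3): low nibble of the last byte picks the offset,
        // four bytes from there form a 31-bit integer.
        int offset = hash[hash.length - 1] & 0x0f;
        int binary = ((hash[offset] & 0x7f) << 24)
                   | ((hash[offset + 1] & 0xff) << 16)
                   | ((hash[offset + 2] & 0xff) << 8)
                   |  (hash[offset + 3] & 0xff);
        int otp = binary % POW10[digits];
        return String.format("%0" + digits + "d", otp);   // keep leading zeros
    }

    /**
     * Server-side validation: try the stored counter and the next 'window' values so a token
     * the user generated but never submitted does not lock them out. Returns the counter to
     * store next (one past the match, so the same code is never accepted twice), or -1.
     */
    public static long validate(byte[] secret, long storedCounter, int window, String candidate)
            throws GeneralSecurityException {
        for (long c = storedCounter; c < storedCounter + window; c++) {
            if (constantTimeEquals(generate(secret, c, candidate.length()), candidate)) {
                return c + 1;
            }
        }
        return -1;
    }

    /** Compare without short-circuiting on the first differing character. */
    private static boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) return false;
        int diff = 0;
        for (int i = 0; i < a.length(); i++) diff |= a.charAt(i) ^ b.charAt(i);
        return diff == 0;
    }

    public static void main(String[] args) throws Exception {
        // RFC 4226 appendix D secret; counters 0, 1, 2 give 755224, 287082, 359152
        byte[] secret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        for (long c = 0; c < 3; c++) {
            System.out.println(c + " -> " + generate(secret, c, 6));
        }
        System.out.println("validate 287082 from counter 0 -> next counter "
                + validate(secret, 0, 5, "287082"));   // prints 2
    }
}
```

The look-ahead window is the only tunable worth thinking about: too small and a few accidental presses on the token desynchronise the user, too large and an attacker who has captured one code gets more candidate counters to try. The constant-time comparison and the "store counter + 1" rule are what keep a validator from leaking the code byte by byte or accepting a replay.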
Using SSH or SFTP resources from a Java app
by ricardoz on May.22, 2009, under Security
There are many commercial SSH client libraries for Java, but it was hard to find a good open source one. Finally I stumbled upon SSHTools and I have to say it works wonderfully and the API is clean and simple.
(continue reading…)
PHP & Java interoperable encryption
by ricardoz on Jan.16, 2009, under Articles, Security, Tips
I recently faced the problem of encrypting something in PHP and decrypting it using Java, this proved to be a little more of a challenge than what it initially seemed like. (continue reading…)
obov v1.1.0 released
by ricardoz on Aug.04, 2008, under Security
A new version of obov is available for download. Some nice new features were added:
- Methods to generate passwords using the HMAC-SHA1 algorithm
- A handy utility method to generate secret keys (seeds) based on any given string
Go get it!
obov v1.0.0 released
by ricardoz on Jun.27, 2008, under Security
obov stands for OATH Based OTP validator. It’s a 100% pure Java library that provides simple to use methods to validate (and related utilities) one time passwords generated by OATH compliant devices.
(continue reading…)
Authenticate users using i5/OS (AS400) credentials
by ricardoz on May.12, 2008, under Security, Tips
The folks at IBM have a nice API to use i5/OS (AS400) stuff from Java code. Check it out at http://www-03.ibm.com/systems/i/software/toolbox/index.html.
What I particularly find very useful and have used often is to validate user names and passwords with the AS400 authentication services. The following code validates a userName and password.
(continue reading…)
Encrypting sensitive information in persistent media
by ricardoz on Apr.06, 2008, under Articles, Security
If you have ever deployed an application in a corporate environment, where an IT security officer likes to keep a tight leash on who knows each system password, you probably needed to figure out some sort of security mechanism to store the passwords your application needs to connect to some database, access a web service, etc.
The most obvious and straightforward approach is to use a symmetric algorithm, like 3DES or AES, with an encryption password hard coded in your application to encrypt/decrypt the sensitive credentials. This has several cons:
- Anyone with access to the source code of the application can decrypt all sensitive data, i.e. you can't guarantee the security officer that someone from your team/company won't abuse this
- Anyone with access to the binary files of the application and a good decompiler can decrypt all sensitive data, i.e. the security officer can't even trust his IT production staff
- To change the encryption password you have to re-deploy the application
And these are just the 3 most important issues that come to mind in 5 minutes…
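To make the three cons concrete, here is an added example (not the post's own code, which is not reproduced on this page): the "obvious" approach with the key embedded in the class, next to a variant that loads the key from a file outside the deployed artifact. Anything in the second variant, the `APP_VAULT_KEY_FILE` environment variable, the file layout and the choice of AES-GCM, is an assumption of this example and not a solution the post states.

```java
// Added example (not from the original post): hard-coded key versus a key provisioned
// outside the deployable. AES/GCM is used; the variable name and key file are assumptions.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CredentialVault {

    // Weak: the key ships inside the application. Anyone with the source, or the binaries
    // and a decompiler, recovers every credential; rotating it means redeploying.
    private static final byte[] HARD_CODED_KEY =
            "0123456789abcdef".getBytes(StandardCharsets.US_ASCII); // 16 bytes = AES-128

    public static String encryptWithHardCodedKey(String plaintext) throws GeneralSecurityException {
        return encrypt(HARD_CODED_KEY, plaintext);
    }

    // One mitigation: the key lives in a file outside the deployable, readable only by the
    // runtime account, with its path taken from the environment. Developers never hold the
    // production key, and rotation is a file change plus restart, not a rebuild.
    public static byte[] loadExternalKey() throws IOException {
        String path = System.getenv("APP_VAULT_KEY_FILE");   // assumed variable name
        if (path == null) throw new IOException("APP_VAULT_KEY_FILE not set");
        byte[] key = Files.readAllBytes(Paths.get(path));
        if (key.length != 16 && key.length != 32) {
            throw new IOException("key file must hold 16 or 32 raw bytes");
        }
        return key;
    }

    /** AES-GCM with a fresh 12-byte nonce per message; output is Base64(nonce || ciphertext+tag). */
    static String encrypt(byte[] key, String plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    static String decrypt(byte[] key, String token) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(token);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, in, 0, 12));
        // a modified token fails here with AEADBadTagException instead of yielding garbage
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String dbPassword = "s3cret-db-pass";        // constructed sample credential
        String token = encryptWithHardCodedKey(dbPassword);
        System.out.println("stored: " + token);
        System.out.println("recovered with the embedded key: " + decrypt(HARD_CODED_KEY, token));

        byte[] key = loadExternalKey();               // fails fast if the key is not provisioned
        String token2 = encrypt(key, dbPassword);
        System.out.println("recovered with the external key: " + decrypt(key, token2));
    }
}
```

Running `main` without `APP_VAULT_KEY_FILE` set stops at `loadExternalKey`, which is the intended behaviour: a missing key should be a deployment error, not a silent fallback to the embedded one. Note that moving the key out of the artifact addresses the three cons listed above (source access, binary access, redeploy on rotation) but not the fourth one every such scheme has: whoever can read the key file and the stored ciphertexts can still recover the credentials, so file permissions and the runtime account matter as much as the cipher.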