Tuesday, March 23, 2010

StackOverflow : There goes my rep!

Before the big recalculation:




(That's 4595 !)
and after:




(That's 3636 !)
Enjoy!

Misc : Can't login to Stack Overflow with Blogger OpenID

Suddenly couldn't login to Stack Overflow or it's "family" (Meta, ServerFault, SuperUser etc.) using my Blogger OpenID. (Cue: Major panic).

Mr. Google to the rescue - the answer is here in this article How to upgrade your Blogger OpenID to a decent one.

Note: I did not get the length error reported in some posts but the above sorted out my problem.

Tip: To ensure this doesn't happen again, get an alternate OpenID - I used Google. Just click on your user name at the top of the StackOverflow screen and then click "Change OpenID" (next to the "Edit" hyperlink). You then get an "openid" and a "alt openid" and you can swap the two around using the "swap" hyperlink.

Enjoy!

Wednesday, March 10, 2010

Preventing Cross-Site scripting in Java

You can read about XSS here: Cross-site scripting

Been trying to figure out how to disable it using html encoding and what Java libraries are available.

OWASP's site has an article on this: http://www.owasp.org/index.php/How_to_perform_HTML_entity_encoding_in_Java

To quote:

"Injection attacks rely on the fact that interpreters take data and execute it as commands. If an attacker can modify the data that's sent to an interpreter, they may be able to make it misbehave. One way to help prevent this from happening is to encode the attacker's data in such a way that the interpreter will not get confused. HTML entity encoding is just such an encoding mechanism for many interpreters."

There are two ways to encode the data viz. entity reference and numeric reference:

From Wikipedia:
http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references

An entity reference uses the "&" symbol:

& quot; (double) quotation mark
& amp; ampersand
& apos; apostrophe (= apostrophe-quote)
& lt; less-than sign
& gt; greater-than sign

A numeric character reference refers to a character by its Universal Character Set/Unicode code point, and uses the format

&#nnnn;
or

&#xhhhh;
where nnnn is the code point in decimal form, and hhhh is the code point in hexadecimal form

Although the OWASP article mentioned above talks about entity references, the code sample enclosed actually uses numeric entity encoding i.e.

<script></script>

encodes as:

&hash60;script&hash62;&hash60;&hash47;script&hash62;

where "hash" = the "#" character

Some further research around this issue leads to:
AntiXSS for Java which is a port to Java of the Microsoft Anti-Cross Site Scripting (AntiXSS) library for .NET applications

and to:
Open Web Application Security Project (OWASP)

which has a:
Enterprise Security API (ESAPI)

Click on the "Java EE" tab. There are two ways to invoke the functionality. One uses the classes directly:



import org.owasp.esapi.codecs.HTMLEntityCodec;

public static StringBuilder esapiCodecHtml (String s)
{
HTMLEntityCodec hec = new HTMLEntityCodec();
StringBuilder b = new StringBuilder(s.length());
char[] immune = { ',', '.', '-', '_', ' ' };
String returnStr = "";

String clean = ESAPI.encoder().canonicalize(s);
System.out.println ("Cleaned result is " + clean);

for (int i = 0; i < s.length(); i++)
{
char ch = s.charAt(i);
returnStr = hec.encodeCharacter(immune, ch);
b.append(returnStr);
}

return b;
}


Note: ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks. Failure to canonicalize input is a very common mistake when implementing validation schemes. Canonicalization is automatic when using the ESAPI Validator.

and the other uses the wrapper:



import org.owasp.esapi.ESAPI;

public static String esapiEncodeForHTML (String s)
{
String returnStr = "";

String clean = ESAPI.encoder().canonicalize(s);
System.out.println ("Cleaned result is " + clean);
returnStr = ESAPI.encoder().encodeForHTML(s);

return returnStr;
}


They both convert <script></script> to andlt;scriptandgt;andlt;&hashx2f;scriptandgt;

where "and" is the "&" character.

Interestingly, this is a combination of both reference types.

Just to note: The example at the top converted the "/" to &hash47; whereas ESAPI converts it to &hashx2f; This is because one is decimal and one is hex!

Asides:

Refer to:

XSS (Cross Site Scripting) Prevention Cheat Sheet

Refer to my SO question:

Java - XSS - HTML encoding - Character entity reference vs. Numeric entity reference

Enjoy!

Thursday, March 04, 2010

IE : Enter won't submit the form

Wasted hours trying to fix this problem with IE. Firefox works A-OK.

Using JSP and if you have a form with one input field and the Submit button is not labelled Submit, then IE will not submit the form data on Enter. You have to click the "Submit" button to get it to work.

So jumped into Stack Overflow and here's the answer to my question
here.

Enjoy!