<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>Framework Magic</title><description>2014-12-30 07:41:42 - John Melton's Weblog : Overview. I've already written a bit about frameworks, both about using others' and about building your own. This post will look at using existing frameworks a bit more, specifically around interesting security features. Most of the discussion in the security area as it relates to frameworks is about CVEs (Common Vulnerabilities and Exposures). That's reasonable, ...</description><link>http://www.secuobs.com/revue/news/552299.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/552299.shtml</guid></item>
<item><title>Year Of Security for Java - Conclusion and Links</title><description>Secuobs.com : 2013-01-08 06:37:17 - John Melton's Weblog - Year Of Security for Java. This will serve as the conclusion to a year-long series on security topics for Java. Let's first look at the original motivations from the series introduction. There are several motivations for this series: 1. Get some old topics written down 2. Research some new technologies 3. Write 4. Learn 5. ...</description><link>http://www.secuobs.com/revue/news/420353.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/420353.shtml</guid></item>
<item><title>Year of Security For Java - PDF</title><description>Secuobs.com : 2013-01-08 06:37:17 - John Melton's Weblog - As part of wrapping up the past year-long series, I decided to put all of the posts into a single PDF. All of them will remain posted on the site, but you can grab all of the content in one convenient place. Hope you enjoy. Year of Security for Java - Complete Series (PDF) ...</description><link>http://www.secuobs.com/revue/news/420352.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/420352.shtml</guid></item>
<item><title>Year Of Security for Java - Week 52 - Never Stop Improving</title><description>Secuobs.com : 2012-12-29 07:09:55 - John Melton's Weblog - What is it and why should I care? Information security is a quickly growing field that is changing rapidly in many ways. We are tasked with securing all sorts of technologies, and those technologies are moving quickly. The implication here is that even to maintain the status quo requires significant work. However, we don't want ...</description><link>http://www.secuobs.com/revue/news/419097.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/419097.shtml</guid></item>
<item><title>Year Of Security for Java - Week 51 - Document Everything</title><description>Secuobs.com : 2012-12-23 03:52:46 - John Melton's Weblog - What is it and why should I care? As I mentioned last week, this series is coming to a close. I also said that I have two concepts that I find myself sharing more than any others. The first I shared last week was to "Think". This week I'll briefly cover the second topic ...</description><link>http://www.secuobs.com/revue/news/418449.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/418449.shtml</guid></item>
<item><title>Year Of Security for Java - Week 50 - Think</title><description>Secuobs.com : 2012-12-13 08:34:04 - John Melton's Weblog - What is it and why should I care? With the current series coming to a close (wow, finally), I'm going to do a bit of wrap-up. While all the posts in the series hopefully have something to offer, I've saved my 2 most oft-repeated pieces of advice for last. Actually, neither is specific to ...</description><link>http://www.secuobs.com/revue/news/416770.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/416770.shtml</guid></item>
<item><title>Year Of Security for Java - Week 49 - Collect and Share Your Data</title><description>Secuobs.com : 2012-12-09 06:08:00 - John Melton's Weblog - What is it and why should I care? Today's topic is about two of the areas that are weakest in application security: data collection and sharing. We do a pretty terrible job as an industry in both areas, though there have been some marked improvements in the last couple of years that bring hope ...</description><link>http://www.secuobs.com/revue/news/415905.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/415905.shtml</guid></item>
<item><title>Year Of Security for Java - Week 48 - You Will Get Hacked</title><description>Secuobs.com : 2012-12-02 06:30:50 - John Melton's Weblog - What is it and why should I care? You will get hacked. That is not meant to be a sensationalist line, but rather a functional reality in the environment we currently occupy. There are a few reasons I feel safe in stating that assumption: - Many have already been openly hacked, including those that are ...</description><link>http://www.secuobs.com/revue/news/414608.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/414608.shtml</guid></item>
<item><title>Year Of Security for Java - Week 47 - Store Encryption Keys Securely</title><description>Secuobs.com : 2012-11-25 06:01:35 - John Melton's Weblog - What is it and why should I care? Encryption (specifically talking symmetric encryption here) is a critical component of many applications, and the storage of the encryption key can be tricky to get right. Encryption falls under that area of secure programming that you don't come into contact with casually, hence you might not be ...</description><link>http://www.secuobs.com/revue/news/413237.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/413237.shtml</guid></item>
<item><title>Year Of Security for Java - Week 46 - Store User Passwords Securely</title><description>Secuobs.com : 2012-11-17 08:45:19 - John Melton's Weblog - What is it and why should I care? Note 1: I've actually wanted to finish this post for quite a while, but every time I tried, I would do some more research and find more rabbit holes to enter. At this point, I'm going to cut my losses and post what I have now. Unfortunately, ...</description><link>http://www.secuobs.com/revue/news/411976.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/411976.shtml</guid></item>
<item><title>Year Of Security for Java - Week 45 - Do Threat Modeling</title><description>Secuobs.com : 2012-11-09 09:14:36 - John Melton's Weblog - What is it and why should I care? After the last post covering the concept of a secure SDLC, this week we'll look at a specific activity recommended by the various secure SDLC models: threat modeling. From the view of the secure SDLC, this is an activity that takes place fairly early in the ...</description><link>http://www.secuobs.com/revue/news/410508.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/410508.shtml</guid></item>
<item><title>Year Of Security for Java - Week 44 - Follow a Secure SDLC</title><description>Secuobs.com : 2012-11-03 07:21:53 - John Melton's Weblog - What is it and why should I care? Software development has taken an interesting path over the short lifetime of the field. It began as a deeply technical field where only the best and brightest could participate, which is not unusual since it was born out of engineering, a very technical and structured field itself ...</description><link>http://www.secuobs.com/revue/news/409316.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/409316.shtml</guid></item>
<item><title>Year Of Security for Java - Week 43 - Build Something (and Give It Away)</title><description>Secuobs.com : 2012-10-27 07:56:36 - John Melton's Weblog - What is it and why should I care? This will admittedly be a short post because it's a pretty simple concept. Here's the simple idea in bullet form: - Developers are builders of software (and security systems and even documentation sometimes) - There is a need for software / docs - Developers build software ...</description><link>http://www.secuobs.com/revue/news/408156.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/408156.shtml</guid></item>
<item><title>Year Of Security for Java - Week 42 - Break Something</title><description>Secuobs.com : 2012-10-19 07:42:33 - John Melton's Weblog - What is it and why should I care? Breaking something (legally, of course) is one of the best ways to learn how it works. Software is no different. Breaking software is sometimes trivial and sometimes extremely complex, but either way is a great exercise. In particular for developers, it forces you out of the mindset ...</description><link>http://www.secuobs.com/revue/news/406581.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/406581.shtml</guid></item>
<item><title>Year Of Security for Java - Week 41 - Spend (Wisely) on Developer Security Training</title><description>Secuobs.com : 2012-10-12 08:25:28 - John Melton's Weblog - What is it and why should I care? In the last post, I gave some justifications for getting security people into your organization, as well as reasons to have them closely knitted into your team. In this post, I'd like to move the attention to the developers already on your team. Let's say you've got ...</description><link>http://www.secuobs.com/revue/news/405230.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/405230.shtml</guid></item>
<item><title>Year Of Security for Java - Week 40 - Get a Security Person (or Some People) if You Can</title><description>Secuobs.com : 2012-10-05 07:39:21 - John Melton's Weblog - What is it and why should I care? I spend a good bit of time talking about both development and security. I spend a lot of time working with other developers and other security people. There are a precious few that I know of that excel at both development and security. This is a sentiment ...</description><link>http://www.secuobs.com/revue/news/403769.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/403769.shtml</guid></item>
<item><title>Year Of Security for Java - Week 39 - Don't Reinvent the Wheel (Unless It's Square)</title><description>Secuobs.com : 2012-09-28 05:48:03 - John Melton's Weblog - What is it and why should I care? This is a bit of a follow-up to my last post with a bit of a different viewpoint. In that post, I specifically looked at code reuse from the perspective of creating an internal framework to centralize code related to security functionality. This week, I want to ...</description><link>http://www.secuobs.com/revue/news/402304.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/402304.shtml</guid></item>
<item><title>Year Of Security for Java - Week 38 - Create A Reusable Security Framework</title><description>Secuobs.com : 2012-09-21 07:04:27 - John Melton's Weblog - What is it and why should I care? Software reuse is a ubiquitous practice in software development. One study says that "80% of the code in today's applications comes from libraries and frameworks". That's a lot. There is already a lot of research about software reuse and its benefits. While the research exists, there's no ...</description><link>http://www.secuobs.com/revue/news/400989.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/400989.shtml</guid></item>
<item><title>Year Of Security for Java - Week 37 - Solve Cross-Site Scripting</title><description>Secuobs.com : 2012-09-12 07:22:12 - John Melton's Weblog - What is it and why should I care? Cross-Site Scripting (XSS) is another issue that is caused because of poor code/data separation. The general issue is that a developer intends the user input to be interpreted as data, but an attacker can manipulate the input to cause the browser to interpret the input as tags ...</description><link>http://www.secuobs.com/revue/news/399097.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399097.shtml</guid></item>
<item><title>Year Of Security for Java - Week 36 - Solve SQL Injection</title><description>Secuobs.com : 2012-09-07 06:54:37 - John Melton's Weblog - What is it and why should I care? SQL Injection (SQLi) is an issue that is caused because of poor code/data separation. The general issue is that a developer intends the user input to be interpreted as data, but an attacker can manipulate the input to cause the database to interpret the input as commands ...</description><link>http://www.secuobs.com/revue/news/398200.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/398200.shtml</guid></item>
<item><title>Year Of Security for Java - Week 35 - Solve Security Problems One at a Time</title><description>Secuobs.com : 2012-08-30 07:44:35 - John Melton's Weblog - What is it and why should I care? This article (and several of those remaining in the series) is not so much technical in nature, but rather deals more with processes related to security problem solving. It's a fact of life in most development and/or security shops that there are those fire-drill days, and that ...</description><link>http://www.secuobs.com/revue/news/396674.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/396674.shtml</guid></item>
<item><title>Year Of Security for Java - Week 34 - Separate Admin Functionality</title><description>Secuobs.com : 2012-08-22 05:22:39 - John Melton's Weblog - What is it and why should I care? The idea of separating administrative functionality may strike some as odd. By administrative functionality, I'm just grouping those higher criticality functions (generally user/group/role management) that have the characteristic of affecting the application at large, generally through privilege escalation. The idea here is this: - I have some ...</description><link>http://www.secuobs.com/revue/news/395005.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/395005.shtml</guid></item>
<item><title>Year Of Security for Java - Week 33 - Access Control (3)</title><description>Secuobs.com : 2012-08-15 04:59:14 - John Melton's Weblog - What is it and why should I care? We defined access control in part 1 of the access control sub-series, so let's move on to talk more about what we do about it. What should I do about it? In part 1 we discussed limiting your users' interactions with your application by functionality. In part ...</description><link>http://www.secuobs.com/revue/news/393644.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/393644.shtml</guid></item>
<item><title>Year Of Security for Java - Week 32 - Access Control (2)</title><description>Secuobs.com : 2012-08-08 06:11:54 - John Melton's Weblog - What is it and why should I care? We defined access control in part 1 of the access control sub-series, so let's move on to talk more about what we do about it. What should I do about it? In part 1 we discussed limiting your users' interactions with your application by functionality. This time ...</description><link>http://www.secuobs.com/revue/news/392302.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/392302.shtml</guid></item>
<item><title>Year Of Security for Java - Week 31 - Access Control (1)</title><description>Secuobs.com : 2012-08-03 06:11:43 - John Melton's Weblog - What is it and why should I care? Access control, also known as authorization, is the step that comes after authentication. Access control is the process of "mediating access to resources on the basis of identity" (from here). It assumes you have determined the identity of the user (whether known or anonymous) and are now ...</description><link>http://www.secuobs.com/revue/news/391434.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/391434.shtml</guid></item>
<item><title>Year Of Security for Java - Week 30 - Authentication</title><description>Secuobs.com : 2012-07-26 05:10:24 - John Melton's Weblog - What is it and why should I care? Authentication is the process of verifying that someone is who they say they are. Essentially a user claims an identity and then must provide some form of proof of identity. In most systems, the identity is some form of username and the proof is a password. In ...</description><link>http://www.secuobs.com/revue/news/389922.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/389922.shtml</guid></item>
<item><title>Year Of Security for Java - Week 29 - Manage Resources</title><description>Secuobs.com : 2012-07-18 05:36:24 - John Melton's Weblog - What is it and why should I care? Resource management has been an issue in programming for a very long time, and it's one of those issues that affects the A (Availability) of the classical C-I-A triad in information security. It's effectively where you gain access to some (generally expensive) resource (think database connection, file ...</description><link>http://www.secuobs.com/revue/news/388037.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/388037.shtml</guid></item>
<item><title>Year Of Security for Java - Week 28 - Unit Test</title><description>Secuobs.com : 2012-07-11 08:27:20 - John Melton's Weblog - What is it and why should I care? Unit testing is the term generally associated with the process of writing code specifically purposed for testing your application functionality. You write test code to run your functional application code and verify the results. Note: Unit testing is actually a specific subset of this idea focused on ...</description><link>http://www.secuobs.com/revue/news/386542.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/386542.shtml</guid></item>
<item><title>Year Of Security for Java - Week 27 - Penetration Testing</title><description>Secuobs.com : 2012-07-05 08:04:56 - John Melton's Weblog - What is it and why should I care? Penetration testing is a process of evaluating the security of a computer system or network by simulating an attack. The process involves an active analysis of the system for any potential vulnerabilities, is carried out from the position of a potential attacker and can involve active exploitation ...</description><link>http://www.secuobs.com/revue/news/385521.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/385521.shtml</guid></item>
<item><title>Year Of Security for Java - Week 26 - Do Code Reviews</title><description>Secuobs.com : 2012-06-28 05:58:07 - John Melton's Weblog - What is it and why should I care? Code reviews are an important process whereby developers have their code systematically examined by another set(s) of eyes in order to find defects. It's a simple concept ("double-check my work"), but surprisingly effective. Studies show that you can detect 20-75% of defects with code review (range varies ...</description><link>http://www.secuobs.com/revue/news/384286.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/384286.shtml</guid></item>
<item><title>Year Of Security for Java - Week 25 - Use Dynamic Analysis</title><description>Secuobs.com : 2012-06-20 07:45:07 - John Melton's Weblog - What is it and why should I care? Dynamic analysis is the analysis of computer software that is performed by executing programs built from that software system on a real or virtual processor. Essentially, it's automated execution of an application. Note: While dynamic analysis has no actual ties to security per se, I'll be referencing its ...</description><link>http://www.secuobs.com/revue/news/382589.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/382589.shtml</guid></item>
<item><title>Year Of Security for Java - Week 24 - Use Static Analysis</title><description>Secuobs.com : 2012-06-14 05:39:55 - John Melton's Weblog - What is it and why should I care? Static analysis is the analysis of software that is performed without actually executing programs built from that software. Essentially, it's automated inspection of source code. There are varying levels of complexity achieved by the different static analysis tools available. I will roughly group them into a couple ...</description><link>http://www.secuobs.com/revue/news/381486.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/381486.shtml</guid></item>
<item><title>Year Of Security for Java - Week 23 - HTTP Header Injection</title><description>Secuobs.com : 2012-06-06 06:47:37 - John Melton's Weblog - What is it and why should I care? HTTP Header Injection is a specific injection attack that affects HTTP headers. It involves being able to manipulate the header data to cause various problems (response splitting, CRLF injection, cache poisoning, XSS, etc.). In general, it's a lesser known and understood attack, which is usually a recipe ...</description><link>http://www.secuobs.com/revue/news/379766.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/379766.shtml</guid></item>
<item><title>Year Of Security for Java - Week 22 - HTTP Parameter Pollution</title><description>Secuobs.com : 2012-06-01 06:08:43 - John Melton's Weblog - What is it and why should I care? HTTP Parameter Pollution (HPP) is a technique that allows you to "override or add HTTP GET/POST parameters by injecting query string delimiters". This term was created and popularized by a 2009 paper that showed you could tinker with request parameters, specifically by sending the same parameter multiple ...</description><link>http://www.secuobs.com/revue/news/378901.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/378901.shtml</guid></item>
<item><title>Year Of Security for Java - Week 21 - Anti-Caching Headers</title><description>Secuobs.com : 2012-05-23 06:56:09 - John Melton's Weblog - What is it and why should I care? Caching is a mechanism by which browsers and proxy servers store local copies of remote objects in order to improve performance of the system by not having to fetch these items repeatedly (that's actually a decent description of caching in general). Caching is wonderful for performance, assuming ...</description><link>http://www.secuobs.com/revue/news/377123.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/377123.shtml</guid></item>
<item><title>Year Of Security for Java - Week 20 - Trust Nothing</title><description>Secuobs.com : 2012-05-16 07:39:19 - John Melton's Weblog - What is it and why should I care? While trust spawns interesting philosophical discussions, here I want to discuss the implications of trust within the applications we build. Trust is a funny thing in that we implicitly give it frequently without considering what we're trusting. A simple example: bad bad do not use executeDbQuery select ...</description><link>http://www.secuobs.com/revue/news/375783.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/375783.shtml</guid></item>
<item><title>Year Of Security for Java - Week 19 - Reduce the Attack Surface</title><description>Secuobs.com : 2012-05-09 07:06:45 - John Melton's Weblog - What is it and why should I care? Reducing the attack surface of an application or system means reducing the ways that you can interact with the application, and may involve reducing the functionality the application provides. To most business folks, this sounds very, very bad. However, at its core, it's really just a matter ...</description><link>http://www.secuobs.com/revue/news/374449.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/374449.shtml</guid></item>
<item><title>Year Of Security for Java - Week 18 - Perform Application Layer Intrusion Detection</title><description>Secuobs.com : 2012-05-02 06:39:01 - John Melton's Weblog - What is it and why should I care? Application layer intrusion detection is a simple concept that I believe is very, very powerful when it comes to protecting applications. Most of the topics I've covered thus far have focused on the development portion of the software life-cycle, but this topic really covers the entire span ...</description><link>http://www.secuobs.com/revue/news/373074.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/373074.shtml</guid></item>
<item><title>Year Of Security for Java - Week 17 - Set a Hard Session Timeout</title><description>Secuobs.com : 2012-04-27 17:57:12 - John Melton's Weblog - What is it and why should I care? A session timeout is an important security control for any application. It specifies the length of time that an application will allow a user to remain logged in before forcing the user to re-authenticate. There are 2 types: Soft Session Timeouts (last week's topic) and Hard Session ...</description><link>http://www.secuobs.com/revue/news/372447.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/372447.shtml</guid></item>
<item><title>Year Of Security for Java - Week 16 - Set a Soft Session Timeout</title><description>Secuobs.com : 2012-04-18 06:19:19 - John Melton's Weblog - What is it and why should I care? A session timeout is an important security control for any application. It specifies the length of time that an application will allow a user to remain logged in before forcing the user to re-authenticate. There are 2 types: Soft Session Timeouts (today's topic) and Hard Session Timeouts ...</description><link>http://www.secuobs.com/revue/news/370551.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/370551.shtml</guid></item>
<item><title>Year Of Security for Java - Week 15 - Audit Security Related Events</title><description>Secuobs.com : 2012-04-11 06:37:36 - John Melton's Weblog - What is it and why should I care? Auditing security related events includes two basic concepts, so we'll begin by treating them individually. Auditing: Auditing is a key part of any real software system. Many people treat logging and auditing as the same idea, though they're actually different. Definitions might vary, but mine boils down ...</description><link>http://www.secuobs.com/revue/news/369278.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/369278.shtml</guid></item>
<item><title>Year Of Security for Java - Week 14 - Store JSPs in WEB-INF</title><description>Secuobs.com : 2012-04-04 05:20:35 - John Melton's Weblog - What is it and why should I care? Java Server Pages (JSPs) is an extremely common UI view technology used in J2EE development. JSPs represent the interface the end user interacts with while using an application. JSPs also usually include some business logic, and frequently there are portions of a page protected by some authorization ...</description><link>http://www.secuobs.com/revue/news/367907.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/367907.shtml</guid></item>
<item><title>Year Of Security for Java - Week 13 - Know Your Frameworks</title><description>Secuobs.com : 2012-03-30 06:27:53 - John Melton's Weblog - What is it and why should I care? Libraries and frameworks are a reality for every J2EE developer (pretty much any developer, actually) out there. We use them for MVC, DB, logging, web services, security, XML processing, as well as a host of other features. We rely on them in our production apps every single ...</description><link>http://www.secuobs.com/revue/news/367089.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/367089.shtml</guid></item>
<item><title>Year Of Security for Java - Week 12 - Log Forging Prevention</title><description>Secuobs.com : 2012-03-21 04:09:14 - John Melton's Weblog - What is it and why should I care? Log forging is an issue that can occur if you allow un-trusted data to be written to a log storage mechanism. The intent of the attacker using log forging is to cover his tracks in the logs or at least make understanding what he was doing more ...</description><link>http://www.secuobs.com/revue/news/365022.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/365022.shtml</guid></item>
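<![CDATA[
The three input-handling problems from weeks 12, 22 and 23 above (log forging, HTTP parameter pollution, HTTP header injection) share one root cause: untrusted bytes reach a place where a CR/LF or a duplicated parameter name is parsed as structure rather than as data. As an added example, not code from the posts or from ESAPI, here is one small utility class with a guard for each. It assumes the Servlet 3.x API (javax.servlet) on the classpath; the 256-character log limit is an arbitrary choice for the demo.

```java
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;

// Added example, not the original posts' code. Guards for log forging
// (week 12), HTTP parameter pollution (week 22) and header injection (week 23).
public final class UntrustedInput {

    // Any ASCII/Unicode control character, which includes CR (0x0D) and LF (0x0A).
    private static final Pattern CONTROL_CHARS = Pattern.compile("\\p{Cntrl}");

    // Assumed limit for the demo; keeps one hostile value from flooding a log.
    private static final int MAX_LOG_CHARS = 256;

    // Log forging: a value containing "\n" followed by text shaped like a log
    // record fakes a complete entry. Replacing every control character keeps
    // the untrusted value on a single line; the length marker makes truncation
    // visible to whoever reads the log later.
    public static String forLog(String untrusted) {
        if (untrusted == null) {
            return "null";
        }
        String clean = CONTROL_CHARS.matcher(untrusted).replaceAll("_");
        if (clean.length() > MAX_LOG_CHARS) {
            clean = clean.substring(0, MAX_LOG_CHARS)
                    + "...[truncated, original length " + untrusted.length() + "]";
        }
        return clean;
    }

    // Header injection: a CR or LF ends the header line, so an attacker could
    // add headers (Set-Cookie, Location) or split the response. There is no
    // meaningful "clean" value here, so fail closed instead of rewriting.
    public static String forHeader(String untrusted) {
        if (untrusted == null) {
            return null;
        }
        if (untrusted.indexOf('\r') >= 0 || untrusted.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("CR or LF is not allowed in a header value");
        }
        return untrusted;
    }

    // Parameter pollution: getParameter() silently returns the first of several
    // values, and a proxy, WAF or second framework may pick a different one.
    // For a parameter that must be single-valued, reject duplicates outright.
    public static String singleValue(HttpServletRequest request, String name) {
        String[] values = request.getParameterValues(name);
        if (values == null || values.length == 0) {
            return null;
        }
        if (values.length > 1) {
            throw new IllegalArgumentException(
                    "parameter '" + name + "' was supplied " + values.length + " times");
        }
        return values[0];
    }

    private UntrustedInput() { }
}
```

Use forLog() on every untrusted value that reaches a log statement (usernames, user agents, request paths), forHeader() on anything that ends up in setHeader() or sendRedirect(), and singleValue() in place of getParameter() for identifiers such as account or order numbers. The asymmetry is deliberate: a log line can be sanitised and still be useful, a header value cannot, and a duplicated parameter is a sign of tampering rather than a value to pick from.
]]>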
<item><title>Year Of Security for Java - Week 11 - X-XSS-Protection</title><description>Secuobs.com : 2012-03-14 03:07:14 - John Melton's Weblog - What is it and why should I care? X-XSS-Protection is a Microsoft IE technology used to help prevent reflected XSS attacks in IE. Note 1: This is not a "panacea" for XSS. There is no excuse for not developing your site in a secure manner to prevent XSS. This however is a protection offered by ...</description><link>http://www.secuobs.com/revue/news/363355.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/363355.shtml</guid></item>
<item><title>Year Of Security for Java - Week 10 - X-Content-Type-Options</title><description>Secuobs.com : 2012-03-07 05:17:43 - John Melton's Weblog - What is it and why should I care? X-Content-Type-Options is an HTTP header that can help prevent browser content-type sniffing problems. The content-type for a given resource should match the "type" (too obvious?) of the resource. For example, an HTML page would use "text/html", a PNG image would use "image/png", and a CSS document would ...</description><link>http://www.secuobs.com/revue/news/361858.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/361858.shtml</guid></item>
<item><title>Year Of Security for Java - Week 9 - X-Frame-Options</title><description>Secuobs.com : 2012-02-29 06:15:24 - John Melton's Weblog - What is it and why should I care? X-Frame-Options (moving towards just Frame-Options in a draft spec, dropping the X-) is a new technology that allows an application to specify whether or not specific pages of the site can be framed. This is meant to help deal with the clickjacking problem. The technology is ...</description><link>http://www.secuobs.com/revue/news/360532.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/360532.shtml</guid></item>
<item><title>Year Of Security for Java - Week 8 - HTTP Strict Transport Security</title><description>Secuobs.com : 2012-02-22 05:45:29 - John Melton's Weblog - What is it and why should I care? HTTP Strict Transport Security (HSTS) is a new(ish) technology that allows an application to force browsers to only use SSL/TLS (HTTPS, not HTTP) when visiting their application. This occurs when the application sets an HSTS-specific HTTP response header. Browsers that support HSTS recognize the response header ...</description><link>http://www.secuobs.com/revue/news/359191.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/359191.shtml</guid></item>
<item><title>Year Of Security for Java - Week 7 - Content Security Policy</title><description>Secuobs.com : 2012-02-15 06:11:25 - John Melton's Weblog - What is it and why should I care? Content Security Policy (CSP) is a new(ish) technology put together by Mozilla that web apps can use as an additional layer of protection against Cross Site Scripting (XSS), which is the primary goal of the technology. A secondary goal is to protect against clickjacking. XSS is quite ...</description><link>http://www.secuobs.com/revue/news/357900.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/357900.shtml</guid></item>
<item><title>Year Of Security for Java - Week 6 - CSRF Prevention in Java</title><description>Secuobs.com : 2012-02-08 06:10:25 - John Melton's Weblog - What is it and why should I care? Cross Site Request Forgery (CSRF) is an attack wherein a victim is forced to execute unknown and/or undesired requests to a website at which he/she is currently authenticated. It exploits the fact that the "credentials" needed to perform a function on a website are generally loaded into ...</description><link>http://www.secuobs.com/revue/news/356600.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/356600.shtml</guid></item>
<item><title>Year Of Security for Java - Week 5 - Clickjacking Prevention</title><description>Secuobs.com : 2012-02-03 06:15:22 - John Melton's Weblog - What is it and why do I care? Clickjacking is a type of "web framing" or "UI redressing" attack. What that simply means in practice is that: 1. A user (victim) is shown an innocuous, but enticing web page (think "watch online video") 2. Another web page (that generally does something important, think "add ...</description><link>http://www.secuobs.com/revue/news/355717.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/355717.shtml</guid></item>
<item><title>Year Of Security for Java   Week 4   Session Cookie HttpOnly Flag</title><description>Secuobs.com : 2012-01-25 07:06:41 - John Melton's Weblog - What is it and why do I care  Session cookies  or the cookie containing the JSESSIONID to Java folks  are the cookies used to perform session management for web applications These cookies hold the reference to the session identifier for a given user, and the same identifier is maintained server-side along with any session scoped    </description><link>http://www.secuobs.com/revue/news/353967.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/353967.shtml</guid></item>
<item><title>Year Of Security for Java   Week 3   Session Cookie Secure Flag</title><description>Secuobs.com : 2012-01-18 05:18:19 - John Melton's Weblog - What is it and why do I care  Session cookies  or the cookie containing the JSESSIONID to Java folks  are the cookies used to perform session management for web applications These cookies hold the reference to the session identifier for a given user, and the same identifier is maintained server-side along with any session scoped    </description><link>http://www.secuobs.com/revue/news/352607.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/352607.shtml</guid></item>
<item><title>Review of ScriptGard Microsoft Research Paper</title><description>Secuobs.com : 2012-01-12 14:57:17 - John Melton's Weblog - This is usually a Java-only site, but I thought this paper was fairly interesting, so thought I'd do a quick post. The implementation is .NET, but the concepts are transferable. The good folks at Microsoft Research have come up with a clever new technique for XSS "prevention" called ScriptGard. The paper is located here. Looks ...</description><link>http://www.secuobs.com/revue/news/351698.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/351698.shtml</guid></item>
<item><title>Year Of Security for Java - Week 2 - Error Handling in web.xml</title><description>Secuobs.com : 2012-01-11 05:25:14 - John Melton's Weblog - What is it and why do I care? I've already discussed this particular entry in more detail as it's part of the OWASP Top 10, so you can find more detail here: http://www.jtmelton.com/2010/06/02/the-owasp-top-ten-and-esapi-part-7-information-leakage-and-improper-error-handling. In this article, I'll just cover the important bits. Error or exception handling is an important, often ignored, part of any ...</description><link>http://www.secuobs.com/revue/news/351392.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/351392.shtml</guid></item>
<item><title>Year Of Security for Java - Introduction</title><description>Secuobs.com : 2012-01-03 05:20:30 - John Melton's Weblog - Year Of Security for Java. This will serve as the introduction for a new series that will have roughly 1 article per week for a year. This series will be different from my last series (OWASP Top Ten - Java) in that each article will be pretty short and focused. There are several motivations for ...</description><link>http://www.secuobs.com/revue/news/349987.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/349987.shtml</guid></item>
<item><title>Year Of Security for Java - Week 1 - Session Fixation Prevention</title><description>Secuobs.com : 2012-01-03 05:20:30 - John Melton's Weblog - What is it and why do I care? Session fixation, by most definitions, is a subclass of session hijacking. The most common basic flow is: 1. attacker gets a valid session ID from an application 2. attacker forces the victim to use that same session ID 3. attacker knows the session ID that the victim ...</description><link>http://www.secuobs.com/revue/news/349986.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/349986.shtml</guid></item>
<item><title>Beware the HTTP path parameter</title><description>Secuobs.com : 2011-02-03 07:19:22 - John Melton's Weblog - Please forgive the title, but today's topic is something to be wary of if you write (or use) any access control / authorization type code in web-based J2EE apps: HTTP URL path parameters. Many people are unfamiliar with them (as they are uncommon), but they are something you should be aware of. A nice simple ...</description><link>http://www.secuobs.com/revue/news/282655.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/282655.shtml</guid></item>
<item><title>Application Intrusion Detection with OWASP AppSensor</title><description>Secuobs.com : 2010-11-10 08:44:39 - John Melton's Weblog - Introduction. This article is a basic introduction to AppSensor, an OWASP project that's been gaining a lot of traction recently. It's a fairly simple concept, and one that I think (and hope) will be implemented in lots of applications in the near future. If you'd rather watch a video about AppSensor, here is a good ...</description><link>http://www.secuobs.com/revue/news/263803.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/263803.shtml</guid></item>
<item><title>Preventing Log Forging in Java</title><description>Secuobs.com : 2010-09-22 07:07:24 - John Melton's Weblog - This article will provide a quick overview of log forging and discuss a couple simple solutions to prevent it. First, what is log forging? Logging is one of the most common things that an application does. Logging is a very generic term that can mean lots of different things, from debug-style logging for the ...</description><link>http://www.secuobs.com/revue/news/250568.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/250568.shtml</guid></item>
<item><title>The OWASP Top Ten and ESAPI - Part 9 - Insecure Communications</title><description>Secuobs.com : 2010-09-17 02:05:31 - John Melton's Weblog - This article will describe how to protect your J2EE application from Insecure Communications attacks using ESAPI and other techniques. As with all of the detail articles in this series, if you need a refresher on OWASP or ESAPI, please see the intro article: The OWASP Top Ten and ESAPI. What's the problem? What does Insecure ...</description><link>http://www.secuobs.com/revue/news/247982.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/247982.shtml</guid></item>
<item><title>The OWASP Top Ten and ESAPI - Part 10 - Failure to Restrict URL Access</title><description>Secuobs.com : 2010-09-17 02:05:31 - John Melton's Weblog - This article will describe how to protect your J2EE application from Failure to Restrict URL Access attacks using ESAPI and other techniques. As with all of the detail articles in this series, if you need a refresher on OWASP or ESAPI, please see the intro article: The OWASP Top Ten and ESAPI. What's the problem? ...</description><link>http://www.secuobs.com/revue/news/247981.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/247981.shtml</guid></item>
<item><title>The OWASP Top Ten and ESAPI - Final Summary</title><description>Secuobs.com : 2010-09-17 02:05:31 - John Melton's Weblog - Ok, well now we've been through all the issues listed in the 2007 version of the Top Ten. The new 2010 version is very similar with a couple discrepancies. I may follow up on those couple of issues at a later time. Hopefully you've seen through all the articles in this series that ESAPI (specifically ...</description><link>http://www.secuobs.com/revue/news/247980.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/247980.shtml</guid></item>
<item><title>The OWASP Top Ten and ESAPI - Part 9 - Insecure Cryptographic Storage</title><description>Secuobs.com : 2010-07-20 17:24:40 - John Melton's Weblog - This article will describe how to protect your J2EE application from Insecure Cryptographic Storage issues using ESAPI and other techniques. As with all of the detail articles in this series, if you need a refresher on OWASP or ESAPI, please see the intro article: The OWASP Top Ten and ESAPI. What's the problem? First, let me ...</description><link>http://www.secuobs.com/revue/news/242093.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/242093.shtml</guid></item>
<item><title>The OWASP Top Ten and ESAPI - Part 8 - Broken Authentication and Session Management</title><description>Secuobs.com : 2010-06-17 06:36:52 - John Melton's Weblog - This article will describe how to protect your J2EE application from Broken Authentication and Session Management issues using ESAPI and other techniques. As with all of the detail articles in this series, if you need a refresher on OWASP or ESAPI, please see the intro article: The OWASP Top Ten and ESAPI. What's the problem? What ...</description><link>http://www.secuobs.com/revue/news/232340.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/232340.shtml</guid></item>
<item><title>The OWASP Top Ten and ESAPI - Part 7 - Information Leakage and Improper Error Handling</title><description>Secuobs.com : 2010-06-03 05:56:58 - John Melton's Weblog - This article will describe how to protect your J2EE application from Information Leakage and Improper Error Handling attacks using ESAPI and other techniques. As with all of the detail articles in this series, if you need a refresher on OWASP or ESAPI, please see the intro article: The OWASP Top Ten and ESAPI. What's the ...</description><link>http://www.secuobs.com/revue/news/228129.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/228129.shtml</guid></item>
<item><title>The OWASP Top Ten and ESAPI - Part 6 - Cross Site Request Forgery (CSRF)</title><description>Secuobs.com : 2010-05-17 06:40:10 - John Melton's Weblog - This article will describe how to protect your J2EE application from Cross Site Request Forgery (CSRF/XSRF) attacks using ESAPI. As with all of the detail articles in this series, if you need a refresher on OWASP or ESAPI, please see the intro article: The OWASP Top Ten and ESAPI. What's the problem? What is Cross Site ...</description><link>http://www.secuobs.com/revue/news/222709.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/222709.shtml</guid></item>
<item><title>Writing a custom role based access control framework that integrates with Struts</title><description>Secuobs.com : 2010-05-11 09:47:41 - John Melton's Weblog - This article will tell you a fairly simple way to put a custom access control framework in place for your J2EE application that will let you integrate it with the Struts framework role-based access control protection mechanisms. There are a few pieces to this solution: 1. A storage mechanism for the accesses (roles) per ...</description><link>http://www.secuobs.com/revue/news/220881.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/220881.shtml</guid></item>
<item><title>Writing a custom generic exception handler in Struts</title><description>Secuobs.com : 2010-05-11 09:47:41 - John Melton's Weblog - Exception handling in Struts is a very simple concept to grasp, once you know the tool that Struts has put in place to handle it. This tool is the org.apache.struts.action.ExceptionHandler. The ExceptionHandler mechanism allows you to configure it in the struts-config.xml file and then Struts will automagically pass any exception type ...</description><link>http://www.secuobs.com/revue/news/220880.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/220880.shtml</guid></item>
<item><title>A session size monitoring servlet</title><description>Secuobs.com : 2010-05-11 09:47:41 - John Melton's Weblog - This is a quick example of a servlet that will tell you the size of your session. This is helpful if you don't have the tools built into your development suite to give you this information. I found this lying around; I had written it a while back. It essentially is a ...</description><link>http://www.secuobs.com/revue/news/220879.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/220879.shtml</guid></item>
<item><title>A Simple Multi-Threaded Java HTTP Proxy Server</title><description>Secuobs.com : 2010-05-11 09:47:41 - John Melton's Weblog - This post is to show an example of a simple multi-threaded Java HTTP Proxy Server. This sample is not fully functional for every application. It's very simple and works fine for HTTP GET requests, but is not coded to properly handle HTTP POST requests (nor any other HTTP methods). This is strictly ...</description><link>http://www.secuobs.com/revue/news/220878.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/220878.shtml</guid></item>
<item><title>A Simple Spring AOP Tutorial</title><description>Secuobs.com : 2010-05-11 09:47:41 - John Melton's Weblog - The Spring framework supports AOP very elegantly. Though it does not offer some of the features that AspectJ offers, it also is typically a simpler configuration to get going. This post is just an example of doing a very simple task (logging), a "cross-cutting concern" in AOP lingo, using the Spring framework. This example ...</description><link>http://www.secuobs.com/revue/news/220877.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/220877.shtml</guid></item>
<item><title>The OWASP Top Ten and ESAPI</title><description>Secuobs.com : 2010-05-11 09:47:41 - John Melton's Weblog - This article will be the first in an 11-part series (yes, eleven) about the OWASP Top 10 and ESAPI (Enterprise Security API). This article will be a general introduction to the topic, while the follow-on articles will each cover one of the Top Ten web application security vulnerabilities and the associated usage of ESAPI ...</description><link>http://www.secuobs.com/revue/news/220876.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/220876.shtml</guid></item>
<item><title>The OWASP Top Ten and ESAPI - Part 2 - Cross Site Scripting (XSS)</title><description>Secuobs.com : 2010-05-11 09:47:41 - John Melton's Weblog - This article will describe how to protect your J2EE application from XSS using ESAPI. As with all of the detail articles in this series, if you need a refresher on OWASP or ESAPI, please see the intro article: The OWASP Top Ten and ESAPI. OK, so on to XSS. Here is a slightly modified ...</description><link>http://www.secuobs.com/revue/news/220875.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/220875.shtml</guid></item>
<item><title>The OWASP Top Ten and ESAPI - Part 3 - Injection Flaws</title><description>Secuobs.com : 2010-05-11 09:47:41 - John Melton's Weblog - This article will describe how to protect your J2EE application from injection (SQL and others) attacks using ESAPI. As with all of the detail articles in this series, if you need a refresher on OWASP or ESAPI, please see the intro article: The OWASP Top Ten and ESAPI. What's the problem? Now to discuss injection ...</description><link>http://www.secuobs.com/revue/news/220874.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/220874.shtml</guid></item>
<item><title>The OWASP Top Ten and ESAPI - Part 4 - Malicious File Execution</title><description>Secuobs.com : 2010-05-11 09:47:41 - John Melton's Weblog - This article will describe how to protect your J2EE application from malicious file execution attacks using ESAPI. As with all of the detail articles in this series, if you need a refresher on OWASP or ESAPI, please see the intro article: The OWASP Top Ten and ESAPI. What's the problem? So what exactly is malicious file ...</description><link>http://www.secuobs.com/revue/news/220873.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/220873.shtml</guid></item>
<item><title>The OWASP Top Ten and ESAPI - Part 5 - Insecure Direct Object Reference</title><description>Secuobs.com : 2010-05-11 09:47:41 - John Melton's Weblog - This article will describe how to protect your J2EE application from direct object reference (DOR) attacks using ESAPI. As with all of the detail articles in this series, if you need a refresher on OWASP or ESAPI, please see the intro article: The OWASP Top Ten and ESAPI. What's the problem? What is direct object reference ...</description><link>http://www.secuobs.com/revue/news/220872.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/220872.shtml</guid></item>
</channel>
</rss>