XSS in the HTTP Header's Accept Language when using Struts 1.2

1
At my work, we have a policy of using HP's WebInspect to scan our applications before they are allowed to go into production and I just got an interesting finding this week. The WebInspect scanner tried to perform a XSS (cross site scripting) attack by putting something into the HTTP header's Accept Language! Now, I'm not really sure how exploitable this is (perhaps some security expert can comment?) since all our traffic is via https, so there's really no way to inject some scripts into the http header unless the host machine making the request has been compromised?

This was the http request used....

GET /programmingPanda/someUrl.jsp HTTP/1.1
Accept: */*
Referer: https:///programmingPanda/someUrl
Accept-Language: "><script>alert('hi')</script>
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: www.programmingPandaHost.com
Pragma: no-cache
Connection: Keep-Alive
Cookie:
JSESSIONID=0021w1Z_9Fg27Vg1xhKHDgX1YLR:1244ioqb0;CustomCookie=WebInspect30127ZXC16B0
44F25944608B21BBFFEC74B3453YE540


and the end result was this....


<html xmlns:"http://www.w3.org/1999/xhtml" lang=""><script>alert('hi')</script>" xml:lang=""><script>alert('hi')</script>">


Anyways, I was tasked with checking this out. After some digging, I found that the html tag in our application was being generated by the struts taglib's html tag. According to the specifications, it seems that the lang attribute of the html tag has the following behaviour...


Renders a lang attribute with the locale stored in the user's session.
If not found in the session, the language from the Accept-Language HTTP header is used.
If still not found, the default language for the server is used.


So with the Accept-Language not being validated for special characters, we were getting XSS-ed!

The solution? In this case, we used a filter to provide a default locale into the user's session if non is detected to avoid using the Accept-Language in the HTTP header. This may not be the best or most correct solution, but it is one that fits our needs and timeline.


//provide some default locale and set it into the struts defined attribute, Globals.LOCALE_KEY
session.setAttribute(Globals.LOCALE_KEY, locale);

downloading documents via SSL connection on IE

0
I ran into a pretty interesting issue today. (This is a follow up of my earlier post ). I was trying to download some text file from our application using IE6. Suddenly I get a very unexpected error:
Internet Explorer was not able to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later.

I was super surprised because I was 100% the file was there. Did some research online, and it seems to be related to this issue
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q316431&



It seems that when you download from an SSL session, and IE6 can't save it temporarily to disk locally, it has issues. Lucky for me, this is an internal application, and I could just my users to ensure their browser settings are as below.


You can get to here from Tools > Internet Options > Advanced. Scroll down to the bottom in the Security section. And look for “Do not save encrypted pages to disk”. Make sure this is turned OFF



Recipe: Spring + JPA Annotation + Hibernate

1
Modern OO applications use a lot of Models to present the business domain object. It is often that we have to write a matching data access object for each models, and in most cases they are just normal CRUD operations.

What I am trying to do here is to create a generic way to create DAO from POJO that uses JPA as mapping tool to simplify the repeating tasks. The following example uses hibernate for DB connectivity.

Of course you can simply use EJB 3.0 and remove all this completely by using method like entityManager.persist(), but if we want to stay away from EJB and persistence model, this should give you a very good place to start. (I am using JPA as my mapping tool only because of my personal preference, you can use hibernate annotation, and it should work exactly the same way).

Step 1 - Create the Generic class
I am using the sample from the "Don't repeat the DAO". I think this is pretty neat.

GenericDao Interface

package com.blogspot.programmingpanda.commons

import java.io.Serializable;
import java.util.Collection;

public interface GenericDao&ls;T, PK extends Serializable> {
Collection<T> listAll();
}


The implementation...
GenericDaoHibernateImpl

package com.blogspot.programmingpanda.commons

import java.io.Serializable;
import java.util.Collection;
import org.springframework.orm.hibernate3.support.HibernateDaoSupport;

public class GenericDaoHibernateImpl<T, PK extends Serializable> extends HibernateDaoSupport implements GenericDao<T, PK> {

private Class<T> type;

public GenericDaoHibernateImpl(Class<T> type){
this.type = type;
}

public Collection<T> listAll() {
return this.getHibernateTemplate().loadAll(this.type);
}

/**
* @return the type
*/
public Class<T> getType() {
return type;
}

/**
* @param type the type to set
*/
public void setType(Class<T> type) {
this.type = type;
}
}


Once we have the generic DAO class, we can use spring to inject the model into the DAO.

Now we have to create the model and use JPA to do the O/R Mapping

Step 2 - Create the model and map it to the database

package com.blogspot.programmingpanda.commons.models;

import java.io.Serializable;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;

@Entity
@Table(name="myschema.model")
public class MyModel implements Serializable {

private Integer id;
private String col1;
private String col2;

/**
* @return the id
*/
@Id
@Column(name="id")
@GeneratedValue(strategy = GenerationType.AUTO)
public Integer getId() {
return id;
}

@Column(name="col1")
public String getCol1() {
return col1;
}

@Column(name="col2")
public String getCol2() {
return col2;
}

/** And all those setter method **/



Step 3 - Spring Config
After the Model and GenericDao class, all we have to do is to
i) Let the session factory know the class(es) to map

<!-- Annotation Session Factory Bean -->
<bean id="sessionFactory"
class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean">
<property name="dataSource" ref="mysqlDataSource"/>
<property name="hibernateProperties">
<props>
<prop key="hibernate.dialect">org.hibernate.dialect.MySQL5Dialect</prop>
</props>
</property>
<property name="annotatedClasses">
<list>

<value>com.blogspot.programmingpanda.commons.models.MyModel</value>
</list>

</property>
</bean>

ii) Create the dao by injecting the class into the GenericDao

<!-- This bean will replace the actual Dao class -->
<bean id="myModelDao" class="com.blogspot.programmingpanda.commons.GenericDaoHibernateImpl" autowire="byName">
<constructor-arg>
<value>com.blogspot.programmingpanda.commons.models.MyModel</value>
</constructor-arg>
</bean>


The full applicationContext.xml will look something like this

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.0.xsd">

<bean id="propertyConfigurer"
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="locations">
<list>
<value>/WEB-INF/spring-config/dev.properties</value>
</list>
</property>
</bean>

<bean id="systemPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer" />

<!-- MySql DS -->
<bean id="mysqlDataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url" value="${mysql.url}" />
<property name="username" value="${mysql.username}" />
<property name="password" value="${mysql.password}" />
</bean>

<!-- Annotation Session Factory Bean -->
<bean id="sessionFactory"
class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean">
<property name="dataSource" ref="mysqlDataSource"/>
<property name="hibernateProperties">
<props>
<prop key="hibernate.dialect">org.hibernate.dialect.MySQL5Dialect</prop>
</props>
</property>
<property name="annotatedClasses">
<list>

<value>com.blogspot.programmingpanda.commons.models.MyModel</value>
</list>

</property>
</bean>
<!--sessionFactory will get autowired-->
<bean id="hibernateInterceptor"
class="org.springframework.orm.hibernate3.HibernateInterceptor"
autowire="byName" />

<!-- This bean will replace the actual Dao class -->
<bean id="myModelDao" class="com.blogspot.programmingpanda.commons.GenericDaoHibernateImpl" autowire="byName">
<constructor-arg>
<value>com.blogspot.programmingpanda.commons.models.MyModel</value>
</constructor-arg>
</bean>

<!-- Inject the Dao to an action -->
<bean id="action" class="actions.ListAction">
<property name="myModelDao" ref="myModelDao" />
</bean>

</beans>


Conclusion
This is only a minimal example demonstrating how we can use spring, JPA annotation and a generic dao template to avoid writing DAO class for each model we create in our application. You can always extend the GenericDao class to include your own method(s) other than the generic CRUD methods.

Working from the list and reviewing remember the milk

0
i've been reading the pragamtic programmer series for the last few years now. i've been trying to incorporate their ideas into my daily work routine whenever i get a chance.

i was reminded of one this week when i realized my todo list at work was getting a little out of control and consisted of a piece of paper with my ugly hand writing on it. Having a todo list is definitely the first step in getting organized, but i was not doing one thing correctly. One of the rules (from Pragmatic Programmers: Ship It!), was that the list must be publically available and easy to update/publish. So, here I have this massive list of things to do, and my team wasn't aware of it.

to correct this grave mistake, i signed myself up for a Remember the Milk account. It is a simple to do list manager that allows multiple lists, tagging, notes, calendar integration, rss feeds, sync-ing with smart devices (if u pay for pro) on top of the standard to do list features. so far, i've found this quite easy to pick up. i'm still poking around, so i'm a little slow at putting in my massive list into the system, but there are a lot of keyboard shortcuts that I'm sure will make things lightning fast when i manage to remember them. One other cool thing is that it supports Google Gears! the only thing that i dont like about right now is... when i add a priority to an item, it automatically updates the list to keep it sorted (the default sort is by priority). however, i feel like i "lost" my item, b/c i dont know where it is in my list anymore. i would much rather that I have a manual refresh button that i could click when i'm ready to re-sort the list.

i guess a simple test of the product's effectiveness is if i'm still using it 4 wks later? stay tuned to find out!!!

By the way...here are the tips for maintaining a good list as per the author of "Ship it!".

Tips:
  • Organize whatever daily task list you do have into a formal copy of The List.
  • Prioritize your work and add rough time estimates.
  • Start working on the highest-priority item on The List. no cheating! If some crisis forces a lower-priority item higher, record it. You should be using your list to help you determine what you are working on next.
  • Add all new work to The List, make sure it is an accurate reflection of your current tasks.
  • Move items to your finished list as you complete tasks (this makes surviving status reports and "witch-hunts" much easier).
  • Review The List every morning (aka updated daily)
  • Make sure the list is publically available
  • Maintaining The List should not require too much effort.
Signs you are doing it wrong
  • You're too busy to update the list or it takes too long.
  • The list gets outdated because you don't update it frequently enough.
  • It takes a long time to complete one item on the list (the items are too large)
  • No one else knows about your list or there are mulitple versions