March 23, 2009

how to create different project jar file and exclude some files or folders

In java projects sometimes we need setup dependencies among modules by sharing code via JAR files. In some cases its required that the some module for ex module_a is a dependency for two other modules, lets say module_b and module_c. module_b requires all the code in module_a except for the files in package /org/, similarly module_c requires all files/classes in module_a except in package /net/

Here is the sample ANT code to do that

Following ANT target creates a trimmed version of module_a classes, by excluding the org folder

<target name="make-jar-for-module-b" depends="compile-classes ,clean-jars">
<jar index="yes" jarfile="${}/module_a_for_b.jar" compress="true">
<fileset dir="${}">
<exclude name="**/org/**" />

Following ANT target creates a trimmed version of module_a classes, by excluding the net folder

<target name="make-jar-for-module-c" depends="compile-classes ,clean-jars">
<jar index="yes" jarfile="${}/module_a_for_c.jar" compress="true">
<fileset dir="${}">
<exclude name="**/net/**" />

Here we assume that you are already done with ANT targets for compiling classes and cleaning the jar folders.

On executing these targets you will get the required dependency jars by name module_a_for_c.jar and module_a_for_b.jar

How do I know if I have Sun Java Development Kit installed?

It normally happens that we need to check if JDK is installed on our system.

You can check it in a couple of ways as explained below:

For Windows:
  • If you are on windows and the kit was installed using the standard JDK installer you can find it in "Control Panel > Add Remove Programs".
  • Also check for directories in the windows installation drive. I am assuming its C:. The location can be C:\jdk.....<version>or c:\program files\java\<java version> this folder can also contain JRE, so check the folder name, if its prefixed/suffixed with jre, then its not the right one.
  • Other option is to see if environment var JAVA_HOME is set. For this just hit echo %JAVA_HOME% on command prompt. This will tell you the Java install dir.
  • In case nothing was found on JAVA_HOME var, you can also echo %PATH% variable to see, if its having java in it i.e. PATH variable points to the java bin folder having executables like java, javac, jar. So in case you find any thing on it. This will take you to java install dir.
  • If you have not installed using installer i.e. you have unzipped it. Then simplest is to do file search for java, javac etc. The folder holding these files will point you either to JRE or JDK
For Linux
  • If installed using some installer or linux tool like apt-get or yum then hit on shell $ whereis java it should show you available folders having java installed. for ex  /usr/bin/java /etc/java /usr/share/java
  • other wise just do a file search for javac, it should help like windows.

February 18, 2009

Java J2ee Struts Spring JSP Cross Side Scripting or XSS framework library tools

There are many ways to handle XSS or Cross side scripting problems in Java, J2EE, Struts, Spring and JSP. This post covers most popular tools and ways to do that. In this post I will explain about tools like

Ways to fix XSS issues in Java

  1. Servlet Filters: This is the most common way perhaps to have a inbound servlet filter, that intercepts each incoming request and wraps it in a HttpRequestWrapper that returns each parameter value cleaned from XSS possibilities. One can see the Code Snippet here. The approach shown in this example is pretty simple the request wrapper cleans the script tag and the < and > symbols. So this solution is not protecting you from SQL Injection attacks by default. So if one needs more secure filtering one can mix it with the libraries like Reform, XssProtect or AntiXss. So this mix and match solution will give you a good solution.
  2. JSP Printing: The other way to safeguard yourself is to not to use scriplets like <%= at all for printing any data that carries user inputted values. Instead of using scriplet one can use tags that escape the value printed in HTML, like c:out. This tag by default escapes all the XML tags. So even in some hacker has added some script or other malicious item in request data. You will be safe.
  3. Cookie: Its best to exchange cookies in secure mode. Try to use HTTPS/SSL only in case of public sites with crucial transactions. So if one is using HTTPS and cookies, the java Cookie object's "setSecure()"  method should be called to ensure that "the browser will send the cookie using a secure protocol only, such as HTTPS or SSL".
  4. ViewHelpers / Renders: If one is preparing some HTML to be rendered in View Helper/Renders. One can use libraries like Reform. this will ensure that any this risky is properly encoded and cleaned to be written as HTML.

Tools to fix XSS issues in Java

  1. HDIV : If you are having a MVC based J2EE App that uses either Struts or Spring the best solution available today is HDIV, this tool is complaint with all possible standards laid out by OWASP. The cipher and hash mechanism employed ensures that each tampered request is always detected and failed to do any security breach.  This library requires very less integration effort, because it overrides the existing tags in both spring and struts. So one can just keep on using the existing code after doing the minimal setup. One can also use HDIV with plain JSTL tags, it overrides the CORE library for c:url and c:redirect tags.
  2. Reform : This library is released by OWASP for Java. Its basically useful for encoding various HTML stuff like HTML Code, attributes, javascript stuff.
  3. XssProtect : This library is available at google code project. Its a pluggable filter based mechanism that supports addition of custom filters too. This library developers say that its tested against all tests mentioned in
  4. Anti XSS For Java : This library is port of Microsoft Anti Xss Library to Java. So is anyone is familiar with Microsoft version and will  be more comfortable to use this library. It again gives a couple of methods useful for encoding HTML code, attributes and script stuff against XSS.

February 13, 2009

XSS Testing Acceptance Tools Software Frameworks comparison

This post covers the free or paid tools and software available for XSS or Cross Side Scripting testing. These tools are not specific to any programming language and can used with any of .NET, Java, J2EE, PHP, Ruby or Python web applications.

These days I was researching around good tools to test XSS vulnerability on a given website. I came across a couple of tools foolowing are the results of my experience with them.
  • Paid Tools
  1. IBM App Scan:  App Scan looks like a good tool, but its free editions are only available for testing with the IBM's test site. So it was again of no use for me. But the companies with money to spend, it looks like a good solution as Salesforce is using it.
  2. WebInspect : This looks like a good product from HP. But the problem is its not for free and the dependencies on Ms SQL Server 2005 makes it even more difficult to install and use. But the companies with money to spend, it looks like a good solution as Salesforce is using it.
  • FREE Tools (Automatic/semi automatic)
  1. Firefox GreaseMonkey plugin with  user script provided by whiteacid. This solution didn't worked at all for me, I tried to hit "User Script Commands > Start XSSing Forms" on my required forms. But nothing happened.
  2. Nikto : Its a good tool for scanning web servers for problems. Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). This can be useful to test your webservers for various port and known security limitations. Its used by Salesforce for there security checks, so you can be assured on its quality and  its for free :).
  3. Xss Me : This tool is a Firefox plugin.  Its the one I enjoyed most working with. Its pretty simple to use, you can make a XSS test on any web form opened in firefox, merely by right clicking and selecting "Open XSS Me SideBar" and hitting "Test All forms with all attacks". The scanning reports are good and pretty detailed too. Its a great tool to use and its for free.
  4. Sql Inject Me : Again from same company as of Xss Me. Its for testing SQL Injection with a similar interface as of XSS Me. Definitely a tool that I would recommend to use. Again its for free.
  • FREE Proxy based manual testing tools
  1. Burp Proxy : Burp Proxy is an interactive HTTP/S proxy server for attacking and testing web applications. It operates as a man-in-the-middle between the end browser and the target web server, and allows the user to intercept, inspect and modify the raw traffic passing in both directions. So its again a manual testing tool and its for free.
  2. Fiddler : Fiddler is a HTTP Debugging Proxy which logs all HTTP traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP Traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language. Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.
  3. Paros ProxyParos is a good tool for manually tampering the get and post requests. So one can modify any outgoing request params with javascript xss stuff  like script, eval etc for testing. The only issue with this is your need to change your proxy settings in browser to point to Paros to make it working.
  4. OWASP WebScarab Project : Its a proxy based testing tool from OWASP. Its written in Java and allows you to intercept and modify HTTP and HTTPS requests.
  5. WebScarab (Next Generation) Project : WebScarab-NG is a complete rewrite of the old WebScarab application, with a special focus on making the application more user-friendly. To this end, WebScarab-NG makes use of the Spring Rich Client Platform  to provide the user interface features.
  6. etc

February 10, 2009

IE javascript table createElement tr not working error cells[0] undefined

In IE, if one tries to create a javascript table object followed by creation of row and cell objects it doesn't works. The document.createElement() API is not working error for Internet Explorer and one gets the cells[0] undefined error.

The complete scenario is as follows:

I recently faced this error on Internet Explorer only. I created table, rows and cells using JS as follows
// Utility function to create Tag in browser neutral way
function createTag(parent,tag) {
var createdTag = null;
if(isIE) {
createdTag =  document.createElement("<" + tag + ">");
} else {
createdTag  = document.createElement(tag);
if(parent) {
parent.appendChild(createdTag );
return createdTag;

// Code snippet that creates a Table Row and then cell inside the table row. This was failing in IE (Internet explorer)

var tblBody =document.getElementById("tblObjId");
var tr = createTag(tblBody, "tr");
var td = createTag(tr, "td");
// error was coming for this line
tr.cells[0].innerHTML = "<i>First cell</i>";
In IE javascript error undefined started coming when I tried to access the row cell using  tr.cells[0].
This code snippet was working well in all other browsers. The simple fix to this problem is to fix it as follows.

var tblBody =document.getElementById("tblObjId");
// 1. Create a <tbody> tag inside table object first
var tbody = createTag(tblBody, "tbody");
// 2. Create all the required rows inside the TBODY object
var tr = createTag(tbody, "tr");
var td = createTag(tr, "td");
// Now this code will work fine on any browser
tr.cells[0].innerHTML = "<i>First cell</i>";

February 9, 2009

Javascript IE setAttribute("class", or getAttribute("class") className error

In Internet explorer the Javascript setAttribute("class", ) or getAttribute("class") method doesn't works or gives error in some versions. So instead of that one case use the "className" attribute for a given DOM element.

Code Snippet and description for this is following

To change "class" attribute of a HTML DOM element we usually use the following syntax

DOMObject.setAttribute("class", "NewCSSClassName");

where "NewCSSClassName" is the name of new CSS class for the HTML DOM element.

This thing works fine in all browsers except IE. In IE to read or write "class" attribute to a HTML DOM element use "className" attribute instead. This "className" attribute works well in all browsers.

So the above code snippet after changing the property will look as below:

DOMObject.className = "NewCSSClassName";

January 2, 2009

JavaScript IE anchor.text property undefined error issue

In Internet explorer, using Javascript one can't access the anchor object's "text" property. The work around for this is to use "innerHTML" property. However this works in all other browsers.

Complete description with code snippet is shown below

HTML DOM Anchor object has a "text" property that gives the text between opening and closing anchor tags for ex.

<a href="" id="lnkId" &gt; Show Google &lt;/a>

This property words well in all browsers except IE. On IE you get a Java Script error "undefined" on accessing this property.
The solution to this is shown in code snippet below. This script will look for an anchor with id "lnkId" and will show an alert window with the Text between the opening and closing tags

<script language="javascript" type="text/javascript">

var anchorObj = document.getElementById("lnkId");

// For all browsers except IE

// For IE