good code, secure software
Category Archives: Secure Coding
GC Labs: Mitigating XML Entity Expansion Attacks with Xerces
Here are a few typical questions from my “assessment runbook” that I ask for an app that accepts and parses XML data that can be controlled by an attacker (think file uploads, web services, stored XML content made up of inputs from an external user, etc.):
(1) Is there a check to enforce a maximum number [...]
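The checks the runbook excerpt alludes to (a cap on entity declarations, a cap on how much a document may expand, and a refusal of external entities) are easy to express against any event-based parser. The block below is an added example written for this archive page, not code from the GC Labs post and not Xerces; it uses Python's bundled expat parser to show the same controls, with the sample documents constructed inline. The entity-count and amplification thresholds are arbitrary assumptions chosen for the demonstration.

```python
import xml.parsers.expat


class EntityLimitExceeded(ValueError):
    """Raised when a document breaches the entity or expansion caps."""


def parse_with_entity_limits(data: bytes, max_entity_decls: int = 8,
                             max_amplification: float = 5.0) -> dict:
    """Parse XML with pyexpat while enforcing:
      * a maximum number of entity declarations (max_entity_decls),
      * a maximum ratio of expanded character data to input size (max_amplification),
      * no external (SYSTEM/PUBLIC) entities at all.
    Returns counters plus the collected text, or raises EntityLimitExceeded.
    """
    parser = xml.parsers.expat.ParserCreate()
    stats = {"entity_decls": 0, "expanded_chars": 0, "text": []}
    char_budget = int(len(data) * max_amplification)

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # A SYSTEM or PUBLIC identifier means an external entity: refuse it outright.
        if system_id is not None or public_id is not None:
            raise EntityLimitExceeded(f"external entity {name!r} not allowed")
        stats["entity_decls"] += 1
        if stats["entity_decls"] > max_entity_decls:
            raise EntityLimitExceeded(
                f"more than {max_entity_decls} entity declarations")

    def on_character_data(text):
        # expat delivers expanded entity content through this handler, so counting
        # here measures the real expansion cost rather than the declared sizes.
        stats["expanded_chars"] += len(text)
        if stats["expanded_chars"] > char_budget:
            raise EntityLimitExceeded(
                f"expanded text exceeds {max_amplification}x the input size")
        stats["text"].append(text)

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_character_data
    parser.Parse(data, True)  # a handler exception aborts parsing and propagates
    return stats


def rejection_reason(data: bytes, **limits):
    """None if the document is accepted, otherwise the reason it was rejected."""
    try:
        parse_with_entity_limits(data, **limits)
        return None
    except EntityLimitExceeded as exc:
        return str(exc)


# Constructed samples (not real traffic): a benign document, a three-level
# "billion laughs" document that expands to 3000 characters, and an external entity.
BENIGN = b'<?xml version="1.0"?><order><item>widget</item></order>'

EXPANSION_ATTACK = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE doc [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<doc>&ext;</doc>"""


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("expansion", EXPANSION_ATTACK),
                       ("external", EXTERNAL_ENTITY)]:
        print(f"{label:10s} -> {rejection_reason(doc) or 'accepted'}")
```

The amplification check is the one that catches the expansion attack here: only four entities are declared, well under the declaration cap, but the parser is asked to emit roughly ten times more text than it was given. Counting declarations alone would miss it, which is why a runbook asks about both limits.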
Are your regular expressions anchored?
I recently found a SQL injection vulnerability in a J2EE app where a request parameter is used to construct a dynamic JDBC query via string concatenation. When I discussed the issue with the developer, he became confused and said “Wait, I’m validating this field against a white list like you said a few weeks ago, [...]
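The failure in that story is that a character whitelist only constrains the characters it is applied to, and an unanchored match is applied to some substring rather than the whole value. In Java this is the difference between `String.matches()` or `Matcher.matches()` (whole input must match) and `Matcher.find()` (any substring). The block below is an added example for this page, not the post's code, and uses Python's `re` module to show the same whitelist applied five ways against constructed inputs, including the trailing-newline case that `$` lets through.

```python
import re

# One character whitelist, compiled once. Nothing in the pattern says "the whole
# value must match"; that is decided by how the pattern is applied.
WHITELIST = re.compile(r"[A-Za-z0-9_]+")


def validate_search(value: str) -> bool:
    """Unanchored: passes if the whitelist matches ANYWHERE in the value."""
    return WHITELIST.search(value) is not None


def validate_match(value: str) -> bool:
    """Anchored at the start only: a payload appended to a valid prefix passes."""
    return WHITELIST.match(value) is not None


def validate_fullmatch(value: str) -> bool:
    """Anchored at both ends: every character must be in the whitelist."""
    return WHITELIST.fullmatch(value) is not None


def validate_dollar_anchor(value: str) -> bool:
    """Explicit ^...$ anchors: almost right, but $ also matches just before a
    trailing newline, so 'alice\\n' is accepted."""
    return re.search(r"^[A-Za-z0-9_]+$", value) is not None


def validate_strict_anchor(value: str) -> bool:
    """\\A...\\Z anchors: the strict form of explicit anchoring."""
    return re.search(r"\A[A-Za-z0-9_]+\Z", value) is not None


# Constructed inputs: a legitimate username, two injection payloads, and a
# value with a trailing newline.
SAMPLES = ["alice", "alice' OR 1=1--", "' OR 1=1--", "alice\n"]

CHECKS = {
    "search (unanchored)": validate_search,
    "match (start only)": validate_match,
    "fullmatch": validate_fullmatch,
    "^...$": validate_dollar_anchor,
    r"\A...\Z": validate_strict_anchor,
}


def run_all() -> dict:
    """Table of check name -> {sample: accepted?} for every sample."""
    return {name: {s: fn(s) for s in SAMPLES} for name, fn in CHECKS.items()}


if __name__ == "__main__":
    for name, results in run_all().items():
        print(f"{name:20s}", {repr(s): ok for s, ok in results.items()})
```

Only `fullmatch` and `\A...\Z` reject every payload; the unanchored check accepts `' OR 1=1--` because the letters in `OR` satisfy the whitelist. Even with the validation fixed, the JDBC query built by concatenation should become a parameterized `PreparedStatement`; input validation is defense in depth, not the control that stops SQL injection.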
OWASP XSS cheat sheet
OWASP has published a very well-written XSS cheat sheet.
IO Chokepoints: J2EE Filters
This is the first post in a series covering tactics for implementing input and output chokepoints in J2EE. My goal is to describe different techniques in separate posts and then summarize the tradeoffs involved in putting them in place in a final post. In this first post, I’ll show you how to set up a J2EE servlet filter to perform HTML escaping on multiple servlet-related input sources.