TK-Student: October 2011

Tuesday, October 11, 2011

XSS-Reflected critical error detected by Fority, as follows:

JSP Page1 transmits some parameters to JSP page2, then page2 displays these parameters by <%=para1%> method. However, Forfity will detect some XSS Reflected critical errors

Example:

<a href="logmgt.jsp?orderName=<%=orderName%>&cateName=<%=cateName%>">Go to Another Page</a>

where, orderName and cateName come from Pasge1

References:

Recommendations from above references: Using the structured output mechanism (such as <bean:write ……> or JSTL(<c:outvalue=”……”/>) instead of using (<%=……%>)

Hence, the above source code can be recoded, as follows:

<a href="logmgt.jsp?orderName=<%c:out value="${param.orderName}"/>&cateName=<c:out value="${param.cateName}"/>">Go to Another Page</a>

Difference:

<%=orderName%> ------- <%c:out value="${param.orderName}"/>

where, the orderName can be save into request.setAttribute("orderName",request.getParameter("orderName"))

Finally, all the XSS-Reflected errors have been solved by JSTL tag.

How to use JSTL:

1. Download the required jar files (jstl-impl-1.2.jar, jstl-api-1.2.jar) from http://jstl.java.net/download.html

2. Put these jar files into WEB-INF/lib folder

3. To define the tag (<%c/> ), you should add this line (<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core_rt" %>) in the top of your page

Monday, October 3, 2011

Install rubyinstaller-1.9.2-p290.exe from http://www.rubyinstaller.org (make sure to check the boxes to add the ruby directory to your command path)
In console mode, Type: gem install vmc
If you are behind a firewall, you will get a nasty error message:
ERROR: Could not find a valid gem 'vmc' (>=0) in any repository
Install vmc gem through a proxy server, type:
gem install --http-proxy http://proxy.vmware.com:3128 (this proxy url is proxy server of your company) vmc
Tell Cloud Foundry which cloud you want to connect to. Type:
vmc target api.cloudfoundry.com (in general, you have to set the hosts info in your hosts document)

the hosts document located in C:\Windows\System32\drivers\hosts
add localhost name and its DNS, for example
11.111.111.22 api.cf-controller.test.com.tw
11.111.111.22 test.cf-controller.test.com.tw

To communicate with Cloud Foundry through a proxy server, set the environment variable "http_proxy". In the command window, type
set http_proxy=http://proxy.vmware.com:3128 (this proxy url is proxy server of your company) vmc target api.cloudfoundry.com
Login to Cloud Foundry
vmc login
Enter your email address and password
Create a simple Ruby application.
- c:\> md helloTest
- c:\> cd helloTest
- c:\helloTest\> copy nul helloTest.rb
- type the following sample code in helloTest.rb using a test editor :
- require 'sinatra'
  get '/' do
  "Hello from Cloud Foundry"
  end
Publish the application to the cloud. Type:
- c:\helloTest>vmc push helloTest (helloTest only without extension (.rb))
Would you like to deploy from the current directory? [Yn]: y
- Application Deployed URL: 'helloTest.cf-controller.cht.com.tw'? y
- Detected a Sinatra Application, is this correct? [Yn]: y
- Memory Reservation [Default:128M] (64M, 128M, 256M, 512M or 1G)
- Creating Application: OK
- Would you like to bind any services to 'helloTest'? [yN]: n
- Uploading Application:
- Checking for available resources: OK
- Packing application: OK
- Uploading (0K): OK
- Push Status: OK
- Staging Application: OK
- Starting Application: OK
modify C:\Windows\System32\drivers\hosts and add your application info:
- 11.111.111.22 helloTest.cf-controller.testcom.tw
Launch a web browser and go to your Application Deployment URL (helloTest.cf-controller.testcom.tw)

Reference: