Posts

Showing posts from 2014

An XSS filter for Java EE web apps

Cross-Site Scripting, or XSS, is a fairly common vector used to attack web sites. It involves user-generated code being redisplayed by a website with all the privileges and security rights that a browser assigns to code originating from the current host. If the user code is something like <script>doEvil();</script>, then you have a problem.

OWASP is an organisation that provides guidance on web security, and they have a page that provides a suggested method for avoiding XSS in Java EE web apps. You can read this document at https://www.owasp.org/index.php/How_to_add_validation_logic_to_HttpServletRequest.

The library being demonstrated here is based on the ideas presented in that article, but fleshed out to be more flexible and easier to deploy. We call this library the (unimaginatively named) Parameter Validation Filter, or PVF.

PVF is implemented as a Servlet filter that intercepts requests to web pages, runs submitted parameters through a configurable sequence of validati…

Three Daily Things

Three Daily Things is a new, free website that I have put together based on a motivation app that I have had great personal success with.

The reason why I wrote this app is best explained with a story about myself.
Like most people, I want to be fit and healthy. To achieve this, I sign up to my local gym. But it doesn't take long for the unknowns to start rattling around in my brain. How many reps and sets should I do? Should I do cardio before or after resistance training? Should I be taking supplements? Is it best to work out in the morning or afternoon? Which exercises are best?
All these unknowns start to weigh heavily in my mind. I begin to wonder if I am wasting my time. I skip a few sessions, and before I know it I haven't visited the gym in weeks.
So many beneficial aspirations in my life have followed this path. I like the idea, I try it out, I get overwhelmed by the unknowns and eventually I give up.
So I asked myself, what was it that I really wanted out of my gym mem…

RHEL 7 VirtualBox Guest Additions Patched

If you have tried to use RHEL 7 in VirtualBox and run into the issue with the guest additions not compiling (see https://www.virtualbox.org/ticket/12638 for details), you can download this tar file, extract it, and run

sudo ./install.sh

The tar file is just the guest additions, pre-patched to work with RHEL 7.

Scroll to the bottom of log files in web pages

We use supervisord on our systems, which has a handy browser-based 'tail -f' feature. The problem is that the end of the log file appears off the bottom of the screen, and the browser won't scroll to the bottom automatically. This bookmarklet will keep the end of the page in view by re-scrolling to the bottom every 100 ms.

javascript:scroll=function(){setTimeout(function(){window.scrollTo(0,document.body.scrollHeight);scroll();},100);};scroll();

If you are a knowledge gatekeeper, the game is changing

"We take comfort from Charles Darwin's observation that it's not the strongest species that survives, nor the most intelligent, but the ones most responsive to change. We just need to be adaptable." - Gary Pruitt, then the CEO of McClatchy Newspapers and now CEO of the Associated Press (http://www.slate.com/blogs/future_tense/2012/11/12/google_ad_revenue_tops_entire_us_print_media_industry_chart.html).
I recently spent some time looking into the stats for web content we were responsible for and noticed two things. The first was that the majority of visitors were viewing chunked versions of our books, where each individual web page aligned roughly with an entry in the table of contents. The second was that most visitors were spending only a couple of minutes reading the content in any given session.
This observation aligned very closely with my own information gathering process. Once or twice a year I'll make time to sit down and read a technical book from start …

Your grandkids are going to laugh at the notion of "searching the web"

In the next 5 to 10 years our good friend and faithful digital companion, the search bar, is going to ride off into the sunset.

Googling has forever changed how we find answers to almost anything we could ever want to know, because the answer is most likely there buried in the first 10 links brought up in response to anything you type into the search bar.

When you think about it though, having to trawl through those 10 links is actually not a great way to answer a question. If you were to ask your mechanic what was making that noise in your engine, you would want the answer, not rambling descriptions and discussions of engine design and maintenance. But that is exactly what you get if you ask Google the same question: pages of forum posts when you only want the last one that actually has the answer; a blog post where that engine noise is coincidentally mentioned in the comments; or a 10 minute YouTube video where the information you want is 9 minutes in.

That is all about to change.…