[
{
"path": ".github/dependabot.yml",
"content": "# To get started with Dependabot version updates, you'll need to specify which\n# package ecosystems to update and where the package manifests are located.\n# Please see the documentation for all configuration options:\n# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates\n\nversion: 2\nupdates:\n - package-ecosystem: \"maven\" # See documentation for possible values\n directory: \"/\" # Location of package manifests\n schedule:\n interval: \"daily\"\n"
},
{
"path": ".github/workflows/maven.yml",
"content": "name: Build\n\non:\n push:\n pull_request:\n branches: [ main ]\n\njobs:\n build:\n runs-on: ubuntu-latest\n name: JavaWebSecurity Build\n steps:\n - name: Checkout\n uses: actions/checkout@v5\n - name: Configure Java for Build\n uses: actions/setup-java@v5\n with:\n distribution: 'temurin'\n java-version: '17'\n cache: 'maven'\n - name: Build with Maven\n run: mvn -B package --file pom.xml\n"
},
{
"path": ".gitignore",
"content": "*.class\n.idea\n.classpath\n.project\n.DS_Store\n*/target*\ntarget/\n.settings*\n# Package Files #\n*.jar\n*.war\n*.ear\n*.iml\n*.log\n*.lck\n.pmd\n.forge_settings\naccountsDB.properties\ncustomerDB.properties"
},
{
"path": "Ch04_OutputEscaping/pom.xml",
"content": "\n\t4.0.0\n\t\n\t\tde.dominikschadow.javawebsecurity\n\t\tjavawebsecurity\n\t\t1.0.0\n\t\n\tCh04_OutputEscaping\n\twar\n\tChapter 04 - Output Escaping\n\thttps://github.com/dschadow/Java-Web-Security\n\tChapter 4 Output Escaping sample project. Requires a server like Apache Tomcat or the Maven Tomcat plugin. After starting, open the web application in your browser at http://localhost:8080/Ch04_OutputEscaping\n\n\t\n\t\t\n javax.servlet\n javax.servlet-api\n \n\t\t\n\t\t\torg.owasp.esapi\n\t\t\tesapi\n\t\t\n\t\n\t\n\t\n\t\tCh04_OutputEscaping\n tomcat7:run-war\n\t\t\n\t\t\t\n org.apache.maven.plugins\n\t\t\t\tmaven-compiler-plugin\n\t\t\t\n\t\t\t\n\t\t\t\torg.apache.tomcat.maven\n\t\t\t\ttomcat7-maven-plugin\n\t\t\t\n \n org.apache.maven.plugins\n maven-war-plugin\n \n false\n \n \n\t\t\n\t\n"
},
{
"path": "Ch04_OutputEscaping/src/main/resources/ESAPI.properties",
"content": "# Logging\nLogger.ApplicationName=Ch04_OutputEscaping"
},
{
"path": "Ch04_OutputEscaping/src/main/webapp/index.jsp",
"content": "<%@ page language=\"java\" contentType=\"text/html; charset=UTF-8\" pageEncoding=\"UTF-8\"%>\n\n\n\n\t\n\t\n\tChapter 04 - Output Escaping\n\n\n\t
Chapter 04 - Output Escaping
\n\n\t
This demo application shows how JavaServer Pages (JSP) can be extended with safe output escaping provided by the\n OWASP Enterprise Security API (ESAPI). Feel free to enter any attack data like\n <script>alert('XSS')</script>.
The provided input is printed output escaped. Output escaping is done by the Enterprise Security API (ESAPI) for\n different contexts. Only HTML is the correct context here, the others are provided for reference only. The input\n is printed into [] to show its position.
\n\n"
},
{
"path": "Ch04_OutputEscapingJSF/pom.xml",
"content": "\n\t4.0.0\n\t\n\t\tde.dominikschadow.javawebsecurity\n\t\tjavawebsecurity\n\t\t1.0.0\n\t\n\tCh04_OutputEscapingJSF\n\twar\n\tChapter 04 - JSF Output Escaping\n\thttps://github.com/dschadow/Java-Web-Security\n Chapter 4 JSF Output Escaping sample project. Requires a server like Apache Tomcat or the Maven Tomcat plugin. After starting, open the web application in your browser at http://localhost:8080/Ch04_OutputEscapingJSF\n\n\t\n\t\t\n\t\t\tcom.sun.faces\n\t\t\tjsf-api\n\t\t\n\t\t\n\t\t\tcom.sun.faces\n\t\t\tjsf-impl\n\t\t\n\t\n\n\t\n\t\tCh04_OutputEscapingJSF\n tomcat7:run-war\n\t\t\n\t\t\t\n org.apache.maven.plugins\n\t\t\t\tmaven-compiler-plugin\n\t\t\t\n\t\t\t\n\t\t\t\torg.apache.tomcat.maven\n\t\t\t\ttomcat7-maven-plugin\n\t\t\t\n\t\t\n\t\n"
},
{
"path": "Ch04_OutputEscapingJSF/src/main/java/de/dominikschadow/webappsecurity/ContactController.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity;\n\nimport javax.faces.bean.ManagedBean;\nimport javax.faces.bean.SessionScoped;\nimport java.io.Serial;\nimport java.io.Serializable;\n\n/**\n * Bean representing user input (no additional security related attributes).\n * \n * @author Dominik Schadow\n */\n@ManagedBean(name = \"contact\")\n@SessionScoped\npublic class ContactController implements Serializable {\n @Serial\n private static final long serialVersionUID = 4083596061570021965L;\n\n private String firstname;\n private String lastname;\n\n public String getFirstname() {\n return firstname;\n }\n\n public void setFirstname(String firstname) {\n this.firstname = firstname;\n }\n\n public String getLastname() {\n return lastname;\n }\n\n public void setLastname(String lastname) {\n this.lastname = lastname;\n }\n}"
},
{
"path": "Ch04_OutputEscapingJSF/src/main/webapp/WEB-INF/faces-config.xml",
"content": "\n\n"
},
{
"path": "Ch04_OutputEscapingJSF/src/main/webapp/WEB-INF/web.xml",
"content": "\n\n Ch04_OutputEscapingJSF\n\n \n javax.faces.PROJECT_STAGE\n Development\n \n\n \n Faces Servlet\n javax.faces.webapp.FacesServlet\n 1\n \n\n \n Faces Servlet\n *.xhtml\n \n\n \n index.xhtml\n \n"
},
{
"path": "Ch04_OutputEscapingJSF/src/main/webapp/contact.xhtml",
"content": "\n\n\n\n \n Chapter 04 - JSF Output Escaping\n\n\n
This demo application shows how JavaServer Faces (JSF) handle output escaping with direct value expressions and normal elements/\n attributes. Feel free to enter any attack data like <script>alert('XSS')</script>.
\n\n \n \n \n \n\n \n \n \n \n \n\n"
},
{
"path": "Ch04_OutputEscapingJSF/src/main/webapp/resources/css/styles.css",
"content": "h1 {\n font-size: 1.5em;\n}\n\nh2 {\n font-size: 1.2em;\n}\n"
},
{
"path": "Ch04_OutputEscapingJSP/pom.xml",
"content": "\n 4.0.0\n \n de.dominikschadow.javawebsecurity\n javawebsecurity\n 1.0.0\n \n Ch04_OutputEscapingJSP\n war\n Chapter 04 - JSP Output Escaping\n https://github.com/dschadow/Java-Web-Security\n Chapter 4 JSP Output Escaping sample project. Requires a server like Apache Tomcat or the Maven Tomcat plugin. After starting, open the web application in your browser at http://localhost:8080/Ch04_OutputEscapingJSP\n\n \n \n org.springframework\n spring-webmvc\n \n \n javax.servlet\n javax.servlet-api\n \n \n javax.servlet.jsp\n javax.servlet.jsp-api\n \n \n javax.servlet\n jstl\n \n \n ch.qos.logback\n logback-classic\n \n \n org.springframework\n spring-test\n \n \n org.junit.jupiter\n junit-jupiter-engine\n \n \n org.hamcrest\n hamcrest-library\n \n \n\n \n Ch04_OutputEscapingJSP\n tomcat7:run-war\n \n \n org.apache.maven.plugins\n maven-compiler-plugin\n \n \n org.apache.maven.plugins\n maven-war-plugin\n \n false\n \n \n \n org.apache.tomcat.maven\n tomcat7-maven-plugin\n \n \n \n"
},
{
"path": "Ch04_OutputEscapingJSP/src/main/java/de/dominikschadow/webappsecurity/OutputEscapingWebAppInitializer.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity;\n\nimport org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;\n\n/**\n *\n * @author Dominik Schadow\n */\npublic class OutputEscapingWebAppInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {\n @Override\n protected Class[] getRootConfigClasses() {\n return null;\n }\n\n @Override\n protected Class[] getServletConfigClasses() {\n return new Class[]{WebConfig.class};\n }\n\n @Override\n protected String[] getServletMappings() {\n return new String[]{\"/\"};\n }\n}\n"
},
{
"path": "Ch04_OutputEscapingJSP/src/main/java/de/dominikschadow/webappsecurity/WebConfig.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity;\n\nimport org.springframework.context.annotation.Bean;\nimport org.springframework.context.annotation.ComponentScan;\nimport org.springframework.context.annotation.Configuration;\nimport org.springframework.web.servlet.ViewResolver;\nimport org.springframework.web.servlet.config.annotation.DefaultServletHandlerConfigurer;\nimport org.springframework.web.servlet.config.annotation.EnableWebMvc;\nimport org.springframework.web.servlet.config.annotation.WebMvcConfigurer;\nimport org.springframework.web.servlet.view.InternalResourceViewResolver;\n\n/**\n * @author Dominik Schadow\n */\n@Configuration\n@EnableWebMvc\n@ComponentScan(\"de.dominikschadow.webappsecurity.controller\")\npublic class WebConfig implements WebMvcConfigurer {\n @Bean\n public ViewResolver viewResolver() {\n InternalResourceViewResolver resolver = new InternalResourceViewResolver();\n resolver.setPrefix(\"/WEB-INF/views/\");\n resolver.setSuffix(\".jsp\");\n resolver.setExposeContextBeansAsAttributes(true);\n return resolver;\n }\n\n @Override\n public void configureDefaultServletHandling(DefaultServletHandlerConfigurer configurer) {\n configurer.enable();\n }\n}\n"
},
{
"path": "Ch04_OutputEscapingJSP/src/main/java/de/dominikschadow/webappsecurity/controller/ContactController.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.controller;\n\nimport de.dominikschadow.webappsecurity.domain.Contact;\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\nimport org.springframework.stereotype.Controller;\nimport org.springframework.ui.Model;\nimport org.springframework.web.bind.annotation.ModelAttribute;\nimport org.springframework.web.bind.annotation.RequestMapping;\nimport org.springframework.web.bind.annotation.RequestMethod;\nimport org.springframework.web.bind.annotation.SessionAttributes;\n\n/**\n * \n * @author Dominik Schadow\n */\n@Controller\n@SessionAttributes\npublic class ContactController {\n private static final Logger LOGGER = LoggerFactory.getLogger(ContactController.class);\n\n @RequestMapping(value = \"/addContact\", method = RequestMethod.POST)\n public String addContact(@ModelAttribute Contact contact, Model model) {\n LOGGER.info(\"Contact first name: {}, last name: {}\", contact.getFirstname(), contact.getLastname());\n\n model.addAttribute(\"contact\", contact);\n\n return \"contact\";\n }\n}\n"
},
{
"path": "Ch04_OutputEscapingJSP/src/main/java/de/dominikschadow/webappsecurity/controller/IndexController.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.controller;\n\nimport org.springframework.stereotype.Controller;\nimport org.springframework.web.bind.annotation.RequestMapping;\n\nimport static org.springframework.web.bind.annotation.RequestMethod.GET;\n\n/**\n * Controller to handle GET requests for the home page.\n *\n * @author Dominik Schadow\n */\n@Controller\n@RequestMapping(value = \"/\")\npublic class IndexController {\n @RequestMapping(method = GET)\n public String index() {\n return \"index\";\n }\n}\n"
},
{
"path": "Ch04_OutputEscapingJSP/src/main/java/de/dominikschadow/webappsecurity/domain/Contact.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.domain;\n\n/**\n * \n * @author Dominik Schadow\n */\npublic class Contact {\n private String firstname;\n private String lastname;\n\n public String getFirstname() {\n return firstname;\n }\n\n public void setFirstname(String firstname) {\n this.firstname = firstname;\n }\n\n public String getLastname() {\n return lastname;\n }\n\n public void setLastname(String lastname) {\n this.lastname = lastname;\n }\n}\n"
},
{
"path": "Ch04_OutputEscapingJSP/src/main/resources/logback.xml",
"content": "\n \n \n %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n\n \n \n\n \n \n \n"
},
{
"path": "Ch04_OutputEscapingJSP/src/main/webapp/WEB-INF/views/contact.jsp",
"content": "<%@ page language=\"java\" contentType=\"text/html; charset=UTF-8\" pageEncoding=\"UTF-8\"%>\n<%@ taglib prefix=\"c\" uri=\"http://java.sun.com/jsp/jstl/core\" %>\n<%@ taglib prefix=\"s\" uri=\"http://www.springframework.org/tags\" %>\n\n \n \n \" >\n Chapter 04 - JSP Output Escaping\n \n \n
Chapter 04 - JSP Output Escaping
\n\n
Input displayed as direct value expression
\n
${contact.firstname} ${contact.lastname}
\n\n
Input displayed as out element
\n
\n\n
Input displayed inside Spring escapeBody element as direct value expression
This demo application shows how JavaServer Pages (JSP) handle output escaping with direct value expressions and\n normal elements/ attributes. Feel free to enter any attack data like <script>alert('XSS')</script>.
\n\n\t\n\n"
},
{
"path": "Ch04_OutputEscapingJSP/src/main/webapp/resources/styles.css",
"content": "h1 {\n font-size: 1.5em;\n}\n\nh2 {\n font-size: 1.2em;\n}\n\nfieldset {\n width: 600px;\n font-size: 1.2em;\n margin-top: 20px;\n}\n\ninput {\n display: inline-block;\n vertical-align: middle;\n width: 150px;\n}\n\ninput[type=submit] {\n width: 75px;\n height: 20px;\n margin-left: 10px;\n}\n\nlabel {\n margin-right: 10px;\n}\n"
},
{
"path": "Ch04_OutputEscapingJSP/src/test/java/de/dominikschadow/webappsecurity/controller/ContactControllerTest.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.controller;\n\nimport org.junit.jupiter.api.Test;\nimport org.springframework.test.web.servlet.MockMvc;\n\nimport static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;\nimport static org.springframework.test.web.servlet.result.MockMvcResultMatchers.view;\nimport static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;\n\n/**\n *\n * @author Dominik Schadow\n */\npublic class ContactControllerTest {\n @Test\n public void testContactPage() throws Exception {\n ContactController controller = new ContactController();\n MockMvc mockMvc = standaloneSetup(controller).build();\n\n mockMvc.perform(post(\"/addContact\")).andExpect(view().name(\"contact\"));\n }\n}\n"
},
{
"path": "Ch04_OutputEscapingJSP/src/test/java/de/dominikschadow/webappsecurity/controller/IndexControllerTest.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.controller;\n\nimport org.junit.jupiter.api.Test;\nimport org.springframework.test.web.servlet.MockMvc;\n\nimport static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;\nimport static org.springframework.test.web.servlet.result.MockMvcResultMatchers.view;\nimport static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup;\n\n/**\n *\n * @author Dominik Schadow\n */\npublic class IndexControllerTest {\n @Test\n public void testIndexPage() throws Exception {\n IndexController controller = new IndexController();\n MockMvc mockMvc = standaloneSetup(controller).build();\n\n mockMvc.perform(get(\"/\")).andExpect(view().name(\"index\"));\n }\n}\n"
},
{
"path": "Ch05_AccessReferenceMaps/pom.xml",
"content": "\n\t4.0.0\n\t\n\t\tde.dominikschadow.javawebsecurity\n\t\tjavawebsecurity\n\t\t1.0.0\n\t\n\tCh05_AccessReferenceMaps\n\twar\n\tChapter 05 - Access Reference Maps\n\thttps://github.com/dschadow/Java-Web-Security\n Chapter 5 Access Reference sample project. Requires a server like Apache Tomcat or the Maven Tomcat plugin. After starting, open the web application in your browser at http://localhost:8080/Ch05_AccessReferenceMaps\n\n \n \n com.sun.faces\n jsf-api\n \n \n com.sun.faces\n jsf-impl\n \n\t\t\n\t\t\torg.owasp.esapi\n\t\t\tesapi\n\t\t\n\t\t\n com.h2database\n h2\n\t\t\n \n org.hibernate\n hibernate-core\n \n \n ch.qos.logback\n logback-classic\n \n\t\n\t\n\t\n Ch05_AccessReferenceMaps\n tomcat7:run-war\n\t\t\n \n org.apache.maven.plugins\n maven-compiler-plugin\n \n \n org.apache.tomcat.maven\n tomcat7-maven-plugin\n \n ${project.basedir}/src/main/resources/context.xml\n \n \n\t\t\n\t\n"
},
{
"path": "Ch05_AccessReferenceMaps/src/main/java/de/dominikschadow/webappsecurity/AccountController.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity;\n\nimport de.dominikschadow.webappsecurity.domain.Account;\n\nimport javax.faces.bean.ManagedBean;\nimport javax.faces.bean.SessionScoped;\nimport java.io.Serializable;\nimport java.util.ArrayList;\nimport java.util.List;\n\n/**\n * Managed bean to access an account by account id. Does not verify the given account id and therefore does not\n * provide any protection.\n *\n * @author Dominik Schadow\n */\n@ManagedBean(name = \"account\")\n@SessionScoped\npublic class AccountController implements Serializable {\n private Account account;\n private int userId = 42;\n private int accountId = 1;\n private transient AccountsDAO dao;\n private List accountReferences = new ArrayList<>();\n\n public int getAccountId() {\n return accountId;\n }\n\n public void setAccountId(int accountId) {\n this.accountId = accountId;\n }\n\n public int getUserId() {\n return userId;\n }\n\n public Account getAccount() {\n return account;\n }\n\n public List getAccountReferences() {\n return accountReferences;\n }\n\n public AccountController() {\n dao = new AccountsDAO();\n\n accountReferences = dao.getAccountsForUser(userId);\n }\n\n public String show() {\n account = dao.loadAccount(accountId);\n\n return \"account\";\n }\n}\n"
},
{
"path": "Ch05_AccessReferenceMaps/src/main/java/de/dominikschadow/webappsecurity/AccountIntegerController.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity;\n\nimport de.dominikschadow.webappsecurity.domain.Account;\nimport de.dominikschadow.webappsecurity.domain.User;\n\nimport javax.faces.bean.ManagedBean;\nimport javax.faces.bean.SessionScoped;\nimport java.io.Serializable;\nimport java.util.ArrayList;\nimport java.util.List;\n\n/**\n * Managed bean to access an account by account reference (IntegerAccessReferenceMap). Only accounts belonging to the\n * current user are contained in this map.\n *\n * @author Dominik Schadow\n */\n@ManagedBean(name = \"accountInteger\")\n@SessionScoped\npublic class AccountIntegerController implements Serializable {\n private List accountReferences = new ArrayList<>();\n private int iaAccountId = 1;\n private int userId = 42;\n private transient AccountsIntegerDAO dao;\n\n public int getIaAccountId() {\n return iaAccountId;\n }\n\n public void setIaAccountId(int iaAccountId) {\n this.iaAccountId = iaAccountId;\n }\n\n public int getUserId() {\n return userId;\n }\n\n public Account getAccount() {\n return dao.retrieveAccount(iaAccountId);\n }\n\n public List getAccountReferences() {\n return accountReferences;\n }\n\n public AccountIntegerController() {\n User currentUser = new User();\n currentUser.setUserId(userId);\n\n dao = new AccountsIntegerDAO();\n accountReferences = dao.loadAccountsForUser(currentUser);\n }\n\n public String show() {\n return \"accountInteger\";\n }\n}\n"
},
{
"path": "Ch05_AccessReferenceMaps/src/main/java/de/dominikschadow/webappsecurity/AccountRandomController.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity;\n\nimport de.dominikschadow.webappsecurity.domain.Account;\nimport de.dominikschadow.webappsecurity.domain.User;\n\nimport javax.faces.bean.ManagedBean;\nimport javax.faces.bean.SessionScoped;\nimport java.io.Serializable;\nimport java.util.ArrayList;\nimport java.util.List;\n\n/**\n * Managed bean to access an account by account reference (RandomAccessReferenceMap). Only accounts belonging to the\n * current user are contained in this map.\n *\n * @author Dominik Schadow\n */\n@ManagedBean(name = \"accountRandom\")\n@SessionScoped\npublic class AccountRandomController implements Serializable {\n private List accountReferences = new ArrayList<>();\n private String raAccountId = \"\";\n private int userId = 42;\n private transient AccountsRandomDAO dao;\n\n public String getRaAccountId() {\n return raAccountId;\n }\n\n public void setRaAccountId(String raAccountId) {\n this.raAccountId = raAccountId;\n }\n\n public int getUserId() {\n return userId;\n }\n\n public Account getAccount() {\n return dao.retrieveAccount(raAccountId);\n }\n\n public List getAccountReferences() {\n return accountReferences;\n }\n\n public AccountRandomController() {\n User currentUser = new User();\n currentUser.setUserId(userId);\n\n dao = new AccountsRandomDAO();\n accountReferences = dao.loadAccountsForUser(currentUser);\n }\n\n public String show() {\n return \"accountRandom\";\n }\n}\n"
},
{
"path": "Ch05_AccessReferenceMaps/src/main/java/de/dominikschadow/webappsecurity/AccountsDAO.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity;\n\nimport de.dominikschadow.webappsecurity.domain.Account;\nimport org.hibernate.HibernateException;\nimport org.hibernate.Session;\nimport org.hibernate.query.Query;\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\nimport java.util.ArrayList;\nimport java.util.List;\n\nimport static de.dominikschadow.webappsecurity.HibernateUtil.getSessionFactory;\n\n/**\n * Loads accounts from the in-memory-database for the unprotected managed bean.\n *\n * @author Dominik Schadow\n * @see AccountController\n */\npublic class AccountsDAO {\n private static final Logger LOGGER = LoggerFactory.getLogger(AccountsDAO.class);\n\n public List getAccountsForUser(int userId) {\n return queryAccounts(userId);\n }\n\n public Account loadAccount(int id) {\n return queryAccount(id);\n }\n\n private Account queryAccount(int id) {\n try (Session session = getSessionFactory().openSession()) {\n Query query = session.createQuery(\"FROM Account WHERE accountId = :id\");\n query.setParameter(\"id\", id);\n\n return (Account) query.uniqueResult();\n } catch (HibernateException ex) {\n LOGGER.error(ex.getMessage(), ex);\n }\n\n return null;\n }\n\n private List queryAccounts(int userId) {\n List accountReferences = new ArrayList<>();\n\n try (Session session = getSessionFactory().openSession()) {\n Query query = session.createNativeQuery(\"SELECT accountId FROM account WHERE ownerId = :id\");\n query.setParameter(\"id\", userId);\n\n accountReferences = query.list();\n\n LOGGER.info(\"Found {} account references\", accountReferences.size());\n } catch (HibernateException ex) {\n LOGGER.error(ex.getMessage(), ex);\n }\n\n return accountReferences;\n }\n}\n"
},
{
"path": "Ch05_AccessReferenceMaps/src/main/java/de/dominikschadow/webappsecurity/AccountsIntegerDAO.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity;\n\nimport de.dominikschadow.webappsecurity.domain.Account;\nimport de.dominikschadow.webappsecurity.domain.User;\nimport org.owasp.esapi.errors.AccessControlException;\nimport org.owasp.esapi.reference.IntegerAccessReferenceMap;\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\nimport java.util.ArrayList;\nimport java.util.List;\n\nimport static de.dominikschadow.webappsecurity.HibernateUtil.queryUserAccounts;\n\n/**\n * Loads accounts from the in-memory-database for the protected managed bean.\n *\n * @author Dominik Schadow\n * @see AccountIntegerController\n */\npublic class AccountsIntegerDAO {\n private IntegerAccessReferenceMap accounts = new IntegerAccessReferenceMap();\n private static final Logger LOGGER = LoggerFactory.getLogger(AccountsIntegerDAO.class);\n\n public Account retrieveAccount(int accountId) {\n String accountReference = String.valueOf(accountId);\n\n try {\n return accounts.getDirectReference(accountReference);\n } catch (AccessControlException ex) {\n LOGGER.error(\"Access to \" + accountReference + \" denied\", ex);\n\n return null;\n }\n }\n\n public List loadAccountsForUser(User user) {\n return queryAccounts(user);\n }\n\n private List queryAccounts(User user) {\n List ownAccounts = queryUserAccounts(user);\n LOGGER.info(\"Found {} account references\", ownAccounts.size());\n\n List accountReferences = new ArrayList<>();\n for (Account account : ownAccounts) {\n accounts.addDirectReference(account);\n accountReferences.add(accounts.getIndirectReference(account));\n }\n\n return accountReferences;\n }\n}\n"
},
{
"path": "Ch05_AccessReferenceMaps/src/main/java/de/dominikschadow/webappsecurity/AccountsRandomDAO.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity;\n\nimport de.dominikschadow.webappsecurity.domain.Account;\nimport de.dominikschadow.webappsecurity.domain.User;\nimport org.owasp.esapi.errors.AccessControlException;\nimport org.owasp.esapi.reference.RandomAccessReferenceMap;\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\nimport java.util.ArrayList;\nimport java.util.List;\n\nimport static de.dominikschadow.webappsecurity.HibernateUtil.queryUserAccounts;\n\n/**\n * Loads accounts from the in-memory-database for the protected managed bean.\n *\n * @author Dominik Schadow\n * @see AccountRandomController\n */\npublic class AccountsRandomDAO {\n private RandomAccessReferenceMap accounts = new RandomAccessReferenceMap();\n private static final Logger LOGGER = LoggerFactory.getLogger(AccountsRandomDAO.class);\n\n public Account retrieveAccount(String accountReference) {\n try {\n return accounts.getDirectReference(accountReference);\n } catch (AccessControlException ex) {\n LOGGER.error(\"Access to \" + accountReference + \" denied\", ex);\n\n return null;\n }\n }\n\n public List loadAccountsForUser(User user) {\n return queryAccounts(user);\n }\n\n private List queryAccounts(User user) {\n List ownAccounts = queryUserAccounts(user);\n LOGGER.info(\"Found {} account references\", ownAccounts.size());\n\n List accountReferences = new ArrayList<>();\n for (Account account : ownAccounts) {\n accounts.addDirectReference(account);\n accountReferences.add(accounts.getIndirectReference(account));\n }\n\n return accountReferences;\n }\n}\n"
},
{
"path": "Ch05_AccessReferenceMaps/src/main/java/de/dominikschadow/webappsecurity/HibernateUtil.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity;\n\nimport de.dominikschadow.webappsecurity.domain.Account;\nimport de.dominikschadow.webappsecurity.domain.User;\nimport org.hibernate.Session;\nimport org.hibernate.SessionFactory;\nimport org.hibernate.cfg.Configuration;\nimport org.hibernate.query.Query;\n\nimport java.util.List;\n\n/**\n * @author Dominik Schadow\n */\npublic class HibernateUtil {\n static SessionFactory sessionFactory;\n\n /**\n * Util class, no constructor required.\n */\n private HibernateUtil() {\n }\n\n public static SessionFactory getSessionFactory() {\n if (sessionFactory == null) {\n sessionFactory = new Configuration().configure().buildSessionFactory();\n }\n\n return sessionFactory;\n }\n\n public static List queryUserAccounts(User user) {\n Session session = getSessionFactory().openSession();\n Query query = session.createQuery(\"FROM Account WHERE ownerId = :id\");\n query.setParameter(\"id\", user.getUserId());\n\n List accounts = query.list();\n\n session.close();\n\n return accounts;\n }\n}\n"
},
{
"path": "Ch05_AccessReferenceMaps/src/main/java/de/dominikschadow/webappsecurity/domain/Account.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.domain;\n\nimport javax.persistence.Entity;\nimport javax.persistence.Id;\nimport java.io.Serializable;\n\n/**\n * Simple account object representing one user account.\n *\n * @author Dominik Schadow\n */\n@Entity\npublic class Account implements Serializable {\n @Id\n private int accountId;\n private String name;\n private String type;\n private int ownerId;\n\n public int getAccountId() {\n return accountId;\n }\n\n public void setAccountId(int accountId) {\n this.accountId = accountId;\n }\n\n public String getName() {\n return name;\n }\n\n public void setName(String name) {\n this.name = name;\n }\n\n public String getType() {\n return type;\n }\n\n public void setType(String type) {\n this.type = type;\n }\n\n public int getOwnerId() {\n return ownerId;\n }\n\n public void setOwnerId(int ownerId) {\n this.ownerId = ownerId;\n }\n}\n"
},
{
"path": "Ch05_AccessReferenceMaps/src/main/java/de/dominikschadow/webappsecurity/domain/User.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.domain;\n\nimport javax.persistence.Entity;\nimport javax.persistence.Id;\nimport java.io.Serializable;\n\n/**\n * Represents a simple user.\n *\n * @author Dominik Schadow\n */\n@Entity\npublic class User implements Serializable {\n @Id\n private int userId;\n private String name;\n\n public int getUserId() {\n return userId;\n }\n\n public void setUserId(int userId) {\n this.userId = userId;\n }\n\n public String getName() {\n return name;\n }\n\n public void setName(String name) {\n this.name = name;\n }\n}\n"
},
{
"path": "Ch05_AccessReferenceMaps/src/main/resources/ESAPI.properties",
"content": "# Logging\nLogger.ApplicationName=Ch05_AccessReferenceMaps"
},
{
"path": "Ch05_AccessReferenceMaps/src/main/resources/context.xml",
"content": "\n\n \n"
},
{
"path": "Ch05_AccessReferenceMaps/src/main/resources/hibernate.cfg.xml",
"content": "\n\n\n \n org.hibernate.dialect.H2Dialect\n java:comp/env/mapDS\n create-drop\n false\n \n \n \n \n"
},
{
"path": "Ch05_AccessReferenceMaps/src/main/resources/import.sql",
"content": "INSERT INTO ACCOUNT (accountid, name, type, ownerid) VALUES (1, 'Marvin Savings', 'Savings', 42);\nINSERT INTO ACCOUNT (accountid, name, type, ownerid) VALUES (2, 'Marvin Credit Card',' Credit Card', 42);\nINSERT INTO ACCOUNT (accountid, name, type, ownerid) VALUES (3, 'Zaphod Savings',' Savings', 55);\nINSERT INTO ACCOUNT (accountid, name, type, ownerid) VALUES (4, 'Ford Prefect Credit Card', 'Credit Card', 10);\nINSERT INTO ACCOUNT (accountid, name, type, ownerid) VALUES (5, 'Ford Prefect Savings', 'Savings', 10);"
},
{
"path": "Ch05_AccessReferenceMaps/src/main/resources/logback.xml",
"content": "\n \n \n %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n\n \n \n\n \n \n \n"
},
{
"path": "Ch05_AccessReferenceMaps/src/main/webapp/WEB-INF/faces-config.xml",
"content": "\n\n"
},
{
"path": "Ch05_AccessReferenceMaps/src/main/webapp/WEB-INF/web.xml",
"content": "\n\n Ch05_AccessReferenceMaps\n\n \n javax.faces.PROJECT_STAGE\n Development\n \n\n \n Faces Servlet\n javax.faces.webapp.FacesServlet\n 1\n \n\n \n Faces Servlet\n *.xhtml\n \n\n \n index.xhtml\n \n"
},
{
"path": "Ch05_AccessReferenceMaps/src/main/webapp/account.xhtml",
"content": "\n\n\n\n \n Chapter 05 - Access Reference Maps\n\n\n\t
Valid account references for user id #{account.userId} are . All accounts between 1 and 5 are accessible.
\n\n \n \n \n \n \n \n \n \n \n\n
Protected by IntegerAccessReferenceMap
\n\n
Valid account references for user id #{accountInteger.userId} are . Only these accounts are accessible.
\n\n \n \n \n \n \n \n \n \n \n\n
Protected by RandomAccessReferenceMap
\n\n
Valid account references for user id #{accountRandom.userId} are . Only these accounts are accessible.
\n\n \n \n \n \n \n \n \n\n"
},
{
"path": "Ch05_AccessReferenceMaps/src/main/webapp/resources/css/styles.css",
"content": ".send-button {\n margin-left: 25px;\n}\n\nh1 {\n font-size: 1.5em;\n}\n\nh2 {\n font-size: 1.2em;\n}\n"
},
{
"path": "Ch05_HSTS/pom.xml",
"content": "\n\n 4.0.0\n \n javawebsecurity\n de.dominikschadow.javawebsecurity\n 1.0.0\n \n Ch05_HSTS\n war\n Chapter 05 - HSTS\n https://github.com/dschadow/Java-Web-Security\n Chapter 5 HTTP Strict Transport Security (HSTS sample project. Requires a server like Apache Tomcat or the Maven Tomcat plugin. After starting, open the web application in your browser at http://localhost:8080/Ch05_HSTS\n\n \n \n javax.servlet\n javax.servlet-api\n \n \n ch.qos.logback\n logback-classic\n \n \n\n \n Ch05_HSTS\n tomcat7:run-war\n \n \n org.apache.maven.plugins\n maven-compiler-plugin\n \n \n org.apache.tomcat.maven\n tomcat7-maven-plugin\n \n \n org.apache.maven.plugins\n maven-war-plugin\n \n false\n \n \n \n \n\n\n"
},
{
"path": "Ch05_HSTS/src/main/java/de/dominikschadow/webappsecurity/filter/HSTSFilter.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.filter;\n\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\nimport javax.servlet.*;\nimport javax.servlet.http.HttpServletResponse;\nimport java.io.IOException;\n\n/**\n * Filter to add the Strict-Transport-Security header to every response.\n *\n * @author Dominik Schadow\n */\npublic class HSTSFilter implements Filter {\n private static final Logger LOGGER = LoggerFactory.getLogger(HSTSFilter.class);\n\n @Override\n public void init(FilterConfig filterConfig) {\n LOGGER.info(\"HSTSFilter init\");\n }\n\n @Override\n public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {\n ((HttpServletResponse) res).setHeader(\"Strict-Transport-Security\", \"max-age=12960000; includeSubdomains\");\n LOGGER.info(\"Added Strict-Transport-Security header to response\");\n\n chain.doFilter(req, res);\n }\n\n @Override\n public void destroy() {\n }\n}\n"
},
{
"path": "Ch05_HSTS/src/main/java/de/dominikschadow/webappsecurity/servlets/LoginServlet.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.servlets;\n\nimport java.io.IOException;\nimport java.io.PrintWriter;\nimport java.io.Serial;\n\nimport javax.servlet.annotation.WebServlet;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\n\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\n/**\n * Servlet faking a user login. Invalidates the current session (and its session id) and creates a new one afterwards.\n *\n * @author Dominik Schadow\n */\n@WebServlet(name = \"LoginServlet\", urlPatterns = {\"/LoginServlet\"})\npublic class LoginServlet extends HttpServlet {\n private static final Logger LOGGER = LoggerFactory.getLogger(LoginServlet.class);\n @Serial\n private static final long serialVersionUID = 1L;\n\n @Override\n protected void doPost(HttpServletRequest request, HttpServletResponse response) {\n String name = request.getParameter(\"name\");\n LOGGER.info(\"Received {} as POST parameter\", name);\n\n // invalidate the current session\n request.getSession().invalidate();\n\n // create a new one and continue in the \"login\" process\n request.getSession(true);\n\n response.setContentType(\"text/html\");\n\n try (PrintWriter out = response.getWriter()) {\n out.println(\"\");\n out.println(\"\");\n out.println(\"\");\n out.println(\"
Chapter 05 - HTTP Strict Transport Security (HSTS)
\n\n \n\n\n"
},
{
"path": "Ch05_HSTS/src/main/webapp/styles.css",
"content": ".text-input {\n width: 250px;\n}\n\nh1 {\n font-size: 150%;\n}\n\nh2 {\n font-size: 125%;\n}\n\ntd {\n font-size: 115%;\n}\n\nth {\n background-color: darkgrey;\n padding: 2pt;\n font-weight: bold;\n font-size: 125%;\n}\n"
},
{
"path": "Ch05_SessionFixation/pom.xml",
"content": "\n\t4.0.0\n\t\n\t\tde.dominikschadow.javawebsecurity\n\t\tjavawebsecurity\n\t\t1.0.0\n\t\n\tCh05_SessionFixation\n\twar\n\tChapter 05 - Session Fixation\n\thttps://github.com/dschadow/Java-Web-Security\n Chapter 5 Session Fixation sample project. Requires a server like Apache Tomcat or the Maven Tomcat plugin. After starting, open the web application in your browser at http://localhost:8080/Ch05_SessionFixation\n\n \n \n javax.servlet\n javax.servlet-api\n \n \n ch.qos.logback\n logback-classic\n \n\t\n\n \n Ch05_SessionFixation\n tomcat7:run-war\n \n \n org.apache.maven.plugins\n maven-compiler-plugin\n \n \n org.apache.tomcat.maven\n tomcat7-maven-plugin\n \n ${project.basedir}/src/main/resources/context.xml\n \n \n \n org.apache.maven.plugins\n maven-war-plugin\n \n false\n \n \n \n \n"
},
{
"path": "Ch05_SessionFixation/src/main/java/de/dominikschadow/webappsecurity/servlets/LoginServlet.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.servlets;\n\nimport java.io.IOException;\nimport java.io.PrintWriter;\nimport java.io.Serial;\n\nimport javax.servlet.annotation.WebServlet;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\n\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\n/**\n * Servlet faking a user login. Invalidates the current session (and its session id) and creates a new one afterwards.\n *\n * @author Dominik Schadow\n */\n@WebServlet(name = \"LoginServlet\", urlPatterns = {\"/LoginServlet\"})\npublic class LoginServlet extends HttpServlet {\n private static final Logger LOGGER = LoggerFactory.getLogger(LoginServlet.class);\n @Serial\n private static final long serialVersionUID = 1L;\n\n @Override\n protected void doPost(HttpServletRequest request, HttpServletResponse response) {\n String name = request.getParameter(\"name\");\n LOGGER.info(\"Received {} as POST parameter\", name);\n\n // invalidate the current session\n request.getSession().invalidate();\n\n // create a new one and continue in the \"login\" process\n request.getSession(true);\n\n response.setContentType(\"text/html\");\n\n try (PrintWriter out = response.getWriter()) {\n out.println(\"\");\n out.println(\"\");\n out.println(\"\");\n out.println(\"
Cookie information in popup is empty because of web.xml protection.
\n\n \n\n"
},
{
"path": "Ch05_SessionHandling/src/main/webapp/resources/css/styles.css",
"content": "h1 {\n font-size: 125%;\n}\n"
},
{
"path": "Ch06_SQLInjection/pom.xml",
"content": "\n 4.0.0\n \n de.dominikschadow.javawebsecurity\n javawebsecurity\n 1.0.0\n \n Ch06_SQLInjection\n war\n Chapter 06 - SQL Injection\n https://github.com/dschadow/Java-Web-Security\n Chapter 6 SQL Injection sample project. Requires a server like Apache Tomcat or the Maven Tomcat plugin. After starting, open the web application in your browser at http://localhost:8080/Ch06_SQLInjection\n\n \n \n javax.servlet\n javax.servlet-api\n \n \n com.h2database\n h2\n \n \n org.owasp.esapi\n esapi\n \n \n org.hibernate\n hibernate-core\n \n \n ch.qos.logback\n logback-classic\n \n \n\n \n Ch06_SQLInjection\n tomcat7:run-war\n \n \n org.apache.maven.plugins\n maven-compiler-plugin\n \n \n org.apache.tomcat.maven\n tomcat7-maven-plugin\n \n ${project.basedir}/src/main/resources/context.xml\n \n \n \n org.apache.maven.plugins\n maven-war-plugin\n \n false\n \n \n \n \n"
},
{
"path": "Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/domain/Customer.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.domain;\n\nimport javax.persistence.*;\n\n/**\n * @author Dominik Schadow\n */\n@Entity\npublic class Customer {\n @Id\n @GeneratedValue(strategy = GenerationType.AUTO)\n @Column(name = \"cust_id\")\n private int custId;\n private String name;\n private String status;\n @Column(name = \"order_limit\")\n private int orderLimit;\n private String hint;\n\n public int getCustId() {\n return custId;\n }\n\n public void setCustId(int custId) {\n this.custId = custId;\n }\n\n public String getName() {\n return name;\n }\n\n public void setName(String name) {\n this.name = name;\n }\n\n public String getStatus() {\n return status;\n }\n\n public void setStatus(String status) {\n this.status = status;\n }\n\n public int getOrderLimit() {\n return orderLimit;\n }\n\n public void setOrderLimit(int orderLimit) {\n this.orderLimit = orderLimit;\n }\n\n public String getHint() {\n return hint;\n }\n\n public void setHint(String hint) {\n this.hint = hint;\n }\n\n @Override\n public String toString() {\n return \"ID \" + custId +\n \", Name \" + name +\n \", Status \" + status +\n \", Order Limit \" + orderLimit +\n \", Hint \" + hint;\n }\n}\n"
},
{
"path": "Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/CustomerTable.java",
"content": "package de.dominikschadow.webappsecurity.servlets;\n\nimport de.dominikschadow.webappsecurity.domain.Customer;\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\nimport javax.servlet.http.HttpServletResponse;\nimport java.io.IOException;\nimport java.io.PrintWriter;\nimport java.sql.ResultSet;\nimport java.sql.SQLException;\nimport java.util.ArrayList;\nimport java.util.List;\n\n/**\n * Util class to create the customers list and to create the HTML table with all queried customers.\n *\n * @author Dominik Schadow\n */\npublic class CustomerTable {\n private static final Logger LOGGER = LoggerFactory.getLogger(CustomerTable.class);\n\n public static List extractCustomers(ResultSet rs) throws SQLException {\n List customers = new ArrayList<>();\n\n while (rs.next()) {\n Customer customer = new Customer();\n customer.setCustId(rs.getInt(1));\n customer.setName(rs.getString(2));\n customer.setStatus(rs.getString(3));\n customer.setOrderLimit(rs.getInt(4));\n\n customers.add(customer);\n }\n\n return customers;\n }\n\n public static void writeCustomers(HttpServletResponse response, String name, List customers) {\n response.setContentType(\"text/html\");\n\n try (PrintWriter out = response.getWriter()) {\n out.println(\"\");\n out.println(\"\");\n out.println(\"\");\n out.println(\"
Chapter 06 - SQL Injection
\");\n out.println(\"
Input \" + name + \"
\");\n out.println(\"
Customer Data
\");\n out.println(\"
\");\n out.println(\"
\");\n out.println(\"
ID
\");\n out.println(\"
Name
\");\n out.println(\"
Status
\");\n out.println(\"
Order Limit
\");\n out.println(\"
\");\n\n for (Customer customer : customers) {\n out.println(\"
\");\n out.println(\"
\" + customer.getCustId() + \"
\");\n out.println(\"
\" + customer.getName() + \"
\");\n out.println(\"
\" + customer.getStatus() + \"
\");\n out.println(\"
\" + customer.getOrderLimit() + \"
\");\n out.println(\"
\");\n }\n\n out.println(\"
\");\n out.println(\"\");\n out.println(\"\");\n } catch (IOException ex) {\n LOGGER.error(ex.getMessage(), ex);\n }\n }\n}\n"
},
{
"path": "Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/HQLServlet.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.servlets;\n\nimport org.hibernate.HibernateException;\nimport org.hibernate.Session;\nimport org.hibernate.query.Query;\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\nimport javax.servlet.annotation.WebServlet;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\n\nimport static de.dominikschadow.webappsecurity.servlets.CustomerTable.writeCustomers;\nimport static de.dominikschadow.webappsecurity.servlets.HibernateUtil.getSessionFactory;\n\n/**\n * Servlet using Hibernate Query Language (HQL) to query the in-memory-database.\n * User input is not modified and used directly in the HQL query.\n *\n * @author Dominik Schadow\n */\n@WebServlet(name = \"HQLServlet\", urlPatterns = {\"/HQLServlet\"})\npublic class HQLServlet extends HttpServlet {\n private static final Logger LOGGER = LoggerFactory.getLogger(HQLServlet.class);\n\n @Override\n protected void doPost(HttpServletRequest request, HttpServletResponse response) {\n String name = request.getParameter(\"name\");\n LOGGER.info(\"Received {} as POST parameter\", name);\n\n try (Session session = getSessionFactory().openSession()) {\n Query query = session.createQuery(\"FROM Customer WHERE name = :name ORDER BY custId\");\n query.setParameter(\"name\", name);\n\n writeCustomers(response, name, query.list());\n } catch (HibernateException ex) {\n LOGGER.error(ex.getMessage(), ex);\n }\n }\n}\n"
},
{
"path": "Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/HibernateUtil.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.servlets;\n\nimport org.hibernate.SessionFactory;\nimport org.hibernate.cfg.Configuration;\n\n/**\n * @author Dominik Schadow\n */\npublic class HibernateUtil {\n static SessionFactory sessionFactory;\n\n /**\n * Util class, no constructor required.\n */\n private HibernateUtil() {\n }\n\n public static SessionFactory getSessionFactory() {\n if (sessionFactory == null) {\n sessionFactory = new Configuration().configure().buildSessionFactory();\n }\n\n return sessionFactory;\n }\n}\n"
},
{
"path": "Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/InitDbServlet.java",
"content": "package de.dominikschadow.webappsecurity.servlets;\n\nimport org.hibernate.Session;\n\nimport javax.servlet.annotation.WebServlet;\nimport javax.servlet.http.HttpServlet;\n\nimport static de.dominikschadow.webappsecurity.servlets.HibernateUtil.getSessionFactory;\n\n/**\n * Servlet to initialize the database with some sample data.\n *\n * @author Dominik Schadow\n */\n@WebServlet(name = \"InitDbServlet\", urlPatterns = {\"/\"})\npublic class InitDbServlet extends HttpServlet {\n @Override\n public void init() {\n Session session = getSessionFactory().openSession();\n session.close();\n }\n}\n"
},
{
"path": "Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/PreparedStatementServlet.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.servlets;\n\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\nimport javax.servlet.annotation.WebServlet;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\nimport java.sql.*;\n\nimport static de.dominikschadow.webappsecurity.servlets.CustomerTable.extractCustomers;\nimport static de.dominikschadow.webappsecurity.servlets.CustomerTable.writeCustomers;\n\n/**\n * Servlet using a Prepared Statement to query the in-memory-database.\n * User input is not modified and used directly in the SQL query.\n *\n * @author Dominik Schadow\n */\n@WebServlet(name = \"PreparedStatementServlet\", urlPatterns = {\"/PreparedStatementServlet\"})\npublic class PreparedStatementServlet extends HttpServlet {\n private static final Logger LOGGER = LoggerFactory.getLogger(PreparedStatementServlet.class);\n\n @Override\n protected void doPost(HttpServletRequest request, HttpServletResponse response) {\n String name = request.getParameter(\"name\");\n LOGGER.info(\"Received {} as POST parameter\", name);\n\n String query = \"SELECT * FROM customer WHERE name = ? ORDER BY CUST_ID\";\n ResultSet rs = null;\n\n try (Connection con = DriverManager.getConnection(\"jdbc:h2:mem:sqli\", \"sa\", \"sa\"); PreparedStatement stmt = con.prepareStatement(query)) {\n stmt.setString(1, name);\n rs = stmt.executeQuery();\n\n writeCustomers(response, name, extractCustomers(rs));\n } catch (SQLException ex) {\n LOGGER.error(ex.getMessage(), ex);\n } finally {\n try {\n if (rs != null) {\n rs.close();\n }\n } catch (SQLException ex) {\n LOGGER.error(ex.getMessage(), ex);\n }\n }\n }\n}\n"
},
{
"path": "Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/StatementEscapingServlet.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.servlets;\n\nimport org.owasp.esapi.ESAPI;\nimport org.owasp.esapi.codecs.OracleCodec;\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\nimport javax.servlet.annotation.WebServlet;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\nimport java.sql.*;\n\nimport static de.dominikschadow.webappsecurity.servlets.CustomerTable.extractCustomers;\nimport static de.dominikschadow.webappsecurity.servlets.CustomerTable.writeCustomers;\n\n/**\n * Servlet using a normal Statement to query the in-memory-database.\n * User input is escaped with ESAPI and used in the SQL query afterwards.\n *\n * @author Dominik Schadow\n */\n@WebServlet(name = \"StatementEscapingServlet\", urlPatterns = {\"/StatementEscapingServlet\"})\npublic class StatementEscapingServlet extends HttpServlet {\n private static final Logger LOGGER = LoggerFactory.getLogger(StatementEscapingServlet.class);\n\n @Override\n protected void doPost(HttpServletRequest request, HttpServletResponse response) {\n String name = request.getParameter(\"name\");\n LOGGER.info(\"Received {} as POST parameter\", name);\n\n String safeName = ESAPI.encoder().encodeForSQL(new OracleCodec(), name);\n LOGGER.info(\"Escaped name is {}\", safeName);\n\n String query = \"SELECT * FROM customer WHERE name = '\" + safeName + \"' ORDER BY CUST_ID\";\n\n LOGGER.info(\"Final SQL query {}\", query);\n\n ResultSet rs = null;\n\n try (Connection con = DriverManager.getConnection(\"jdbc:h2:mem:sqli\", \"sa\", \"sa\"); Statement stmt = con.createStatement()) {\n rs = stmt.executeQuery(query);\n\n writeCustomers(response, name, extractCustomers(rs));\n } catch (SQLException ex) {\n LOGGER.error(ex.getMessage(), ex);\n } finally {\n try {\n if (rs != null) {\n rs.close();\n }\n } catch (SQLException ex) {\n LOGGER.error(ex.getMessage(), ex);\n }\n }\n }\n}\n"
},
{
"path": "Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/StatementServlet.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.servlets;\n\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\nimport javax.servlet.annotation.WebServlet;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\nimport java.sql.*;\n\nimport static de.dominikschadow.webappsecurity.servlets.CustomerTable.extractCustomers;\nimport static de.dominikschadow.webappsecurity.servlets.CustomerTable.writeCustomers;\n\n/**\n * Servlet using a normal Statement to query the in-memory-database.\n * User input is not modified and used directly in the SQL query.\n *\n * @author Dominik Schadow\n */\n@WebServlet(name = \"StatementServlet\", urlPatterns = {\"/StatementServlet\"})\npublic class StatementServlet extends HttpServlet {\n private static final Logger LOGGER = LoggerFactory.getLogger(StatementServlet.class);\n\n @Override\n protected void doPost(HttpServletRequest request, HttpServletResponse response) {\n String name = request.getParameter(\"name\");\n LOGGER.info(\"Received {} as POST parameter\", name);\n\n String query = \"SELECT * FROM customer WHERE name = '\" + name + \"' ORDER BY CUST_ID\";\n\n LOGGER.info(\"Final SQL query {}\", query);\n\n ResultSet rs = null;\n\n try (Connection con = DriverManager.getConnection(\"jdbc:h2:mem:sqli\", \"sa\", \"sa\"); Statement stmt = con.createStatement()) {\n rs = stmt.executeQuery(query);\n\n writeCustomers(response, name, extractCustomers(rs));\n } catch (SQLException ex) {\n LOGGER.error(ex.getMessage(), ex);\n } finally {\n try {\n if (rs != null) {\n rs.close();\n }\n } catch (SQLException ex) {\n LOGGER.error(ex.getMessage(), ex);\n }\n }\n }\n}\n"
},
{
"path": "Ch06_SQLInjection/src/main/resources/ESAPI.properties",
"content": "# Logging\nLogger.ApplicationName=Ch06_SQLInjection"
},
{
"path": "Ch06_SQLInjection/src/main/resources/context.xml",
"content": "\n\n \n"
},
{
"path": "Ch06_SQLInjection/src/main/resources/hibernate.cfg.xml",
"content": "\n\n\n \n org.hibernate.dialect.H2Dialect\n java:comp/env/sqliDS\n create-drop\n false\n \n \n \n"
},
{
"path": "Ch06_SQLInjection/src/main/resources/import.sql",
"content": "INSERT INTO CUSTOMER (CUST_ID, NAME, STATUS, ORDER_LIMIT, HINT) VALUES (1001, 'Arthur Dent', 'A', 10000, '');\nINSERT INTO CUSTOMER (CUST_ID, NAME, STATUS, ORDER_LIMIT, HINT) VALUES (1002, 'Ford Prefect', 'B', 5000, '');\nINSERT INTO CUSTOMER (CUST_ID, NAME, STATUS, ORDER_LIMIT, HINT) VALUES (1003, 'Tricia Trillian McMillan', 'C', 1000, '');\nINSERT INTO CUSTOMER (CUST_ID, NAME, STATUS, ORDER_LIMIT, HINT) VALUES (1004, 'Zaphod Beeblebrox', 'D', 500, 'President of the Galaxy');\nINSERT INTO CUSTOMER (CUST_ID, NAME, STATUS, ORDER_LIMIT, HINT) VALUES (1005, 'Marvin', 'A', 100000, 'Depressive');\nINSERT INTO CUSTOMER (CUST_ID, NAME, STATUS, ORDER_LIMIT, HINT) VALUES (1006, 'Slartibartfast', 'D', 100, '42');\n"
},
{
"path": "Ch06_SQLInjection/src/main/resources/logback.xml",
"content": "\n \n \n %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n\n \n \n\n \n \n \n"
},
{
"path": "Ch06_SQLInjection/src/main/webapp/index.jsp",
"content": "<%@ page language=\"java\" contentType=\"text/html; charset=UTF-8\" pageEncoding=\"UTF-8\"%>\n\n\n\n\t\n \n\tChapter 06 - SQL Injection\n\n\n\t
Chapter 06 - SQL Injection
\n\n
You can use different options to access the database. Not every field is attackable by SQL Injection.\n\t\tValid customers are: Arthur Dent, Ford Prefect, Tricia Trillian McMillan, Zaphod Beeblebrox, Marvin, Slartibartfast
\n\n\t
Using Statement
\n\t\n\t\n\n
Using Statement with Escaping
\n\n \n\n\t
Using Prepared Statement
\n\t\n\t\n\n
Using Hibernate Query Language (HQL)
\n\n \n\n\n"
},
{
"path": "Ch06_SQLInjection/src/main/webapp/styles.css",
"content": ".text-input {\n width: 250px;\n}\n\nh1 {\n font-size: 1.5em;\n}\n\nh2 {\n font-size: 1.2em;\n}\n\nth {\n background-color: darkgrey;\n padding: 2pt;\n font-weight: bold;\n font-size: 1.1em;\n}\n"
},
{
"path": "Ch06_XPathInjection/pom.xml",
"content": "\n 4.0.0\n \n de.dominikschadow.javawebsecurity\n javawebsecurity\n 1.0.0\n \n Ch06_XPathInjection\n war\n Chapter 06 - XPath Injection\n https://github.com/dschadow/Java-Web-Security\n Chapter 6 XPath Injection sample project. Requires a server like Apache Tomcat or the Maven Tomcat plugin. After starting, open the web application in your browser at http://localhost:8080/Ch06_XPathInjection\n\n \n \n javax.servlet\n javax.servlet-api\n \n \n org.owasp.esapi\n esapi\n \n \n ch.qos.logback\n logback-classic\n \n \n\n \n Ch06_XPathInjection\n tomcat7:run-war\n \n \n org.apache.maven.plugins\n maven-compiler-plugin\n \n \n org.apache.tomcat.maven\n tomcat7-maven-plugin\n \n \n org.apache.maven.plugins\n maven-war-plugin\n \n false\n \n \n \n \n"
},
{
"path": "Ch06_XPathInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/XPathEscapingServlet.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.servlets;\n\nimport org.owasp.esapi.ESAPI;\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\nimport org.w3c.dom.Document;\nimport org.w3c.dom.NodeList;\nimport org.xml.sax.SAXException;\n\nimport javax.servlet.annotation.WebServlet;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\nimport javax.xml.parsers.DocumentBuilder;\nimport javax.xml.parsers.DocumentBuilderFactory;\nimport javax.xml.parsers.ParserConfigurationException;\nimport javax.xml.xpath.XPathConstants;\nimport javax.xml.xpath.XPathExpression;\nimport javax.xml.xpath.XPathExpressionException;\nimport javax.xml.xpath.XPathFactory;\nimport java.io.IOException;\nimport java.io.InputStream;\nimport java.io.PrintWriter;\n\n/**\n * Servlet using an XPath expression to query the customer XML document.\n * User input is escaped before being used in the XPath expression.\n *
\");\n\n NodeList nodes = (NodeList) result;\n for (int i = 0; i < nodes.getLength(); i++) {\n out.println(\"
\" + nodes.item(i).getTextContent() + \"
\");\n }\n\n out.println(\"\");\n out.println(\"\");\n } catch (XPathExpressionException | IOException ex) {\n LOGGER.error(ex.getMessage(), ex);\n }\n }\n}\n"
},
{
"path": "Ch06_XPathInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/XPathServlet.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.servlets;\n\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\nimport org.w3c.dom.Document;\nimport org.w3c.dom.NodeList;\nimport org.xml.sax.SAXException;\n\nimport javax.servlet.annotation.WebServlet;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\nimport javax.xml.parsers.DocumentBuilder;\nimport javax.xml.parsers.DocumentBuilderFactory;\nimport javax.xml.parsers.ParserConfigurationException;\nimport javax.xml.xpath.XPathConstants;\nimport javax.xml.xpath.XPathExpression;\nimport javax.xml.xpath.XPathExpressionException;\nimport javax.xml.xpath.XPathFactory;\nimport java.io.IOException;\nimport java.io.InputStream;\nimport java.io.PrintWriter;\n\n/**\n * Servlet using an XPath expression to query the customer XML document.\n * User input is not modified and used directly in the XPath expression.\n *
Valid customers are: Arthur Dent, Ford Prefect, Tricia Trillian McMillan, Zaphod Beeblebrox, Marvin, Slartibartfast \n Password is always their first name.
\n\n\t
Without Escaping
\n\t\n\t\n\n
With Escaping
\n\n \n\n\n"
},
{
"path": "Ch06_XPathInjection/src/main/webapp/styles.css",
"content": ".text-input {\n width: 250px;\n}\n\nh1 {\n font-size: 150%;\n}\n\nh2 {\n font-size: 125%;\n}\n\ntd {\n font-size: 115%;\n}\n\nth {\n background-color: darkgrey;\n padding: 2pt;\n font-weight: bold;\n font-size: 125%;\n}\n"
},
{
"path": "Ch07_CSP/pom.xml",
"content": "\n\n 4.0.0\n \n de.dominikschadow.javawebsecurity\n javawebsecurity\n 1.0.0\n \n Ch07_CSP\n war\n Chapter 07 - CSP\n https://github.com/dschadow/Java-Web-Security\n Chapter 7 Content Security Policy (CSP) sample project. Requires a server like Apache Tomcat or the Maven Tomcat7 plugin. After starting, open the web application in your browser at http://localhost:8080/Ch07_CSP\n\n \n \n javax.servlet\n javax.servlet-api\n \n \n ch.qos.logback\n logback-classic\n \n \n\n \n Ch07_CSP\n tomcat7:run-war\n \n \n org.apache.maven.plugins\n maven-compiler-plugin\n \n \n org.apache.tomcat.maven\n tomcat7-maven-plugin\n \n \n org.apache.maven.plugins\n maven-war-plugin\n \n false\n \n \n \n \n"
},
{
"path": "Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/CSPReporting.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity;\n\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\nimport javax.servlet.annotation.WebServlet;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\nimport java.io.BufferedReader;\nimport java.io.IOException;\nimport java.io.InputStreamReader;\nimport java.io.Serial;\nimport java.nio.charset.Charset;\n\n/**\n * Simple CSP-Reporting servlet to receive and print out any JSON style CSP report with violations.\n *\n * @author Dominik Schadow\n */\n@WebServlet(name = \"CSPReporting\", urlPatterns = {\"/CSPReporting\"})\npublic class CSPReporting extends HttpServlet {\n @Serial\n private static final long serialVersionUID = 1L;\n private static final Logger LOGGER = LoggerFactory.getLogger(CSPReporting.class);\n\n @Override\n protected void doPost(HttpServletRequest request, HttpServletResponse response) {\n try (BufferedReader reader = new BufferedReader(new InputStreamReader(request.getInputStream(), Charset.defaultCharset()))) {\n StringBuilder responseBuilder = new StringBuilder();\n\n String inputStr;\n while ((inputStr = reader.readLine()) != null) {\n responseBuilder.append(inputStr);\n }\n\n LOGGER.info(\"\\n{}\", responseBuilder.toString());\n } catch (IOException ex) {\n LOGGER.error(ex.getMessage(), ex);\n }\n }\n}\n"
},
{
"path": "Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithCSPReportingServlet.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity;\n\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\nimport javax.servlet.annotation.WebServlet;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\nimport java.io.IOException;\nimport java.io.PrintWriter;\nimport java.io.Serial;\n\n/**\n * Servlet which sets the Content-Security-Policy-Report-Only response header and reports\n * any JavaScript code that would have been stopped by the policy.\n *\n * @author Dominik Schadow\n */\n@WebServlet(name = \"WithCSPReportingServlet\", urlPatterns = {\"/WithCSPReportingServlet\"})\npublic class WithCSPReportingServlet extends HttpServlet {\n @Serial\n private static final long serialVersionUID = 1L;\n private static final Logger LOGGER = LoggerFactory.getLogger(WithCSPReportingServlet.class);\n\n @Override\n protected void doPost(HttpServletRequest request, HttpServletResponse response) {\n LOGGER.info(\"Processing POST request with Content Security Policy Reporting\");\n\n String name = request.getParameter(\"reporting\");\n LOGGER.info(\"Received {} as POST parameter\", name);\n\n response.setContentType(\"text/html\");\n // the following line only reports violations and does not block anything\n response.setHeader(\"Content-Security-Policy-Report-Only\", \"default-src 'self'; report-uri CSPReporting\");\n\n // use the following line to activate the policy and still report all violations\n //response.setHeader(\"Content-Security-Policy\", \"default-src 'self'; report-uri CSPReporting\");\n\n try (PrintWriter out = response.getWriter()) {\n out.println(\"\");\n out.println(\"\");\n out.println(\"\");\n out.println(\"
Ch07_CSP
\");\n out.println(\"
With Content Security Policy Reporting
\");\n out.println(\"
Hello \" + name + \"
\");\n out.println(\"\");\n out.println(\"\");\n } catch (IOException ex) {\n LOGGER.error(ex.getMessage(), ex);\n }\n }\n}\n"
},
{
"path": "Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithCSPServlet.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity;\n\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\nimport javax.servlet.annotation.WebServlet;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\nimport java.io.IOException;\nimport java.io.PrintWriter;\nimport java.io.Serial;\n\n/**\n * Servlet which sets the Content-Security-Policy response header and stops any JavaScript code entered\n * in the textfield.\n * Any entered script-tag will not be rendered any more in the result page.\n *\n * @author Dominik Schadow\n */\n@WebServlet(name = \"WithCSPServlet\", urlPatterns = {\"/WithCSPServlet\"})\npublic class WithCSPServlet extends HttpServlet {\n @Serial\n private static final long serialVersionUID = 1L;\n private static final Logger LOGGER = LoggerFactory.getLogger(WithCSPServlet.class);\n\n @Override\n protected void doPost(HttpServletRequest request, HttpServletResponse response) {\n LOGGER.info(\"Processing POST request with Content Security Policy\");\n\n String name = request.getParameter(\"protected\");\n LOGGER.info(\"Received {} as POST parameter\", name);\n\n response.setContentType(\"text/html\");\n response.setHeader(\"Content-Security-Policy\", \"default-src 'self'\");\n // following line enables unsafe inline JavaScript\n// response.setHeader(\"Content-Security-Policy\", \"default-src 'self' 'unsafe-inline'\");\n\n try (PrintWriter out = response.getWriter()) {\n out.println(\"\");\n out.println(\"\");\n out.println(\"\");\n out.println(\"
Ch07_CSP
\");\n out.println(\"
With Content Security Policy
\");\n out.println(\"
Hello \" + name + \"
\");\n out.println(\"\");\n out.println(\"\");\n } catch (IOException ex) {\n LOGGER.error(ex.getMessage(), ex);\n }\n }\n}\n"
},
{
"path": "Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithoutCSPServlet.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity;\n\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\nimport javax.servlet.annotation.WebServlet;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\nimport java.io.IOException;\nimport java.io.PrintWriter;\nimport java.io.Serial;\n\n/**\n * Default servlet without any additional protection. Any entered script-tag will be executed on the result page.\n *\n * @author Dominik Schadow\n */\n@WebServlet(name = \"WithoutCSPServlet\", urlPatterns = {\"/WithoutCSPServlet\"})\npublic class WithoutCSPServlet extends HttpServlet {\n @Serial\n private static final long serialVersionUID = 1L;\n private static final Logger LOGGER = LoggerFactory.getLogger(WithoutCSPServlet.class);\n\n @Override\n protected void doPost(HttpServletRequest request, HttpServletResponse response) {\n LOGGER.info(\"Processing POST request without Content Security Policy\");\n\n String name = request.getParameter(\"unprotected\");\n LOGGER.info(\"Received {} as POST parameter\", name);\n\n response.setContentType(\"text/html\");\n\n try (PrintWriter out = response.getWriter()) {\n out.println(\"\");\n out.println(\"\");\n out.println(\"\");\n out.println(\"
\n\n \n\n\n"
},
{
"path": "Ch07_CSP/src/main/webapp/styles.css",
"content": ".text-input {\n width: 250px;\n}\n\nh1 {\n font-size: 150%;\n}\n\nh2 {\n font-size: 125%;\n}\n\ntd {\n font-size: 115%;\n}\n"
},
{
"path": "Ch07_XSS/pom.xml",
"content": "\r\n\r\n 4.0.0\r\n \r\n de.dominikschadow.javawebsecurity\r\n javawebsecurity\r\n 1.0.0\r\n \r\n Ch07_XSS\r\n war\r\n Chapter 07 - XSS\r\n https://github.com/dschadow/Java-Web-Security\r\n Chapter 7 XSS sample project. Requires a server like Apache Tomcat or the Maven Tomcat plugin. After starting, open the web application in your browser at http://localhost:8080/Ch07_XSS\r\n\r\n \r\n \r\n com.sun.faces\r\n jsf-api\r\n \r\n \r\n com.sun.faces\r\n jsf-impl\r\n \r\n \r\n org.hibernate\r\n hibernate-core\r\n \r\n \r\n com.h2database\r\n h2\r\n \r\n \r\n ch.qos.logback\r\n logback-classic\r\n \r\n \r\n org.apache.commons\r\n commons-lang3\r\n \r\n \r\n\r\n \r\n Ch07_XSS\r\n tomcat7:run-war\r\n \r\n \r\n org.apache.maven.plugins\r\n maven-compiler-plugin\r\n \r\n \r\n org.apache.tomcat.maven\r\n tomcat7-maven-plugin\r\n \r\n ${project.basedir}/src/main/resources/context.xml\r\n \r\n \r\n \r\n \r\n\r\n"
},
{
"path": "Ch07_XSS/src/main/java/de/dominikschadow/webappsecurity/beans/CustomerController.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.beans;\n\nimport de.dominikschadow.webappsecurity.daos.CustomerDAO;\nimport de.dominikschadow.webappsecurity.domain.Customer;\n\nimport javax.faces.bean.ManagedBean;\nimport javax.faces.bean.RequestScoped;\nimport java.util.List;\n\n/**\n *\n * @author Dominik Schadow\n */\n@ManagedBean(name = \"customer\")\n@RequestScoped\npublic class CustomerController {\n private Customer customer;\n private CustomerDAO customerDAO;\n\n public CustomerController() {\n customer = new Customer();\n customerDAO = new CustomerDAO();\n }\n\n public Customer getCustomer() {\n return customer;\n }\n\n public void setCustomer(Customer customer) {\n this.customer = customer;\n }\n\n public List getCustomers() {\n return customerDAO.getAllCustomers();\n }\n\n public String save() {\n customerDAO.createCustomer(customer);\n\n return \"showCustomers\";\n }\n}\n"
},
{
"path": "Ch07_XSS/src/main/java/de/dominikschadow/webappsecurity/beans/SearchController.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.beans;\n\nimport de.dominikschadow.webappsecurity.daos.CustomerDAO;\nimport de.dominikschadow.webappsecurity.domain.Customer;\nimport org.apache.commons.lang3.StringUtils;\n\nimport javax.faces.bean.ManagedBean;\nimport javax.faces.bean.RequestScoped;\nimport javax.faces.context.FacesContext;\nimport java.util.List;\nimport java.util.Map;\n\n/**\n * Searches customers by the given customer name. The search string can be passed via\n * customerName setter method or as a customerName parameter.\n *\n * @author Dominik Schadow\n */\n@ManagedBean(name = \"search\")\n@RequestScoped\npublic class SearchController {\n private String customerName;\n private CustomerDAO customerDAO;\n private List customers;\n\n public SearchController() {\n customerDAO = new CustomerDAO();\n }\n\n public String getCustomerName() {\n return customerName;\n }\n\n public void setCustomerName(String customerName) {\n this.customerName = customerName;\n }\n\n public List getCustomers() {\n return customers;\n }\n\n public String search() {\n if (StringUtils.isEmpty(customerName)) {\n Map requestMap = FacesContext.getCurrentInstance().getExternalContext().getRequestParameterMap();\n customerName = requestMap.get(\"customerName\");\n }\n\n Customer search = new Customer();\n search.setName(customerName);\n\n customers = customerDAO.findCustomers(search);\n\n return \"searchCustomer\";\n }\n}\n"
},
{
"path": "Ch07_XSS/src/main/java/de/dominikschadow/webappsecurity/daos/CustomerDAO.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.daos;\n\nimport de.dominikschadow.webappsecurity.domain.Customer;\nimport org.hibernate.Criteria;\nimport org.hibernate.HibernateException;\nimport org.hibernate.Session;\nimport org.hibernate.Transaction;\nimport org.hibernate.criterion.Restrictions;\nimport org.hibernate.query.Query;\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\nimport java.util.ArrayList;\nimport java.util.List;\n\nimport static de.dominikschadow.webappsecurity.daos.HibernateUtil.getSessionFactory;\n\n/**\n * Loads customers from the in-memory-database for the managed beans.\n *\n * @author Dominik Schadow\n * @see de.dominikschadow.webappsecurity.beans.CustomerController\n */\npublic class CustomerDAO {\n private static final Logger LOGGER = LoggerFactory.getLogger(CustomerDAO.class);\n\n public List getAllCustomers() {\n List customers = new ArrayList<>();\n\n try (Session session = getSessionFactory().openSession()) {\n Query query = session.createQuery(\"FROM Customer\");\n customers = query.list();\n\n LOGGER.info(\"Found {} customers\", customers.size());\n } catch (HibernateException ex) {\n LOGGER.error(ex.getMessage(), ex);\n }\n\n return customers;\n }\n\n public void createCustomer(Customer customer) {\n try (Session session = getSessionFactory().openSession()) {\n Transaction tx = session.beginTransaction();\n session.persist(customer);\n tx.commit();\n } catch (HibernateException ex) {\n LOGGER.error(ex.getMessage(), ex);\n }\n }\n\n public List findCustomers(Customer customer) {\n List customers = new ArrayList<>();\n\n try (Session session = getSessionFactory().openSession()) {\n Criteria criteria = session.createCriteria(Customer.class);\n criteria.add(Restrictions.like(\"name\", \"%\" + customer.getName() + \"%\"));\n\n customers = criteria.list();\n\n LOGGER.info(\"Found {} customers\", customers.size());\n } catch (HibernateException ex) {\n LOGGER.error(ex.getMessage(), ex);\n }\n\n return customers;\n }\n}\n"
},
{
"path": "Ch07_XSS/src/main/java/de/dominikschadow/webappsecurity/daos/HibernateUtil.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.daos;\n\nimport org.hibernate.SessionFactory;\nimport org.hibernate.cfg.Configuration;\n\n/**\n * @author Dominik Schadow\n */\npublic class HibernateUtil {\n private static SessionFactory sessionFactory;\n\n /**\n * Util class, no constructor required.\n */\n private HibernateUtil() {\n }\n\n public static SessionFactory getSessionFactory() {\n if (sessionFactory == null) {\n sessionFactory = new Configuration().configure().buildSessionFactory();\n }\n\n return sessionFactory;\n }\n}\n"
},
{
"path": "Ch07_XSS/src/main/java/de/dominikschadow/webappsecurity/domain/Customer.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.domain;\n\nimport javax.persistence.*;\n\n/**\n * @author Dominik Schadow\n */\n@Entity\npublic class Customer {\n @Id\n @GeneratedValue(strategy = GenerationType.AUTO)\n @Column(name = \"cust_id\")\n private int custId;\n private String name;\n private String status;\n @Column(name = \"order_limit\")\n private int orderLimit;\n private String hint;\n\n public int getCustId() {\n return custId;\n }\n\n public void setCustId(int custId) {\n this.custId = custId;\n }\n\n public String getName() {\n return name;\n }\n\n public void setName(String name) {\n this.name = name;\n }\n\n public String getStatus() {\n return status;\n }\n\n public void setStatus(String status) {\n this.status = status;\n }\n\n public int getOrderLimit() {\n return orderLimit;\n }\n\n public void setOrderLimit(int orderLimit) {\n this.orderLimit = orderLimit;\n }\n\n public String getHint() {\n return hint;\n }\n\n public void setHint(String hint) {\n this.hint = hint;\n }\n\n @Override\n public String toString() {\n return \"ID \" + custId +\n \", Name \" + name +\n \", Status \" + status +\n \", Order Limit \" + orderLimit +\n \", Hint \" + hint;\n }\n}\n"
},
{
"path": "Ch07_XSS/src/main/resources/context.xml",
"content": "\n\n \n"
},
{
"path": "Ch07_XSS/src/main/resources/hibernate.cfg.xml",
"content": "\n\n\n \n org.hibernate.dialect.H2Dialect\n java:comp/env/xssDS\n create-drop\n false\n \n \n \n"
},
{
"path": "Ch07_XSS/src/main/resources/import.sql",
"content": "INSERT INTO CUSTOMER (CUST_ID, NAME, STATUS, ORDER_LIMIT, HINT) VALUES (1001, 'Arthur Dent', 'A', 10000, '');\nINSERT INTO CUSTOMER (CUST_ID, NAME, STATUS, ORDER_LIMIT, HINT) VALUES (1002, 'Ford Prefect', 'B', 5000, '');\nINSERT INTO CUSTOMER (CUST_ID, NAME, STATUS, ORDER_LIMIT, HINT) VALUES (1003, 'Tricia Trillian McMillan', 'C', 1000, '');\nINSERT INTO CUSTOMER (CUST_ID, NAME, STATUS, ORDER_LIMIT, HINT) VALUES (1004, 'Zaphod Beeblebrox', 'D', 500, 'President of the Galaxy');\nINSERT INTO CUSTOMER (CUST_ID, NAME, STATUS, ORDER_LIMIT, HINT) VALUES (1005, 'Marvin', 'A', 100000, 'Depressive');\nINSERT INTO CUSTOMER (CUST_ID, NAME, STATUS, ORDER_LIMIT, HINT) VALUES (1006, 'Slartibartfast', 'D', 100, '42');\nINSERT INTO CUSTOMER (CUST_ID, NAME, STATUS, ORDER_LIMIT, HINT) VALUES (1007, 'Stored XSS', 'X', 9999, '');\n"
},
{
"path": "Ch07_XSS/src/main/resources/logback.xml",
"content": "\n \n \n %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n\n \n \n\n \n \n \n"
},
{
"path": "Ch07_XSS/src/main/webapp/WEB-INF/faces-config.xml",
"content": "\r\n\r\n"
},
{
"path": "Ch07_XSS/src/main/webapp/WEB-INF/web.xml",
"content": "\n\n Ch07_XSS\n\n \n javax.faces.PROJECT_STAGE\n Development\n \n\n \n index.xhtml\n \n\n \n Faces Servlet\n javax.faces.webapp.FacesServlet\n 1\n \n\n \n Faces Servlet\n *.xhtml\n \n\t\n\t\n\t \n\t\t\n\t\t\tfalse\n\t\t\n\t\tCOOKIE\n\t\n"
},
{
"path": "Ch07_XSS/src/main/webapp/createCustomer.xhtml",
"content": "\n\n\n\n \n Chapter 07 - XSS\n\n\n
This demo application shows Cross-Site Scripting (XSS) with JavaServer Faces (JSF). The first block of links\n enables normal usage of the demo application (like a normal user). The second block contains attack possibilities\n with XSS.
These are all customers currently available in the database:
\n\n \n \n \n ID\n \n \n \n Name\n \n \n \n Status\n \n \n \n Order Limit\n \n \n \n \n Hint\n \n \n \n \n\n"
},
{
"path": "Ch07_XSSFilter/pom.xml",
"content": "\n\t4.0.0\n\t\n\t\tde.dominikschadow.javawebsecurity\n\t\tjavawebsecurity\n\t\t1.0.0\n\t\n\tCh07_XSSFilter\n\twar\n\tChapter 07 - XSS Filter\n\thttps://github.com/dschadow/Java-Web-Security\n\tChapter 7 XSS Filter sample project. Requires a server like Apache Tomcat. Open the web application in your browser at http://localhost:8080/Ch07_XSSFilter\n\n\t\n\t\t\n\t\t\torg.owasp.esapi\n\t\t\tesapi\n\t\t\n\t\t\n\t\t\tjavax.servlet\n\t\t\tjavax.servlet-api\n\t\t\n\t\t\n\t\t\tjavax.servlet.jsp\n\t\t\tjavax.servlet.jsp-api\n\t\t\n\t\t\n\t\t\tjavax.servlet\n\t\t\tjstl\n\t\t\n\t\n\n\t\n\t\tCh07_XSSFilter\n\t\t\n\t\t\t\n org.apache.maven.plugins\n\t\t\t\tmaven-compiler-plugin\n\t\t\t\n\t\t\t\n\t\t\t\torg.apache.tomcat.maven\n\t\t\t\ttomcat7-maven-plugin\n\t\t\t\n\t\t\n\t\n"
},
{
"path": "Ch07_XSSFilter/src/main/java/de/dominikschadow/webappsecurity/filter/BlacklistFilter.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.filter;\n\nimport javax.servlet.*;\nimport javax.servlet.http.HttpServletRequest;\nimport java.io.IOException;\n\n/**\n * Request filter calling the BlacklistRequestWrapper for filtering.\n *\n * @see de.dominikschadow.webappsecurity.filter.BlacklistRequestWrapper\n *\n * @author Dominik Schadow\n */\npublic class BlacklistFilter implements Filter {\n @Override\n public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)\n throws IOException, ServletException {\n filterChain.doFilter(new BlacklistRequestWrapper((HttpServletRequest) servletRequest), servletResponse);\n }\n\n @Override\n public void init(FilterConfig filterConfig) {\n }\n\n @Override\n public void destroy() {\n }\n}\n"
},
{
"path": "Ch07_XSSFilter/src/main/java/de/dominikschadow/webappsecurity/filter/BlacklistRequestWrapper.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n * http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.filter;\n\nimport org.owasp.esapi.ESAPI;\n\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletRequestWrapper;\nimport java.util.regex.Pattern;\n\n/**\n * Filter HTML tags which can be used for a XSS attack with a blacklist. \n *
\n * Originally based on Ricardo Zuasti.\n *\n * @author Dominik Schadow\n */\npublic class BlacklistRequestWrapper extends HttpServletRequestWrapper {\n public BlacklistRequestWrapper(HttpServletRequest servletRequest) {\n super(servletRequest);\n }\n\n @Override\n public String[] getParameterValues(String parameter) {\n String[] values = super.getParameterValues(parameter);\n\n if (values == null) {\n return null;\n }\n\n int count = values.length;\n String[] encodedValues = new String[count];\n for (int i = 0; i < count; i++) {\n encodedValues[i] = stripXSS(values[i]);\n }\n\n return encodedValues;\n }\n\n @Override\n public String getParameter(String parameter) {\n String value = super.getParameter(parameter);\n\n return stripXSS(value);\n }\n\n @Override\n public String getHeader(String name) {\n String value = super.getHeader(name);\n\n return stripXSS(value);\n }\n\n private static String stripXSS(String value) {\n if (value != null) {\n value = ESAPI.encoder().canonicalize(value);\n\n // Avoid null characters\n value = value.replaceAll(\"\", \"\");\n\n // Avoid anything between script tags\n Pattern scriptPattern = Pattern.compile(\"\", Pattern.CASE_INSENSITIVE);\n value = scriptPattern.matcher(value).replaceAll(\"\");\n\n // Avoid anything in a src='...' type of expression\n scriptPattern = Pattern.compile(\"src[\\r\\n]*=[\\r\\n]*\\\\'(.*?)\\\\'\", Pattern.CASE_INSENSITIVE\n | Pattern.MULTILINE | Pattern.DOTALL);\n value = scriptPattern.matcher(value).replaceAll(\"\");\n\n scriptPattern = Pattern.compile(\"src[\\r\\n]*=[\\r\\n]*\\\\\\\"(.*?)\\\\\\\"\", Pattern.CASE_INSENSITIVE\n | Pattern.MULTILINE | Pattern.DOTALL);\n value = scriptPattern.matcher(value).replaceAll(\"\");\n\n // Remove any lonesome tag\n scriptPattern = Pattern.compile(\"\", Pattern.CASE_INSENSITIVE);\n value = scriptPattern.matcher(value).replaceAll(\"\");\n\n // Remove any lonesome \";\n private Map maximumMap = null;\n private Status[] maximumArray = null;\n\n public Map getMaximumMap() {\n return maximumMap;\n }\n\n public Status[] getMaximumArray() {\n return maximumArray;\n }\n\n public String getInput() {\n return input;\n }\n\n public void setInput(String input) {\n this.input = input;\n\n maximumMap = new LinkedHashMap<>();\n maximumMap.put(input, input);\n\n maximumArray = new Status[1];\n maximumArray[0] = new Status(input);\n }\n}"
},
{
"path": "Ch07_XSSJSF/src/main/java/de/dominikschadow/webappsecurity/StandardController.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity;\n\nimport javax.faces.bean.ManagedBean;\nimport javax.faces.bean.SessionScoped;\nimport java.io.Serial;\nimport java.io.Serializable;\nimport java.util.LinkedHashMap;\nimport java.util.Map;\n\n/**\n * Bean representing user input into the standard protected output page\n * (no additional security related attributes).\n *\n * @author Dominik Schadow\n */\n@ManagedBean(name = \"standard\")\n@SessionScoped\npublic class StandardController implements Serializable {\n @Serial\n private static final long serialVersionUID = 4083596061570021965L;\n\n private String input = \"\";\n\n private Map standardMap = null;\n private Status[] standardArray = null;\n\n public Map getStandardMap() {\n return standardMap;\n }\n\n public Status[] getStandardArray() {\n return standardArray;\n }\n\n public String getInput() {\n return input;\n }\n\n public void setInput(String input) {\n this.input = input;\n\n standardMap = new LinkedHashMap<>();\n standardMap.put(input, input);\n\n standardArray = new Status[1];\n standardArray[0] = new Status(input);\n }\n}"
},
{
"path": "Ch07_XSSJSF/src/main/java/de/dominikschadow/webappsecurity/Status.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity;\n\nimport java.io.Serial;\nimport java.io.Serializable;\n\n/**\n * Represents one Status array entry.\n *\n * @author Dominik Schadow\n */\npublic class Status implements Serializable {\n @Serial\n private static final long serialVersionUID = -5176873476153674154L;\n private String label;\n private String value;\n\n public Status(String text) {\n this.label = text;\n this.value = text;\n }\n\n public String getLabel() {\n return label;\n }\n\n public String getValue() {\n return value;\n }\n}\n"
},
{
"path": "Ch07_XSSJSF/src/main/webapp/WEB-INF/faces-config.xml",
"content": "\n\n"
},
{
"path": "Ch07_XSSJSF/src/main/webapp/WEB-INF/web.xml",
"content": "\n\n Ch07_XSSJSF\n\n \n javax.faces.PROJECT_STAGE\n Development\n \n\n \n Faces Servlet\n javax.faces.webapp.FacesServlet\n 1\n \n\n \n Faces Servlet\n *.xhtml\n \n\n \n index.xhtml\n \n"
},
{
"path": "Ch07_XSSJSF/src/main/webapp/index.xhtml",
"content": "\r\n\r\n\r\n\r\n \r\n Chapter 07 - XSS with JSF\r\n\r\n\r\n
Chapter 07 - XSS with JSF
\r\n\t
The first form posts to a page processing the input in elements with default attributes. The second form posts\r\n to a page which is configured as secure as possible using all available attributes to escape the output.
\r\n\r\n"
},
{
"path": "Ch08_CSRF/pom.xml",
"content": "\n\t4.0.0\n\t\n\t\tde.dominikschadow.javawebsecurity\n\t\tjavawebsecurity\n\t\t1.0.0\n\t\n\tCh08_CSRF\n\twar\n\tChapter 08 - CSRF\n\thttps://github.com/dschadow/Java-Web-Security\n\tChapter 8 CSRF sample project. Requires a server like Apache Tomcat. Open the web application in your browser at http://localhost:8080/Ch08_CSRF\n\n\t\n\t\t\n\t\t\tjavax.servlet\n\t\t\tjavax.servlet-api\n\t\t\n\t\t\n\t\t\torg.owasp.esapi\n\t\t\tesapi\n\t\t\n\t\t\n\t\t\tch.qos.logback\n\t\t\tlogback-classic\n\t\t\n\t\n\t\n\t\n\t\tCh08_CSRF\n\t\t\n\t\t\t\n org.apache.maven.plugins\n\t\t\t\tmaven-compiler-plugin\n\t\t\t\n\t\t\t\n\t\t\t\torg.apache.maven.plugins\n\t\t\t\tmaven-war-plugin\n\t\t\t\t\n\t\t\t\t\tfalse\n\t\t\t\t\n\t\t\t\n\t\t\t\n\t\t\t\torg.apache.tomcat.maven\n\t\t\t\ttomcat7-maven-plugin\n\t\t\t\n\t\t\n\t\n"
},
{
"path": "Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/ProtectedServlet.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.servlets;\n\nimport de.dominikschadow.webappsecurity.token.CSRFTokenHandler;\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\nimport javax.servlet.ServletException;\nimport javax.servlet.annotation.WebServlet;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\nimport java.io.IOException;\nimport java.io.PrintWriter;\nimport java.io.Serial;\nimport java.security.NoSuchAlgorithmException;\nimport java.security.NoSuchProviderException;\n\n/**\n * Basic protected servlet for GET and POST requests. Checks the CSRF-Token value to identify\n * CSRF attacks. Prints out all information to standard out and returns the received parameter\n * as response.\n *\n * @author Dominik Schadow\n */\n@WebServlet(name = \"ProtectedServlet\", urlPatterns = {\"/ProtectedServlet\"})\npublic class ProtectedServlet extends HttpServlet {\n @Serial\n private static final long serialVersionUID = 1L;\n private static final Logger LOGGER = LoggerFactory.getLogger(ProtectedServlet.class);\n\n @Override\n protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException {\n LOGGER.info(\"Processing protected GET request\");\n\n response.setContentType(\"text/html\");\n\n try {\n if (!CSRFTokenHandler.isValid(request)) {\n LOGGER.warn(\"CSRF token is invalid\");\n response.setStatus(401);\n\n try (PrintWriter out = response.getWriter()) {\n out.println(\"CSRF token is invalid\");\n } catch (IOException ex) {\n LOGGER.error(ex.getMessage(), ex);\n }\n\n return;\n }\n } catch (NoSuchAlgorithmException | NoSuchProviderException ex) {\n LOGGER.error(ex.getMessage(), ex);\n }\n\n LOGGER.info(\"CSRF token is valid\");\n\n String newPassword = request.getParameter(\"newPassword\");\n String confirmPassword = request.getParameter(\"confirmPassword\");\n\n LOGGER.info(\"Received {} and {} as GET parameter.\", newPassword, confirmPassword);\n\n try (PrintWriter out = response.getWriter()) {\n out.println(\"\");\n out.println(\"\");\n out.println(\"Chapter 08 - CSRF\");\n out.println(\"\");\n out.println(\"\");\n out.println(\"\");\n out.println(\"
Chapter 08 - CSRF
\");\n out.println(\"
Received \" + newPassword + \" and \" + confirmPassword + \" as GET parameter.
\");\n out.println(\"\");\n out.println(\"\");\n } catch (IOException ex) {\n LOGGER.error(ex.getMessage(), ex);\n }\n }\n}\n"
},
{
"path": "Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/UnprotectedServlet.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of the Java-Web-Security project.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.servlets;\n\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\nimport javax.servlet.annotation.WebServlet;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\nimport java.io.IOException;\nimport java.io.PrintWriter;\nimport java.io.Serial;\n\n/**\n * Basic unprotected servlet for GET and POST requests. Prints out all information to standard out\n * and returns the received parameter as response.\n *\n * @author Dominik Schadow\n */\n@WebServlet(name = \"UnprotectedServlet\", urlPatterns = {\"/UnprotectedServlet\"})\npublic class UnprotectedServlet extends HttpServlet {\n @Serial\n private static final long serialVersionUID = 1L;\n private static final Logger LOGGER = LoggerFactory.getLogger(UnprotectedServlet.class);\n\n @Override\n protected void doGet(HttpServletRequest request, HttpServletResponse response) {\n String newPassword = request.getParameter(\"newPassword\");\n String confirmPassword = request.getParameter(\"confirmPassword\");\n\n LOGGER.info(\"Processing unprotected GET request: Received {} and {} as parameter.\", newPassword, confirmPassword);\n\n response.setContentType(\"text/html\");\n\n try (PrintWriter out = response.getWriter()) {\n out.println(\"\");\n out.println(\"\");\n out.println(\"Chapter 08 - CSRF\");\n out.println(\"\");\n out.println(\"\");\n out.println(\"\");\n out.println(\"
Chapter 08 - CSRF
\");\n out.println(\"
Received \" + newPassword + \" and \" + confirmPassword + \" as GET parameter.
\");\n out.println(\"\");\n out.println(\"\");\n } catch (IOException ex) {\n LOGGER.error(ex.getMessage(), ex);\n }\n }\n}\n"
},
{
"path": "Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/token/CSRFTokenHandler.java",
"content": "/*\n * Copyright (C) 2015 Dominik Schadow, info@dominikschadow.de\n *\n * This file is part of Java-Web-Security\n.\n * \n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n * \n * http://www.apache.org/licenses/LICENSE-2.0\n * \n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\npackage de.dominikschadow.webappsecurity.token;\n\nimport org.apache.commons.lang.StringUtils;\n\nimport javax.servlet.ServletException;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpSession;\nimport java.security.NoSuchAlgorithmException;\nimport java.security.NoSuchProviderException;\nimport java.security.SecureRandom;\n\n/**\n * Calculates a new token and adds it to the session. Compares the session toke value with the\n * token value included in the request.\n *\n * @author Dominik Schadow\n */\npublic final class CSRFTokenHandler {\n public static final String CSRF_TOKEN = \"CSRF_TOKEN\";\n private static final String MISSING_SESSION = \"No session available\";\n\n /**\n * Private constructor to prevent initialization.\n */\n private CSRFTokenHandler() {\n }\n\n private static String getToken() throws NoSuchAlgorithmException, NoSuchProviderException {\n SecureRandom sr = SecureRandom.getInstance(\"SHA1PRNG\", \"SUN\");\n sr.nextBytes(new byte[20]);\n return String.valueOf(sr.nextLong());\n }\n\n public static String getToken(HttpSession session) throws ServletException, NoSuchAlgorithmException,\n NoSuchProviderException {\n if (session == null) {\n throw new ServletException(MISSING_SESSION);\n }\n\n String token = (String) session.getAttribute(CSRF_TOKEN);\n\n if (StringUtils.isEmpty(token)) {\n token = getToken();\n session.setAttribute(CSRF_TOKEN, token);\n }\n\n return token;\n }\n\n public static boolean isValid(HttpServletRequest request) throws ServletException, NoSuchAlgorithmException,\n NoSuchProviderException {\n if (request.getSession(false) == null) {\n throw new ServletException(MISSING_SESSION);\n }\n\n return StringUtils.equals(getToken(request.getSession(false)), request.getParameter(CSRF_TOKEN));\n }\n}"
},
{
"path": "Ch08_CSRF/src/main/resources/logback.xml",
"content": "\n \n \n %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n\n \n \n\n \n \n \n"
},
{
"path": "Ch08_CSRF/src/main/webapp/form-protected.html",
"content": "\n\n\n \n Chapter 08 - CSRF\n \n\n\n
\n\n"
},
{
"path": "LICENSE",
"content": "Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS\n\n APPENDIX: How to apply the Apache License to your work.\n\n To apply the Apache License to your work, attach the following\n boilerplate notice, with the fields enclosed by brackets \"{}\"\n replaced with your own identifying information. (Don't include\n the brackets!) The text should be enclosed in the appropriate\n comment syntax for the file format. We also recommend that a\n file or class name and description of purpose be included on the\n same \"printed page\" as the copyright notice for easier\n identification within third-party archives.\n\n Copyright {yyyy} {name of copyright owner}\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n\n"
},
{
"path": "README.md",
"content": "Java-Web-Security\n==============\n\nThis repository contains the complete code samples from my book **Java-Web-Security - Sichere Webanwendungen mit Java entwickeln** (dpunkt.verlag, ISBN 978-3-86490-146-1), available as [Print](http://www.dpunkt.de/buecher/4198/java-web-security.html), as [PDF/EPub](http://www.dpunkt.de/buecher/4825/java-web-security.html) and for [Kindle](http://www.amazon.de/gp/product/B00IUJM3J4/ref=as_li_qf_sp_asin_tl?ie=UTF8&camp=1638&creative=6742&creativeASIN=B00IUJM3J4&linkCode=as2&tag=dominikswelt).\n\nAll Java projects are created as **Maven** projects and require [Java 17](https://adoptium.net/temurin/) and [Apache Maven 3](http://maven.apache.org) or newer. In **Eclipse** you therefore need to install the Maven integration via the Eclipse update manager. After that, you can either use the **git m2e connector (m2e-egit)** to import the new projects directly from the repository. Alternatively, you can clone the repository and use **Import Maven Projects** instead (no connector required here). **IntelliJ IDEA** supports this out of the box.\n\n**Mozilla Firefox** is the recommended and up until today working browser for all vulnerable web applications in this repository. Keep in mind that browsers or some add-ons may block or filter certain attacks already. Deactivate all blocking or intercepting add-ons or try a different browser if a sample application is not working.\n\nThe easiest way to start a web application is to use the **Maven-Tomcat7-Plug-in** in each project: **mvn tomcat7:run-war** (or simply **mvn** in the console, since this is the default goal). Open your browser and point it to **http://localhost:8080/PROJECT_NAME**, e.g. **http://localhost:8080/Ch04_OutputEscaping**. The project name is always the final part of the URL.\n\nSee the following subsections for a short description and the requirements to execute the sample code and launch the web application.\n\n## Ch04_OutputEscaping\nWeb application using JavaServer Pages (JSP) to show the difference between output escaping via Enterprise Security API (ESAPI) and no output escaping at all. Use an input like *<script>alert('XSS')</script>* to examine the difference.\n\n**Requirements:** Apache Tomcat, Webbrowser\n\n## Ch04_OutputEscapingJSF\nWeb application using JavaServer Faces (JSF) to demonstrate the two different possibilities to show user input in a web page with *#{contact.firstname}* and *<h:outputText value=\"#{contact.firstname}\" />*. Use an input like *<script>alert('XSS')</script>* to examine the difference.\n\n**Requirements:** Apache Tomcat, Webbrowser\n\n## Ch04_OutputEscapingJSP\nSpring based web application using JavaServer Pages (JSP) to demonstrate the two different possibilities to show user input in a web page with *${contact.firstname}* and *<c:out value=\"${contact.firstname}\" />*. Use an input like *<script>alert('XSS')</script>* to examine the difference.\n\n**Requirements:** Apache Tomcat, Webbrowser\n\n## Ch05_AccessReferenceMaps\nWeb application using JavaServer Faces (JSF) to show the difference between using unprotected and protected Maps (with *IntegerAccessReferenceMaps* and *RandomAccessReferenceMaps*) with user data.\n\n**Requirements:** Apache Tomcat, Webbrowser\n\n## Ch05_HSTS\nWeb application using a Servlet filter to add the *Strict-Transport-Security* header to each response.\n\n**Requirements:** Apache Tomcat, Webbrowser\n\n## Ch05_SessionFixation\nWeb application invalidating an existing session and its session id before continuing the login process. This web application requires the included special *context.xml* configuration for Tomcat in order to display the current session id via JavaScript.\n\n**Requirements:** Apache Tomcat, Webbrowser\n\n## Ch05_SessionHandling\nWeb application containing a complete *web.xml* configuration showing how to protect cookies and other session data. Contains only a start page which fails trying to show the session cookie in a JavaScript popup.\n\n**Requirements:** Apache Tomcat, Webbrowser\n\n## Ch06_SQLInjection\nWeb application using user input to query a in-memory-database. The entered data is used as part of a normal *Statement*, an *escaped Statement*, a *Prepared Statement* and as input for a *Hibernate Query Language*.\n\n**Requirements:** Apache Tomcat, Webbrowser\n\n## Ch06_XPathInjection\nWeb application using user input to query a simple XML document. The entered data (name and password) is used as part of a normal *XPath expression* without any escaping and escaped as part of another *XPath expression*. The unescaped version is prune to XPath Injection, which makes it possible to retrieve more data of the XML document as the intended order limit.\n\n**Requirements:** Apache Tomcat, Webbrowser\n\n## Ch07_CSP\nWeb application with three input processing servlets. One is unprotected and processes any input without input validation or output escaping and is prone to Cross-Site Scripting. The second servlet adds a minimal *Content-Security-Policy* header to the response and allows to use any source from the same page (URL). This already protects the response page from Cross-Site Scripting in supported browsers. The third form adds a *Content-Security-Policy-Report-Only* header and shows how easy the reported data can be processed.\n\n**Requirements:** Apache Tomcat, Webbrowser\n\n## Ch07_XSS\nWeb application to test the three XSS types *stored*, *reflected* and *DOM based*. The input textfield is vulnerable to XSS and can be easily protected by enabling output escaping. Cookie could be protected by removing the special *context.xml* and by setting the corresponding *web.xml* parameter.\n\nThis web application requires the included special *context.xml* configuration for Tomcat in order to display the current session id via JavaScript.\n\n**Requirements:** Apache Tomcat, Webbrowser\n\n## Ch07_XSSFilter\nWeb application showing the differences between a blacklist and an ESAPI based request filtering. Use an input like *<script>alert('XSS')</script>* to see the different output on the output pages.\n\n**Requirements:** Apache Tomcat, Webbrowser\n\n## Ch07_XSSJSF\nJavaServer Faces (JSF) based web application accepting user input in two forms. The first form results into an output page showing the user input in drop down boxes and output text fields with all default attributes active. The second form results into an output page using the same output fields with any additional security related attribute set to the maximum. Use an input like *<script>alert('XSS')</script>* to challenge the JSF XSS protection.\n\n**Requirements:** Apache Tomcat, Webbrowser\n\n## Ch08_CSRF\nWeb application showing Cross-Site Request Forgery (CSRF) with GET and POST requests and how to protect forms with an anti CSRF token. All requests on the **Unprotected Requests** page are successful and reach the backend as a normal request. The **Protected Requests** page contains successful (with token) and unsuccessful (without token) requests; only the valid requests are processed in the backend.\n\n**Requirements:** Apache Tomcat, Webbrowser\n\n## Meta\n [](https://opensource.org/licenses/Apache-2.0)\n"
},
{
"path": "pom.xml",
"content": "\n\n 4.0.0\n javawebsecurity\n de.dominikschadow.javawebsecurity\n 1.0.0\n pom\n Java-Web-Security\n https://github.com/dschadow/Java-Web-Security\n This repository contains the complete code samples from my book 'Java-Web-Security - Sichere\n Webanwendungen mit Java entwickeln' (dpunkt.verlag, ISBN 978-3-86490-146-1).\n \n\n \n Dominik Schadow\n https://blog.dominikschadow.de\n \n\n \n GitHub\n https://github.com/dschadow/Java-Web-Security/issues\n \n\n \n scm:git:git@github.com:dschadow/Java-Web-Security.git\n scm:git:git@github.com:dschadow/Java-Web-Security.git\n https://github.com/dschadow/Java-Web-Security\n \n\n \n \n Apache License 2.0\n https://www.apache.org/licenses/LICENSE-2.0\n \n \n\n \n UTF-8\n 5.3.29\n 1.7.33\n 2.2.20\n 5.6.15.Final\n 6.0.3\n 3.0\n 17\n \n\n \n \n \n javax.servlet\n javax.servlet-api\n 4.0.1\n provided\n \n \n javax.servlet.jsp\n javax.servlet.jsp-api\n 2.3.3\n provided\n \n \n javax.servlet\n jstl\n 1.2\n compile\n \n \n org.owasp.esapi\n esapi\n 2.7.0.0\n \n \n javax.servlet\n servlet-api\n \n \n antisamy\n org.owasp.antisamy\n \n \n \n \n org.springframework\n spring-test\n ${spring.version}\n test\n \n \n org.springframework\n spring-webmvc\n ${spring.version}\n \n \n com.h2database\n h2\n 2.4.240\n runtime\n \n \n org.hibernate\n hibernate-core\n ${hibernate.version}\n \n \n com.sun.faces\n jsf-api\n ${jsf.version}\n \n \n com.sun.faces\n jsf-impl\n ${jsf.version}\n \n \n ch.qos.logback\n logback-classic\n 1.5.32\n \n \n org.apache.commons\n commons-lang3\n 3.20.0\n \n \n org.junit.jupiter\n junit-jupiter-engine\n ${junit.jupiter.version}\n test\n \n \n org.hamcrest\n hamcrest-library\n ${hamcrest.version}\n test\n \n \n \n\n \n \n \n com.github.spotbugs\n spotbugs-maven-plugin\n 4.9.8.3\n \n Max\n Low\n \n \n com.h3xstream.findsecbugs\n findsecbugs-plugin\n 1.14.0\n \n \n \n \n \n\n \n \n \n org.apache.maven.plugins\n maven-compiler-plugin\n 3.15.0\n \n ${java.version}\n ${java.version}\n \n \n \n org.apache.tomcat.maven\n tomcat7-maven-plugin\n 2.2\n \n \n org.apache.maven.plugins\n maven-war-plugin\n 3.5.1\n \n \n org.apache.maven.plugins\n maven-site-plugin\n 3.21.0\n \n \n org.apache.maven.plugins\n maven-project-info-reports-plugin\n 3.9.0\n \n \n \n \n\n \n \n \n org.owasp\n dependency-check-maven\n 12.2.1\n \n true\n true\n \n \n \n \n aggregate\n \n \n \n \n \n \n\n \n Ch04_OutputEscaping\n Ch04_OutputEscapingJSF\n Ch04_OutputEscapingJSP\n Ch05_AccessReferenceMaps\n Ch05_HSTS\n Ch05_SessionFixation\n Ch05_SessionHandling\n Ch06_SQLInjection\n Ch06_XPathInjection\n Ch07_CSP\n Ch07_XSS\n Ch07_XSSFilter\n Ch07_XSSJSF\n Ch08_CSRF\n \n"
}
]