Comments for John Melton's Weblog http://www.jtmelton.com Java, Security and Technology Wed, 14 Jul 2010 12:23:13 +0000 http://wordpress.org/?v=2.9.1 hourly 1 Comment on The OWASP Top Ten and ESAPI – Part 2 – Cross Site Scripting (XSS) by Mostafa Siraj http://www.jtmelton.com/2009/01/12/the-owasp-top-ten-and-esapi-part-2-cross-site-scripting-xss/comment-page-1/#comment-8125 Mostafa Siraj Wed, 14 Jul 2010 12:23:13 +0000 http://www.jtmelton.com/2009/11/12/the-owasp-top-ten-and-esapi-part-2-cross-site-scripting-xss/#comment-8125 John, the article is great, I would suggestion renaming the titles of posts to start from zero, like that the posts part numbers will match those on owasp top 10 vulnerabilities. John, the article is great, I would suggestion renaming the titles of posts to start from zero, like that the posts part numbers will match those on owasp top 10 vulnerabilities.

]]> Comment on The OWASP Top Ten and ESAPI – Part 8 – Broken Authentication and Session Management by Owen http://www.jtmelton.com/2010/06/16/the-owasp-top-ten-and-esapi-part-8-broken-authentication-and-session-management/comment-page-1/#comment-5907 Owen Sat, 26 Jun 2010 00:25:42 +0000 http://www.jtmelton.com/?p=123#comment-5907 Cool, thank you, working on it now. Will likely take me longer than a day though! Cool, thank you, working on it now. Will likely take me longer than a day though!

]]> Comment on The OWASP Top Ten and ESAPI – Part 8 – Broken Authentication and Session Management by john http://www.jtmelton.com/2010/06/16/the-owasp-top-ten-and-esapi-part-8-broken-authentication-and-session-management/comment-page-1/#comment-5834 john Fri, 25 Jun 2010 04:32:02 +0000 http://www.jtmelton.com/?p=123#comment-5834 @Owen, There is currently no database-backed implementation of the authenticator in ESAPI, and that may or may not change. I suspect (though I can't speak for the dev team) that the reason for not including one is that a database driven implementation is going to levy a specific schema requirement on an application. This might be fine for some applications that are likely a)very small and b)using ESAPI from day one, but it's unlikely that's an acceptable requirement outside of those 2 situations. However, having said that, much of the code in the FileBasedAuthenticator does not need to be changed in order to use a database. Simply look for the places where data goes in or out of the datastore, and make your modifications. Much of the code can likely be reused. If it helps, it took me a day or two to do that work, and I believe I remember Jim Manico (ESAPI dev lead) saying a similar conversion to Hibernate took him about 2 days as well. Good luck! @Owen,
There is currently no database-backed implementation of the authenticator in ESAPI, and that may or may not change. I suspect (though I can’t speak for the dev team) that the reason for not including one is that a database driven implementation is going to levy a specific schema requirement on an application. This might be fine for some applications that are likely a)very small and b)using ESAPI from day one, but it’s unlikely that’s an acceptable requirement outside of those 2 situations.
However, having said that, much of the code in the FileBasedAuthenticator does not need to be changed in order to use a database. Simply look for the places where data goes in or out of the datastore, and make your modifications. Much of the code can likely be reused. If it helps, it took me a day or two to do that work, and I believe I remember Jim Manico (ESAPI dev lead) saying a similar conversion to Hibernate took him about 2 days as well. Good luck!

]]> Comment on The OWASP Top Ten and ESAPI – Part 8 – Broken Authentication and Session Management by Owen http://www.jtmelton.com/2010/06/16/the-owasp-top-ten-and-esapi-part-8-broken-authentication-and-session-management/comment-page-1/#comment-5833 Owen Fri, 25 Jun 2010 04:23:24 +0000 http://www.jtmelton.com/?p=123#comment-5833 Mr. Melton, I have been attempting to adapt a website I am working on to use the principles (and of course the library) of ESAPI, but there is no User to Database interaction that I can find. Are there any examples you are aware of for a DatabaseBasedAuthenticator, rather than the FileBasedAuthenticator that they use as the default authenticator? Thank you for any help. Mr. Melton,
I have been attempting to adapt a website I am working on to use the principles (and of course the library) of ESAPI, but there is no User to Database interaction that I can find. Are there any examples you are aware of for a DatabaseBasedAuthenticator, rather than the FileBasedAuthenticator that they use as the default authenticator? Thank you for any help.

]]> Comment on The OWASP Top Ten and ESAPI – Part 8 – Broken Authentication and Session Management by Tweets that mention The OWASP Top Ten and ESAPI – Part 8 – Broken Authentication and Session Management : John Melton's Weblog -- Topsy.com http://www.jtmelton.com/2010/06/16/the-owasp-top-ten-and-esapi-part-8-broken-authentication-and-session-management/comment-page-1/#comment-5097 Tweets that mention The OWASP Top Ten and ESAPI – Part 8 – Broken Authentication and Session Management : John Melton's Weblog -- Topsy.com Thu, 17 Jun 2010 09:18:17 +0000 http://www.jtmelton.com/?p=123#comment-5097 [...] This post was mentioned on Twitter by Roberto Martinez, Open Foundstone. Open Foundstone said: The OWASP Top Ten and ESAPI – Part 8 – Broken Authentication and Session Management: This article will describe ho... http://bit.ly/dj41JD [...] [...] This post was mentioned on Twitter by Roberto Martinez, Open Foundstone. Open Foundstone said: The OWASP Top Ten and ESAPI – Part 8 – Broken Authentication and Session Management: This article will describe ho… http://bit.ly/dj41JD [...]

]]> Comment on The OWASP Top Ten and ESAPI – Part 6 – Cross Site Request Forgery (CSRF) by Owen http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross-site-request-forgery-csrf/comment-page-1/#comment-4427 Owen Fri, 11 Jun 2010 05:49:35 +0000 http://www.jtmelton.com/?p=87#comment-4427 I love this series! I tried to implement the randomizer for a Session Credential on one of my projects, rather than my own hacked version, and it stated that DefaultEncoder.CHAR_ALPHANUMERICS is deprecated and to use EncoderConstants instead. Thank you again and keep up the good work. I love this series! I tried to implement the randomizer for a Session Credential on one of my projects, rather than my own hacked version, and it stated that DefaultEncoder.CHAR_ALPHANUMERICS is deprecated and to use EncoderConstants instead. Thank you again and keep up the good work.

]]> Comment on The OWASP Top Ten and ESAPI – Part 4 – Malicious File Execution by Tweets that mention The OWASP Top Ten and ESAPI – Part 4 – Malicious File Execution : John Melton's Weblog -- Topsy.com http://www.jtmelton.com/2010/05/02/the-owasp-top-ten-and-esapi-part-4-malicious-file-execution/comment-page-1/#comment-1548 Tweets that mention The OWASP Top Ten and ESAPI – Part 4 – Malicious File Execution : John Melton's Weblog -- Topsy.com Mon, 03 May 2010 14:48:32 +0000 http://www.jtmelton.com/?p=81#comment-1548 [...] This post was mentioned on Twitter by d3v1l, Open Foundstone. Open Foundstone said: The OWASP Top Ten and ESAPI – Part 4 – Malicious File Execution: This article will describe how to protect your J2... http://bit.ly/aFJ8E6 [...] [...] This post was mentioned on Twitter by d3v1l, Open Foundstone. Open Foundstone said: The OWASP Top Ten and ESAPI – Part 4 – Malicious File Execution: This article will describe how to protect your J2… http://bit.ly/aFJ8E6 [...]

]]> Comment on The OWASP Top Ten and ESAPI – Part 3 – Injection Flaws by jose http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/comment-page-1/#comment-1102 jose Tue, 13 Apr 2010 15:01:56 +0000 http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/#comment-1102 Excellents articles! I hope that you'll still continue writting about that, because is a issue than there're not so much information about how can we used it. Good for you! and thank u Excellents articles!

I hope that you’ll still continue writting about that, because is a issue than there’re not so much information about how can we used it.

Good for you! and thank u

]]> Comment on The OWASP Top Ten and ESAPI by Nodo54 » Blog Archive » The OWASP Top Ten and ESAPI – Part 3 – Injection Flaws http://www.jtmelton.com/2009/01/03/the-owasp-top-ten-and-esapi/comment-page-1/#comment-33 Nodo54 » Blog Archive » The OWASP Top Ten and ESAPI – Part 3 – Injection Flaws Mon, 04 Jan 2010 09:04:37 +0000 http://www.jtmelton.com/2009/11/03/the-owasp-top-ten-and-esapi/#comment-33 [...] This article will describe how to protect your J2EE application from injection (SQL and others) attacks using ESAPI. As with all of the detail articles in this series, if you need a refresher on OWASP or ESAPI, please see the intro article The OWASP Top Ten and ESAPI. [...] [...] This article will describe how to protect your J2EE application from injection (SQL and others) attacks using ESAPI. As with all of the detail articles in this series, if you need a refresher on OWASP or ESAPI, please see the intro article The OWASP Top Ten and ESAPI. [...]

]]> Comment on The OWASP Top Ten and ESAPI – Part 3 – Injection Flaws by KRvW http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/comment-page-1/#comment-14 KRvW Wed, 02 Dec 2009 13:13:01 +0000 http://www.jtmelton.com/2009/12/01/the-owasp-top-ten-and-esapi-part-3-injection-flaws/#comment-14 Excellent series of articles--thanks for taking the time to write and post them. Cheers, Ken van Wyk Excellent series of articles–thanks for taking the time to write and post them.

Cheers,

Ken van Wyk

]]>