Comments for John Melton's Weblog

Comment on Year Of Security for Java – Week 3 – Session Cookie Secure Flag by Year Of Security for Java – Week 4 – Session Cookie HttpOnly Flag : John Melton's Weblog

Wed, 25 Jan 2012 05:18:23 +0000

[...] if you were following along from last week, with both the secure and HttpOnly [...]

Comment on Year Of Security for Java – Week 1 – Session Fixation Prevention by Dominik Schadow

Dominik Schadow — Thu, 12 Jan 2012 21:24:06 +0000

Java security updates – January 2012…

The Oracle Secure Coding Guidelines for the Java Programming Language are available in version 4.0 (probably already for a couple of days, couldn’t find any announcement). This version includes some hints for the latest Java 7 SDK. And John Melton anno…

Comment on The OWASP Top Ten and ESAPI – Part 6 – Information Leakage and Improper Error Handling by Year Of Security for Java – Week 2 – Error Handling in web.xml : John Melton's Weblog

Wed, 11 Jan 2012 04:20:29 +0000

[...] in more detail as it’s part of the OWASP Top 10, so you can find more detail here – http://www.jtmelton.com/2010/06/02/the-owasp-top-ten-and-esapi-part-7-information-leakage-and-improp…. In this article, I’ll just cover the important [...]

Comment on The OWASP Top Ten and ESAPI – Final Summary by Year Of Security for Java – Introduction : John Melton's Weblog

Year Of Security for Java – Introduction : John Melton's Weblog — Tue, 03 Jan 2012 03:50:12 +0000

[...] will have roughly 1 article per week for a year. This series will be different from my last series (OWASP Top Ten – Java) in that each article will be pretty short and focused. There are several motivations for this [...]

Comment on The OWASP Top Ten and ESAPI – Part 9 – Insecure Communications by john

john — Wed, 21 Sep 2011 15:13:34 +0000

@Charles,
I honestly don’t remember if there is a config option in the ESAPI.properties file (though that’s where you need to check) related to https. However, you can always override the check (probably search for assertSecure in the ESAPI code) in your own implementation.

Comment on The OWASP Top Ten and ESAPI – Part 9 – Insecure Communications by Charles

Charles — Wed, 21 Sep 2011 14:26:47 +0000

Okay… but what if you WANT to use HTTP? The Swingset demo and apache server are HTTP, and none of the pages in the demo work because of that. How do I disable the HTTPS requirement in ESAPI so I can run these samples?

Comment on The OWASP Top Ten and ESAPI – Part 1 – Cross Site Scripting (XSS) by john

john — Wed, 21 Sep 2011 01:02:53 +0000

@Charles,
Yes you can look at the esapi-dev and esapi-user mailing lists (and their archives). Thought it’s not a standard forum, it’s the mechanism you can use to get info. I’d start w/ the user list first.

Comment on The OWASP Top Ten and ESAPI – Part 1 – Cross Site Scripting (XSS) by Charles

Charles — Tue, 20 Sep 2011 20:10:40 +0000

Is there a forum for ESAPI? I need to disable strong password checks, and the complete lack of documentation is daunting.

Comment on A Simple Multi-Threaded Java HTTP Proxy Server by João Cortela

João Cortela — Thu, 25 Aug 2011 20:32:01 +0000

Thanks man!

Now it’s working… =)

It helped me a lot!

Comment on A Simple Multi-Threaded Java HTTP Proxy Server by john

john — Thu, 25 Aug 2011 20:21:59 +0000

@Joao,
Looks like you might not have the java command right. You might want to try “java -cp . proxy.ProxyServer”