I’m learning Haskell, so I thought I’d write about my adventures as I go along. One of the first things I noticed about Haskell (apart from the obvious, such as being functional) is that it is very good about type inference. This means that the vast majority of the time, I don’t need to tell […]
Monthly Archives: January 2010
Struts 2 insecure direct object reference – part 2 – ParameterNameAware
Posted January 23, 2010 – 8:39 pm
I discussed security issues in a previous post regarding malicious HTTP request parameters injecting data into a Struts 2 application. Jon pointed out an interface I had forgotten about, ParameterNameAware. How this works is quite simple. Your action class implements ParameterNameAware, and in the acceptableParameterName(String parameterName) method, you return true only if the client is […]
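The following is an added example, not code from the post or from Struts itself. It shows a Struts 2 action that exposes a model object (so request parameters such as user.admin=true would otherwise be applied to it by ParametersInterceptor through OGNL, the injection the previous post describes) and then closes that hole by implementing ParameterNameAware and accepting only the parameter names the form is expected to send. The action class, its User model and the parameter names are hypothetical; the import package assumes the XWork2-based Struts 2.1/2.3 line.

```java
// Added example (not from the post). Assumes Struts 2.1/2.3 with XWork2 on the
// classpath; UpdateProfileAction, User and the parameter names are hypothetical.
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

public class UpdateProfileAction extends ActionSupport implements ParameterNameAware {

    // Hypothetical model object. Because it is reachable from the action through
    // getUser()/setUser(), ParametersInterceptor evaluates request parameters such as
    // "user.admin=true" or "user.id=42" as OGNL setter chains on it. Without the
    // acceptableParameterName() check below (the "before" state), any client can set
    // every writable property of this object, not just the ones on the form.
    public static class User {
        private long id;
        private String displayName;
        private boolean admin;

        public long getId() { return id; }
        public void setId(long id) { this.id = id; }
        public String getDisplayName() { return displayName; }
        public void setDisplayName(String displayName) { this.displayName = displayName; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    // Exact parameter names the profile form legitimately sends. This is an exact
    // match, not a prefix test: "user.admin" and "user['admin']" are different
    // strings that reach the same setter, and neither is in this set.
    private static final Set<String> ACCEPTED = new HashSet<String>(Arrays.asList(
        "user.displayName"
    ));

    // In a real application this would be loaded from the session or database,
    // so id and admin reflect the authenticated user, never the request.
    private User user = new User();

    public User getUser() { return user; }
    public void setUser(User user) { this.user = user; }

    // Called by ParametersInterceptor once per request parameter, before the
    // parameter is applied to the value stack. Returning false means the
    // parameter is not applied at all.
    public boolean acceptableParameterName(String parameterName) {
        return ACCEPTED.contains(parameterName);
    }

    public String execute() {
        // With the whitelist in place, user.id and user.admin still hold whatever
        // the server-side code put there; only displayName came from the client.
        return SUCCESS;
    }
}
```

The check is deliberately a whitelist of full parameter names rather than a blacklist of dangerous ones, because OGNL offers several spellings for the same property path and a blacklist would have to anticipate all of them.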
Struts 2 insecure direct object reference
Posted January 4, 2010 – 3:49 pm
There is a type of vulnerability which seems peculiar to Struts 2/WebWork applications and therefore may not be widely known. (It may exist in other frameworks as well, but I haven’t personally used any that have it.) The vulnerability is not part of Struts 2 itself, but Struts 2 enables it in the same sense that a […]
HttpServletRequest cheat sheet
Posted January 1, 2010 – 2:44 pm
Many HttpServletRequest properties can be confusing, so I decided to create this cheat sheet. (Properties can have similar names, some properties contain delimiters and some don’t, etc.) Let’s say your domain is domain.com, and it points to a router which forwards the request to port 8080 on a server called bob with a local IP […]
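As an added example (not part of the cheat sheet), the helper below puts the delimiter conventions of the path-related HttpServletRequest properties into code: it rebuilds the request URI from getContextPath(), getServletPath() and getPathInfo(), reattaches the query string, and adds the check a practitioner wants before using the host-derived properties. It assumes the Servlet API (javax.servlet) is on the classpath; the class name and the expectedHost parameter are hypothetical.

```java
// Added example, not code from the cheat sheet. Assumes the javax.servlet API;
// RequestUrlParts and expectedHost are hypothetical names chosen for illustration.
import javax.servlet.http.HttpServletRequest;

public final class RequestUrlParts {

    private RequestUrlParts() {}

    // getRequestURI() is built from three parts, each with its own delimiter rule:
    //   getContextPath()  "" for the root context, otherwise "/app"  (leading "/", no trailing)
    //   getServletPath()  "" or "/users"                              (leading "/", no trailing)
    //   getPathInfo()     null or "/42"                               (leading "/")
    // Caveat: getRequestURI() is the raw (still percent-encoded) path, while the
    // three parts are returned decoded, so the rebuilt value only equals
    // getRequestURI() when the path contains no percent-encoded characters.
    public static String rebuildRequestUri(HttpServletRequest req) {
        String pathInfo = req.getPathInfo();
        return req.getContextPath()
             + req.getServletPath()
             + (pathInfo == null ? "" : pathInfo);
    }

    // getRequestURL() is "scheme://host[:port]" + getRequestURI() and never includes
    // the query string; getQueryString() is null or "a=1&b=2" with no leading "?".
    public static String rebuildFullUrl(HttpServletRequest req) {
        StringBuilder url = new StringBuilder(req.getRequestURL());
        String query = req.getQueryString();
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    // getServerName(), getServerPort() and therefore getRequestURL() are taken from
    // the client-supplied Host header when one is present, not from the socket the
    // request arrived on (that is getLocalName()/getLocalPort()). Validate the host
    // against configuration before using these to build absolute URLs such as
    // redirects or links in e-mails.
    public static boolean hostMatches(HttpServletRequest req, String expectedHost) {
        return expectedHost.equalsIgnoreCase(req.getServerName());
    }
}
```

In the scenario the post sets up (domain.com in front of a router forwarding to bob:8080), this is the distinction that matters most: the server-prefixed getters reflect what the client asked for, the local-prefixed getters reflect where the request actually landed.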