Monthly Archives: January 2010

Adventures in Haskell – Type inference

I’m learning Haskell, so I thought I’d write about my adventures as I go along. One of the first things I noticed about Haskell (apart from the obvious, such as being functional) is that it is very good about type inference. This means that the vast majority of the time, I don’t need to tell […]

Struts 2 insecure direct object reference – part 2 – ParameterNameAware

I discussed security issues in a previous post regarding malicious HTTP request parameters injecting data into a Struts 2 application. Jon pointed out an interface I had forgotten about, ParameterNameAware. How this works is quite simple: your action class implements ParameterNameAware, and in its acceptableParameterName(String parameterName) method you return true only if the client is […]

Struts 2 insecure direct object reference

There is a type of vulnerability which seems peculiar to Struts 2/WebWork applications and therefore may not be widely known. (It may exist in other frameworks as well, but I haven’t personally used any that have it.) The vulnerability is not part of Struts 2, but it enables it in the same sense that a […]
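The two Struts 2 excerpts above describe the same problem from both ends: the parameters interceptor will walk any public getter on the action and call setters the client names, and ParameterNameAware is the hook that lets the action whitelist which parameter names it will accept. The following is an added illustration, not code from either post; the action, the Account bean and the parameter names are hypothetical, and it assumes the stock Struts 2 interceptor stack with its ParametersInterceptor in place.

```java
package example; // hypothetical package, chosen for this illustration

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical action that lets a logged-in user change the e-mail address
 * on their own account. With the stock interceptor stack, ParametersInterceptor
 * evaluates every request parameter name as an OGNL expression against this
 * object: getters are followed for each dotted segment and the final segment
 * is set through its setter.
 */
public class UpdateProfileAction extends ActionSupport implements ParameterNameAware {

    /** Hypothetical domain object; a real application would load it from a store. */
    public static class Account {
        private long id;
        private String email;
        private boolean admin;

        public long getId() { return id; }
        public void setId(long id) { this.id = id; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    private Account account = new Account();

    // This getter is public so the view can render the form. That alone makes
    // every setter on Account reachable from the request: without the whitelist
    // below, a request carrying account.admin=true would escalate the user, and
    // account.id=<someone else's id> followed by a save would overwrite another
    // user's row, which is the direct object reference problem from the post.
    public Account getAccount() { return account; }

    // Exact parameter names the client is allowed to populate. The name passed
    // to acceptableParameterName is the full expression as it appears in the
    // request (e.g. "account.email"), so entries must match that form exactly.
    private static final Set<String> ACCEPTED =
        new HashSet<String>(Arrays.asList("account.email"));

    // ParameterNameAware hook. ParametersInterceptor consults this for each
    // parameter name before evaluating it; names that return false are dropped,
    // so account.admin and account.id never reach their setters regardless of
    // what the request contains.
    public boolean acceptableParameterName(String parameterName) {
        return ACCEPTED.contains(parameterName);
    }

    @Override
    public String execute() {
        // Only account.email can have been populated from the request at this
        // point; the id and admin flag still hold whatever the server loaded.
        // Persisting the change is omitted from this illustration.
        return SUCCESS;
    }
}
```

Two caveats worth keeping in mind with this approach. The whitelist is positive and exact, so it has to be extended deliberately whenever the form grows; a blacklist of "dangerous" names is the wrong shape, because any new getter on the action or its beans immediately becomes reachable. And ParameterNameAware only governs what ParametersInterceptor assigns; anything the action reads straight from the HttpServletRequest is unaffected and still needs its own checks.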

HttpServletRequest cheat sheet

Many HttpServletRequest properties can be confusing, so I decided to create this cheat sheet. (Properties can have similar names, some properties contain delimiters and some don’t, etc.) Let’s say your domain is domain.com, and it points to a router which forwards the request to port 8080 on a server called bob with a local IP […]