Category Archives: Mac OS X

MAC OS X && [ERROR] Failed to execute goal org.apache.maven.plugins:maven-javadoc-plugin:2.9:jar (attach-javadocs) on project sonar-enforcer-rules-repository: MavenReportException: Error while creating archive: Unable to find javadoc command: The environment variable JAVA_HOME is not correctly set. -> [Help 1]

I just had this error while trying to perform a Maven release:

“[ERROR] Failed to execute goal org.apache.maven.plugins:maven-javadoc-plugin:2.9:jar (attach-javadocs) on project sonar-enforcer-rules-repository: MavenReportException: Error while creating archive: Unable to find javadoc command: The environment variable JAVA_HOME is not correctly set. -> [Help 1]”

How to fix? Simply:

1) Verify if the JAVA_HOME is really empty
MacBook-Pro-van-Geert:sonar-enforcer-rules-repository GJDB$ echo $JAVA_HOME

2) If empty: set it with the following command
MacBook-Pro-van-Geert:sonar-enforcer-rules-repository GJDB$ export JAVA_HOME=$(/usr/libexec/java_home)

3) Verify it has been set
MacBook-Pro-van-Geert:sonar-enforcer-rules-repository GJDB$ echo $JAVA_HOME
/Library/Java/JavaVirtualMachines/jdk1.7.0_40.jdk/Contents/Home


Webkit’s XSS Auditor explained and current exploits

WebKit is an open source browser engine used by Safari and Chrome. To prevent cross-site scripting attacks (number 3 in this year's OWASP list of security vulnerabilities), WebKit filters all web traffic with an auditor.

This auditor, called the XSS auditor, can be looked up online: https://github.com/WebKit/webkit/blob/master/Source/WebCore/html/parser/XSSAuditor.cpp

What does it do?
It prevents cross-site scripting (XSS) by replacing malicious scripts with an empty script: "<script> </script>".

As an example, we have our insecure web application, which has a simple input value.

When we insert a malicious XSS value into an input field, like " /><script>pay /* test */ </script></br "

Then we see that after submitting the page, the malicious script has been removed.

But wait! There are exploits.
It is good to know that the auditor doesn't cover all possible output contexts, such as this JSP, where the request parameter is written into a JavaScript string:

<script type="text/javascript">
    var a = "<%= request.getParameter("a") %>";
    document.write("<text>Welcome "+ a + "</text>");
</script>

When this code is called as follows in our insecure web application

http://localhost:8081/insecure-web/noHtmlEscaping?a=2%22;%20alert(document.cookie);%20var%20a=%221

Then we get to see our session cookie!
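An added example, not part of the original post: since the auditor does not cover this context, the fix belongs in the page's own output encoding. The Node.js code below simulates the JSP's server-side interpolation with the parameter value from the URL above and compares it with a version encoded for a JavaScript string; the function names, the stub page objects and the cookie value are assumptions made for the illustration.

```javascript
// Added example (not from the original post). Function names are hypothetical.
// Value of parameter "a" in the URL shown above, after URL decoding.
const PAGE_INPUT = '2"; alert(document.cookie); var a="1';

// What the JSP does: paste the parameter into a JavaScript string literal as-is.
function renderRaw(a) {
  return `var a = "${a}";
document.write("<text>Welcome " + a + "</text>");`;
}

// Encode for a JavaScript string literal: everything outside a small safe set
// becomes \uXXXX, so quotes, backslashes, newlines and "</script>" cannot end it.
function escapeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,._]/g,
    ch => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened page: JS-encode on the server, then HTML-encode in the browser,
// because document.write() parses its argument as HTML (a second context).
function renderEscaped(a) {
  return `var a = "${escapeForJsString(a)}";
var safe = a.replace(/[&<>"']/g, function (c) { return "&#" + c.charCodeAt(0) + ";"; });
document.write("<text>Welcome " + safe + "</text>");`;
}

// Run a generated script body against stub alert/document objects and record
// what it did. The cookie value is constructed sample data.
function runInFakePage(script) {
  const page = { alerts: [], written: [] };
  const doc = {
    cookie: 'JSESSIONID=constructed-sample',
    write: html => page.written.push(String(html)),
  };
  new Function('alert', 'document', script)(m => page.alerts.push(String(m)), doc);
  return page;
}

console.log('raw:    ', runInFakePage(renderRaw(PAGE_INPUT)));
console.log('escaped:', runInFakePage(renderEscaped(PAGE_INPUT)));
```

In a JSP the same two encodings would be applied with a context-aware encoder rather than the hand-written one used here.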

TrueCrypt sharing files Mac and Ubuntu

When using TrueCrypt on your Mac you might want to back up or synchronize your TrueCrypt volumes to a non-Mac formatted (like NTFS) external (USB) hard disk so you can view or edit the volumes under Linux/Ubuntu or Windows.

By default, Mac OS X can only read NTFS formatted volumes, not write to them. To enable writing, you have to install NTFS-3G for Mac OS X 2010.10.2

On some Mac OS X versions (Lion in my case) you will additionally need to add a patch to prevent the following error message. This patch can be downloaded here

[Screenshot: NTFS-3G wait error]