Monthly Archives: June 2013

Webkit’s XSS Auditor explained and current exploits

WebKit is an open source browser engine used by Safari and Chrome. To prevent cross-site scripting attacks (number 3 in this year's OWASP list of security vulnerabilities), WebKit filters all incoming web traffic with an auditor.

This auditor, called the XSS Auditor, can be read online: https://github.com/WebKit/webkit/blob/master/Source/WebCore/html/parser/XSSAuditor.cpp

What does it do?
It prevents cross-site scripting (XSS) by replacing a reflected malicious script with an empty script, i.e. "<script> </script>".

As an example, we have our insecure web application.
[Screenshot 2013-06-16 at 19.29.15]

Which has a simple input value:
[Screenshot 2013-06-16 at 19.29.23]

When a malicious XSS value is inserted into an input field, like " /><script>pay /* test */ &;lt/script></br "
[Screenshot 2013-06-16 at 19.29.40]

Then we see that after submitting the page, the malicious script has been removed.
[Screenshot 2013-06-16 at 19.29.59]

But wait! There are exploits.
It is good to know that the auditor doesn't cover all possible output contexts. Reflecting a parameter into a JavaScript string literal, like this JSP does, is one it misses:

<script type="text/javascript">
    <%-- the request parameter is written unescaped into a JavaScript string literal --%>
    var a = "<%= request.getParameter("a") %>";
    document.write("<text>Welcome " + a + "</text>");
</script>

When this page is requested as follows in our insecure web application

http://localhost:8081/insecure-web/noHtmlEscaping?a=2%22;%20alert(document.cookie);%20var%20a=%221

then we get to see our session cookie!
[Screenshot 2013-06-16 at 19.41.02]

JPA 2 @ManyToMany java.sql.BatchUpdateException: Field ‘id’ doesn’t have a default value

Goal: a ManyToMany relation with JPA. The underlying ORM framework I use is Hibernate, but that is irrelevant here since JPA abstracts it.

The Entities
For a @ManyToMany we need two entities. Here we have an entity 'Beurs', which owns a collection of 'Fonds'.

Beurs:

import java.io.Serializable;
import java.util.List;
import javax.persistence.*;

@Entity
@Table(name = "Beurs")
public class Beurs implements Serializable {
    private static final long serialVersionUID = -6250201709027758975L;

    @Id
    @Column(name = "beurscode", unique = true, nullable = false)
    private Long beurscode;

    // Owning side: the join table BeursFonds is derived from this mapping
    @ManyToMany(fetch = FetchType.LAZY, cascade = CascadeType.ALL)
    @JoinTable(name = "BeursFonds",
        joinColumns = { @JoinColumn(name = "beurs_beurscode", nullable = false, updatable = true) },
        inverseJoinColumns = { @JoinColumn(name = "fonds_fondscode", nullable = false, updatable = true) })
    private List<Fonds> fondsen;

    public Long getBeurscode() { return beurscode; }
    public List<Fonds> getFondsen() { return fondsen; }
}

Fonds:

import java.io.Serializable;
import java.util.List;
import javax.persistence.*;

@Entity
@Table(name = "Fonds")
public class Fonds implements Serializable {
    private static final long serialVersionUID = 4655056015858729584L;

    @Id
    @Column(name = "fondscode")
    private Long fondscode;

    // Inverse side: mappedBy refers to the Beurs.fondsen field
    @ManyToMany(mappedBy = "fondsen", fetch = FetchType.EAGER, cascade = CascadeType.ALL)
    private List<Beurs> beurzen;

    public Long getFondscode() { return fondscode; }
    public List<Beurs> getBeurzen() { return beurzen; }
}

The Join Entity

import java.io.Serializable;
import javax.persistence.*;

@Entity
@Table(name = "BeursFonds")
public class BeursFonds implements Serializable {
    private static final long serialVersionUID = 1L;

    // Surrogate key; with hbm2ddl this becomes an AUTO_INCREMENT column in MySQL
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    @Column(name = "beurs_beurscode")
    private Long beurscode;

    @Column(name = "fonds_fondscode")
    private Long fondscode;

    public BeursFonds() {
        // default constructor for JPA
    }

    public BeursFonds(Long beurscode, Long fondscode) {
        this.beurscode = beurscode;
        this.fondscode = fondscode;
    }

    public Long getId() { return id; }
    public Long getBeurscode() { return beurscode; }
    public Long getFondscode() { return fondscode; }
}

The entitymanager

// Runs inside a transaction so the lazy Beurs.fondsen collection can be loaded and modified
public void store(Fonds fonds) {
    List<Beurs> beurzen = fonds.getBeurzen();
    for (Beurs beurs : beurzen) {
        // Re-read the managed Beurs so the change is made on the owning side
        Beurs beursRepo = entityManager.find(Beurs.class, beurs.getBeurscode());

        beursRepo.getFondsen().add(fonds);
        entityManager.merge(beursRepo);
    }
}

I have 'hibernate.hbm2ddl.auto' set to 'update', so when the web application starts with the new entities, the tables are generated automatically. If you created these tables by hand, you might get the exception below: the insert for the Beurs.fondsen collection supplies only the two foreign-key columns, so an 'id' column that is not AUTO_INCREMENT has no value to fall back on. Solution: recreate the tables.

Caused by: java.sql.BatchUpdateException: Field 'id' doesn't have a default value
at com.mysql.jdbc.PreparedStatement.executeBatchSerially(PreparedStatement.java:2007)
at com.mysql.jdbc.PreparedStatement.executeBatch(PreparedStatement.java:1443)
at org.hibernate.jdbc.BatchingBatcher.doExecuteBatch(BatchingBatcher.java:70)
at org.hibernate.jdbc.BatchingBatcher.addToBatch(BatchingBatcher.java:56)
at org.hibernate.persister.collection.AbstractCollectionPersister.recreate(AbstractCollectionPersister.java:1207)