Daily Archives: October 4, 2017

JavaOne – The Hacker’s Guide to Session Hijacking

Posted on by
Reply

“The Hacker’s Guide to Session Hijacking”

Speaker: Patrycja Wegrzynowicz

For more blog posts from JavaOne, see the table of contents

Dropbox and Yahoo passwords sold on black market last year

HTTP

  • stateless
  • JSessionId – cookie, header, parameter, hidden field
  • OWASP top 10 – A2 – Broken Authentication and Session Management

Session Hijacking

  • Easy targets
  • Session theft – steal session id from URL, sniffling, logs, XSS.
  • Session fixation – trick user into using the (fixed) session id of the hacker’s choosing
  • Session prediction – server uses weak algorithm so hacker cn guess session id. Least common in Java world. About 5 years ago, Jetty had this issue

How protect

  • Need to disable URL rewriting in an app server.
  • Alternatively can set up tracking mode in the web.xml: <tracking-mode>COOKIE</tracking-mode> starting Java EE 6/Servlet 3
  • Use HTTPS to avoid session exposure during transport
  • Set &ltsecure>true&lt/secure> under cookie-config in web.xml so only sent over https. Also added in Java EE 6/Servlet 3
  • Set &lthttp-only>true&lt/http-only> under cookie-config in web.xml so only sent over https.
  • Java EE 7/Servlet 4 has request.changeSessionId() so can have diferent id
  • Shorter timeouts – 2-5 minutes for critical apps; 15-30 minutes for typical apps. By default they aren’t supposed to timeout
  • Write logic to see if IP/user agent changes during session and invalidate session if does
  • CSRF token, double submit cookie (if no server side session), SameSite cookie flag in Chrome (not yet upported by Java EE)

Session created when call requeest.getSession(true) explicitly or implicity (ex: when visit JSP page)

How attack

  • Get session id from log
  • Use JavaScript to get cookie
  • Get user to click link with URL
  • Go to site anonymously and close tab so user gets that session id [requires physical access]
  • XSS
  • CSRF

My take:
She did interative demos of the issues. She posted a URL with session id on twitter and a bunch of people clicked real time; fun to see. Then she did the opposite where she got into our session. Then she stole the cookie with JavaScript using an image to bypass same source policy. [That I’m not doing. Intentionally sharing all my cookies; no thanks! She only displayed the cookie with the jsession id for her site which is good]. Finally she did an interactive CSRF demo

JavaOne- Lambdas Chops: Recipes for simpler more expressive code

Posted on by
Reply

“Lambdas Chops: Recipes for simpler more expressive code”

Speaker: Ian Robertson
slidehare.net/nainostrebor

For more blog posts from JavaOne, see the table of contents

Disclaimer: These are now the most performant way of doing things. If you have I/O or database code, it won’t be a significant difference.

Did one slide review of lambdas as “test” for whether kow enough to follow rest of session. [good idea]

Null safe navigation

  • In Groovy, a?.getX()?.getY()
  • Call method if object is non-null, otherwise just return null
  • Best route is to refactor to return Optional from the getters
  • If can’t refactor: Optional.ofNullable(employee).ap(Employee::getAddress).map(Address::getCity).orElse(null)
  • By chaining Optional can decide what to do

First non null

  • commons-lang has ObjectUtils.firstNonNull
  • Works will if values are cheap to provide
  • If expensive/time consuming, waiting for wasted work
  • firstNonNull(customer.getCart():getRecommendations, this::getBestSellers)
  • and firstNonNull now would have- Stream.of(values).map(Supplier:get).filter(Objects:nonNull).findFIrst().orElse(null)

Multi-method interfaces

  • Helper methods can create instances from one or more lambdas
  • Showed with SimpleFieVisitor. [i don’t see a lambda or method reference here. He mentioned a lambda, but there are no abstract methods now]

Exceptions

  • forEach(File::createNewFile) – doesn’t compile because throws IOException
  • Tried to solve in language and couldn’t.
  • Can catch exception in lambda and convert to runtime exception, but now code is long
  • jOOL library create companion interface that allows checked exceptions and converts to runtime exception
  • now write forEach(Unchecked.consumer(File::createNewFile))

Design Pattern

  • Dispose pattern – close in proper place [no null check in example]
  • Try-with-resources added in Java 7
  • Can forget; poor API that lets you forget
  • Must implement AutoCloseable
  • Can have close logic or lock/unlock in one place and pass lambda [still have to remember to call that]
  • Vavr (Java upside down) library has good library for lazy evaluation (double checked locking pattern) – pass lambda wih work

Type safety

  • Many APIs rely on String representation of method names
  • ex: commmons-beanutils takes method name for comparators. “stringly typed”
  • JDK added API that takes method reference Comparator.comparing(Person::getLastName).thenComparing(Person:getFirstName)
  • Now type safe

JUnit 5 Parameterized Tests

  • @MethodSource has “stringly typed” problem. Also, no way to know passing right # parameters and types
  • Alternatively can use @TestFactory and DynamicTests to have compile time type safety
  • Harder to read with tuples. Can improve further with helper method per combo and have tests use it.
  • [the lack of type safety doesn’t seem like a big deal here since run tests regularly so would know if mismatch. And parameterized tests are much easier to read ]
  • Wrote LambdataRunner to do this in JUnit 4

Best Practices

  • Have more single method interfaces. Provide static helper methods to create
  • Use existing interfaces where can instead of writing own. Easier because already know what it is
  • Avoid overloading method names to accept different lambas of same “shape”. Compiler says lamda ambigious and require lients to cast

My take: I really liked the discussion of pros and cons. And the emoticons were fun – happy, sad, angry, meh. I don’t like the JUnit example, but the rest sound like things I’d do/try.

JavaOne – Mockito 2 Cleaner Tests and Enhanced Productivity

Posted on by
Reply

“Mockito 2 Cleaner Tests and Enhanced Productivity”

Speaker: Szczepan Faber
[nice twitter handle – @mockitoguy]

For more blog posts from JavaOne, see the table of contents

Stats

  • Started in 2008 to overcome shortcomings of JMock and EasyMock
  • Mockito is number 3 Java library on github [not sure what this means]
  • 2016 – Mockito 2 came out
  • About 50 unique contributors

Conceptual

  • Talked about the importance of clean code
  • Plugged GTD (gettng things done) book
  • A good test tell you why it fails without using debugger
  • Used given/when/then format in tests – recommends actually writing those three words in comments; encourages to think about test that way
  • PowerMock extends/integrates with Mockito so can test legacy code

Live coding based on https://github.com/szczepiq/mockito-conferences-2017/tree/javaone

General

  • Fails with clear messages
  • Can click on line in console output message to go to it in IDE
  • JMock/EasyMock use strict mocking as default. Mockito is lenient by default so don’t have to put “unnecessary” code in the tests. [he did a demo of strict mocking simulation. I didn’t follow it. the code is here]
  • MockitoJUnit.rule().strictness(Strictness.STRICT_STUBS) can change default. MockitoSession is the non-rule way to do so. Strict stubbing good as finds unused code. [confused; he just got through saying that strict mocking is bad. but it’s good for stubbing?].
  • Mockito 3 has strict stubs this as a default.
  • With strict stubs, don’t need to call verify – finds unused coe
  • There’s a way to enroll in strict stubs without the @Rule [didn’t show how]
  • Use shipkit for CD

My take: CodeRanch is in the process of migrating to Mockito (from a mix of Mockito/JMock and random other things). It was good to see best practices. I’m going to miss strict mocking. Trying to keep an open mind. I was able to follow most of it with my minimal experience with Mockito. Thought there’d have been a bit of intro up front. I left with questions though. For example, I don’t follow why strict mocks are bad but strict stubs are good. Which is conceptual so I was hoping to follow his point. And he has another session immediately after this one so can’t ask hallway questions.