Methods to prevent XSS

Does anyone know of any methods to prevent Cross Site
Scripting (XSS) in CF applications?

jperez8770 wrote:
> Does anyone know of any methods to prevent Cross Site Scripting (XSS) in CF applications?

Turn on the "Enable Global Script Protection" XSS setting in the CF Administrator.
Never trust unverified input from any client request, be it get|url, post|form or cookie, to be output without protection in future responses.
Use the urlEncodedFormat(), urlDecode(), htmlCodeFormat(), htmlEditFormat() and xmlFormat() functions to escape any untrusted content, rendering scripting code as harmless text.

Similar Messages

  • Any method to prevent a user login with 1 account, but several machines?

    May I ask for your recommendations to prevent a user from logging in to my application with his/her account through different computers?
    Background information:
    1. My application is developed with the BC4J framework.
    2. Login details: Once a user is validated with their user id and password stored in a backend database table, he/she would be granted the right to use my application with a common connection account, as stated in the configuration details specified.
    Here is my solution:
    - When a user logs in to my application, I'll look up whether there is any existing user record in a database table, let's say TBL_CURR_USERS. If no user record is found, the user will be granted the right of launching my application and have a user record written into the table TBL_CURR_USERS. If a user record is found, the user will receive an error message - "Your specified account is in use. You are not allowed to enter until your specified account has been logged off."
    - Problem: My problem is - how to trigger the event for removing the record in the table TBL_CURR_USERS when the user logs out implicitly or the internet connection is interrupted. Let's say, when the user closes the browser by clicking the 'X' icon, I have nothing to trigger my deletion of the user record in the TBL_CURR_USERS table. If so, in the long term, many users will not be able to use my application until housekeeping is done for the table TBL_CURR_USERS ... what should I do? Any Java solutions or JDeveloper solutions available?
    Thanks for your replying!

    I had the same problem and I resolved it in a different way. In the application server I have a Set in the context and I add a user when the login is successful and I remove it (I store the user in the session as well) when the session expires (I have a session listener) or when the user explicitly logs out.
    I don't need table and I don't need to do anything if the application server crashes.
    If you don't use connection pooling you could use a logon trigger on the database.
    I hope it helps,
    Giovanni
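The reply's design is an in-memory registry of live accounts that is cleaned up by session expiry instead of by a logout the browser may never send. The added example below, written for this page in Python rather than the thread's Java, shows the two details such a registry has to get right: the "is this account in use?" check and the claim must happen under one lock, or two simultaneous logins both succeed; and release must be tied to the session that holds the account, so another machine cannot log the holder out. Expiry is driven by a time-to-live and a periodic reaper, which stands in for the session listener in the reply; the FakeClock and the class and method names are this example's own.

```python
import threading
import time


class ActiveSessions:
    """One live session per account, with time-based cleanup for sessions
    that silently disappeared (closed browser, dropped connection)."""

    def __init__(self, ttl_seconds: float, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock            # injectable so tests can fake time
        self._lock = threading.Lock()
        self._by_user = {}             # user -> (session_id, last_seen)

    def login(self, user: str, session_id: str) -> bool:
        """Claim the account for this session. The lookup and the insert run
        under one lock, so two concurrent logins cannot both be accepted."""
        now = self._clock()
        with self._lock:
            current = self._by_user.get(user)
            if current is not None and now - current[1] < self._ttl:
                return False           # still held by a live session elsewhere
            self._by_user[user] = (session_id, now)
            return True

    def touch(self, user: str, session_id: str) -> bool:
        """Call on every request; only the holding session can keep the claim alive."""
        with self._lock:
            current = self._by_user.get(user)
            if current is None or current[0] != session_id:
                return False
            self._by_user[user] = (session_id, self._clock())
            return True

    def logout(self, user: str, session_id: str) -> bool:
        """Explicit logout. Only the session that holds the account may release it."""
        with self._lock:
            current = self._by_user.get(user)
            if current is None or current[0] != session_id:
                return False
            del self._by_user[user]
            return True

    def reap(self) -> list:
        """Housekeeping run on a timer: drop accounts whose session stopped touching."""
        now = self._clock()
        with self._lock:
            expired = [u for u, (_, seen) in self._by_user.items() if now - seen >= self._ttl]
            for u in expired:
                del self._by_user[u]
        return sorted(expired)

    def active_users(self) -> list:
        with self._lock:
            return sorted(self._by_user)


class FakeClock:
    """Manually advanced clock for demonstrations and tests (constructed, not production code)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def demo() -> list:
    """Walk through the scenario in the thread: one account, two machines, a vanished browser."""
    clock = FakeClock()
    sessions = ActiveSessions(ttl_seconds=30, clock=clock)
    steps = []
    steps.append(sessions.login("alice", "machine-1"))     # True: first login wins
    steps.append(sessions.login("alice", "machine-2"))     # False: account in use
    steps.append(sessions.logout("alice", "machine-2"))    # False: not the holder
    clock.t = 10
    steps.append(sessions.touch("alice", "machine-1"))     # True: holder keeps it alive
    clock.t = 35
    steps.append(sessions.reap())                          # []: last seen 25s ago, under TTL
    clock.t = 41
    steps.append(sessions.reap())                          # ['alice']: browser closed, TTL passed
    steps.append(sessions.login("alice", "machine-2"))     # True: account free again
    return steps


if __name__ == "__main__":
    print(demo())
```

The TTL has to be longer than the interval between a healthy client's requests, and the reaper should run more often than the TTL, or a closed browser keeps the account locked for longer than necessary.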

  • Synchronized method not preventing concurrent access

    Hi
    I have 3 classes, T (a Runnable), TRunner (instantiates and starts a thread using T), and Sync (with one synchronized method, foo).
    The problem is that foo is entered concurrently by different threads at the same time. How so?
    T.java:
    import java.util.Calendar;
    class T implements Runnable {
       private String name;
       public T(String name) {
         this.name = name;
       }
       public void run() {
          Thread.currentThread().setName(name);
          // Every thread constructs its own Sync, so each call to foo() locks a different monitor.
          Sync s = new Sync();
          System.out.println(Calendar.getInstance().getTime() + ".....Running " + Thread.currentThread().getName());
          s.foo(name);
       }
    }
    TRunner.java:
    class TRunner {
       public static void main(String args[]) {
           T tx = new T("x");
           T ty = new T("y");
           T tz = new T("z");
           Thread t1 = new Thread(tx);
           Thread t2 = new Thread(ty);
           Thread t3 = new Thread(tz);
           t1.start();
           t2.start();
           t3.start();
       }
    }
    Sync.java:
    import java.util.Calendar;
    class Sync {
       // A synchronized instance method locks "this": the Sync instance, not the class.
       public synchronized void foo(String threadname) {
              System.out.println(Calendar.getInstance().getTime() + ":" + threadname + "....entering FOO");
              try {
                   Thread.sleep(5000);
              } catch (InterruptedException e) {
                   System.out.println("interrupted");
              }
              System.out.println(Calendar.getInstance().getTime() + ":" + threadname + "....leaving FOO");
       }
    }
    Console output:
    C:\javatemp>java TRunner
    Mon Apr 09 15:35:46 CEST 2007.....Running x
    Mon Apr 09 15:35:46 CEST 2007:x....entering FOO
    Mon Apr 09 15:35:46 CEST 2007.....Running y
    Mon Apr 09 15:35:46 CEST 2007:y....entering FOO
    Mon Apr 09 15:35:46 CEST 2007.....Running z
    Mon Apr 09 15:35:46 CEST 2007:z....entering FOO
    Mon Apr 09 15:35:51 CEST 2007:x....leaving FOO
    Mon Apr 09 15:35:51 CEST 2007:y....leaving FOO
    Mon Apr 09 15:35:51 CEST 2007:z....leaving FOO
    C:\javatemp>Thanks in advance.

    > Only for static methods. For instance methods, the lock is the object.
    You are absolutely right.
    > The Class object is no different from any other object. "Entire" Class object makes no sense.
    What I wanted to say is that it's better to synchronize on the object we want to protect from concurrent access rather than on the entire class or instance object.
    > "Efficiency" is not altered by locking on a Class object vs. any other object.
    I studied that it's better to synchronize on the objects we want to protect instead of the entire instance or class object. If one declares a method as synchronized, it means that other threads won't be able to access other synchronized methods for the same object, even if the two weren't in conflict. That was explained as a performance penalty.
    > Or when one or more threads may modify it and one or more may read it.
    Yep, sure.
    > No, they're not.
    You are absolutely right. What I wanted to say is that local variables are unique per thread.
    > Local variables are unique per thread, but that's NOT atomicity.
    Sorry for any confusion
    Message was edited by:
    mtedone

  • Application control methods to prevent jerky graph refresh rate

    Hi all,
    In the simplest terms, what I am trying to achieve is a VI with a button on. When the user presses the button, a subVI is executed which acquires some data which is displayed on 2 graphs. The first graph has cursors which can be moved by the user to define the limits of the data plotted on the second graph.
    I created a VI that did the 2 graphs with the limits and they updated fine (see attached file Stiffness and Damping.vi). However, this was when loading some data from a text file (attached as LabTestData.txt).
    When I replaced the loading bit with the DAQ subVI, when the user changed the cursors on the first graph, the range of data on the second graph remained unchanged (see attached file FIND SAD v1.vi).
    I then changed the structure so the data acquisition was in a different loop to the analysis and this works to a certain extent, apart from the fact that the second graph has a very jerky refresh rate (see attached file FIND SAD.vi).
    If someone has a suggestion on a better way to structure the VI to solve these problems then that would be a great help.
    The second version also has the problem that the VI doesn't stop when the 'Back to main menu' button is pressed, and I can't figure out why this is.
    Many thanks,
    Ian
    Attachments:
    Stiffness and Damping VIs for forum.zip (240 KB)

    Thanks Tom,
    I've attached it along with the subVI it uses as well
    Cheers,
    Ian
    Attachments:
    DATA FROM RIG v2.vi (553 KB)
    FRA SubVI.vi (71 KB)

  • Method To Prevent Safari 4.0  Webpreview Caching

    This is an experimental technique to disable Safari 4.0 from generating standard, and Webpreview, caches. I am interested in feedback from brave souls :>)
    It's best to use a test-bench OS. Don't use your everyday OS, or any drive you depend on.
    Use 'Disk Utility' to 'Verify Disk,' and 'Repair Permission'. If you get the all-clear, move on. If not, please make necessary repairs (there are many posts on this site which cover repair and maintenance of the OS). When all is well, proceed.
    Navigate to: ~/Library/Caches/
    Delete the "com.apple.Safari" and "Safari" folders.
    Close all open windows. Make sure the Safari application is not active.
    Open the Terminal, located in the Utilities folder.
    At the prompt, enter the following four listed command lines, one at a time, pressing the return key between each listing. Spacing is critical, so it may be easier to copy/paste the lines individually; remembering to press the return key between each entry, and also after the last command line is entered. This needs to be done exactly.
    rm -rf ~/Library/Caches/Safari
    touch ~/Library/Caches/Safari
    rm -rf ~/Library/Caches/com.apple.Safari
    touch ~/Library/Caches/com.apple.Safari
    Quit Terminal.
    Navigate to: ~/Library/Caches/
    The Caches folder should now contain two, zero KB Documents, with the names "com.apple.Safari" and "Safari". They act as placeholders for the folders which were deleted earlier. The Safari application appears content with the substitutions.
    Note: This is a speculative adjustment to the normal operation of Safari 4.0. Please, use it only on an OS you can risk, as the consequences of its use are currently unknown.
    Special thanks to the Wikipedia community for the original inspiration :>)

    Solution: If one checks all delete-options offered by 'Reset Safari', then selects 'Reset' (which I did during testing), the two placeholder files get deleted – and it's their original default forms which regenerate.
    If, after making changes to Safari (through the Terminal), one never deletes either 'cache', then the placeholder files remain intact, and Safari does not write to them.
    Both caches now appear to be off limits to Safari. CPU consumption is down, and web pages fly onto the screen. In this new state, Safari 4.0 still receives a 100% score on Acid3, and passes security scans at Symantec and Audit My PC.
    I don't take any of this for granted. There's probably loads of issues still inherent in this 'fix,' but it was fun giving Safari a 20% speed boost.

  • Using sed filter to prevent XSS attacks

    Can a sed filter on "Input" act on URLs or just the actual request body? In other words, is there a way to filter < or > from GET requests and not just POSTs?
    Thanks.
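Stripping < and > out of requests is the question's premise, and the thing a practitioner wants to know before relying on it is how it fails. Two failure modes are easy to demonstrate: a filter that looks at the raw request line never sees angle brackets that arrive percent-encoded and are decoded later by the server, and a payload that breaks out of a quoted attribute needs no angle brackets at all. The Python below is an added example written for this page, not tied to any particular server's filter module and not from the thread; the three request lines are constructed, and the function names are this example's own. It runs the naive filter and plain output encoding side by side against the same inputs.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


def strip_angle_brackets(raw_request_line: str) -> str:
    """The filter under discussion: delete < and > anywhere in the raw request line."""
    return raw_request_line.replace("<", "").replace(">", "")


def param_from_request_line(raw_request_line: str, name: str) -> str:
    """What the application sees: the query value after the server percent-decodes it."""
    target = raw_request_line.split(" ")[1]
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_unsafe(q: str) -> str:
    """Value echoed into both a text context and a quoted attribute, unencoded."""
    return f'<p>Results for {q}</p><input name="q" value="{q}">'


def render_encoded(q: str) -> str:
    """Same page with output encoding chosen per context."""
    return (f"<p>Results for {html.escape(q)}</p>"
            f'<input name="q" value="{html.escape(q, quote=True)}">')


class _TagProbe(HTMLParser):
    """Records tag names and attribute names the way a browser would tokenise them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def looks_injected(fragment: str) -> bool:
    """True if a script element or an on* event-handler attribute made it into the markup."""
    probe = _TagProbe()
    probe.feed(fragment)
    return "script" in probe.tags or any(a.startswith("on") for a in probe.attr_names)


# Constructed request lines, not captured traffic.
REQUESTS = {
    # Raw angle brackets: the filter catches these.
    "plain": "GET /search?q=<script>alert(1)</script> HTTP/1.1",
    # Percent-encoded: no < or > on the wire, so the filter passes it untouched.
    "percent_encoded": "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
    # No angle brackets at all: closes the value attribute and adds an event handler.
    "attribute_break": "GET /search?q=x%22%20onfocus%3Dalert(1)%20autofocus%3D%22 HTTP/1.1",
}


def evaluate(case: str) -> dict:
    """Run one request through the filter, then through both renderers."""
    q = param_from_request_line(strip_angle_brackets(REQUESTS[case]), name="q")
    return {
        "filter_stops_it": not looks_injected(render_unsafe(q)),
        "encoding_stops_it": not looks_injected(render_encoded(q)),
    }


if __name__ == "__main__":
    for case in REQUESTS:
        print(case, evaluate(case))
```

The filter only wins on the first case; the other two reach the page intact. Output encoding handles all three because it acts on the decoded value at the point where it is written into markup, whatever it looked like on the wire.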

    It's not even that glamorous. I'm retrofitting this onto an existing internal web app for a client. They have a backend function that sends e-mails, sometimes hundreds of them. The issue they have run into is that since there is no visual feedback, users don't know that the long-running backend process (sending the e-mails) is in progress. They think that something is wrong so they click the submit button 2 or 3 or 4 more times, like people in an elevator. Under Firefox, nothing happens, since the Fox only sends the initial request. Under IE, a submit is sent with each click and queued up. My client then has the dubious problem of having that e-mail processing bog down the web application server AND send multiple versions of the e-mail.
    I want to ensure that only one request is sent. My filter does this fine, except the original response for the original submit, which may contain a message for the user, is lost. That may be OK for this client but I want to be sure there isn't a way to redirect to the original response.
    I wish I could use javascript (which is the easiest fix) but javascript is not allowed in this environment.

  • Use of staticCreatePrototypeResource method during Resource configuration

    Does anyone know when the staticCreatePrototypeResource method of an adapter is called? I am trying to create a custom adapter that accepts various different modules to actually do the provisioning. The problem I am having is making the prototypeXML dynamic.
    I know that the prototypeXML is used to store the resource in the repository. I assumed during a creation that the prototypeXML was obtained and populated upon submission of the Resource Wizard form. However, I have put some trace with my custom adapter and that does not seem to be the case.
    Instead the staticCreatePrototypeResource method seems to only get called once, upon the first load of the Resource web page. The xml must then be cached someplace and used during the creation process. I am trying to determine if there is any way around this.
    Thanks,
    Pete

    I wouldn't kill the Presentation Services as it might look like the system is down which is not true. A possible way could be to use a repository variable. We use this method to prevent users from seeing new data as our ETL process is loading it. You could have a repository variable called batchrunning. You would then have an Init Block that refreshes this variable every 5 minutes or so. The Init Block could select a value from a table where you store the status of your batch. Then you would add this variable to all facts as a filter in the RPD like this: where batchrunning = 0. When you are updating the DB you would first change the value on your status table to 1. Once the variable is refreshed all new queries will fail since batchrunning is not equal to 0. Once the ETL process is finished, you would set the status table back to 0, the BI Server would refresh the variable and all the queries will start to work again.
    If you prefer to shutdown services then I suggest you shutdown the BI Server as at least the users will be able to get to the Web Server and it won't look that bad.

  • Preventing empty rows in address formats

    Hallo everyone!
    I'd like to know if there is a method to prevent SBO2005A from printing empty rows in the address fields when, for instance, the county is missing in BP addresses like this:
    I have defined an address format that goes
    Block
    County
    Street
    ZipCode | Freetext(" ") | City
    We use Block as "Name2" and County as "Name3" in master data just in case the customer wants to use additional names for his BPs.
    If I use the "Block" - field and I leave the "County" - field blank it prints an empty row between "Block" and "Street". This is not the behaviour I would like to see. In case "county" is missing I would rather see something like this in a printout:
    Block
    Street
    ZipCode | Freetext(" ") | City
    So, is there a method to force this? or any workaround?

    Hello Patryk,
    PLD does not offer the functionality to control the blank lines in an address field.  I would suggest you use a formatted search in your address field on the marketing document and have it formatted in the document itself before you print.
    Please see sample code for your requirement for the Ship to address.  If you want this applied to the Bill to address field then you have to slightly alter the query by cha
    For Shipto address formatting
    -- An empty string is treated like NULL, and the line break follows the value
    -- rather than preceding it, so an absent Block or County leaves no blank row.
    SELECT CASE WHEN ISNULL(T0.Block, '') <> '' THEN T0.Block + CHAR(13) + CHAR(10) ELSE '' END +
    CASE WHEN ISNULL(T0.County, '') <> '' THEN T0.County + CHAR(13) + CHAR(10) ELSE '' END +
    ISNULL(T0.Street, '') + CHAR(13) + CHAR(10) + ISNULL(T0.ZipCode, '') + '  ' + ISNULL(T0.City, '')
    FROM  [dbo].[CRD1] T0 WHERE T0.AdresType = 'S' AND T0.Address = $[$40.0.0] AND T0.CardCode = $[$4.0.0]
    For Billto address formatting
    SELECT CASE WHEN ISNULL(T0.Block, '') <> '' THEN T0.Block + CHAR(13) + CHAR(10) ELSE '' END +
    CASE WHEN ISNULL(T0.County, '') <> '' THEN T0.County + CHAR(13) + CHAR(10) ELSE '' END +
    ISNULL(T0.Street, '') + CHAR(13) + CHAR(10) + ISNULL(T0.ZipCode, '') + '  ' + ISNULL(T0.City, '')
    FROM  [dbo].[CRD1] T0 WHERE T0.AdresType = 'B' AND T0.Address = $[$226.0.0] AND T0.CardCode = $[$4.0.0]
    Suda

  • Xss in a Region-Title like &Name.

    Hi,
    I have sort of a general question.
    I have tried to manipulate a Region-Title like &Name. with a
    JavaScript statement. When I paste the code
    <script>alert('Hello world');</script>
    directly in the Title-Field of the Region, it works.
    But when I try to fill it from a text-field, it does not work.
    So when I paste
    <script>alert('Hello world');</script>
    in a text-field named Text, and the Region-Title is &Text.,
    it does not work.
    The characters are escaped, but I don't know, why.
    Does anyone knows, how I can make this work ?
    ciao, Andre

    Hello Andre,
    >> The characters are escaped, but I don't know, why.
    The APEX engine is automatically escaping the page fields, as part of its rendering process. This is to prevent XSS, which is a serious security breach.
    >> Does anyone knows, how I can make this work ?
    Well, as you are talking about a region title, you can still use the *&ITEM.* notation, just populate it in using an On Load – Before Header process.
    Regards,
    Arie.
    ♦ Please remember to mark appropriate posts as correct/helpful. For the long run, it will benefit us all.
    ♦ Author of Oracle Application Express 3.2 – The Essentials and More

  • Prevent slide show image resizing

    Is there any way to prevent iweb from resizing images for the slideshow? My images are already resized to the exact size that I want them to be displayed. I don't want the software to mess with them!!!

    #1DesignGuy posted in macromedia.dreamweaver:
    > I am trying to rebuild the site from scratch since no one here knew what was wrong with why my Dreamweaver Flash Slide Show image viewer does not display when uploaded to a server but for some reason works off of my local hard drive. Any more ideas from anyone here?
    We DO know what's wrong. I provided the cure for that particular page twice and Alan is providing the method to prevent the problem from happening.
    Refer to your original thread, "Flash swf content does not work when uploaded"
    Mark A. Boyd
    Keep-On-Learnin' :)

  • Preventing google mail from accessing all contacts

    Hi all:
    I use my iPhone mostly for work and have a work email on google.
    I do NOT want google to access all my iPhone contacts, only a portion of which are professional contacts.
    How do I prevent this from happening?
    As soon as I add personal contacts to my iPhone google grabs them, and next thing I know I'm on my laptop on a work-only browser session on my google mail and it's got access to all my personal contacts... what the ****?!
    Anyone knows how that can be avoided?
    Thanks.

    Hi Marcel,
    Database Vault was backported to 9i release 2 so there should be a compatible version for 10g prior to 10.2. The alternative would be to audit actions of users with the SYSDBA privilege and have the DBAs access with named user IDs...not with SYS or SYSTEM or / from the command line. This does not prevent access to sensitive data but you can audit the activity and set up alerts when violations occur. Without a method to prevent access you need to rely on policies, procedures and auditing database activity. If you plan to audit you should do some planning and testing for additional storage needs, archiving audit data and possibly performance, depending on your system.
    Thanks.
    Dan.

  • How to prevent EFS encrypted files getting green color

    hi friends
    as we know, when we encrypt files via EFS, they get a green color so users find out that these are encrypted files. I don't want such a thing.
    Is there any method to prevent EFS encrypted files from getting the green color?
    thanks in advance

    You can set it via Folder Options in Control Panel or in Windows Explorer, and there is a related Group Policy.
    This thread has the details - the configuration
    options apply both to 'green' and 'blue' (compressed) files.
    Elke
    hi Elke.
    nice, thank you very much
    regards

  • Weblogic XSS vulnerability: html character entities getting decoded in jsp by ${} expression

    This is from my question at Stack Overflow: java - Weblogic xss vulnerability : html character entities getting decoded in jsp - Stack Overflow
    I am using a filter to prevent XSS by encoding the HTML characters of my JSP form parameters.
    I am resolving them in jsp using ${param} expression.
    This is working fine in tomcat as the values are resolved as is, but on weblogic the values are getting decoded, causing the XSS to succeed
    I am using this simple code in jsp to test it
    <c:set var="testing" value="eb011&quot;&gt;&lt;img src=a onerror=confirm(1)&gt;47379"/>
    <input type="hidden" name="encoding" value="${testing }"/>
    Result in tomcat
    <input type="hidden" onerror="confirm(1)&gt;47379&quot;/" src="a" &gt;&lt;img="" value="eb011" name="encoding">
    Result in weblogic
    <input type="hidden" value="eb011" name="encoding"><img onerror="confirm(1)" src="a">47379"/&gt;
    why is weblogic decoding html codes and what could be done to prevent it.

    It is really handy to learn how to read schema validation errors. It really does say exactly what's wrong there. If you can get access to the XSD that your XML document is prescribing, you should be able to tell what mistake you made. If you learn how to do this, you'll never have to ask questions like this again. :)
    The error refers to the "http://www.bea.com/ns/weblogic/weblogic-web-app" namespace, which I believe is in your "weblogic.xml" file. It's saying that in the "jsp-descriptor" element, it found a "noTryBlocks" element at a point where it was not legal. At that point, it expected to find either a "'precompile-continue" or several other elements, but not that one. Read the XSD to determine the correct order for elements. If you're editing this file in Eclipse, you may not even have to obtain the XSD. If you hover the mouse over the root element of the document, it will give you a popup showing the syntax details of the element, which will tell you what the expected order of elements is.

  • Prevent internal Ldap Queries

    What is the best method to prevent internal domain users (non-administrators) from querying my AD for any info?
    Running any PowerShell or other queries against the Active Directory from a domain-joined computer by a non-administrative user must be blocked.
    Thank you,
    Darshan

    Darshan,
    By design, everyone has read-only access to Active Directory information.  Anyone who knows how can initiate an LDAP query to pull information if they have the fortitude to create a query.  Most folks wouldn't know where to begin.  However, if folks have administrator rights on their PCs, then they could download and install the RSAT package and browse AD using ADUC.
    There are some things you can do to make it more difficult though. You should remove local admin rights from the users' PCs, using Group Policy to strip it off.  This prevents the loading of some tools.  Not all. You can prevent PowerShell from running queries through Group Policy.  We have this in place and it works well.  With all that said, from an LDAP perspective, you can't restrict or prevent it on a global basis.  It is baked into the sauce, so to speak.  You can put up roadblocks, but these usually affect other capabilities that you would want to leave alone.
    Additional reading:
    http://technet.microsoft.com/en-us/library/aa996205(v=EXCHG.65).aspx
    http://windowsitpro.com/active-directory/hiding-data-active-directory
    Hope that helps.
    Gary
    Gary G. Gray
     MCP, MCTS, MCITP, MCT Alumni
    Please remember to mark the replies as answers if they are helpful.
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • Mac OS X 10.5 Server: Preventing DDNS registration for multiple interfaces

    Please see http://support.apple.com/kb/ht3169 regarding a method to prevent OS X from registering all of its NICs' IP addresses in the DNS of the Active Directory to which it is bound.
    This is the default and expected behavior and is actually quite helpful on machines with a single NIC.
    However it is fatal on servers with more than one NIC as it breaks all sorts of things!
    The problem I am having is that Apple's fix as linked does not work. I have applied this to both my Xserves running OS X 10.5.x Server (currently 10.5.6 Server) and I still see the automatic registration of both NICs' IP addresses to the AD DNS. I am a little unconvinced that SAMBA is the root cause as my logs cheerfully report directory services is successfully registering the IPs to the Active Directory.
    Windows at least allows you to turn off this feature per NIC; I'd settle for turning it off entirely and manually adding A records to the AD DNS, as at the moment this is killing me.
    What am I doing wrong? I have actually rebuilt one of my servers from scratch to see if I can fix this, to no avail.
    In short, help!

    I contacted Apple and they provided me a workaround:
    You have to manually add the DNS entries once you have followed the steps.
    1. In Terminal, we need to make a backup of the file /usr/bin/net which we will be replacing:
    sudo mv /usr/bin/net /usr/bin/oldnet
    2. Place the following in a shell script at /usr/bin/net and chmod it to make it executable. The script will prevent the name registration and allow other net commands to succeed.
    #!/bin/sh
    # Wrapper for the Samba "net" binary: swallow "net ads dns register" so the host
    # does not publish every interface's address into AD DNS, and hand every other
    # invocation through unchanged to the real binary, which step 1 renamed to oldnet.
    if [ "$4" = "ads" -a "$5" = "dns" -a "$6" = "register" ]; then
        exit 0
    else
        /usr/bin/oldnet "$@"
    fi
