03 Jan, 2005
I have been trying to spend a bit of time thinking about how to make security completely foolproof in web apps. AFAIK none of the frameworks appear to address this fully.
As I see it there are 3 main weak areas in Java web applications:
- CSS (cross-site scripting) weaknesses (e.g. redisplaying HTML)
- Input Validation on initial input
- Selecting an item from a list, and a naughty user changing the id to one they cannot normally see
None of these is helped by CSS, so they are quite tricky to solve.
I have been working with Anite on Turbine-Review, which solves 2. It basically ensures all fields have some validation run against them. This framework has now been tested and used in anger for quite a while and does solve most of this. However, far too often I am seeing examples of no validator, or an 'AllwaysTrue' validator, being used.
1 has been solved by Penguin (an add-on to Turbine-Review) and by other frameworks, e.g. Tapestry. As the author of Penguin I must say I think Tapestry's approach (assume all output should be escaped unless told otherwise) is better, but I cannot think of a way to make Velocity do that.
3 does not seem to be solved by any framework. Tapestry could perhaps help, as it has quite a strong table model which could potentially check automatically that a selected row was on the source table.
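To make the three weak areas concrete, here is an added example (my own illustration, not code from Turbine-Review, Penguin or Tapestry). It assumes a constructed in-memory table of rows owned by users, a hand-written HTML escape applied to every output value by default (weakness 1), a parse check on the submitted id (weakness 2), and a lookup that validates the id against the list the user was actually shown rather than the whole table (weakness 3):

```java
import java.util.*;

public final class SelectionCheck {
    // Hypothetical table: each row belongs to an owner (constructed sample data).
    record Row(int id, String owner, String title) {}

    static final List<Row> TABLE = List.of(
        new Row(1, "alice", "Alice's invoice"),
        new Row(2, "bob", "Bob's invoice <script>alert(1)</script>"),
        new Row(3, "alice", "Alice's second invoice"));

    // Weakness 1: escape by default. Every dynamic value passes through here
    // before it reaches the page, so redisplayed HTML is rendered as text.
    static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&' -> sb.append("&amp;");
                case '<' -> sb.append("&lt;");
                case '>' -> sb.append("&gt;");
                case '"' -> sb.append("&quot;");
                case '\'' -> sb.append("&#39;");
                default -> sb.append(c);
            }
        }
        return sb.toString();
    }

    // The rows this user may see: the same query that built the list page.
    static List<Row> visibleTo(String user) {
        return TABLE.stream().filter(r -> r.owner().equals(user)).toList();
    }

    // Weakness 3: resolve the submitted id against the user's own source list,
    // not the whole table, so a tampered id simply does not resolve.
    static Optional<Row> selectRow(String user, String submittedId) {
        int id;
        try { id = Integer.parseInt(submittedId); }       // weakness 2: validate input
        catch (NumberFormatException e) { return Optional.empty(); }
        return visibleTo(user).stream().filter(r -> r.id() == id).findFirst();
    }

    static String renderDetail(String user, String submittedId) {
        return selectRow(user, submittedId)
            .map(r -> "<h1>" + escape(r.title()) + "</h1>")  // escaped on output
            .orElse("<p>Not found</p>");                       // same reply as a missing row
    }

    public static void main(String[] args) {
        System.out.println(renderDetail("alice", "1"));   // Alice's own row
        System.out.println(renderDetail("alice", "2"));   // tampered id: Not found
        System.out.println(renderDetail("bob", "2"));     // script tags rendered inert
    }
}
```

Rejecting an id that is not in the user's own list with the same "Not found" reply as a genuinely missing row also avoids confirming to the user that the other row exists.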
Having looked around the frameworks, this seems to be a little-discussed topic; it may be that most developers don't really think about it (which would explain the vast number of insecure websites around).