Securing Web Applications using OWASP ZAP in passive mode

The OWASP Zed Attack Proxy is a powerful open source web application security assessment tool. Even in passive mode, where it just inspects the traffic generated by your browser, it can give valuable pointers for securing your web application against abuse.

In this blog post I will explain how to configure your browser to use the OWASP ZAP Proxy to click through a web application running on localhost. I will also explain its various findings and how to solve them.

Native JSON handling in Java with EasyGson

Can you handle JSON natively in Java? The very short answer: no. It is possible to get a near-native JSON handling experience, for example with EasyGson. There is a price to pay, though. You will have to forgo standard Java best practices and accept that the JSON itself can be the master data source in your domain.

Java heap start (-Xms) in practice

The discussion on start (-Xms) and maximum (-Xmx) heap memory in Java is an old one. The consensus among admins is that both settings are best set to equal values in order to prevent internal Java reorganizations when heap changes are required. Before you follow this advice, you had best understand that the starting heap is not fully claimed at the OS level and also that some garbage collection runs may not be triggered at all in your application.

Explore the vulnerabilities of Spring with Poreus

In cooperation with Certified Secure, 42 has released a showcase that will help you understand the documented vulnerabilities of Spring. Learning more will allow you to harden your applications against this particular attack vector.

Liberating data from Encrypted TPS Files

My previous article on Clarion TPS files left one big question unanswered: how do encrypted TPS files work, and is it possible to decrypt them? In this post I will dissect the encryption algorithm and explain how it works. It involves quite a bit of binary arithmetic and hexadecimal numbers, so take a deep breath before diving in!

First there is the password. It is passed as a parameter to the TPS driver. Oddly enough it is called the 'owner' parameter. With the password a key is generated which is used to encrypt and decrypt the data. The effect is pretty dramatic.

Keeping your integration tests isolated from each other

In this blog post I will describe the difficulties that occur with integration tests regarding isolation, what problems this can lead to and how you can address these problems in an in-memory database environment.

Try the Dutch OpenStack Swift with JavaSwift JOSS

JOSS and OpenStack Swift. All very nice, but with no service provider in the Netherlands, a bit of a moot point. Not any more, though. If you have your e-business in the Netherlands, it might be interesting for you to know that OpenStack Swift is now available here, brought to you by CloudVPS.

Mockito / PowerMock vs JMockit

If you are on the verge of choosing between Mockito and JMockit, this article will help you understand why you should pick JMockit. When aiming for a Java codebase which is well-covered with unit tests, you are certain to run into mocking frameworks. The two most popular ones are Mockito and JMockit. Mockito, the successor to the older EasyMock, teams up with PowerMock to have complete functionality. JMockit, an ambitious young library aiming for nothing less than taking Mockito's place, works all by itself.

Recovering from database constraint violations in Java

It is very difficult to recover from a database constraint violation in Java applications, due to the lacking SQL exception API. JaRB offers an exception translator that converts any constraint related SQL exception into a rich constraint violation exception, providing all desired information by API. It is even possible to map constraints to a custom exception, greatly simplifying the recovery of violations.

The dark secret of CRUD applications using Spring MVC

Do you use Spring MVC with an OpenSessionInView filter and your Entities also as Data Transfer Objects, as in a basic CRUD setup? Then you may have exposed more of your model than you anticipated.

The easy to use Databinding of Spring MVC will, unconfigured, bind any property in the incoming POST to your domain model, including those not present in the form. To make matters worse, it is also possible to navigate property paths and modify other objects in the domain model. They will get saved too if you have a transaction because of Hibernate's automatic dirty checking. If you use Spring Roo with Hibernate and Spring MVC this is the default behavior.

In this blog post, I will demonstrate this feature and show you how to fix it.

JOSS and Cloudie join forces @

Providing Java tools for dealing with OpenStack Storage, aka Swift: that is the mission. Erik Hooijmeijer and Robert Bor have decided to join forces by combining JOSS and Cloudie into this single open source organization.

Liberating data from Clarion TPS files

Migrating a customer from a legacy system to a shiny new one never goes smoothly. In this case the customer had a huge amount of data in a Clarion based system, with the tables stored in proprietary TPS (TopSpeed) files. In this blog post I'll discuss the various ways of liberating data from their TPS container and dive deep into the internals of the TPS file itself. Finally, I present a TPS to CSV converter.