I have a java app on my server and I can access it with my browser by going to server.com:8080/app.
I've been trying to get my application to access this weblet but because of XSS jQuery.post() gives me errors. Both the app and weblet are on the same server, but since I have to access the weblet through port 8080 Javascript thinks it's another server.
My question: Is there a way to avoid this XSS issue?
I don't want to use a PHP proxy or .htaccess. I also don't want to use the $.getJSON(url + '&callback?') method.
I'm looking for any other solutions.
Thanks in advance.
It' SOP(Same Origin Policy) that's stopping you here, not XSS. XSS is a security vulnerability, which breaks SOP. And yes it limits access so both pages have to run on the same protocol, port and domain.
Can you use a reverse proxy from the webserver on port 80 to 8080? If not you could take a look at easyXDM. Another alternative is to have the 8080 service return rhe access control header mentioned in one of your comments, but this is not supported in older browsers.
Related
I am trying to block certain websites using a web application. So, when a I type a url suppose "http://www.google.com" it should first check whether google is blocked by my application or not. If not open the website otherwise reject the browser request to open it. I am unable to find a way to capture all HTTP request from browser so that I can process it.
I Know proxies are the most suitable option but is there any alternative solution to this. After some searching I found a library - jpcap (a network packet capture library) and I was wondering if this could help me or not?
What you are trying to create is a proxy-server.
You have to configure the browser to go through the proxy, then you can deny websites, reroute them etc.
There are many proxies already there (open source and commercial) that offer what you want.
For example: Squid http://www.squid-cache.org/
See Wikipedia description of a proxy here: https://en.wikipedia.org/wiki/Proxy_server
Many firewall products offer the service of a transparent proxy, redirecting all http/https traffic going through the firewall into a proxy server. It seems, you have a direct connection but your packages are really filtered. Aka transparent proxy.
If your assignment does not allow this context, you need to check the assignment again, if you really got the scope of filtering right.
You cannot take over the browser's ip communication from a servlet or servlet filter. Using a (servlet) filter, you can only filter requests directed to your application. One step above, using an application server valve (Tomcat uses this term, others may use a different one), you can only filter requests directed at that server. One step above (or below) your application server is the physical server and the network it is running in.
If your client does not share the same network as your server, you can't even apply transparent proxy to it. Since browsers are running on the client computer, most clients in the world do not share the same network zone as the server.
It just does not work as you expect it.
I have an web application (Java-html5/js) which runs on our servers that is accessed simply by its URL, no login options or checks. I have been asked to secure it, but I have no access to its source code and I have not managed to contact the developer behind it. It is widely being used on the company, so there is no option to shut it down. The other applications on the network require authentication, so I can use those credentials for this app as well, by redirecting him from a another page. But once he logins, how can I stop him from just accessing the actual unsecured url?
If you're unable to change anything on this server, you may do the following:
Install a proxy server with authentication on another machine - if there's not already one in the company
restrict access to the app server to this proxy's IP address by putting it behind a firewall or changing routing rules
You need to go through the proxy to access and you need to authenticate. Way complicated but should work
I would like to know if there is an easy (or hard) way to spy the secure sockets from a java applet ? (without having the source code)
The goal here is to know exactly what for informations send an (very good obfuscated) applet.
I thought i can simply compile myself a modified java version with a log function but the full source code from java is not available for security reasons...
Set up a proxy server with a security certificate that the applet accepts. Afterwards, you just have to configure your browser to use that proxy and the applet should use the same config.
See Does https prevent man in the middle attacks by proxy server? for how it works technically.
Some things you will need: A proxy than can act as a web server and which is probably reachable with the name of the real server from your browser. You will need to create a valid certificate for this combination which isn't trivial unless the applet is configured to accept certificates from untrusted sources (no CA authority will issue a certificate for, say, "google.com" so that you can feed that to your proxy).
Googling for "man in the middle attack ssl proxy" turns up many links that should be useful.
This article seems to describe an out-of-the-box solution: Understanding Man-In-The-Middle Attacks - Part 4: SSL Hijacking
It doesn't mention applets but Fiddler might fit the bill (from Capturing HTTPS traffic in the clear?)
Just set -Djavax.net.debug=all in the JVM properties. You will get all kinds of output from different layers of the network stack, including the pre-encrypted SSL traffic.
If you're talking about SSL, it wouldn't be secure if that was possible, and it is secure, so it isn't.
I have developed myself in the last few months about web development in java (servlets and jsp). I am developing a web server, which is mainly serving for an application. Actually it is running on google app engine. My concern is, although I am using SSL connections, sending parameters in the URL (e.g. https://www.xyz.com/server?password=1234&username=uname) may not be secure. Should I use another way or is it really secure? I don't know if this url is delivered as plaint text as whole (with the parameters)?
Any help would be appreciated!
Everything is encrypted, including the URL and its parameters. You might still avoid them because they might be stored in server-side logs and in the browser history, though.
Your problem seems to go further than Web Server and Google App Engine.
Sending a password through a web form to your server is a very common security issue. See this SO threads:
Is either GET or POST more secure than the other? (meaningly, POST will simply not display the parameter in the URL so this is not enough)
Are https URLs encrypted? (describes something similar to what you intend to do)
The complete HTTP request including the request line is encrypted inside SSL.
Example http request for the above URL which will all be contained within the SSL tunnel:
GET /server?password=1234&username=uname HTTP/1.1
Host: www.xyz.com
...
It is possible though that your application will log the requested URL, as this contains the users password this may not be OK.
Well, apart from the issues to do with logging and visibility of URLs (i.e., what happens before and after the secure communication) both GET and POST are equally secure; there is very little information that is exchanged before the encrypted channel is established, not even the first line of the HTTP protocol. But that doesn't mean you should use GET for this.
The issue is that logging in is changing the state of the server and should not be repeated without the user getting properly notified that this is happening (to prevent surprises with Javascript). The state that is being changed is of the user session information on the server, because what logging in does is associate a verified identity with that session. Because it is a (significant) change of state, the operation should not be done by GET; while you could do it by PUT technically, POST is better because of the non-idempotency assumptions associated with it (which in turn encourages browsers to pop up a warning dialog).
I have a servlet hosted in the glassfish server. i want to communicate with it using telnet to understand what is going on behind the scenes when using html form get method.
What should i give in the Host field of the HTTP request?
Get /WebApplication1/NServlet HTTP/1.1
Host: localhost
If i want to send custom properties in the HTTP request as below, is it possible to extract their value using request.getAttribute() method.
Get /WebApplication1/NServlet HTTP/1.1
Host: localhost
Custom-Attribute: xyz
Another doubt is that is javax.servlet package not a part of java SE sdk. i had to install java ee to get it running.
The Host field is just the hostname part of the URL, e.g. Host: google.com for http://google.com/
Custom-Attribute: xyz would be exposed in the HttpServletRequest using getHeader(), not getAttribute().
If you want to use HTTP for your protocol (as you've suggested in your comments), check out HttpClient. As the name suggests, it's the client-side of the client/server HTTP implementation, and it should be relatively easy to determine what to set on the client side such that you see it on the server.
There's a great tutorial here. I would perhaps get a simple page working in the servlet first, and check it via the browser, and then implement the client side.
Based on your question, I don't there's enough information for anyone to answer you. Tomcat/Jetty/etc are basically web servers that contain servlets (and therefore JSP/JSF/Wicket etc etc) processors for dynamically generating content.
So, what is it you're trying to figure out, and why?