Category Archives: Others

ClassNotFoundException: javax.servlet.jsp.jstl.core.Config


Are you trying to use JSTL tags in JSP but getting a ClassNotFoundException for javax.servlet.jsp.jstl.core.Config? This is likely the case if you are deploying your web application on Tomcat (I came across it while migrating from one container to another). Many JEE containers bundle JSTL, but Tomcat does not.
To solve this, include the following Maven dependency in the project so that the JSTL jar is fetched and bundled with the application's libraries:

<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>jstl</artifactId>
    <version>1.2</version> 
</dependency>

Book review of “HTML5 & CSS3 For The Real World” By Estelle Weyl, Louis Lazaris, Alexis Goldstein


HTML5 & CSS3 for the Real World is a quick peek into HTML5 and CSS3 elements for developing modern web apps. But it is about the UI: do not look for WebRTC, CORS and similar features.

This book expects familiarity with HTML and CSS, so if this is your first encounter with them, skip this book and get familiar with those first, as in many places you will find the phrase “as you already know”.
The book starts nicely with a bit of background and history, weighing in on why HTML5 is good and how well it is supported, but then it becomes too theoretical, at least until chapter 5. Some visuals are provided along with the code, but I felt a lack of a “hands on” approach. Chapters 6 and 7 have plenty of examples, but starting with chapter 8 it again leans towards theory.

The part I like most is that it covers compatibility across browsers quite comprehensively, augmenting it with notes, tips and tricks.

Why to buy the book: if you do not know what to learn in HTML5 and CSS3 and are not keen on getting your hands on a reference guide, go for this book. It will give you enough steam to get started. Cross-browser compatibility is covered thoroughly.

Why not to buy the book: if you know what to learn, this book is no better than a reference guide. The practical tips and tricks help, but they can be acquired anyway as one gets hands-on.

Review of “The Basics of Web Hacking: Tools and Techniques to Attack the Web” by Josh Pauli; O’Reilly Media


In this book Josh Pauli tries to touch on the basics of web hacking: concepts, tools, methodologies and so on. The author does great justice to the subject, providing enough pointers to start with and then delve as deep as one's interest takes one.

It identifies the different layers at which hacking can be done, for example the network layer, the application layer etc., provides insight into the tools (Burp, Zed Attack Proxy, Nmap, Nessus etc.) that can be used at each layer, both free and paid ones, discusses the ways an application vulnerability can be attacked, gives good analogies to understand the issues better and offers many hands-on examples to try out each one of them. In fact the analogies make the material much easier to understand!
If you are a developer and have not thought about security issues before, it will be an eye-opener! Oh no, can this be hacked? Tools to monitor HTTP traffic (browser extensions as well as PC tools), types of XSS attack, how a user’s trust and a server’s trust can be fooled: many more concepts have been nicely touched upon. For advanced knowledge, the author has given an impressive list of books at the end.

One drawback, or maybe not, it’s really subjective, is that most of the context is for Linux, so users working primarily with Windows will have to map all the Linux material to its Windows parallels.

For users who are already well versed in the tools, methodology and types of attacks, this might be a refresher, but in the end it does justice to its title, BASICS.

A must have for everyone who wants to understand the basics, what a pen test really means, and wants to “break” and fix the application before the penetration test team does it! Have fun hacking your own website 😉

HAProxy up and running in a couple of minutes


I tried HAProxy for my web app (hosted on Tomcat); the reason for using HAProxy is that it also supports WebSockets, and my current project uses WebSockets for server push.
As a first step, I tested it with a bare-bones web application. Wow, it’s just so easy: without any hiccups it was up and working in ~30 minutes. I used a Linux box as no distribution for Windows is available (one can use Cygwin); see my previous post on the same.

  1. Download HAProxy; I used version haproxy-1.4.24.
  2. Untar it: tar -xvf haproxy-1.4.24.tar.gz
  3. Build HAProxy with “make TARGET=linux26”. This is for CentOS 5.8 with Linux kernel 2.6; the 26 in “TARGET=linux26” indicates the kernel version, so if it is 2.4 use “TARGET=linux24”. As a side note, to find out the kernel version use uname -a on your Linux box.
  4. Copy haproxy to /usr/sbin: cp haproxy /usr/sbin/haproxy
  5. Create a config file, say /etc/haproxy_chandan.cfg.
  6. As mentioned on the HAProxy site, this is the bare minimum configuration needed; add it to the config file:
    global
        daemon
        maxconn 256
    
    defaults
        mode http
        timeout connect 5000ms
        timeout client 50000ms
        timeout server 50000ms
    
    frontend http-in
        bind *:80
        default_backend websockets_support
    
    backend websockets_support
        server ws1 a.b.c.d:8888 maxconn 32
        server ws2 a.b.c.d:8080 maxconn 32
    
    listen admin
        bind *:8080
        stats enable
    
  7. Start HAProxy: /usr/sbin/haproxy -f /etc/haproxy_chandan.cfg
  8. As configured, requests are handled on port 80 while the admin console for HAProxy is on port 8080.

Access your app from http://ipofmachinewherehaproxyisinstalled:80
Access haproxy admin console from http://ipofmachinewherehaproxyisinstalled:8080/haproxy?stats
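The “listen admin” section above binds the stats console on every interface (*:8080) with no authentication, so anyone who can reach the host on that port can read backend names, addresses and traffic counters. Below is an added example (not from the post or the HAProxy project) of the same section hardened for a 1.4-era config: it binds only to a management address, requires credentials, hides the version banner and keeps the stats URI explicit so the URL above keeps working. The address 10.0.0.5 and the credentials are placeholders.

```haproxy
# Added example, not part of the original post.
# Replaces the post's "listen admin" section, which was:
#     listen admin
#         bind *:8080
#         stats enable
# i.e. reachable on all interfaces, with no authentication.
listen admin
    bind 10.0.0.5:8080               # placeholder management IP; use 127.0.0.1 for local-only access
    mode http
    stats enable
    stats uri /haproxy?stats         # same URI as the post, now stated explicitly
    stats realm HAProxy\ Statistics
    stats auth opsuser:CHANGE_ME     # placeholder credentials; note they are stored in clear text in the cfg
    stats hide-version               # do not advertise the HAProxy version on the page
    stats refresh 30s
```

Two checks worth doing with the post's config: run `haproxy -c -f /etc/haproxy_chandan.cfg` to validate the file before starting, and make sure a.b.c.d:8080 (backend server ws2) is not the HAProxy host itself, since the admin section also listens on 8080 and the two would collide.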

That's all. Moving on to configuring it for WebSockets to see if it needs additional configuration tweaks or changes; I will post about it.

Never depend on client side dates or anything else which can be manipulated outside our control


Recently, while doing a code review, I came across code that was using the date functions in ActionScript (Adobe client-side code) to print the payment receipt date.
For persisting the payment date it was read from the server, but for printing on the receipt it was read from the client machine.
The explanation I got was: why send data which can be read the same way on the client (referring to the equivalent of getCurrentDate)? This misses the point that we should never rely on anything which can be manipulated outside our control.

Adding height and width to a Flex popup


A Flex popup, typically of type TitleWindow, is by default 50% of the size of its parent, and with the help of PopUpManager it can be centered when loaded.
What if the requirement is to have a full-size popup window, the size of its parent container?

  • One way is to use a fixed height and width
  • The other way is to resize it with respect to its parent:
sectionPopUp.width=UIComponent(this.parentApplication).width;
sectionPopUp.height=UIComponent(this.parentApplication).height;

Not to say that the first approach of using a fixed height and width must be avoided, though it will break on different screen sizes.
Approach two seemed more elegant to me.

Adding code to a WordPress blog


A blog post on WordPress about a WordPress feature ;). I was having a hard time figuring out how to put XML or HTML code directly inside my blog; after spending a little time I came across this link: http://en.support.wordpress.com/code/posting-source-code
The idea is to use the “sourcecode” shortcode, which supports a lot of languages, e.g. for XML:

          [sourcecode language="xml"]
          ... your code here ...
          [/sourcecode]

Some of the supported languages:

actionscript3
bash
clojure
coldfusion
cpp
csharp
css
delphi
erlang
fsharp
diff
groovy
html
javascript
java
javafx
matlab (keywords only)
objc
perl
php
text
powershell
python
r
ruby
scala
sql
vb
xml

All UI elements should be disabled if not applicable


I was working on a Flex-based user interface; the SV team reported an issue that, until the user has filled in all of the “valid” details on the screen, the submit button should remain disabled.
I had purposely avoided this for the following reasons:

  • There is an in-field hint and tip available for each input field to assist the user
  • If users submit, there will be client-side validation and wrong information cannot be submitted anyway; the error can be more informative
  • Displaying error messages as the user types can be irritating
  • Why unnecessarily waste CPU cycles capturing keyboard events? (Not a great point, but for listing's sake ..)

So a conflict between the SV and Dev teams, nothing unusual 🙂
The usability team was called in, and they upheld the SV objection, saying this has been done in some other products so I must comply…
Since it was more of my preference to avoid validation on key press, I gave in, but I would like to know how others think about this.