diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..76e22beb
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+ - package-ecosystem: "maven" # See documentation for possible values
+ directory: "/" # Location of package manifests
+ schedule:
+ interval: "daily"
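Review bot: The update list at L14 covers only the Maven ecosystem, so the action versions in .github/workflows/maven.yml (changed in this same commit) are not kept current by this configuration; add a second entry `- package-ecosystem: "github-actions"` with `directory: "/"` and the same daily schedule. With the workflow pinned to mutable tags, a retagged or compromised action release is the main supply-chain exposure this repository has, and Dependabot is the mechanism that would surface the fix. `directory: "/"` at L15 also presumably relies on the root pom aggregating the Ch*_ chapter projects as modules; if any chapter pom is not a declared module, Dependabot will not see it and that directory needs its own entry — worth confirming against the root pom, which is not part of this diff.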
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
index 6d5d04ef..3bb20fa3 100644
--- a/.github/workflows/maven.yml
+++ b/.github/workflows/maven.yml
@@ -7,14 +7,16 @@ on:
jobs:
build:
-
runs-on: ubuntu-latest
-
+ name: JavaWebSecurity Build
steps:
- - uses: actions/checkout@v2
- - name: Set up JDK 1.8
- uses: actions/setup-java@v1
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Configure Java for Build
+ uses: actions/setup-java@v4
with:
- java-version: 1.8
+ distribution: 'temurin'
+ java-version: '17'
+ cache: 'maven'
- name: Build with Maven
run: mvn -B package --file pom.xml
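Review bot: The workflow at L28-L43 declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope, which can be read/write depending on the repository setting; a job that only compiles and packages needs nothing beyond a top-level `permissions:` with `contents: read`. The actions at L34 and L36 are pinned to the mutable tags `@v4`; pinning to a full commit SHA with the tag kept in a trailing comment (`uses: actions/checkout@<commit-sha> # v4`) makes the build reproducible and is the form a `github-actions` Dependabot entry keeps updated. `cache: 'maven'` at L41 keys on the pom hashes and is fine for a build of this kind.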
diff --git a/Ch04_OutputEscapingJSF/src/main/java/de/dominikschadow/webappsecurity/ContactController.java b/Ch04_OutputEscapingJSF/src/main/java/de/dominikschadow/webappsecurity/ContactController.java
index a4e73aa2..9a62d296 100644
--- a/Ch04_OutputEscapingJSF/src/main/java/de/dominikschadow/webappsecurity/ContactController.java
+++ b/Ch04_OutputEscapingJSF/src/main/java/de/dominikschadow/webappsecurity/ContactController.java
@@ -19,6 +19,7 @@
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
+import java.io.Serial;
import java.io.Serializable;
/**
@@ -29,6 +30,7 @@
@ManagedBean(name = "contact")
@SessionScoped
public class ContactController implements Serializable {
+ @Serial
private static final long serialVersionUID = 4083596061570021965L;
private String firstname;
diff --git a/Ch04_OutputEscapingJSP/pom.xml b/Ch04_OutputEscapingJSP/pom.xml
index e89f1169..be850102 100644
--- a/Ch04_OutputEscapingJSP/pom.xml
+++ b/Ch04_OutputEscapingJSP/pom.xml
@@ -30,16 +30,8 @@
jstl
- org.slf4j
- slf4j-api
-
-
- org.slf4j
- slf4j-log4j12
-
-
- log4j
- log4j
+ ch.qos.logback
+ logback-classic
org.springframework
diff --git a/Ch04_OutputEscapingJSP/src/main/resources/log4j.xml b/Ch04_OutputEscapingJSP/src/main/resources/log4j.xml
deleted file mode 100644
index 012b99da..00000000
--- a/Ch04_OutputEscapingJSP/src/main/resources/log4j.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/Ch04_OutputEscapingJSP/src/main/resources/logback.xml b/Ch04_OutputEscapingJSP/src/main/resources/logback.xml
new file mode 100644
index 00000000..6156c218
--- /dev/null
+++ b/Ch04_OutputEscapingJSP/src/main/resources/logback.xml
@@ -0,0 +1,11 @@
+
+
+
+ %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
+
+
+
+
+
+
+
\ No newline at end of file
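Review bot: The pattern at L111 emits `%msg` verbatim, and the servlets in this diff log raw request parameters (`LOGGER.info("Received {} as POST parameter", name)` at L235 and L316), so a value containing CR/LF lets a client forge additional, correctly formatted log lines in this layout. Neutralise line breaks in the pattern by replacing `%msg` with `%replace(%msg){'[\r\n]', ''}` (or, if raw multi-line messages are wanted somewhere, at the individual call sites instead). The same file is copied byte-for-byte (blob 6156c218) into every chapter module in this commit, so the change has to be made in each copy or the configuration moved to a shared place. The appender and root-level elements of this file are not legible in this extract, so nothing can be said here about destination or level.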
diff --git a/Ch05_AccessReferenceMaps/pom.xml b/Ch05_AccessReferenceMaps/pom.xml
index 7393b92c..c87a0364 100644
--- a/Ch05_AccessReferenceMaps/pom.xml
+++ b/Ch05_AccessReferenceMaps/pom.xml
@@ -33,16 +33,8 @@
hibernate-core
- org.slf4j
- slf4j-api
-
-
- org.slf4j
- slf4j-log4j12
-
-
- log4j
- log4j
+ ch.qos.logback
+ logback-classic
diff --git a/Ch05_AccessReferenceMaps/src/main/resources/log4j.xml b/Ch05_AccessReferenceMaps/src/main/resources/log4j.xml
deleted file mode 100644
index b9da58c6..00000000
--- a/Ch05_AccessReferenceMaps/src/main/resources/log4j.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/Ch05_AccessReferenceMaps/src/main/resources/logback.xml b/Ch05_AccessReferenceMaps/src/main/resources/logback.xml
new file mode 100644
index 00000000..6156c218
--- /dev/null
+++ b/Ch05_AccessReferenceMaps/src/main/resources/logback.xml
@@ -0,0 +1,11 @@
+
+
+
+ %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Ch05_HSTS/pom.xml b/Ch05_HSTS/pom.xml
index 8d2c11df..c11a112a 100644
--- a/Ch05_HSTS/pom.xml
+++ b/Ch05_HSTS/pom.xml
@@ -15,22 +15,14 @@
Chapter 5 HTTP Strict Transport Security (HSTS sample project. Requires a server like Apache Tomcat or the Maven Tomcat plugin. After starting, open the web application in your browser at http://localhost:8080/Ch05_HSTS
-
- org.slf4j
- slf4j-api
-
-
- org.slf4j
- slf4j-log4j12
-
-
- log4j
- log4j
-
javax.servlet
javax.servlet-api
+
+ ch.qos.logback
+ logback-classic
+
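Review bot: This hunk removes `slf4j-api` (L185-L186) while the module's code keeps importing `org.slf4j` directly (HSTSFilter and LoginServlet later in this diff use `LoggerFactory`), so the logging API is now reached only as a transitive dependency of `logback-classic`; declare `org.slf4j` / `slf4j-api` explicitly next to it so the compile classpath does not depend on logback's packaging and `mvn dependency:analyze` does not report a used-undeclared dependency. The logback version is not in this hunk and presumably resolves from a parent POM outside the diff; check that it resolves to a current release, since older 1.2-era builds carried security advisories around configuration loading. The same swap is repeated in every chapter POM of this commit, so both points apply to all of them.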
diff --git a/Ch05_HSTS/src/main/java/de/dominikschadow/webappsecurity/filter/HSTSFilter.java b/Ch05_HSTS/src/main/java/de/dominikschadow/webappsecurity/filter/HSTSFilter.java
index db288da9..2fd32fff 100644
--- a/Ch05_HSTS/src/main/java/de/dominikschadow/webappsecurity/filter/HSTSFilter.java
+++ b/Ch05_HSTS/src/main/java/de/dominikschadow/webappsecurity/filter/HSTSFilter.java
@@ -33,7 +33,7 @@ public class HSTSFilter implements Filter {
private static final Logger LOGGER = LoggerFactory.getLogger(HSTSFilter.class);
@Override
- public void init(FilterConfig filterConfig) throws ServletException {
+ public void init(FilterConfig filterConfig) {
LOGGER.info("HSTSFilter init");
}
diff --git a/Ch05_HSTS/src/main/java/de/dominikschadow/webappsecurity/servlets/LoginServlet.java b/Ch05_HSTS/src/main/java/de/dominikschadow/webappsecurity/servlets/LoginServlet.java
index a33c8f67..520be557 100644
--- a/Ch05_HSTS/src/main/java/de/dominikschadow/webappsecurity/servlets/LoginServlet.java
+++ b/Ch05_HSTS/src/main/java/de/dominikschadow/webappsecurity/servlets/LoginServlet.java
@@ -19,8 +19,8 @@
import java.io.IOException;
import java.io.PrintWriter;
+import java.io.Serial;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
@@ -37,10 +37,11 @@
@WebServlet(name = "LoginServlet", urlPatterns = {"/LoginServlet"})
public class LoginServlet extends HttpServlet {
private static final Logger LOGGER = LoggerFactory.getLogger(LoginServlet.class);
+ @Serial
private static final long serialVersionUID = 1L;
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
String name = request.getParameter("name");
LOGGER.info("Received {} as POST parameter", name);
diff --git a/Ch05_HSTS/src/main/resources/log4j.xml b/Ch05_HSTS/src/main/resources/log4j.xml
deleted file mode 100644
index 012b99da..00000000
--- a/Ch05_HSTS/src/main/resources/log4j.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/Ch05_HSTS/src/main/resources/logback.xml b/Ch05_HSTS/src/main/resources/logback.xml
new file mode 100644
index 00000000..6156c218
--- /dev/null
+++ b/Ch05_HSTS/src/main/resources/logback.xml
@@ -0,0 +1,11 @@
+
+
+
+ %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Ch05_SessionFixation/pom.xml b/Ch05_SessionFixation/pom.xml
index 02dc1ad3..3efd4b93 100644
--- a/Ch05_SessionFixation/pom.xml
+++ b/Ch05_SessionFixation/pom.xml
@@ -17,16 +17,8 @@
javax.servlet-api
- org.slf4j
- slf4j-api
-
-
- org.slf4j
- slf4j-log4j12
-
-
- log4j
- log4j
+ ch.qos.logback
+ logback-classic
diff --git a/Ch05_SessionFixation/src/main/java/de/dominikschadow/webappsecurity/servlets/LoginServlet.java b/Ch05_SessionFixation/src/main/java/de/dominikschadow/webappsecurity/servlets/LoginServlet.java
index e0a4671d..9dfc5370 100644
--- a/Ch05_SessionFixation/src/main/java/de/dominikschadow/webappsecurity/servlets/LoginServlet.java
+++ b/Ch05_SessionFixation/src/main/java/de/dominikschadow/webappsecurity/servlets/LoginServlet.java
@@ -19,8 +19,8 @@
import java.io.IOException;
import java.io.PrintWriter;
+import java.io.Serial;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
@@ -37,10 +37,11 @@
@WebServlet(name = "LoginServlet", urlPatterns = {"/LoginServlet"})
public class LoginServlet extends HttpServlet {
private static final Logger LOGGER = LoggerFactory.getLogger(LoginServlet.class);
+ @Serial
private static final long serialVersionUID = 1L;
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
String name = request.getParameter("name");
LOGGER.info("Received {} as POST parameter", name);
diff --git a/Ch05_SessionFixation/src/main/resources/log4j.xml b/Ch05_SessionFixation/src/main/resources/log4j.xml
deleted file mode 100644
index 012b99da..00000000
--- a/Ch05_SessionFixation/src/main/resources/log4j.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/Ch05_SessionFixation/src/main/resources/logback.xml b/Ch05_SessionFixation/src/main/resources/logback.xml
new file mode 100644
index 00000000..6156c218
--- /dev/null
+++ b/Ch05_SessionFixation/src/main/resources/logback.xml
@@ -0,0 +1,11 @@
+
+
+
+ %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Ch06_SQLInjection/pom.xml b/Ch06_SQLInjection/pom.xml
index 12ef8783..28746248 100644
--- a/Ch06_SQLInjection/pom.xml
+++ b/Ch06_SQLInjection/pom.xml
@@ -30,16 +30,8 @@
hibernate-core
- org.slf4j
- slf4j-api
-
-
- org.slf4j
- slf4j-log4j12
-
-
- log4j
- log4j
+ ch.qos.logback
+ logback-classic
diff --git a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/domain/Customer.java b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/domain/Customer.java
index 7bc8feb7..72c64f4e 100644
--- a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/domain/Customer.java
+++ b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/domain/Customer.java
@@ -76,13 +76,10 @@ public void setHint(String hint) {
@Override
public String toString() {
- StringBuilder customer = new StringBuilder();
- customer.append("ID ").append(custId);
- customer.append(", Name ").append(name);
- customer.append(", Status ").append(status);
- customer.append(", Order Limit ").append(orderLimit);
- customer.append(", Hint ").append(hint);
-
- return customer.toString();
+ return "ID " + custId +
+ ", Name " + name +
+ ", Status " + status +
+ ", Order Limit " + orderLimit +
+ ", Hint " + hint;
}
}
diff --git a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/HQLServlet.java b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/HQLServlet.java
index 99c499c0..771b7b5f 100644
--- a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/HQLServlet.java
+++ b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/HQLServlet.java
@@ -23,7 +23,6 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
@@ -43,7 +42,7 @@ public class HQLServlet extends HttpServlet {
private static final Logger LOGGER = LoggerFactory.getLogger(HQLServlet.class);
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
String name = request.getParameter("name");
LOGGER.info("Received {} as POST parameter", name);
diff --git a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/PreparedStatementServlet.java b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/PreparedStatementServlet.java
index 185a184e..f404a1d1 100644
--- a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/PreparedStatementServlet.java
+++ b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/PreparedStatementServlet.java
@@ -20,7 +20,6 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
@@ -41,7 +40,7 @@ public class PreparedStatementServlet extends HttpServlet {
private static final Logger LOGGER = LoggerFactory.getLogger(PreparedStatementServlet.class);
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
String name = request.getParameter("name");
LOGGER.info("Received {} as POST parameter", name);
diff --git a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/StatementEscapingServlet.java b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/StatementEscapingServlet.java
index a72a73e2..bcdf3f5e 100644
--- a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/StatementEscapingServlet.java
+++ b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/StatementEscapingServlet.java
@@ -22,7 +22,6 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
@@ -43,7 +42,7 @@ public class StatementEscapingServlet extends HttpServlet {
private static final Logger LOGGER = LoggerFactory.getLogger(StatementEscapingServlet.class);
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
String name = request.getParameter("name");
LOGGER.info("Received {} as POST parameter", name);
diff --git a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/StatementServlet.java b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/StatementServlet.java
index 5ee18ab6..773c4834 100644
--- a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/StatementServlet.java
+++ b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/StatementServlet.java
@@ -20,7 +20,6 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
@@ -41,7 +40,7 @@ public class StatementServlet extends HttpServlet {
private static final Logger LOGGER = LoggerFactory.getLogger(StatementServlet.class);
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
String name = request.getParameter("name");
LOGGER.info("Received {} as POST parameter", name);
diff --git a/Ch06_SQLInjection/src/main/resources/log4j.xml b/Ch06_SQLInjection/src/main/resources/log4j.xml
deleted file mode 100644
index 012b99da..00000000
--- a/Ch06_SQLInjection/src/main/resources/log4j.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/Ch06_SQLInjection/src/main/resources/logback.xml b/Ch06_SQLInjection/src/main/resources/logback.xml
new file mode 100644
index 00000000..6156c218
--- /dev/null
+++ b/Ch06_SQLInjection/src/main/resources/logback.xml
@@ -0,0 +1,11 @@
+
+
+
+ %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Ch06_XPathInjection/pom.xml b/Ch06_XPathInjection/pom.xml
index 83ae9433..9542dc13 100644
--- a/Ch06_XPathInjection/pom.xml
+++ b/Ch06_XPathInjection/pom.xml
@@ -22,16 +22,8 @@
esapi
- org.slf4j
- slf4j-api
-
-
- org.slf4j
- slf4j-log4j12
-
-
- log4j
- log4j
+ ch.qos.logback
+ logback-classic
diff --git a/Ch06_XPathInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/XPathEscapingServlet.java b/Ch06_XPathInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/XPathEscapingServlet.java
index 1148c256..8dc8c65b 100644
--- a/Ch06_XPathInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/XPathEscapingServlet.java
+++ b/Ch06_XPathInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/XPathEscapingServlet.java
@@ -54,7 +54,7 @@ public class XPathEscapingServlet extends HttpServlet {
@Override
public void init() {
- try (InputStream inputStream = getClass().getClassLoader().getResourceAsStream("/customer.xml");) {
+ try (InputStream inputStream = getClass().getClassLoader().getResourceAsStream("/customer.xml")) {
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
doc = dBuilder.parse(inputStream);
@@ -73,14 +73,13 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
String safePassword = ESAPI.encoder().encodeForXPath(password);
LOGGER.info("Using safe name {} and {}", safeName, safePassword);
- StringBuilder xpathExpression = new StringBuilder();
- xpathExpression.append("/customers/customer[name='");
- xpathExpression.append(safeName);
- xpathExpression.append("' and @password='");
- xpathExpression.append(safePassword);
- xpathExpression.append("']/orderLimit");
+ String xpathExpression = "/customers/customer[name='" +
+ safeName +
+ "' and @password='" +
+ safePassword +
+ "']/orderLimit";
- printOrderLimit(xpathExpression.toString(), name, response);
+ printOrderLimit(xpathExpression, name, response);
}
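Review bot: The expression at L548-L552 still splices the escaped user values into the XPath string as quoted literals, so the protection rests entirely on `ESAPI.encoder().encodeForXPath` never producing output that closes the single quote; the stronger control, and the one the XPath API provides for exactly this, is to keep user data out of the expression altogether — `"/customers/customer[name=$name and @password=$password]/orderLimit"` — and supply `name` and `password` through an `XPathVariableResolver` set on the `XPath` object in printOrderLimit, which lies outside this hunk. Because the encoded form is what gets compared with the document, a legitimate name containing an apostrophe is presumably not going to match either; variables avoid that as well. L541 (context) logs the password at INFO level; even in a sample application that argument should be dropped. doPost begins before this hunk.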
private void printOrderLimit(String xpath, String name, HttpServletResponse response) {
diff --git a/Ch06_XPathInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/XPathServlet.java b/Ch06_XPathInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/XPathServlet.java
index 7f4cc7f7..d68d3738 100644
--- a/Ch06_XPathInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/XPathServlet.java
+++ b/Ch06_XPathInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/XPathServlet.java
@@ -53,7 +53,7 @@ public class XPathServlet extends HttpServlet {
@Override
public void init() {
- try (InputStream inputStream = getClass().getClassLoader().getResourceAsStream("/customer.xml");) {
+ try (InputStream inputStream = getClass().getClassLoader().getResourceAsStream("/customer.xml")) {
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
doc = dBuilder.parse(inputStream);
@@ -68,14 +68,13 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
String password = request.getParameter("password");
LOGGER.info("Received {} and {} as parameter", name, password);
- StringBuilder xpathExpression = new StringBuilder();
- xpathExpression.append("/customers/customer[name='");
- xpathExpression.append(name);
- xpathExpression.append("' and @password='");
- xpathExpression.append(password);
- xpathExpression.append("']/orderLimit");
+ String xpathExpression = "/customers/customer[name='" +
+ name +
+ "' and @password='" +
+ password +
+ "']/orderLimit";
- printOrderLimit(xpathExpression.toString(), name, response);
+ printOrderLimit(xpathExpression, name, response);
}
private void printOrderLimit(String xpath, String name, HttpServletResponse response) {
diff --git a/Ch06_XPathInjection/src/main/resources/log4j.xml b/Ch06_XPathInjection/src/main/resources/log4j.xml
deleted file mode 100644
index 012b99da..00000000
--- a/Ch06_XPathInjection/src/main/resources/log4j.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/Ch06_XPathInjection/src/main/resources/logback.xml b/Ch06_XPathInjection/src/main/resources/logback.xml
new file mode 100644
index 00000000..6156c218
--- /dev/null
+++ b/Ch06_XPathInjection/src/main/resources/logback.xml
@@ -0,0 +1,11 @@
+
+
+
+ %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Ch07_CSP/pom.xml b/Ch07_CSP/pom.xml
index ddca2ec2..fe84aa0e 100644
--- a/Ch07_CSP/pom.xml
+++ b/Ch07_CSP/pom.xml
@@ -20,20 +20,8 @@
javax.servlet-api
- com.cedarsoftware
- json-io
-
-
- org.slf4j
- slf4j-api
-
-
- org.slf4j
- slf4j-log4j12
-
-
- log4j
- log4j
+ ch.qos.logback
+ logback-classic
diff --git a/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/CSPReporting.java b/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/CSPReporting.java
index fb77e0ef..af4a20be 100644
--- a/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/CSPReporting.java
+++ b/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/CSPReporting.java
@@ -17,7 +17,6 @@
*/
package de.dominikschadow.webappsecurity;
-import com.cedarsoftware.util.io.JsonWriter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -28,6 +27,7 @@
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
+import java.io.Serial;
import java.nio.charset.Charset;
/**
@@ -37,6 +37,7 @@
*/
@WebServlet(name = "CSPReporting", urlPatterns = {"/CSPReporting"})
public class CSPReporting extends HttpServlet {
+ @Serial
private static final long serialVersionUID = 1L;
private static final Logger LOGGER = LoggerFactory.getLogger(CSPReporting.class);
@@ -50,7 +51,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
responseBuilder.append(inputStr);
}
- LOGGER.info("\n{}", JsonWriter.formatJson(responseBuilder.toString()));
+ LOGGER.info("\n{}", responseBuilder.toString());
} catch (IOException ex) {
LOGGER.error(ex.getMessage(), ex);
}
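Review bot: With `JsonWriter.formatJson` removed at L676-L677, the request body is logged exactly as received, and this endpoint is by design reachable by any browser the policy's report-uri points at, so the body is attacker-controlled: it is presumably no longer validated (malformed JSON used to fail inside formatJson), it is unbounded (the read loop at L674 appends until EOF), and the leading `"\n"` plus any embedded line breaks let a client write arbitrary lines into the log. Reject oversized reports before reading (e.g. `if (request.getContentLength() > 64 * 1024) { response.setStatus(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE); return; }`) and strip line breaks when logging: `LOGGER.info("CSP report: {}", responseBuilder.toString().replaceAll("[\\r\\n]+", " "))`. If pretty-printing is still wanted, parse the body with a JSON library into a tree and log that, which also validates the content. The read loop and the method signature begin before this hunk.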
diff --git a/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithCSPReportingServlet.java b/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithCSPReportingServlet.java
index de606287..ae708c33 100644
--- a/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithCSPReportingServlet.java
+++ b/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithCSPReportingServlet.java
@@ -20,13 +20,13 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
+import java.io.Serial;
/**
* Servlet which sets the Content-Security-Policy-Report-Only
response header and reports
@@ -36,11 +36,12 @@
*/
@WebServlet(name = "WithCSPReportingServlet", urlPatterns = {"/WithCSPReportingServlet"})
public class WithCSPReportingServlet extends HttpServlet {
+ @Serial
private static final long serialVersionUID = 1L;
private static final Logger LOGGER = LoggerFactory.getLogger(WithCSPReportingServlet.class);
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
LOGGER.info("Processing POST request with Content Security Policy Reporting");
String name = request.getParameter("reporting");
diff --git a/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithCSPServlet.java b/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithCSPServlet.java
index 2455b9ba..c5c55551 100644
--- a/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithCSPServlet.java
+++ b/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithCSPServlet.java
@@ -20,13 +20,13 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
+import java.io.Serial;
/**
* Servlet which sets the Content-Security-Policy
response header and stops any JavaScript code entered
@@ -37,11 +37,12 @@
*/
@WebServlet(name = "WithCSPServlet", urlPatterns = {"/WithCSPServlet"})
public class WithCSPServlet extends HttpServlet {
+ @Serial
private static final long serialVersionUID = 1L;
private static final Logger LOGGER = LoggerFactory.getLogger(WithCSPServlet.class);
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
LOGGER.info("Processing POST request with Content Security Policy");
String name = request.getParameter("protected");
diff --git a/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithoutCSPServlet.java b/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithoutCSPServlet.java
index c409a7a6..0f61a6c9 100644
--- a/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithoutCSPServlet.java
+++ b/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithoutCSPServlet.java
@@ -20,13 +20,13 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
+import java.io.Serial;
/**
* Default servlet without any additional protection. Any entered script-tag will be executed on the result page.
@@ -35,11 +35,12 @@
*/
@WebServlet(name = "WithoutCSPServlet", urlPatterns = {"/WithoutCSPServlet"})
public class WithoutCSPServlet extends HttpServlet {
+ @Serial
private static final long serialVersionUID = 1L;
private static final Logger LOGGER = LoggerFactory.getLogger(WithoutCSPServlet.class);
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
LOGGER.info("Processing POST request without Content Security Policy");
String name = request.getParameter("unprotected");
diff --git a/Ch07_CSP/src/main/resources/log4j.xml b/Ch07_CSP/src/main/resources/log4j.xml
deleted file mode 100644
index 012b99da..00000000
--- a/Ch07_CSP/src/main/resources/log4j.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/Ch07_CSP/src/main/resources/logback.xml b/Ch07_CSP/src/main/resources/logback.xml
new file mode 100644
index 00000000..6156c218
--- /dev/null
+++ b/Ch07_CSP/src/main/resources/logback.xml
@@ -0,0 +1,11 @@
+
+
+
+ %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Ch07_XSS/pom.xml b/Ch07_XSS/pom.xml
index a1499bb3..42ca2e35 100644
--- a/Ch07_XSS/pom.xml
+++ b/Ch07_XSS/pom.xml
@@ -31,16 +31,8 @@
h2
- org.slf4j
- slf4j-api
-
-
- org.slf4j
- slf4j-log4j12
-
-
- log4j
- log4j
+ ch.qos.logback
+ logback-classic
org.apache.commons
diff --git a/Ch07_XSS/src/main/java/de/dominikschadow/webappsecurity/domain/Customer.java b/Ch07_XSS/src/main/java/de/dominikschadow/webappsecurity/domain/Customer.java
index 7bc8feb7..72c64f4e 100644
--- a/Ch07_XSS/src/main/java/de/dominikschadow/webappsecurity/domain/Customer.java
+++ b/Ch07_XSS/src/main/java/de/dominikschadow/webappsecurity/domain/Customer.java
@@ -76,13 +76,10 @@ public void setHint(String hint) {
@Override
public String toString() {
- StringBuilder customer = new StringBuilder();
- customer.append("ID ").append(custId);
- customer.append(", Name ").append(name);
- customer.append(", Status ").append(status);
- customer.append(", Order Limit ").append(orderLimit);
- customer.append(", Hint ").append(hint);
-
- return customer.toString();
+ return "ID " + custId +
+ ", Name " + name +
+ ", Status " + status +
+ ", Order Limit " + orderLimit +
+ ", Hint " + hint;
}
}
diff --git a/Ch07_XSS/src/main/resources/log4j.xml b/Ch07_XSS/src/main/resources/log4j.xml
deleted file mode 100644
index 012b99da..00000000
--- a/Ch07_XSS/src/main/resources/log4j.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/Ch07_XSS/src/main/resources/logback.xml b/Ch07_XSS/src/main/resources/logback.xml
new file mode 100644
index 00000000..6156c218
--- /dev/null
+++ b/Ch07_XSS/src/main/resources/logback.xml
@@ -0,0 +1,11 @@
+
+
+
+ %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Ch07_XSS/src/main/webapp/showCustomers.xhtml b/Ch07_XSS/src/main/webapp/showCustomers.xhtml
index 9b606ec9..e13dd2a0 100644
--- a/Ch07_XSS/src/main/webapp/showCustomers.xhtml
+++ b/Ch07_XSS/src/main/webapp/showCustomers.xhtml
@@ -35,8 +35,8 @@
Order Limit
";
private Map maximumMap = null;
diff --git a/Ch07_XSSJSF/src/main/java/de/dominikschadow/webappsecurity/StandardController.java b/Ch07_XSSJSF/src/main/java/de/dominikschadow/webappsecurity/StandardController.java
index ea61a3be..781cd5d5 100644
--- a/Ch07_XSSJSF/src/main/java/de/dominikschadow/webappsecurity/StandardController.java
+++ b/Ch07_XSSJSF/src/main/java/de/dominikschadow/webappsecurity/StandardController.java
@@ -19,6 +19,7 @@
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
+import java.io.Serial;
import java.io.Serializable;
import java.util.LinkedHashMap;
import java.util.Map;
@@ -32,6 +33,7 @@
@ManagedBean(name = "standard")
@SessionScoped
public class StandardController implements Serializable {
+ @Serial
private static final long serialVersionUID = 4083596061570021965L;
private String input = "";
diff --git a/Ch07_XSSJSF/src/main/java/de/dominikschadow/webappsecurity/Status.java b/Ch07_XSSJSF/src/main/java/de/dominikschadow/webappsecurity/Status.java
index 7cc89709..ebebcbc7 100644
--- a/Ch07_XSSJSF/src/main/java/de/dominikschadow/webappsecurity/Status.java
+++ b/Ch07_XSSJSF/src/main/java/de/dominikschadow/webappsecurity/Status.java
@@ -17,6 +17,7 @@
*/
package de.dominikschadow.webappsecurity;
+import java.io.Serial;
import java.io.Serializable;
/**
@@ -25,6 +26,7 @@
* @author Dominik Schadow
*/
public class Status implements Serializable {
+ @Serial
private static final long serialVersionUID = -5176873476153674154L;
private String label;
private String value;
diff --git a/Ch08_CSRF/pom.xml b/Ch08_CSRF/pom.xml
index c630f8dd..b30780a8 100644
--- a/Ch08_CSRF/pom.xml
+++ b/Ch08_CSRF/pom.xml
@@ -20,18 +20,10 @@
org.owasp.esapi
esapi
-
- org.slf4j
- slf4j-api
-
-
- org.slf4j
- slf4j-log4j12
-
-
- log4j
- log4j
-
+
+ ch.qos.logback
+ logback-classic
+
diff --git a/Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/ProtectedServlet.java b/Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/ProtectedServlet.java
index fa954742..7d1ebce0 100644
--- a/Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/ProtectedServlet.java
+++ b/Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/ProtectedServlet.java
@@ -28,6 +28,7 @@
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
+import java.io.Serial;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
@@ -40,6 +41,7 @@
*/
@WebServlet(name = "ProtectedServlet", urlPatterns = {"/ProtectedServlet"})
public class ProtectedServlet extends HttpServlet {
+ @Serial
private static final long serialVersionUID = 1L;
private static final Logger LOGGER = LoggerFactory.getLogger(ProtectedServlet.class);
diff --git a/Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/UnprotectedServlet.java b/Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/UnprotectedServlet.java
index 4b9de048..a982b26c 100644
--- a/Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/UnprotectedServlet.java
+++ b/Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/UnprotectedServlet.java
@@ -20,13 +20,13 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
+import java.io.Serial;
/**
* Basic unprotected servlet for GET and POST requests. Prints out all information to standard out
@@ -36,11 +36,12 @@
*/
@WebServlet(name = "UnprotectedServlet", urlPatterns = {"/UnprotectedServlet"})
public class UnprotectedServlet extends HttpServlet {
+ @Serial
private static final long serialVersionUID = 1L;
private static final Logger LOGGER = LoggerFactory.getLogger(UnprotectedServlet.class);
@Override
- protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doGet(HttpServletRequest request, HttpServletResponse response) {
String newPassword = request.getParameter("newPassword");
String confirmPassword = request.getParameter("confirmPassword");
@@ -66,7 +67,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
}
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
String newPassword = request.getParameter("newPassword");
String confirmPassword = request.getParameter("confirmPassword");
diff --git a/Ch08_CSRF/src/main/resources/log4j.xml b/Ch08_CSRF/src/main/resources/log4j.xml
deleted file mode 100644
index 012b99da..00000000
--- a/Ch08_CSRF/src/main/resources/log4j.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/Ch08_CSRF/src/main/resources/logback.xml b/Ch08_CSRF/src/main/resources/logback.xml
new file mode 100644
index 00000000..6156c218
--- /dev/null
+++ b/Ch08_CSRF/src/main/resources/logback.xml
@@ -0,0 +1,11 @@
+
+
+
+ %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Ch08_CSRF/src/main/webapp/form-working.jsp b/Ch08_CSRF/src/main/webapp/form-working.jsp
index 02783ddc..44d30c75 100644
--- a/Ch08_CSRF/src/main/webapp/form-working.jsp
+++ b/Ch08_CSRF/src/main/webapp/form-working.jsp
@@ -15,12 +15,12 @@
value="<%=CSRFTokenHandler.getToken(request.getSession(false))%>">