- Ch05_SessionHandling
+ Chapter 05 - Session Handling
Cookie information in popup is empty because of web.xml protection.
diff --git a/Ch06_SQLInjection/pom.xml b/Ch06_SQLInjection/pom.xml
index 12ef8783..28746248 100644
--- a/Ch06_SQLInjection/pom.xml
+++ b/Ch06_SQLInjection/pom.xml
@@ -30,16 +30,8 @@
hibernate-core
- org.slf4j
- slf4j-api
-
-
- org.slf4j
- slf4j-log4j12
-
-
- log4j
- log4j
+ ch.qos.logback
+ logback-classic
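Review bot: The `logback-classic` coordinate that replaces `slf4j-api`, `slf4j-log4j12` and `log4j` carries no version or scope visible in this hunk, so the pin to a current release cannot be confirmed from the diff; the same swap is made in the Ch06_XPathInjection, Ch07_CSP, Ch07_XSS and Ch08_CSRF pom.xml hunks. Because `slf4j-api` is no longer declared directly, the servlets now compile against whatever `slf4j-api` logback-classic pulls in transitively, and a major-version mismatch with the `org.slf4j` imports would presumably surface only at runtime as a missing binding, so check the resolved version once with `mvn dependency:tree`. Retiring the end-of-life log4j 1.x line is a sound supply-chain cleanup in itself.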
diff --git a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/domain/Customer.java b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/domain/Customer.java
index 7bc8feb7..72c64f4e 100644
--- a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/domain/Customer.java
+++ b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/domain/Customer.java
@@ -76,13 +76,10 @@ public void setHint(String hint) {
@Override
public String toString() {
- StringBuilder customer = new StringBuilder();
- customer.append("ID ").append(custId);
- customer.append(", Name ").append(name);
- customer.append(", Status ").append(status);
- customer.append(", Order Limit ").append(orderLimit);
- customer.append(", Hint ").append(hint);
-
- return customer.toString();
+ return "ID " + custId +
+ ", Name " + name +
+ ", Status " + status +
+ ", Order Limit " + orderLimit +
+ ", Hint " + hint;
}
}
diff --git a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/HQLServlet.java b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/HQLServlet.java
index 99c499c0..771b7b5f 100644
--- a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/HQLServlet.java
+++ b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/HQLServlet.java
@@ -23,7 +23,6 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
@@ -43,7 +42,7 @@ public class HQLServlet extends HttpServlet {
private static final Logger LOGGER = LoggerFactory.getLogger(HQLServlet.class);
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
String name = request.getParameter("name");
LOGGER.info("Received {} as POST parameter", name);
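Review bot: Dropping `throws ServletException` from `doPost` is fine for an override, but the raw `name` request parameter is still written to the log unchanged on the line after the new signature, and the logback pattern introduced in this commit (`%msg%n`) does not neutralize CR/LF, so a value containing line breaks can forge extra log records; the same applies to the matching hunks in PreparedStatementServlet, StatementEscapingServlet and StatementServlet. A one-line fix at the call site is `LOGGER.info("Received {} as POST parameter", name == null ? null : name.replaceAll("[\\r\\n]", "_"));`, or do it centrally in the encoder pattern so every servlet benefits. `doPost` continues beyond the hunk.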
diff --git a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/InitDbServlet.java b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/InitDbServlet.java
index e861e44c..76d8931f 100644
--- a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/InitDbServlet.java
+++ b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/InitDbServlet.java
@@ -14,6 +14,7 @@
*/
@WebServlet(name = "InitDbServlet", urlPatterns = {"/"})
public class InitDbServlet extends HttpServlet {
+ @Override
public void init() {
Session session = getSessionFactory().openSession();
session.close();
diff --git a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/PreparedStatementServlet.java b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/PreparedStatementServlet.java
index 185a184e..f404a1d1 100644
--- a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/PreparedStatementServlet.java
+++ b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/PreparedStatementServlet.java
@@ -20,7 +20,6 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
@@ -41,7 +40,7 @@ public class PreparedStatementServlet extends HttpServlet {
private static final Logger LOGGER = LoggerFactory.getLogger(PreparedStatementServlet.class);
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
String name = request.getParameter("name");
LOGGER.info("Received {} as POST parameter", name);
diff --git a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/StatementEscapingServlet.java b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/StatementEscapingServlet.java
index a72a73e2..bcdf3f5e 100644
--- a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/StatementEscapingServlet.java
+++ b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/StatementEscapingServlet.java
@@ -22,7 +22,6 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
@@ -43,7 +42,7 @@ public class StatementEscapingServlet extends HttpServlet {
private static final Logger LOGGER = LoggerFactory.getLogger(StatementEscapingServlet.class);
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
String name = request.getParameter("name");
LOGGER.info("Received {} as POST parameter", name);
diff --git a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/StatementServlet.java b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/StatementServlet.java
index 5ee18ab6..773c4834 100644
--- a/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/StatementServlet.java
+++ b/Ch06_SQLInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/StatementServlet.java
@@ -20,7 +20,6 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
@@ -41,7 +40,7 @@ public class StatementServlet extends HttpServlet {
private static final Logger LOGGER = LoggerFactory.getLogger(StatementServlet.class);
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
String name = request.getParameter("name");
LOGGER.info("Received {} as POST parameter", name);
diff --git a/Ch06_SQLInjection/src/main/resources/log4j.xml b/Ch06_SQLInjection/src/main/resources/log4j.xml
deleted file mode 100644
index 012b99da..00000000
--- a/Ch06_SQLInjection/src/main/resources/log4j.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/Ch06_SQLInjection/src/main/resources/logback.xml b/Ch06_SQLInjection/src/main/resources/logback.xml
new file mode 100644
index 00000000..6156c218
--- /dev/null
+++ b/Ch06_SQLInjection/src/main/resources/logback.xml
@@ -0,0 +1,11 @@
+
+
+
+ %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Ch06_XPathInjection/pom.xml b/Ch06_XPathInjection/pom.xml
index 83ae9433..9542dc13 100644
--- a/Ch06_XPathInjection/pom.xml
+++ b/Ch06_XPathInjection/pom.xml
@@ -22,16 +22,8 @@
esapi
- org.slf4j
- slf4j-api
-
-
- org.slf4j
- slf4j-log4j12
-
-
- log4j
- log4j
+ ch.qos.logback
+ logback-classic
diff --git a/Ch06_XPathInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/XPathEscapingServlet.java b/Ch06_XPathInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/XPathEscapingServlet.java
index 1e145cf0..8dc8c65b 100644
--- a/Ch06_XPathInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/XPathEscapingServlet.java
+++ b/Ch06_XPathInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/XPathEscapingServlet.java
@@ -24,7 +24,6 @@
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
-import javax.annotation.PostConstruct;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
@@ -53,10 +52,9 @@ public class XPathEscapingServlet extends HttpServlet {
private static final Logger LOGGER = LoggerFactory.getLogger(XPathEscapingServlet.class);
private static Document doc;
- @PostConstruct
@Override
public void init() {
- try (InputStream inputStream = getClass().getClassLoader().getResourceAsStream("/customer.xml");) {
+ try (InputStream inputStream = getClass().getClassLoader().getResourceAsStream("/customer.xml")) {
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
doc = dBuilder.parse(inputStream);
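Review bot: The tidied `try` line still calls `getClass().getClassLoader().getResourceAsStream("/customer.xml")` with a leading slash; `ClassLoader` resource names are already root-relative, so on the JDK's URL class loaders this returns `null` and `dBuilder.parse(inputStream)` fails with an `IllegalArgumentException` instead of loading the document (some container class loaders appear to tolerate the slash, which may be why it worked so far) — the same line is in XPathServlet.init(). Use `getClass().getResourceAsStream("/customer.xml")`, where the class-relative lookup accepts the leading slash, or drop the slash. While `init()` is being touched, the `DocumentBuilderFactory` is left at its defaults; `customer.xml` is a bundled resource so the risk is low, but `dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` before `newDocumentBuilder()` keeps the parser from ever resolving external entities. The try block continues past the hunk.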
@@ -75,14 +73,13 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
String safePassword = ESAPI.encoder().encodeForXPath(password);
LOGGER.info("Using safe name {} and {}", safeName, safePassword);
- StringBuilder xpathExpression = new StringBuilder();
- xpathExpression.append("/customers/customer[name='");
- xpathExpression.append(safeName);
- xpathExpression.append("' and @password='");
- xpathExpression.append(safePassword);
- xpathExpression.append("']/orderLimit");
+ String xpathExpression = "/customers/customer[name='" +
+ safeName +
+ "' and @password='" +
+ safePassword +
+ "']/orderLimit";
- printOrderLimit(xpathExpression.toString(), name, response);
+ printOrderLimit(xpathExpression, name, response);
}
private void printOrderLimit(String xpath, String name, HttpServletResponse response) {
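Review bot: The rewritten expression still depends on `ESAPI.encoder().encodeForXPath` keeping `safeName` and `safePassword` inside the quoted literals; that is the chapter's intended fix, but for the "safe" variant a stronger form is to bind the values as XPath variables (`$name`, `$password` via `XPath.setXPathVariableResolver`) so no escaping is involved at all. Independently, the `LOGGER.info("Using safe name {} and {}", safeName, safePassword)` line just above the rewrite writes the submitted password to the log in clear; logging only the name, `LOGGER.info("Using safe name {}", safeName);`, avoids persisting a credential. `doPost` begins before the hunk.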
diff --git a/Ch06_XPathInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/XPathServlet.java b/Ch06_XPathInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/XPathServlet.java
index 7a5401d9..d68d3738 100644
--- a/Ch06_XPathInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/XPathServlet.java
+++ b/Ch06_XPathInjection/src/main/java/de/dominikschadow/webappsecurity/servlets/XPathServlet.java
@@ -23,7 +23,6 @@
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
-import javax.annotation.PostConstruct;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
@@ -52,10 +51,9 @@ public class XPathServlet extends HttpServlet {
private static final Logger LOGGER = LoggerFactory.getLogger(XPathServlet.class);
private static Document doc;
- @PostConstruct
@Override
public void init() {
- try (InputStream inputStream = getClass().getClassLoader().getResourceAsStream("/customer.xml");) {
+ try (InputStream inputStream = getClass().getClassLoader().getResourceAsStream("/customer.xml")) {
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
doc = dBuilder.parse(inputStream);
@@ -70,14 +68,13 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
String password = request.getParameter("password");
LOGGER.info("Received {} and {} as parameter", name, password);
- StringBuilder xpathExpression = new StringBuilder();
- xpathExpression.append("/customers/customer[name='");
- xpathExpression.append(name);
- xpathExpression.append("' and @password='");
- xpathExpression.append(password);
- xpathExpression.append("']/orderLimit");
+ String xpathExpression = "/customers/customer[name='" +
+ name +
+ "' and @password='" +
+ password +
+ "']/orderLimit";
- printOrderLimit(xpathExpression.toString(), name, response);
+ printOrderLimit(xpathExpression, name, response);
}
private void printOrderLimit(String xpath, String name, HttpServletResponse response) {
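Review bot: The rewritten expression inserts `name` and `password` into the XPath literal unescaped, which is the intentionally vulnerable variant for this chapter, but nothing in the code says so and a reader comparing it with XPathEscapingServlet has to infer the intent. Add above the `String xpathExpression = ...` line: `// Intentionally vulnerable: name and password are inserted unescaped to demonstrate XPath injection; see XPathEscapingServlet for the safe version.` The preceding `LOGGER.info("Received {} and {} as parameter", name, password)` also records the submitted password in clear, which the same comment should call out if the log output is ever shared. `doPost` begins before the hunk.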
diff --git a/Ch06_XPathInjection/src/main/resources/log4j.xml b/Ch06_XPathInjection/src/main/resources/log4j.xml
deleted file mode 100644
index 012b99da..00000000
--- a/Ch06_XPathInjection/src/main/resources/log4j.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/Ch06_XPathInjection/src/main/resources/logback.xml b/Ch06_XPathInjection/src/main/resources/logback.xml
new file mode 100644
index 00000000..6156c218
--- /dev/null
+++ b/Ch06_XPathInjection/src/main/resources/logback.xml
@@ -0,0 +1,11 @@
+
+
+
+ %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Ch06_XPathInjection/src/main/webapp/index.jsp b/Ch06_XPathInjection/src/main/webapp/index.jsp
index b6a4ca43..3b67bfff 100644
--- a/Ch06_XPathInjection/src/main/webapp/index.jsp
+++ b/Ch06_XPathInjection/src/main/webapp/index.jsp
@@ -3,10 +3,10 @@
- Ch06_XPathInjection
+ Chapter 06 - XPath Injection
- Ch06_XPathInjection
+ Chapter 06 - XPath Injection
Valid customers are: Arthur Dent, Ford Prefect, Tricia Trillian McMillan, Zaphod Beeblebrox, Marvin, Slartibartfast
Password is always their first name.
diff --git a/Ch07_CSP/pom.xml b/Ch07_CSP/pom.xml
index ddca2ec2..fe84aa0e 100644
--- a/Ch07_CSP/pom.xml
+++ b/Ch07_CSP/pom.xml
@@ -20,20 +20,8 @@
javax.servlet-api
- com.cedarsoftware
- json-io
-
-
- org.slf4j
- slf4j-api
-
-
- org.slf4j
- slf4j-log4j12
-
-
- log4j
- log4j
+ ch.qos.logback
+ logback-classic
diff --git a/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/CSPReporting.java b/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/CSPReporting.java
index 8848672a..af4a20be 100644
--- a/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/CSPReporting.java
+++ b/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/CSPReporting.java
@@ -17,11 +17,9 @@
*/
package de.dominikschadow.webappsecurity;
-import com.cedarsoftware.util.io.JsonWriter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
@@ -29,6 +27,8 @@
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
+import java.io.Serial;
+import java.nio.charset.Charset;
/**
* Simple CSP-Reporting servlet to receive and print out any JSON style CSP report with violations.
@@ -37,12 +37,13 @@
*/
@WebServlet(name = "CSPReporting", urlPatterns = {"/CSPReporting"})
public class CSPReporting extends HttpServlet {
+ @Serial
private static final long serialVersionUID = 1L;
private static final Logger LOGGER = LoggerFactory.getLogger(CSPReporting.class);
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
- try (BufferedReader reader = new BufferedReader(new InputStreamReader(request.getInputStream()))) {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
+ try (BufferedReader reader = new BufferedReader(new InputStreamReader(request.getInputStream(), Charset.defaultCharset()))) {
StringBuilder responseBuilder = new StringBuilder();
String inputStr;
@@ -50,7 +51,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
responseBuilder.append(inputStr);
}
- LOGGER.info("\n{}", JsonWriter.formatJson(responseBuilder.toString()));
+ LOGGER.info("\n{}", responseBuilder.toString());
} catch (IOException ex) {
LOGGER.error(ex.getMessage(), ex);
}
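Review bot: The new `new InputStreamReader(request.getInputStream(), Charset.defaultCharset())` decodes the report with the JVM's platform charset rather than the one the client declared; CSP violation reports are JSON sent as UTF-8, so on a non-UTF-8 default the logged report is mangled, whereas `request.getReader()` honors the request's `Content-Type` charset (seed it with `setCharacterEncoding("UTF-8")` when none is declared). In addition, `/CSPReporting` is an unauthenticated endpoint that reads the whole body into a `StringBuilder` with no upper bound, and the line-by-line loop (`responseBuilder.append(inputStr)`) appears to drop the body's line breaks now that `JsonWriter.formatJson` is gone. The rewrite below bounds the read and answers 413 when the cap is exceeded; `MAX_REPORT_CHARS` is a constructed example value, and the newly added `java.nio.charset.Charset` import becomes unused. The class's field declarations start before this hunk.
```java
    // Upper bound on the accepted report body; constructed example value, tune for the deployment.
    private static final int MAX_REPORT_CHARS = 64 * 1024;

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) {
        try {
            // CSP reports are JSON sent as UTF-8; fall back to it only when the client declared nothing.
            if (request.getCharacterEncoding() == null) {
                request.setCharacterEncoding("UTF-8");
            }
            try (BufferedReader reader = request.getReader()) {
                StringBuilder report = new StringBuilder();
                char[] chunk = new char[1024];
                int read;
                while ((read = reader.read(chunk)) != -1) {
                    // Reject oversized bodies instead of buffering them unbounded on an unauthenticated endpoint.
                    if (report.length() + read > MAX_REPORT_CHARS) {
                        response.setStatus(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
                        return;
                    }
                    report.append(chunk, 0, read);
                }
                LOGGER.info("\n{}", report);
            }
        } catch (IOException ex) {
            LOGGER.error(ex.getMessage(), ex);
        }
    }
```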
diff --git a/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithCSPReportingServlet.java b/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithCSPReportingServlet.java
index de606287..ae708c33 100644
--- a/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithCSPReportingServlet.java
+++ b/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithCSPReportingServlet.java
@@ -20,13 +20,13 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
+import java.io.Serial;
/**
* Servlet which sets the Content-Security-Policy-Report-Only
response header and reports
@@ -36,11 +36,12 @@
*/
@WebServlet(name = "WithCSPReportingServlet", urlPatterns = {"/WithCSPReportingServlet"})
public class WithCSPReportingServlet extends HttpServlet {
+ @Serial
private static final long serialVersionUID = 1L;
private static final Logger LOGGER = LoggerFactory.getLogger(WithCSPReportingServlet.class);
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
LOGGER.info("Processing POST request with Content Security Policy Reporting");
String name = request.getParameter("reporting");
diff --git a/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithCSPServlet.java b/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithCSPServlet.java
index 2455b9ba..c5c55551 100644
--- a/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithCSPServlet.java
+++ b/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithCSPServlet.java
@@ -20,13 +20,13 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
+import java.io.Serial;
/**
* Servlet which sets the Content-Security-Policy
response header and stops any JavaScript code entered
@@ -37,11 +37,12 @@
*/
@WebServlet(name = "WithCSPServlet", urlPatterns = {"/WithCSPServlet"})
public class WithCSPServlet extends HttpServlet {
+ @Serial
private static final long serialVersionUID = 1L;
private static final Logger LOGGER = LoggerFactory.getLogger(WithCSPServlet.class);
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
LOGGER.info("Processing POST request with Content Security Policy");
String name = request.getParameter("protected");
diff --git a/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithoutCSPServlet.java b/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithoutCSPServlet.java
index c409a7a6..0f61a6c9 100644
--- a/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithoutCSPServlet.java
+++ b/Ch07_CSP/src/main/java/de/dominikschadow/webappsecurity/WithoutCSPServlet.java
@@ -20,13 +20,13 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
+import java.io.Serial;
/**
* Default servlet without any additional protection. Any entered script-tag will be executed on the result page.
@@ -35,11 +35,12 @@
*/
@WebServlet(name = "WithoutCSPServlet", urlPatterns = {"/WithoutCSPServlet"})
public class WithoutCSPServlet extends HttpServlet {
+ @Serial
private static final long serialVersionUID = 1L;
private static final Logger LOGGER = LoggerFactory.getLogger(WithoutCSPServlet.class);
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
LOGGER.info("Processing POST request without Content Security Policy");
String name = request.getParameter("unprotected");
diff --git a/Ch07_CSP/src/main/resources/log4j.xml b/Ch07_CSP/src/main/resources/log4j.xml
deleted file mode 100644
index 012b99da..00000000
--- a/Ch07_CSP/src/main/resources/log4j.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/Ch07_CSP/src/main/resources/logback.xml b/Ch07_CSP/src/main/resources/logback.xml
new file mode 100644
index 00000000..6156c218
--- /dev/null
+++ b/Ch07_CSP/src/main/resources/logback.xml
@@ -0,0 +1,11 @@
+
+
+
+ %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Ch07_CSP/src/main/webapp/index.jsp b/Ch07_CSP/src/main/webapp/index.jsp
index e9bdb65f..a46e19a4 100644
--- a/Ch07_CSP/src/main/webapp/index.jsp
+++ b/Ch07_CSP/src/main/webapp/index.jsp
@@ -4,10 +4,10 @@
- Ch07_CSP
+ Chapter 07 - Content Security Policy (CSP)
- Ch07_CSP
+ Chapter 07 - Content Security Policy (CSP)
Without Content Security Policy
diff --git a/Ch07_XSS/pom.xml b/Ch07_XSS/pom.xml
index a1499bb3..42ca2e35 100644
--- a/Ch07_XSS/pom.xml
+++ b/Ch07_XSS/pom.xml
@@ -31,16 +31,8 @@
h2
- org.slf4j
- slf4j-api
-
-
- org.slf4j
- slf4j-log4j12
-
-
- log4j
- log4j
+ ch.qos.logback
+ logback-classic
org.apache.commons
diff --git a/Ch07_XSS/src/main/java/de/dominikschadow/webappsecurity/domain/Customer.java b/Ch07_XSS/src/main/java/de/dominikschadow/webappsecurity/domain/Customer.java
index 7bc8feb7..72c64f4e 100644
--- a/Ch07_XSS/src/main/java/de/dominikschadow/webappsecurity/domain/Customer.java
+++ b/Ch07_XSS/src/main/java/de/dominikschadow/webappsecurity/domain/Customer.java
@@ -76,13 +76,10 @@ public void setHint(String hint) {
@Override
public String toString() {
- StringBuilder customer = new StringBuilder();
- customer.append("ID ").append(custId);
- customer.append(", Name ").append(name);
- customer.append(", Status ").append(status);
- customer.append(", Order Limit ").append(orderLimit);
- customer.append(", Hint ").append(hint);
-
- return customer.toString();
+ return "ID " + custId +
+ ", Name " + name +
+ ", Status " + status +
+ ", Order Limit " + orderLimit +
+ ", Hint " + hint;
}
}
diff --git a/Ch07_XSS/src/main/resources/log4j.xml b/Ch07_XSS/src/main/resources/log4j.xml
deleted file mode 100644
index 012b99da..00000000
--- a/Ch07_XSS/src/main/resources/log4j.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/Ch07_XSS/src/main/resources/logback.xml b/Ch07_XSS/src/main/resources/logback.xml
new file mode 100644
index 00000000..6156c218
--- /dev/null
+++ b/Ch07_XSS/src/main/resources/logback.xml
@@ -0,0 +1,11 @@
+
+
+
+ %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Ch07_XSS/src/main/webapp/showCustomers.xhtml b/Ch07_XSS/src/main/webapp/showCustomers.xhtml
index 9b606ec9..e13dd2a0 100644
--- a/Ch07_XSS/src/main/webapp/showCustomers.xhtml
+++ b/Ch07_XSS/src/main/webapp/showCustomers.xhtml
@@ -35,8 +35,8 @@
Order Limit
";
private Map maximumMap = null;
diff --git a/Ch07_XSSJSF/src/main/java/de/dominikschadow/webappsecurity/StandardController.java b/Ch07_XSSJSF/src/main/java/de/dominikschadow/webappsecurity/StandardController.java
index ea61a3be..781cd5d5 100644
--- a/Ch07_XSSJSF/src/main/java/de/dominikschadow/webappsecurity/StandardController.java
+++ b/Ch07_XSSJSF/src/main/java/de/dominikschadow/webappsecurity/StandardController.java
@@ -19,6 +19,7 @@
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
+import java.io.Serial;
import java.io.Serializable;
import java.util.LinkedHashMap;
import java.util.Map;
@@ -32,6 +33,7 @@
@ManagedBean(name = "standard")
@SessionScoped
public class StandardController implements Serializable {
+ @Serial
private static final long serialVersionUID = 4083596061570021965L;
private String input = "";
diff --git a/Ch07_XSSJSF/src/main/java/de/dominikschadow/webappsecurity/Status.java b/Ch07_XSSJSF/src/main/java/de/dominikschadow/webappsecurity/Status.java
index 7cc89709..ebebcbc7 100644
--- a/Ch07_XSSJSF/src/main/java/de/dominikschadow/webappsecurity/Status.java
+++ b/Ch07_XSSJSF/src/main/java/de/dominikschadow/webappsecurity/Status.java
@@ -17,6 +17,7 @@
*/
package de.dominikschadow.webappsecurity;
+import java.io.Serial;
import java.io.Serializable;
/**
@@ -25,6 +26,7 @@
* @author Dominik Schadow
*/
public class Status implements Serializable {
+ @Serial
private static final long serialVersionUID = -5176873476153674154L;
private String label;
private String value;
diff --git a/Ch08_CSRF/pom.xml b/Ch08_CSRF/pom.xml
index c630f8dd..b30780a8 100644
--- a/Ch08_CSRF/pom.xml
+++ b/Ch08_CSRF/pom.xml
@@ -20,18 +20,10 @@
org.owasp.esapi
esapi
-
- org.slf4j
- slf4j-api
-
-
- org.slf4j
- slf4j-log4j12
-
-
- log4j
- log4j
-
+
+ ch.qos.logback
+ logback-classic
+
diff --git a/Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/ProtectedServlet.java b/Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/ProtectedServlet.java
index fa954742..7d1ebce0 100644
--- a/Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/ProtectedServlet.java
+++ b/Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/ProtectedServlet.java
@@ -28,6 +28,7 @@
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
+import java.io.Serial;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
@@ -40,6 +41,7 @@
*/
@WebServlet(name = "ProtectedServlet", urlPatterns = {"/ProtectedServlet"})
public class ProtectedServlet extends HttpServlet {
+ @Serial
private static final long serialVersionUID = 1L;
private static final Logger LOGGER = LoggerFactory.getLogger(ProtectedServlet.class);
diff --git a/Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/UnprotectedServlet.java b/Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/UnprotectedServlet.java
index 4b9de048..a982b26c 100644
--- a/Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/UnprotectedServlet.java
+++ b/Ch08_CSRF/src/main/java/de/dominikschadow/webappsecurity/servlets/UnprotectedServlet.java
@@ -20,13 +20,13 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
+import java.io.Serial;
/**
* Basic unprotected servlet for GET and POST requests. Prints out all information to standard out
@@ -36,11 +36,12 @@
*/
@WebServlet(name = "UnprotectedServlet", urlPatterns = {"/UnprotectedServlet"})
public class UnprotectedServlet extends HttpServlet {
+ @Serial
private static final long serialVersionUID = 1L;
private static final Logger LOGGER = LoggerFactory.getLogger(UnprotectedServlet.class);
@Override
- protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doGet(HttpServletRequest request, HttpServletResponse response) {
String newPassword = request.getParameter("newPassword");
String confirmPassword = request.getParameter("confirmPassword");
@@ -66,7 +67,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t
}
@Override
- protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException {
+ protected void doPost(HttpServletRequest request, HttpServletResponse response) {
String newPassword = request.getParameter("newPassword");
String confirmPassword = request.getParameter("confirmPassword");
diff --git a/Ch08_CSRF/src/main/resources/log4j.xml b/Ch08_CSRF/src/main/resources/log4j.xml
deleted file mode 100644
index 012b99da..00000000
--- a/Ch08_CSRF/src/main/resources/log4j.xml
+++ /dev/null
@@ -1,16 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/Ch08_CSRF/src/main/resources/logback.xml b/Ch08_CSRF/src/main/resources/logback.xml
new file mode 100644
index 00000000..6156c218
--- /dev/null
+++ b/Ch08_CSRF/src/main/resources/logback.xml
@@ -0,0 +1,11 @@
+
+
+
+ %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Ch08_CSRF/src/main/webapp/form-working.jsp b/Ch08_CSRF/src/main/webapp/form-working.jsp
index 02783ddc..44d30c75 100644
--- a/Ch08_CSRF/src/main/webapp/form-working.jsp
+++ b/Ch08_CSRF/src/main/webapp/form-working.jsp
@@ -15,12 +15,12 @@
value="<%=CSRFTokenHandler.getToken(request.getSession(false))%>">