Friday, March 25, 2016

Preventing Mass Assignment Attacks in Spring

If you use a wizard to collect data from users over a series of steps, you can open yourself up to a mass assignment attack. OWASP, as always, gives good guidance on this.

How it works

You bind an object to the model and populate its fields as the user progresses through your wizard. So on the first screen you might collect their name, on the second their email, and so on. At each of these steps you validate only the values that were just entered.

However an attacker exploiting mass assignment can bind a field that belongs to step 1 during a later step simply by adding that parameter to the request (in the query string for GET, or equally in the body for POST).

So for the first step you expect a request like this:

And for the second step, one like this:

Instead the attacker supplies this, which is fine and passes our validation:

Followed by this, which is not fine, because email is not validated on this step:

Because Spring's data binder sets every request parameter whose name matches a property of the bound object, the email address is bound in the last case. Your code may not include validation of email (restricted domains, for example) in that step of the wizard, so the unchecked value ends up in the model.

There are a number of approaches to fix this.

Repeat the validations on each step

That is, the validation is accretive: each step re-runs every earlier step's checks on top of its own. Something like this.

Step 1

  • Validate condition 1

Step 2

  • Validate condition 1 again
  • Validate condition 2

and so on.

This leads to some duplication of code - but it is very minimal - only method calls. I plan to put together a neater way of achieving this accretion, but for now this will do.

Isolate each wizard step in its own controller

This lets you use the OWASP recommended approach of whitelisting the bindable fields in an @InitBinder method (binder.setAllowedFields is the whitelist version; binder.setDisallowedFields is the blacklist):

  public class UserController {
     @InitBinder
     public void initBinder(WebDataBinder binder, WebRequest request) {
        binder.setAllowedFields("name", "email"); // whitelist: only these fields are ever bound, so role is dropped
     }
  }

However if you have all the steps in the same controller (a better design in my opinion), a single fixed whitelist does not work, because an @InitBinder method runs before every handler in that controller. You would end up blocking the fields at every step, not just the ones that are prohibited for the current step, unless the binder method inspects the request it is given and chooses the allowed fields for that step.

Blacklist params in handler

You can however use the params attribute of the @RequestMapping annotation to refuse requests that carry particular parameters. This one refuses any request that includes role: Spring MVC will not route the request to the handler, so no binding happens at all, and the client gets an error (Spring MVC reports the unmet params condition as a 400 Bad Request, not the 404 you might expect).

@RequestMapping(value = "/bitofurl", params = "!role")
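As an added example (not the post's own code), here is one way to keep every step in a single controller and still apply the OWASP whitelist per step: the @InitBinder method receives the WebRequest, so the allowed fields can follow a step parameter, with the params = "!role" rejection and the accretive validation from above layered on top. The UserForm bean, the step parameter, the view names and the @example.com domain rule are assumptions for illustration.

```java
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.validation.Errors;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.bind.support.SessionStatus;
import org.springframework.web.context.request.WebRequest;

// Added example, not the post's code. Assumed: a three-field UserForm kept in the
// session across the wizard, and a 'step' request parameter naming the current step.
@Controller
@RequestMapping("/wizard")
@SessionAttributes("userForm")
public class WizardController {

    public static class UserForm {
        private String name;
        private String email;
        private String role = "USER"; // must only ever be set server-side, never bound
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
        public String getRole() { return role; }
        public void setRole(String role) { this.role = role; }
    }

    @ModelAttribute("userForm")
    public UserForm userForm() {
        return new UserForm(); // only invoked when the session holds no form yet
    }

    // Runs before binding on every request this controller handles. Because it receives
    // the WebRequest, the whitelist can follow the step, so one controller can hold all
    // steps without blocking a field a later step legitimately needs. A parameter not on
    // the current step's list (role, or email during step 1) is never set on the bean.
    @InitBinder("userForm")
    public void initBinder(WebDataBinder binder, WebRequest request) {
        String step = request.getParameter("step");
        binder.setDisallowedFields("role");          // never bindable, whatever the step
        if ("1".equals(step)) {
            binder.setAllowedFields("name");
        } else if ("2".equals(step)) {
            binder.setAllowedFields("email");
        } else {
            binder.setDisallowedFields("*");         // unknown step: bind nothing at all
        }
    }

    @RequestMapping(method = RequestMethod.GET, params = "step")
    public String show(@RequestParam("step") String step) {
        return "2".equals(step) ? "wizard/step2" : "wizard/step1";
    }

    // params = "!role" refuses any request carrying role before binding runs
    // (Spring MVC answers 400 for the unmet condition instead of reaching the handler).
    @RequestMapping(method = RequestMethod.POST, params = {"step=1", "!role"})
    public String step1(@ModelAttribute("userForm") UserForm form, BindingResult result) {
        validateName(form, result);
        return result.hasErrors() ? "wizard/step1" : "redirect:/wizard?step=2";
    }

    @RequestMapping(method = RequestMethod.POST, params = {"step=2", "!role"})
    public String step2(@ModelAttribute("userForm") UserForm form, BindingResult result,
                        SessionStatus status) {
        validateName(form, result);   // accretive: step 1's checks are repeated here
        validateEmail(form, result);
        if (result.hasErrors()) {
            return "wizard/step2";
        }
        status.setComplete();         // wizard finished: drop the form from the session
        return "redirect:/wizard/done";
    }

    private void validateName(UserForm form, Errors errors) {
        if (form.getName() == null || form.getName().trim().isEmpty()) {
            errors.rejectValue("name", "name.required", "Name is required");
        }
    }

    private void validateEmail(UserForm form, Errors errors) {
        String email = form.getEmail();
        if (email == null || !email.toLowerCase().endsWith("@example.com")) {
            errors.rejectValue("email", "email.domain", "Email must be an @example.com address");
        }
    }
}
```

With this in place, a POST to /wizard?step=2 carrying name=Mallory&email=x@evil.com has name silently dropped by the binder (it is not on step 2's list) and email rejected by validateEmail; adding role=ADMIN gets a 400 before any binding happens. Note that the whitelist ignores disallowed parameters quietly; if you would rather log or fail on a tampering attempt, the fields that were dropped are available from result.getSuppressedFields() after binding.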

All this is a little awkward and removes some of the elegance of a Spring solution. But mass assignment attacks are serious stuff and can result in all manner of nastiness. Better slightly less elegant code than a compromised user DB.

Saturday, February 20, 2016

Encouraging people to do things with VR

I read an article a few years ago about a study to see if people contribute more to their pension fund if they have seen a future representation of themselves. Not surprisingly they do. I have been bouncing the idea around in my head, so I decided to look up the study. You can read it here.

They used some clever software to produce a 3D model of a person's head which they then aged. The participant was then given a VR headset inside which they could see their older self. They could interact to a limited extent with themselves, so it was better than just a photo of 'you old'.

The experiments were very well run, but basically the outcome was that people can relate to their older self if they see the image and pension contributions go up.

I think this idea is generally fascinating, beyond pension contribution. For example encouraging people to adopt healthy lifestyles is very difficult. Often the pull of pleasure now far outweighs some notion of protecting your future self. If people could see themselves sick, fat and maybe with a few limbs missing they might rethink their choices.

Radical stuff, but really no more than letting people make their own minds up based on what they can see will happen.

Thursday, February 18, 2016

Continuous Learning for Developers

Continuous learning is very important in IT. A break from learning new things for a couple of years can put you in the dark ages.
I have always known this and done my best to keep upskilling, but a few things I have read recently have reminded me how important this is.

Leading Change

John Kotter's Leading Change is a book about managing big change in organisations. It gives a set of steps that should be followed based on the author's experience with change efforts in large numbers of big companies. The most surprising thing about the book is a section at the end where he says that the thing that unites very successful people is lifelong learning.

Big Data

O'Reilly publish a weekly Data Science newsletter. It is well worth a spin if statistics and analysis are your thing. I think that an interest in data is in every developer's interest.
They published an article this week entitled Is your development team ready for Big Data?
Again one of the key skills that a developer should have to be able to handle the challenges of Big Data is continuous learning.

Values in Action

A few years ago I read Authentic Happiness by Martin Seligman. The author had researched the things that make us happy. He analysed world religions to find commonalities which he called Values.  Then he devised a questionnaire which determined which of these virtues were 'yours'. The idea being that if you concentrated on pursuing your virtues you would be happier. The book does a much better job of explaining this and gives solid reasoning too. You can find the survey and others like it here.
Why this talk of happiness and values in a technology blog? Whenever I do this survey 'Love of Learning' comes up at the top of my virtues. Lucky me.

Wednesday, February 17, 2016

Using Statistics to Hire Developers

The Interview

I was interviewing a developer for a mid level position today and he turned out to be not up to scratch. The CV looked pretty good, but when I dug in with some fundamental Java questions he was found wanting. Not an unusual occurrence, but still costly. It took 30 minutes of my time, his time and a number of other people were involved to get the process to this stage.

I wondered if there might be a way to remove some of the candidate CVs from the batch before we do the costly part of interviewing.

Spam or Ham

Classifying CVs could be considered like the Spam/Ham problem. Apache SpamAssassin is a good example of a spam classifier. It can probably be made to classify CVs - or at least try, but it is written in C, I think and that is not my thing any more. This looks interesting, so I forked it, converted it to Eclipse and started the process of making it build with Maven.

First I am going to try this out with spam and ham email, then will try it for other text passages. Maybe CVs if I can get my hands on some. I am not expecting a huge amount of success with this, but I want to try out some Machine Learning techniques in my work. I did this last year and don't want to let all that hard work be for nothing.

Java Interview Questions

If you are going to find yourself on the receiving end of an interview for a Java job, take the time to look up 'Java Interview Questions'. Spending an hour refreshing (or learning) these top items is likely to add considerable polish to your presentation. You can be good, but interviewers have a hard time seeing through rusty skills in an hour.

Tuesday, February 16, 2016

A Philosophy for Modern Applications

I listened to a webinar with Pivotal today and they spoke about some of the thinking behind their Cloud Foundry platform. One of the guides they use to build this is called 12 Factor (the Twelve-Factor App). It is a set of principles devised by the people behind the Heroku cloud platform.

I won't go into the details here, you can read the brief web page yourself, but they cover a broad range of the factors that we often don't think about when we develop large scale enterprise systems.

One such concept is the avoidance of software erosion. This is the gradual degradation of software running in a changing environment: as security holes are discovered in the OS your application runs on, the unpatched OS erodes beneath it; a service on which you rely fails and is not restarted. If items like this are not managed continuously they can result in your application going out of service, and the cost of getting it back may be too great to pay.

A related concept is technical debt. This is the work left undone in a system (shortcuts taken, fixes deferred) that must eventually be paid for before other work can progress to completion. If you don't attend to the debt it grows, as the cost of doing the work gets greater the longer it is left.

Taken together these items are reasons to factor continual maintenance into the costs of software ownership. Using techniques like DevOps in a managed cloud environment, which is what Pivotal were explaining in today's webinar, is a way to keep these problems, which grow with time, under control for less cost.

Monday, February 15, 2016

Tips for passing Oracle Certified Associate in Java 8

I decided to do this exam a few months ago. I have been a Java developer for over 10 years, so this was overdue.

There are a few simple steps and quite a lot of work.

First get a book

I used this one on Kindle. Kindle is the perfect format for this stuff as you can read snippets while you wait at the bus, checkout etc.
Read it through cover to cover. I did not do the exercises on this pass, I was just making sure that I could understand almost everything in there.
Next you should either do the end of chapter exercises, or write small programs to test your understanding. Don't start taking mock exams too early.

Mock exams

These are absolutely required to test your knowledge. I used these ones. I (like most of the people whom I spoke to about this) found I did not know the material as well as I thought. The huge plus for the Enthuware mock exams is that they explain in detail why you were wrong. Take your time understanding why you made the mistakes you did. Don't rush the exams. There are a limited number of them in the download and you can get used to how to answer that set without being prepared for the real exam.
The Enthuware software also builds up a picture of where you are weak and where you are strong. After a couple of mock exams you can check where you are weakest and concentrate on those areas.

The exam

Once you are passing by a decent margin you can go ahead and take the exam. There is plenty of advice on the immediate preparation for the test in the book I recommended.

Good luck!

Sunday, October 26, 2014

A tool for plotting networks - Cytoscape

The networks referred to here are more general than computer networks. Social networks for example. Cytoscape is a great free and flexible way to produce nice graphical output from 'linked node' data. On a recent project I had a requirement for this and Cytoscape did the job well. I would not describe the tool as all that easy to use, but the task it is carrying out is not easy. Once you take some time to familiarise yourself with the basic operation it works very well.

Full details are available here.

A nice feature of Cytoscape is the ability to tie a property of the data to a visual property. For example you can make the thickness of the connecting lines vary with a property of the relationship, such as its weight. You could also use things like colour.

There is a large set of plugins available. Many focus on biology which as the name suggests is the typical domain for this tool, but it is not limited to that.

Cytoscape presents a steep learning curve, but this type of work was formerly the domain of experts only. Now amateurs can have a go too.