SlideShare uma empresa Scribd logo

JSF Input Validation

Source Conference
Source Conference

SOURCE Seattle 2011 - Krishna Raja

Tecnologia
1 de 24
Baixar para ler offline
JSF Security © 2011 Security Compass inc. 1
JSF Input Validation abcd <script> 24c;-- Validated Input © 2011 Security Compass inc. 2
MyFaces: validateRegExpr Tag <%@ taglib uri="http://myfaces.apache.org/tomahawk" prefix="t" %> Using Apache Tomahawk tag library <h:outputLabel for="zip1" value="Zip"/> <t:inputText value="#{order.zipCode}" id="zip1"> <t:validateRegExpr pattern="d{5}" message="ZIP Code must be 5 digits"/> </t:inputText> © 2011 Security Compass inc. 3
Facelets Implementation <html ... xmlns:ui="http://java.sun.com/jsf/facelets" xmlns:t="http://myfaces.apache.org/tomahawk"> <h:inputText type="text" id="val“ value="#{SimpleBean.val}" required="true"> <t:validateRegExpr pattern="[a-zA-Z]{1,100}" /> </h:inputText> © 2011 Security Compass inc. 4
Demo: Facelets validation
Mojarra Validators xmlns:mj=http://mojarra.dev.java.net/mojarra_ext <h:inputText type="text" id="val“ value="#{SimpleBean.val}" required="true"> <mj:regexValidator pattern="[a-zA-Z]{1,50}"/> </h:inputText> There also exists: <mj:creditCardValidator/> © 2011 Security Compass inc. 6
JSF 2.0 Validators • Part of JSF 2.0 core tag library • Can leverage: – <f:validateLength …/> – <f:validateLongRange …/> – <f:validateDoubleRange …/> – <f:validateRegex pattern=“…”/> © 2011 Security Compass inc. 7
Demo: JSF 2.0 Validators
Other JSF Validation Techniques • Validation in Action Controller – Validation tied closely to biz logic – Dependence between different fields • Custom validation methods – More complex validation (i.e. built-in JSF validator doesn’t suit your need) © 2011 Security Compass inc. 9
Output Encoding in JSF <script>alert('xss') &lt; &gt; &#x28;&#x27;&#x29; © 2011 Security Compass inc. 10
<h:outputText> & <h:outputFormat> <h:outputText value="#{param.name}"/> escape attribute is set to “true” by default <h:outputFormat value=“#{param.name}”/> © 2011 Security Compass inc. 11
Output encoding with Facelets <ui:define name="body"> This will safely encode as an HTML element in a Facelet: <h:outputText value="#{SimpleBean.val}"> </h:outputText> </ui:define> EL expression is automatically encoded © 2011 Security Compass inc. 12
But there’s a problem … • <h:outputText> and <h:outputFormat> cannot be used safely within: – HTML attribute – JavaScript or CSS • Similar problem with: Facelets ${bean.name} © 2011 Security Compass inc. 13
Problems with RichFaces • Some tags can lead to XSS • Never use user-supplied data with: – <a4j:loadScript> – <a4j:loadStyle> – <rich:componentControl> • Known vulnerabilities exist with: <rich:editor>, <rich:effect>, <rich:gmap>, <rich:virtualEarth> © 2011 Security Compass inc. 14
Solution: OWASP ESAPI EL <p> <input type="text“ value="${esapi:encodeForHTMLAttribute(dangerous)}"/> </p> <p> <script language="javascript"> var str=${esapi:encodeForJavaScript(dangerous)}; </script> </p> © 2011 Security Compass inc. 15
Demo: ESAPI encoding
Page Level Authorization
ESAPI AccessController • Interface that provides access control for – URLs – Business functions – Data services & files • Contains: – assertAuthorizedForURL(String URL) © 2011 Security Compass inc. 18
Demo: AccessController
Defending Against CSRF Anti-CSRF tokens
What about JSF “view state”? • javax.faces.STATE_SAVING_METHOD – Can save and restore state of the view between requests to server STATE_SAVING_METHOD + JSESSIONID = Anti-CSRF Token ??? © 2011 Security Compass inc. 21
Problem: Padding Oracle Attack • Recently discovered exploit against CBC- mode encryption with PKCS#5 padding • Incorrect padding can result in java.crypto.BadPaddingException • Can use to decrypt STATE_SAVING_METHOD © 2011 Security Compass inc. 22
Solution: OWASP CSRF Guard • Version 3 recently released! • Library that injects per-session or per- request tokens into HTML • Can use 2 strategies to inject token: – JavaScript DOM Manipulation – JSP Tag Library © 2011 Security Compass inc. 23
Demo: Anti-CSRF Tokens

Recomendados

Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Aditya K Sood
 
Introduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityIntroduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityOWASPKerala
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelinesTrupti Shiralkar, CISSP
 
Microsoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable CodeMicrosoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable CodeAleksandar Bozinovski
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework'sMohammed Fazuluddin
 
Java Security
Java SecurityJava Security
Java Securityelliando dias
 
David Thiel - Secure Development On iOS
David Thiel - Secure Development On iOSDavid Thiel - Secure Development On iOS
David Thiel - Secure Development On iOSSource Conference
 

Recomendados

Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Aditya K Sood
 
Introduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityIntroduction to OWASP & Web Application Security
Introduction to OWASP & Web Application SecurityOWASPKerala
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelinesTrupti Shiralkar, CISSP
 
Microsoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable CodeMicrosoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable CodeAleksandar Bozinovski
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework'sMohammed Fazuluddin
 
Java Security
Java SecurityJava Security
Java Securityelliando dias
 
David Thiel - Secure Development On iOS
David Thiel - Secure Development On iOSDavid Thiel - Secure Development On iOS
David Thiel - Secure Development On iOSSource Conference
 
JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE SecurityAlex Kim
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingMasoud Kalali
 
Servlet to Spring: Internal Understanding
Servlet to Spring: Internal UnderstandingServlet to Spring: Internal Understanding
Servlet to Spring: Internal UnderstandingKnoldus Inc.
 
Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019Codemotion
 
Developing With JAAS
Developing With JAASDeveloping With JAAS
Developing With JAASrahmed_sct
 
Untrusted JS Detection with Chrome Dev Tools and static code analysis
Untrusted JS Detection with Chrome Dev Tools and static code analysisUntrusted JS Detection with Chrome Dev Tools and static code analysis
Untrusted JS Detection with Chrome Dev Tools and static code analysisEnrico Micco
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications guest879f38
 
Popular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
Popular Approaches to Preventing Code Injection Attacks are Dangerously WrongPopular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
Popular Approaches to Preventing Code Injection Attacks are Dangerously WrongWaratek Ltd
 
Spring security jwt tutorial toptal
Spring security jwt tutorial toptalSpring security jwt tutorial toptal
Spring security jwt tutorial toptaljbsysatm
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Spring security 2017
Spring security 2017Spring security 2017
Spring security 2017Vortexbird
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Kenneth Peeples
 
Struts & hibernate ppt
Struts & hibernate pptStruts & hibernate ppt
Struts & hibernate pptPankaj Patel
 
Brisk WebApp penetration tester
Brisk WebApp penetration testerBrisk WebApp penetration tester
Brisk WebApp penetration testerBriskInfosec Solutions
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSebastien Gioria
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015gmaran23
 
Struts Interview Questions
Struts Interview QuestionsStruts Interview Questions
Struts Interview Questionsjbashask
 
Struts presentation
Struts presentationStruts presentation
Struts presentationNicolaescu Petru
 
Owasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaOwasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaSecurity Date
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 

Mais conteúdo relacionado

Mais procurados

JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE SecurityAlex Kim
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingMasoud Kalali
 
Servlet to Spring: Internal Understanding
Servlet to Spring: Internal UnderstandingServlet to Spring: Internal Understanding
Servlet to Spring: Internal UnderstandingKnoldus Inc.
 
Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019Codemotion
 
Developing With JAAS
Developing With JAASDeveloping With JAAS
Developing With JAASrahmed_sct
 
Untrusted JS Detection with Chrome Dev Tools and static code analysis
Untrusted JS Detection with Chrome Dev Tools and static code analysisUntrusted JS Detection with Chrome Dev Tools and static code analysis
Untrusted JS Detection with Chrome Dev Tools and static code analysisEnrico Micco
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications guest879f38
 
Popular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
Popular Approaches to Preventing Code Injection Attacks are Dangerously WrongPopular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
Popular Approaches to Preventing Code Injection Attacks are Dangerously WrongWaratek Ltd
 
Spring security jwt tutorial toptal
Spring security jwt tutorial toptalSpring security jwt tutorial toptal
Spring security jwt tutorial toptaljbsysatm
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLinkpigorcraveiro
 
Spring security 2017
Spring security 2017Spring security 2017
Spring security 2017Vortexbird
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Kenneth Peeples
 
Struts & hibernate ppt
Struts & hibernate pptStruts & hibernate ppt
Struts & hibernate pptPankaj Patel
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSebastien Gioria
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015gmaran23
 
Struts Interview Questions
Struts Interview QuestionsStruts Interview Questions
Struts Interview Questionsjbashask
 
Owasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaOwasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaSecurity Date
 

Mais procurados (19)

JavaEE Security
JavaEE SecurityJavaEE Security
JavaEE Security
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missing
 
Servlet to Spring: Internal Understanding
Servlet to Spring: Internal UnderstandingServlet to Spring: Internal Understanding
Servlet to Spring: Internal Understanding
 
Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019
 
Developing With JAAS
Developing With JAASDeveloping With JAAS
Developing With JAAS
 
Untrusted JS Detection with Chrome Dev Tools and static code analysis
Untrusted JS Detection with Chrome Dev Tools and static code analysisUntrusted JS Detection with Chrome Dev Tools and static code analysis
Untrusted JS Detection with Chrome Dev Tools and static code analysis
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications
 
Popular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
Popular Approaches to Preventing Code Injection Attacks are Dangerously WrongPopular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
Popular Approaches to Preventing Code Injection Attacks are Dangerously Wrong
 
Spring security jwt tutorial toptal
Spring security jwt tutorial toptalSpring security jwt tutorial toptal
Spring security jwt tutorial toptal
 
Java EE Application Security With PicketLink
Java EE Application Security With PicketLinkJava EE Application Security With PicketLink
Java EE Application Security With PicketLink
 
Spring security 2017
Spring security 2017Spring security 2017
Spring security 2017
 
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
Peeples authentication authorization_services_with_saml_xacml_with_jboss_eap6
 
Struts & hibernate ppt
Struts & hibernate pptStruts & hibernate ppt
Struts & hibernate ppt
 
Brisk WebApp penetration tester
Brisk WebApp penetration testerBrisk WebApp penetration tester
Brisk WebApp penetration tester
 
Secure Coding for Java - An Introduction
Secure Coding for Java - An IntroductionSecure Coding for Java - An Introduction
Secure Coding for Java - An Introduction
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
 
Struts Interview Questions
Struts Interview QuestionsStruts Interview Questions
Struts Interview Questions
 
Struts presentation
Struts presentationStruts presentation
Struts presentation
 
Owasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaOwasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0beta
 

Semelhante a JSF Input Validation

OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxnmk42194
 
Jetpack, with new features in 2021 GDG Georgetown IO Extended
Jetpack, with new features in 2021 GDG Georgetown IO ExtendedJetpack, with new features in 2021 GDG Georgetown IO Extended
Jetpack, with new features in 2021 GDG Georgetown IO ExtendedToru Wonyoung Choi
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
How to React to JavaScript Insecurity
How to React to JavaScript InsecurityHow to React to JavaScript Insecurity
How to React to JavaScript InsecurityKsenia Peguero
 
WinAppDriver - Windows Store Apps Test Automation
WinAppDriver - Windows Store Apps Test AutomationWinAppDriver - Windows Store Apps Test Automation
WinAppDriver - Windows Store Apps Test AutomationJeremy Kao
 
Spark IT 2011 - Simplified Web Development using Java Server Faces 2.0
Spark IT 2011 - Simplified Web Development using Java Server Faces 2.0Spark IT 2011 - Simplified Web Development using Java Server Faces 2.0
Spark IT 2011 - Simplified Web Development using Java Server Faces 2.0Arun Gupta
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730chadtindel
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Jim Manico
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
25+ Reasons to use OmniFaces in JSF applications
25+ Reasons to use OmniFaces in JSF applications25+ Reasons to use OmniFaces in JSF applications
25+ Reasons to use OmniFaces in JSF applicationsAnghel Leonard
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Hyperproductive JSF 2.0 @ JavaOne Brazil 2010
Hyperproductive JSF 2.0 @ JavaOne Brazil 2010Hyperproductive JSF 2.0 @ JavaOne Brazil 2010
Hyperproductive JSF 2.0 @ JavaOne Brazil 2010Arun Gupta
 
Alberto Maria Angelo Paro - Isomorphic programming in Scala and WebDevelopmen...
Alberto Maria Angelo Paro - Isomorphic programming in Scala and WebDevelopmen...Alberto Maria Angelo Paro - Isomorphic programming in Scala and WebDevelopmen...
Alberto Maria Angelo Paro - Isomorphic programming in Scala and WebDevelopmen...Codemotion
 

Semelhante a JSF Input Validation (20)

OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
Node.js vs Play Framework
Node.js vs Play FrameworkNode.js vs Play Framework
Node.js vs Play Framework
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
 
Attacking HTML5
Attacking HTML5Attacking HTML5
Attacking HTML5
 
Jetpack, with new features in 2021 GDG Georgetown IO Extended
Jetpack, with new features in 2021 GDG Georgetown IO ExtendedJetpack, with new features in 2021 GDG Georgetown IO Extended
Jetpack, with new features in 2021 GDG Georgetown IO Extended
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
How to React to JavaScript Insecurity
How to React to JavaScript InsecurityHow to React to JavaScript Insecurity
How to React to JavaScript Insecurity
 
WinAppDriver - Windows Store Apps Test Automation
WinAppDriver - Windows Store Apps Test AutomationWinAppDriver - Windows Store Apps Test Automation
WinAppDriver - Windows Store Apps Test Automation
 
Spark IT 2011 - Simplified Web Development using Java Server Faces 2.0
Spark IT 2011 - Simplified Web Development using Java Server Faces 2.0Spark IT 2011 - Simplified Web Development using Java Server Faces 2.0
Spark IT 2011 - Simplified Web Development using Java Server Faces 2.0
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
25+ Reasons to use OmniFaces in JSF applications
25+ Reasons to use OmniFaces in JSF applications25+ Reasons to use OmniFaces in JSF applications
25+ Reasons to use OmniFaces in JSF applications
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Hyperproductive JSF 2.0 @ JavaOne Brazil 2010
Hyperproductive JSF 2.0 @ JavaOne Brazil 2010Hyperproductive JSF 2.0 @ JavaOne Brazil 2010
Hyperproductive JSF 2.0 @ JavaOne Brazil 2010
 
Alberto Maria Angelo Paro - Isomorphic programming in Scala and WebDevelopmen...
Alberto Maria Angelo Paro - Isomorphic programming in Scala and WebDevelopmen...Alberto Maria Angelo Paro - Isomorphic programming in Scala and WebDevelopmen...
Alberto Maria Angelo Paro - Isomorphic programming in Scala and WebDevelopmen...
 

Mais de Source Conference

iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on AndroidSource Conference
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICSource Conference
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsSource Conference
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesSource Conference
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network SecuritySource Conference
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration TestersSource Conference
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSource Conference
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserSource Conference
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItSource Conference
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of AnonymousSource Conference
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary plantingSource Conference
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudSource Conference
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?Source Conference
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawSource Conference
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendSource Conference
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationSource Conference
 

Mais de Source Conference (20)

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary planting
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
 

Último

Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 

Último (20)

Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

JSF Input Validation

  • 1. JSF Security © 2011 Security Compass inc. 1
  • 2. JSF Input Validation abcd <script> 24c;-- Validated Input © 2011 Security Compass inc. 2
  • 3. MyFaces: validateRegExpr Tag <%@ taglib uri="http://myfaces.apache.org/tomahawk" prefix="t" %> Using Apache Tomahawk tag library <h:outputLabel for="zip1" value="Zip"/> <t:inputText value="#{order.zipCode}" id="zip1"> <t:validateRegExpr pattern="d{5}" message="ZIP Code must be 5 digits"/> </t:inputText> © 2011 Security Compass inc. 3
  • 4. Facelets Implementation <html ... xmlns:ui="http://java.sun.com/jsf/facelets" xmlns:t="http://myfaces.apache.org/tomahawk"> <h:inputText type="text" id="val“ value="#{SimpleBean.val}" required="true"> <t:validateRegExpr pattern="[a-zA-Z]{1,100}" /> </h:inputText> © 2011 Security Compass inc. 4
  • 6. Mojarra Validators xmlns:mj=http://mojarra.dev.java.net/mojarra_ext <h:inputText type="text" id="val“ value="#{SimpleBean.val}" required="true"> <mj:regexValidator pattern="[a-zA-Z]{1,50}"/> </h:inputText> There also exists: <mj:creditCardValidator/> © 2011 Security Compass inc. 6
  • 7. JSF 2.0 Validators • Part of JSF 2.0 core tag library • Can leverage: – <f:validateLength …/> – <f:validateLongRange …/> – <f:validateDoubleRange …/> – <f:validateRegex pattern=“…”/> © 2011 Security Compass inc. 7
  • 8. Demo: JSF 2.0 Validators
  • 9. Other JSF Validation Techniques • Validation in Action Controller – Validation tied closely to biz logic – Dependence between different fields • Custom validation methods – More complex validation (i.e. built-in JSF validator doesn’t suit your need) © 2011 Security Compass inc. 9
  • 10. Output Encoding in JSF <script>alert('xss') &lt; &gt; &#x28;&#x27;&#x29; © 2011 Security Compass inc. 10
  • 11. <h:outputText> & <h:outputFormat> <h:outputText value="#{param.name}"/> escape attribute is set to “true” by default <h:outputFormat value=“#{param.name}”/> © 2011 Security Compass inc. 11
  • 12. Output encoding with Facelets <ui:define name="body"> This will safely encode as an HTML element in a Facelet: <h:outputText value="#{SimpleBean.val}"> </h:outputText> </ui:define> EL expression is automatically encoded © 2011 Security Compass inc. 12
  • 13. But there’s a problem … • <h:outputText> and <h:outputFormat> cannot be used safely within: – HTML attribute – JavaScript or CSS • Similar problem with: Facelets ${bean.name} © 2011 Security Compass inc. 13
  • 14. Problems with RichFaces • Some tags can lead to XSS • Never use user-supplied data with: – <a4j:loadScript> – <a4j:loadStyle> – <rich:componentControl> • Known vulnerabilities exist with: <rich:editor>, <rich:effect>, <rich:gmap>, <rich:virtualEarth> © 2011 Security Compass inc. 14
  • 15. Solution: OWASP ESAPI EL <p> <input type="text“ value="${esapi:encodeForHTMLAttribute(dangerous)}"/> </p> <p> <script language="javascript"> var str=${esapi:encodeForJavaScript(dangerous)}; </script> </p> © 2011 Security Compass inc. 15
  • 18. ESAPI AccessController • Interface that provides access control for – URLs – Business functions – Data services & files • Contains: – assertAuthorizedForURL(String URL) © 2011 Security Compass inc. 18
  • 21. What about JSF “view state”? • javax.faces.STATE_SAVING_METHOD – Can save and restore state of the view between requests to server STATE_SAVING_METHOD + JSESSIONID = Anti-CSRF Token ??? © 2011 Security Compass inc. 21
  • 22. Problem: Padding Oracle Attack • Recently discovered exploit against CBC- mode encryption with PKCS#5 padding • Incorrect padding can result in java.crypto.BadPaddingException • Can use to decrypt STATE_SAVING_METHOD © 2011 Security Compass inc. 22
  • 23. Solution: OWASP CSRF Guard • Version 3 recently released! • Library that injects per-session or per- request tokens into HTML • Can use 2 strategies to inject token: – JavaScript DOM Manipulation – JSP Tag Library © 2011 Security Compass inc. 23