Jakob Korherr's Blog

“CDI für Rich Clients” – online version

admin — Thu, 26 Jul 2012 10:34:00 +0000

My article for Eclipse Magazin (see here) is now also available online at http://it-republik.de/jaxenter/artikel/CDI-fuer-Rich-Clients-5012.html

TinyOS syntax highlighting in BBedit

admin — Thu, 24 May 2012 10:21:26 +0000

If you are working with TextWrangler (or BBedit) on TinyOS files (*.nc), you can use the following file to get correct syntax highlighting: TinyOS.plist

To install it for TextWrangler, copy the .plist file to the following directory:

Username/Library/Application Support/TextWrangler/Language Modules

Then restart TextWrangler and you should have a language module called “TinyOS”, which will be automatically applied to *.nc files.

Pong on ATmega1280 dev board

admin — Wed, 23 May 2012 09:46:46 +0000

This video shows my implementation of Pong on an ATmega1280 dev board (AVR 51 microcontroller). The game uses the accelerometer of the respective Wii mote to calculate the racket position of player 1 or 2. To communicate with the Wii motes, it uses a bluetooth module. Furthermore a bundled MP3 and SD-card module is used to play sounds from unreal tournament (stored on the SD-card), each time a player scores a point.

This game was an exercise of the microcontroller course at TU Vienna in 2012S.

“CDI für Rich Clients” in Eclipse Magazin

admin — Thu, 17 May 2012 15:11:29 +0000

I am very happy to announce that the current issue (4.2012) of the german Eclipse Magazin (http://eclipse-magazin.de) includes my article “CDI für Richt Clients”, which is about the integration of Apache OpenWebBeans into Eclipse RCP.

After publishing my blog entry Apache OpenWebBeans meets Eclipse RCP, I was contacted by Claudia Fröhling asking if I wanted to write about this topic for the Eclipse Magazin. I was very glad to get this offer and, of course, agreed to write the article. Authoring such an article was a quite new experience for me, and I really enjoyed it. Hopefully it will not be the last one.

You can obtain a copy of the current Eclipse Magazin here or you can download the iPad app of the magazine.

Web security workshop @ confess 2012

admin — Thu, 10 May 2012 11:28:16 +0000

Yesterday was the workshop day of CONFESS 2012. My workshop was called “How to exploit and fix typical web application vulnerabilities” and that was what we did. I provided two JSF web applications, some PHP scripts and some C files, which all were vulnerable. At the workshop, we tried to break them in as many different ways, as possible.

At the beginning we did a lot of SQL injection exploits, at first manually and later using sqlmap. Then we looked into XSS, XSRF and poor session management. And last but not least we took a look at buffer overflows, using metasploit as shellcode generator. Unfortunately, we did not have time to check out the jsf-security web application, which would have shown some vulnerabilities of (old versions of) JSF 2.

The workshop HOW-TO and all the source files used at the workshop are available at github: https://github.com/jakobk/confess-2012

Web security session @ confess 2012

admin — Mon, 07 May 2012 11:29:33 +0000

Today I spoke at the conference for enterprise software solutions (CONFESS) in Leogang, Austria. My session was called “Introduction to web security” and it explained attacks like SQL injection, XSS, XSRF or buffer overflows. It was quite well-attended and I got lots of positive feedback, which I was really happy about.

As promised at the session, here are the slides as PDF: Web_Security_jakobk.pdf

I really enjoyed speaking at CONFESS, and now I am looking forward to my workshop (again about web security) on Wednesday.

Edit 2012-05-15: The slides are now also available on slideshare:

Introduction to web security @ confess 2012

Apache OpenWebBeans meets Eclipse RCP

admin — Fri, 09 Mar 2012 12:30:32 +0000

Last year I had to do a project at university using Eclipse RCP. Frankly, the Eclipse framework kinda sucked. Thus I tried to pimp Eclipse RCP a little bit, which means I wanted to use OWB and CODI.

After some time I figured out how to combine OWB and Eclipse RCP thanks to the excellent plugin system of OWB. Now I finally found some time to put the relevant classes online. You can find the project at apache-extras: http://code.google.com/a/apache-extras.org/p/openwebbeans-eclipse-rcp/

Please note: Although this is a maven project, I was not able to really build it with maven, b/c I couldn’t find a way to get all the relevant eclipse jars into a maven repo. If you want to use it, the best way is to copy the source files directly into your Eclipse RCP project.

If anyone is interested in getting this stuff running in his/her Eclipse RCP project, just ping me and I can help you with the pitfalls.

JSF value expression injection vulnerability

admin — Tue, 22 Nov 2011 15:40:09 +0000

A few days ago this issue was reported to Mojarra: http://java.net/jira/browse/JAVASERVERFACES-2247.

It basically states that it is possible in JSF 2 to perform ValueExpression injection when includeViewParams is set to true on a navigation case.

To illustrate this in a better way, I created an example project at apache-extras, which shows the vulnerability: http://code.google.com/a/apache-extras.org/p/jsf-includeviewparams-security-hole-example/

Use the following steps to run the example:

svn checkout http://svn.codespot.com/a/apache-extras.org/jsf-includeviewparams-security-hole-example/trunk/
mvn clean jetty:run-exploded -PjettyConfig
go to http://localhost:8080/include-view-params-security and follow the instructions

This vulnerability exists, because JSF treats the value of a view parameter as a ValueExpression when performing a navigation case with includeViewParams=true. For further details, see the issues at Mojarra and MyFaces: http://java.net/jira/browse/JAVASERVERFACES-2247 and https://issues.apache.org/jira/browse/MYFACES-3405

Until this is fixed you should avoid using includeViewParams=true!

Bachelor thesis about relative resource handler

admin — Tue, 08 Nov 2011 13:52:49 +0000

I am very happy to announce that I will write my bachelor thesis at the research group for industrial software (INSO) at Vienna University of Technology. The thesis will be about my work on the relative resource handler for JSF 2 [1].

Together with Marcus Büttner and Mark Struberg I will adapt the relative resource handler for the administration software of the Vienna University of Technology, TISS [2]. For this task the relative resource handler will include some new features apart from supporting relative paths between resources, like e.g. supporting external resource locations. Check out the issue tracker for all enhancements [3]. Also, we already created a wiki page [4] for a list of all requirements.

Stay tuned!

[1] http://code.google.com/a/apache-extras.org/p/relative-resource-handler/
[2] https://tiss.tuwien.ac.at/
[3] http://code.google.com/a/apache-extras.org/p/relative-resource-handler/issues/list
[4] http://code.google.com/a/apache-extras.org/p/relative-resource-handler/wiki/Requirements

MyFaces 2.1 is now trunk

admin — Mon, 02 May 2011 19:07:19 +0000

After a discussion about keeping our 2.0.x and 2.1.x branches in sync last week on the MyFaces dev mailing list, we decided to promote the 2.1.x branch to trunk. In addition, we created a 2.0.x maintenance branch.

MyFaces core 2.1.x is now here:

https://svn.apache.org/repos/asf/myfaces/core/trunk/
https://svn.apache.org/repos/asf/myfaces/shared/trunk/
or
https://svn.apache.org/repos/asf/myfaces/current21/

MyFaces core 2.0.x is now here:

https://svn.apache.org/repos/asf/myfaces/core/branches/2.0.x/
https://svn.apache.org/repos/asf/myfaces/shared/trunk_4.0.x/
or
https://svn.apache.org/repos/asf/myfaces/current20/