Secure Coding And Cocktail Parties.
I am going to be very clear about this today. In the past I posted vulnerabilities in many websites, including websites from companies who say they secure web applications, or store web application vulnerabilities, and even those who give out certifications like (ISC)2, and I left out those who talk about application security while using insecure software packages to speak about it, because yeah, it's not their fault, is it? What does that say about them? Well, for starters, it's the same thing as having a police officer committing a crime. It's about time for some introspective analysis for each and everyone in the web application security field before this stuff gets further out of control. No wonder no one takes web application security and its experts seriously; look at the mess around you and your application security vendor who fails to secure himself. So when I see the secure coding group from CERT talk about secure coding standards[1], I get really disappointed when they are vulnerable themselves. It's not like we are dealing with a space mission to Mars, for example; it's just web application security, for fuck's sake! Something that can be explained to any 5th grader on four sheets of paper.
Judge for yourself; it's always useful to gain some extra SQL practice in real life:
A system error has occurred - our apologies! Please ask your Confluence administrator to create a support issue on Atlassian's support system at http://support.atlassian.com with the following information: 1. a description of your problem and what you were doing at the time it occurred 2. a copy of the error and system information found below 3. a copy of the application logs (if possible). Your Confluence administrator can use the support request form to create a support ticket which will include this information. We will respond as promptly as possible. Thank you!

Cause
java.lang.IllegalArgumentException: Invalid search query found in specified search.
  at com.atlassian.confluence.search.v2.lucene.LuceneSearchManager.search(LuceneSearchManager.java:74)
caused by: java.lang.IllegalArgumentException: org.apache.lucene.queryParser.ParseException: Cannot parse '">': Lexical error at line 1, column 3. Encountered: <EOF> after : "\">"
  at com.atlassian.confluence.search.v2.lucene.mapper.TextFieldQueryMapper.convertToLuceneQuery(TextFieldQueryMapper.java:46)
caused by: org.apache.lucene.queryParser.ParseException: Cannot parse '">': Lexical error at line 1, column 3. Encountered: <EOF> after : "\">"
  at org.apache.lucene.queryParser.QueryParser.parse(QueryParser.java:153)

Stack Trace:
java.lang.IllegalArgumentException: Invalid search query found in specified search.
  at com.atlassian.confluence.search.v2.lucene.LuceneSearchManager.search(LuceneSearchManager.java:74)
  at com.atlassian.confluence.search.actions.SearchSiteAction.exactUsernameSearch(SearchSiteAction.java:286)
  at com.atlassian.confluence.search.actions.SearchSiteAction.getContributors(SearchSiteAction.java:237)
  at com.atlassian.confluence.search.actions.SearchSiteAction.validate(SearchSiteAction.java:158)
  [XWork interceptor, servlet filter and Tomcat frames omitted]
  at java.lang.Thread.run(Thread.java:595)
Caused by: java.lang.IllegalArgumentException: org.apache.lucene.queryParser.ParseException: Cannot parse '">': Lexical error at line 1, column 3. Encountered: <EOF> after : "\">"
  at com.atlassian.confluence.search.v2.lucene.mapper.TextFieldQueryMapper.convertToLuceneQuery(TextFieldQueryMapper.java:46)
  at com.atlassian.confluence.search.v2.lucene.mapper.TextFieldQueryMapper.convertToLuceneQuery(TextFieldQueryMapper.java:15)
  at com.atlassian.confluence.search.v2.lucene.DelegatingLuceneSearchMapper.convertToLuceneQuery(DelegatingLuceneSearchMapper.java:30)
  at com.atlassian.confluence.search.v2.lucene.mapper.BooleanQueryMapper.addSubQueries(BooleanQueryMapper.java:43)
  at com.atlassian.confluence.search.v2.lucene.mapper.BooleanQueryMapper.convertToLuceneQuery(BooleanQueryMapper.java:29)
  at com.atlassian.confluence.search.v2.lucene.DelegatingLuceneSearchMapper.convertToLuceneQuery(DelegatingLuceneSearchMapper.java:30)
  at com.atlassian.confluence.search.v2.lucene.LuceneSearchManager.search(LuceneSearchManager.java:52)
  ... 113 more
Caused by: org.apache.lucene.queryParser.ParseException: Cannot parse '">': Lexical error at line 1, column 3. Encountered: <EOF> after : "\">"
  at org.apache.lucene.queryParser.QueryParser.parse(QueryParser.java:153)
  at com.atlassian.confluence.search.v2.lucene.mapper.TextFieldQueryMapper.convertToLuceneQuery(TextFieldQueryMapper.java:42)
  ... 119 more

Referer URL: Unknown

Confluence Application Information
Build Information
buildNumber: 1418
upTime: 2 days, 2 hours, 12 minutes, 11 seconds
devMode: false
version: 2.9.1
home: /var/lib/confluence
Unique ID: 0x0000011D5EDA2F53458D112A3234C9F2472F5C45C3AF54AE9C867DF600E1355
Server information
Application Server: Apache Tomcat/5.5.26
Servlet Version: 2.4
Database Dialect: com.atlassian.hibernate.dialect.MySQLDialect
Database Driver Name: com.mysql.jdbc.Driver
Database Driver Version: 5.0
Database Name: MySQL
Database Version: 4.1.22
Database Transaction Isolation: Repeatable read
Database Latency: 0
Memory Information
Total Memory: 1016 MB
Used Memory: 913 MB
Free Memory: 103 MB
System Information
userName: tomcat
favouriteColour: Sangria
time: 08:05:12
javaVm: Java HotSpot(TM) Client VM
operatingSystemArchitecture: i386
date: Friday, 24 Oct 2008
operatingSystem: Linux 2.6.9-78.0.1.ELsmp
jvmVersion: 1.0
userTimezone: US/Eastern
fileSystemEncoding: UTF-8
jvmImplementationVersion: 1.5.0_16-b02
appServer: Apache Tomcat
javaVendor: Sun Microsystems Inc.
javaVersion: 1.5.0_16
javaRuntime: Java(TM) 2 Runtime Environment, Standard Edition
jvmVendor: Sun Microsystems Inc.
Cluster Information
Not clustered.

Plugins
[full list of installed plugins with their versions omitted]

Request Information
URL https://www.securecoding.cert.org/confluence/500page.jsp
URI /confluence/500page.jsp
Context Path /confluence
Servlet Path /500page.jsp
Query String queryString=%22%3E&queryString=%22%3E&where=conf_all&type=&lastModified=&contributor=%22%3E&contributorUsername=
Headers (Limited subset)
host www.securecoding.cert.org
user-agent Mozilla/1.0 (Windows; U; Windows NT 1.1; en-US; rv:2.9.0.3) Gecko/2002016217
keep-alive 300
connection keep-alive
Attributes
javax.servlet.forward.request_uri /confluence/dosearchsite.action
javax.servlet.forward.context_path /confluence
javax.servlet.forward.servlet_path /dosearchsite.action
javax.servlet.forward.path_info /500page.jsp
javax.servlet.forward.query_string queryString=%22%3E&queryString=%22%3E&where=conf_all&type=&lastModified=&contributor=%22%3E&contributorUsername=
javax.servlet.error.message
javax.servlet.error.exception java.lang.IllegalArgumentException: Invalid search query found in specified search.
os_securityfilter_already_filtered true
com.atlassian.johnson.filters.JohnsonFilter_already_filtered true
__sitemesh__using_stream false
javax.servlet.error.request_uri /confluence/dosearchsite.action
com.atlassian.gzipfilter.GzipFilter_already_filtered true
javax.servlet.error.status_code 500
__sitemesh__filterapplied true
javax.servlet.error.servlet_name action
webwork.valueStack com.opensymphony.xwork.util.OgnlValueStack@e2a5ac
Confluence-Request-Time 1224851735677
loginfilter.already.filtered true
atlassian.core.seraph.original.url /dosearchsite.action?queryString=%22%3E&queryString=%22%3E&where=conf_all&type=&lastModified=&contributor=%22%3E&contributorUsername=
javax.servlet.jsp.jspException java.lang.IllegalArgumentException: Invalid search query found in specified search.
sessioninview.FILTERED true
Parameters (Limited subset)
queryString "> ">
contributorUsername
type
where conf_all
lastModified
contributor ">
Confluence User anonymous
^ Oops, besides this hideous blob of intelligence it also lets us modify the SQL query. Finally something really interesting to discuss at those cocktail parties, or is it?
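As an added example in Python (not Confluence's or CERT's code), this is what fixing both halves of the problem looks like: escaping user text before it reaches the Lucene QueryParser, which is the parser named in the trace, and answering with a 500 that carries only a reference id instead of the platform inventory. It assumes Lucene's documented QueryParser metacharacter set and models only the unbalanced-quote lexical error from the trace, not the full lexer.

```python
"""Added example, not code from the page or from Confluence/CERT.
Assumptions: the metacharacter list is the classic Lucene QueryParser set;
has_unbalanced_quote() is a simplified stand-in for the real lexer that
only covers the 'Encountered: <EOF> after : "\\">' error in the trace."""
import logging
import uuid

log = logging.getLogger("search")

# Characters the classic Lucene QueryParser treats as syntax (same set that
# QueryParser.escape handles). Anything else in user text is already literal.
LUCENE_SPECIAL = set('\\+-!():^[]"{}~*?|&')


def escape_lucene_query(text: str) -> str:
    """Backslash-escape every metacharacter so the user's text is matched
    literally instead of being interpreted as query syntax."""
    return "".join("\\" + c if c in LUCENE_SPECIAL else c for c in text)


def has_unbalanced_quote(text: str) -> bool:
    """Simplified model of the lexical error in the trace: an odd number of
    unescaped double quotes means the lexer reaches EOF inside a phrase."""
    quotes, i = 0, 0
    while i < len(text):
        if text[i] == "\\":        # escaped character: skip it entirely
            i += 2
            continue
        if text[i] == '"':
            quotes += 1
        i += 1
    return quotes % 2 == 1


def build_query(user_text: str, field: str = "content") -> str:
    """Field-scoped query with the user's text escaped. Escaping removes the
    whole 'Cannot parse' class of failures instead of enumerating bad inputs."""
    return f"{field}:{escape_lucene_query(user_text)}"


def handle_search(params: dict) -> dict:
    """Minimal search controller: rejects empty or oversized input with a
    plain message, otherwise hands the parser a query it cannot choke on."""
    raw = params.get("queryString", "")
    if not raw.strip() or len(raw) > 256:
        return {"status": 400, "body": "Please enter a search term."}
    query = build_query(raw)
    # Escaped text can no longer trip the quote lexer; keep the invariant loud.
    assert not has_unbalanced_quote(query)
    return {"status": 200, "query": query}


def safe_error_response(exc: Exception) -> dict:
    """What the 500 page should have looked like: the exception and its stack
    go to the server log under a reference id; the client gets only the id,
    never versions, paths, the service account name or the parser message."""
    ref = uuid.uuid4().hex[:12]
    log.error("search failed ref=%s", ref, exc_info=exc)
    return {"status": 500, "body": f"Something went wrong (ref {ref})."}
```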
[1] https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards
source: OWASP News