Intentionally Insecure Web App

Updated 2015-09-25

BunchOfFriends (formerly named FriendFace) is an intentionally insecure social network to teach web security. It was developed for Java EE 7 and a Derby/JavaDB or MySQL database. It has been tested on the GlassFish 4.1 app server. It is designed to have many of the OWASP Top 10 vulnerabilities.

Download BunchOfFriends:

Before deployment: Create a JDBC resource named “jdbc/aip” (without the quotes). On each deployment, the application will automatically (re)create database tables and pre-populate them with sample data.

Requirements: JavaDB or MySQL is required (for other databases, you'll need to modify SampleData.java). Java EE version 7 is required so you'll need GlassFish version 4.1 (or higher) or an equivalent application server. It should also work on GlassFish 4.0 if you upgrade GlassFish to use JSF/Mojarra version 2.2.2 or higher. One way to ensure these dependencies is to download the Java EE download bundle of Netbeans. In Netbeans, you can create JavaDB databases, launch GlassFish and open the domain admin console from the Services tab.

Purpose: I created the system while teaching a subject on advanced internet programming. It is intended to help teach a security mindset. Feel free to use it for any purpose. However, you should not deploy it on a publicly accessible server because it is so insecure.

License: Feel free to use it however you wish - it is under a Creative Commons Zero / Public Domain license.

BunchOfFriends is an alternative to the OWASP WebGoat project. WebGoat is tutorial oriented: it is a set of guided exercises. In contrast, BunchOfFriends is an ordinary application that is full of security holes.

BunchOfFriends can be used to re-create something like the “Samy” MySpace worm. You can create a profile that virally becomes friends with anybody who sees the profile name.

In the following is a discussion of how the OWASP Top 10 vulnerabilities relate to the application.

Continue Reading (Published 28 December 2014)

JSF Design Pattern

JavaServer Faces is a component-based MVC framework for Java web development. It is the “officially endorsed” web framework in Java EE 7.

JavaServer Faces applications have an unusual structure.

To explain, first consider the difference between using the iterator and visitor design patterns. Assume you want to sum the elements of a list. With an iterator, your code takes an active role. It would request (pull) each element of the list one-by-one. It would then update the total using each element it retrieves. In contrast, a visitor takes a more passive role. You would implement a visitor class that updates a total for every element it receives. The list is then responsible for passing (push) each element to the visitor.

What makes JavaServer Faces applications unique is that their controllers are typically very passive. The controllers in most other MVC frameworks are typically very active. They orchestrate most aspects of transforming inputs into a view. In contrast, in a JavaServer Faces application, the container does most of the orchestration. This inversion of control causes most JavaServer Faces applications to use a design pattern in which the application model is exposed as JavaBeans properties of the controller.

I teach a class on Java EE development. I try to relate design decisions to design patterns. However, I could not find any pattern catalog with a design pattern that resembles JavaServer Faces.

Continue Reading (Published 5 December 2014)

Prolog Web-scraping

In 2005, on comp.lang.prolog, I claimed that Prolog is excellent for screen-scraping web-pages. Last week - almost decade later - I received an email asking, “Why?”

The internet never forgets!

My claim was based on Prolog’s powerful pattern matching features. In Prolog, pattern matching is referred to as unification.

Assume we have a variable called Page whose value is as follows:

Page = html(body(h1('Sydney Weather'), p('Sunny')))

Then if we have a variable called Forecast we can match it to a value using the following command:

html(body(_, p(Forecast))) = Page

Prolog will ‘unify’ both sides and output the result that Forecast = 'Sunny'.

Pattern matching (or unification) is central to screen-scraping. In the remainder of this article I’ll show how to combine unification with a HTTP and HTML parser. I’ll then look briefly at the potential for natural language parsing.

Continue Reading (Published 31 May 2014)

ASP.NET MVC Cheat Sheet

I am currently teaching enterprise development with .NET.

I created this cheat sheet as a quick reference for ASP.NET MVC lab sessions. It includes Entity Framework, Validation, Razor and Controllers.

You might also find it useful.

(Published 16 May 2014)

JavaScript Robots

I fear there is a public perception that robots are too "complicated". It is true that some problems are difficult. However, the basics are very accessible. It has never been easier to get started with robotics.

Programming a robot is literally as easy as creating a web-page.

I’ve recently been using the Sphero robot toy as a way to introduce people to robotics. Sphero works well with several technologies: Ubuntu, ROS, rosbridge, sphero_ros. These technologies make it easy to program complex robot behaviors. Because the technologies are standardized, the same programs can be used on other robots, including the PR2.

In the reminder of this article, I will walk through the process of installing these technologies. Once they are all installed, I’ll demonstrate how to program and control Sphero using JavaScript in a web page!

Continue Reading (Published 9 March 2014)

Audio-feedback Speedometer

Should cars use sound instead of a dashboard?

Speedometer checks take attention away from the road. Audio could communicate the current speed without the driver needing to check the dashboard. It seems reasonable that, with audio feedback, a driver should spend less time looking away from the road.

I put this to the test and it turns out that, no, audio is distracting and annoying.

PLX Devices Kiwi2 Bluetooth ODB-II Interface

To prototype the idea, I purchased a Kiwi2 Bluetooth adapter made by PLX Devices. The device plugs into the On-board Diagnostics (“OBD-II”) socket found in virtually all cars made since 1996. The OBD-II standard is designed for technicians to check engine trouble codes as well as retrieve real-time engine performance data.

Continue Reading (Published 2 February 2014)

The Job Market for Prolog

Prolog is one of my favorite programming languages. It is a very powerful language but has not had significant industry adoption (yet!).

Almost a decade ago, I set up keyword alerts for “Prolog” on the major career websites.

There is also a Project Management software system called Prolog. This resulted in many false alarms over the years. I hadn’t come across a single authentic advertisement in a decade...

... until this one (CareerOne, 5 January 2014):

An advertisement for a Prolog job

I had to pinch myself to be sure I wasn’t dreaming.

(Published 1 February 2014)

Robo-hugs for Woz

Steve Wozniak is the inventor of the Apple I and Apple II. In early January, he visited our research lab to meet our robots.

Steve Wozniak receives a hug from a PR2 robot

In the photograph (by Srinivas Madhisetty), my software is giving Steve Wozniak a hug by a PR2 robot.

Continue Reading (Published 1 February 2014)

Markdown Metadata

My homepage is a place where I can experiment with technology as I know the “client” is tech-savvy.

When designing the technical architecture behind this site, I had three objectives:

  1. The site must be served from static HTML
  2. The site must be easy to update
  3. The technology must be simple and elegant

My solution is to use Markdown encapsulated in RFC822 messages.

Continue Reading (Published 26 January 2014)

Hello, World!

I have decided to start a “blog”. I will use it to highlight my current projects. I will focus on projects that are experimental, incomplete, unsuccessful or ‘just-for-fun’.

Prior versions of my personal website have had ‘static’ designs. They made it difficult to add new content. My intention is that the informality of this format will allow me to share work wouldn’t suit publication elsewhere.

So, welcome! Feel free to let me know what you think!

(Published 25 January 2014)

Published 1 January 2014 by Benjamin Johnston.