Piet Souris wrote: Is it possible that one or more of the lines are empty? In that case you would expect an error in this line:
If that is the case, put a .filter in front of the map.
Stephan van Hulst wrote:Not really though. Why are you catching the IOException and printing it to the standard output?
If the key contains invalid characters, you may want to wrap the exception in one that's appropriate for your method, and let it propagate up the call stack.
Stephan van Hulst wrote:There is no exploit. BASE64Decoder throws an exception when the data is not valid Base64, so unless the code that calls the get() method does very strange things when such an exception is thrown, you don't have to worry.
A bigger issue is that you're treating key material as strings. Key material should be treated as raw binary data.
And why does the client have an opportunity to inject key material in the first place? Why are you sending keys?
Tim Moores wrote:That page talks about serialized objects - is that what is being sent over the WS? If so, can you change the API so that data is sent instead of objects?
It's hard to be more specific without knowing what kind of data we're talking about. I wouldn't call the act of decoding base-64 "deserialization", BTW, and I'm quite sure OWASP doesn't either.
Stephan van Hulst wrote:Why, what's wrong with it? Other than that you're treating the key as a string, which you should not, and that you're using an obsolete String constructor...
Jeanne Boyarsky wrote:Supposing your bean instance is called owner, this is how to use EL in a JSP to call it:
Jeanne Boyarsky wrote: Yes. What type of object are you iterating through on the form? As a first step, add helper methods to it such as getNumber() and getRequiredIndex(). This will let you move that Java code into a Java object and out of the JSP.