albert kao

Ranch Hand
since Feb 04, 2010

Recent posts by albert kao

Piet Souris wrote: Is it possible that one or more of the lines are empty? In that case you would expect an error in this line:
If that is the case, put a .filter in front of the map.

Putting a .filter in front of the map fixed the error.
1 year ago
This program runs ok with a small file but fails with a large file.

Exception in thread "main" java.lang.StringIndexOutOfBoundsException: String index out of range: 0
at java.lang.String.charAt(
at ReadWriteFile2.lambda$0(
at java.util.Iterator.forEachRemaining(
at java.util.Spliterators$IteratorSpliterator.forEachRemaining(
at ReadWriteFile2.main(

Attaching these files gave errors, so I shared them via Dropbox.

1 year ago

Stephan van Hulst wrote: Not really though. Why are you catching the IOException and printing it to the standard output?

If the key contains invalid characters, you may want to wrap the exception in one that's appropriate for your method, and let it propagate up the call stack.

Anyway, the proper code for the old program will be:
1 year ago

Stephan van Hulst wrote: There is no exploit. BASE64Decoder throws an exception when the data is not valid Base64, so unless the code that calls the get() method does very strange things when such an exception is thrown, you don't have to worry.

A bigger issue is that you're treating key material as strings. Key material should be treated as raw binary data.

And why does the client have an opportunity to inject key material in the first place? Why are you sending keys?

Thanks for the comment.
This is an old program written by my colleague, which I don't have to worry about (maintain) now.
Anyway, the proper code will be:
1 year ago

Tim Moores wrote: That page talks about serialized objects - is that what is being sent over the WS? If so, can you change the API so that data is sent instead of objects?

It's hard to be more specific without knowing what kind of data we're talking about. I wouldn't call the act of decoding base-64 "deserialization", BTW, and I'm quite sure OWASP doesn't either.

Thanks for the comment.
1 year ago

Stephan van Hulst wrote: Why, what's wrong with it? Other than that you're treating the key as a string, which you should not, and that you're using an obsolete String constructor...

The String key variable is an input (untrusted data) in a web service.
I am concerned about deserialization of untrusted data. Malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized.
Please see for details.
How to fix this program to prevent hackers from exploiting the vulnerability?
1 year ago
My company still uses JDK 7 (will not upgrade to JDK 8 for now).
I am maintaining an old program.
I am concerned about deserialization of untrusted data.
How to fix this program?

1 year ago
How to import java zipped source code into Eclipse?

I downloaded the zipped source code from (the book Java SE 8 for the Really Impatient by Cay Horstmann).
I created a Java project. (File, New, Java Project).

Then I tried different ways to import the Java source code:
- Import, General, Archive File
- unzip the downloaded source code, then Import, File System

but got errors such as:
- Editor does not contain a main type
- The declared package "" does not match the expected package "sec01"

I can fix these errors one by one, but I would like to know whether there is a proper way to import Java source code from a zipped file to prevent these errors from occurring.
Please help.

I use Eclipse Java EE IDE for Web Developers.
Version: Oxygen.3 Release (4.7.3)
Build id: 20180308-1800
2 years ago
The code has been changed to the following.
Can it be simplified anymore?
.java file

.jsp file
6 years ago

Jeanne Boyarsky wrote: Supposing your bean instance is called owner, this is how to use EL in a JSP to call it:

getNumber has two parameters: Integer index and String ownershipCode.
How to pass values to these two parameters in jsp using Struts 1.x library?
6 years ago
What is the syntax to call getNumber in a jsp?
6 years ago
Solution is:

6 years ago
How to do variable substitution in html:textarea?
Java code


I try to make "lastName" appear at my.jsp but get the following instead:
6 years ago

Jeanne Boyarsky wrote: Yes. What type of object are you iterating through on the form? As a first step, add helper methods to it such as getNumber() and getRequiredIndex(). This will let you move that Java code into a Java object and out of the JSP.

The type of object I am iterating through on the form is:

Do I do something like this?
Please help.

6 years ago
The following Struts 1 jsp code is working fine.
However, is it possible to change the jsp code so as to remove all the Java code?
If it is possible, please show the new jsp code as much as possible.
Existing code:

New code will be similar to this:

6 years ago