Web Service

Corba

How many types of protocol implementations does RMI have?

RMI has at least three protocol implementations: Java Remote Method Protocol (JRMP), Internet Inter-ORB Protocol (IIOP), and Jini Extensible Remote Invocation (JERI). These are alternatives, not parts of the same thing. All three are layer 6 protocols, for those who still speak in terms of the OSI reference model.

Explain RMI Architecture?

RMI uses a layered architecture; each layer can be enhanced or replaced without affecting the rest of the system. The layers can be summarised as follows:

* Application Layer: The client and server program.
* Stub & Skeleton Layer: Intercepts method calls made by the client and redirects these calls to a remote RMI service.
* Remote Reference Layer: Understands how to interpret and manage references made from clients to the remote service objects.
* Transport Layer: Based on TCP/IP connections between machines in a network. It provides basic connectivity, as well as some firewall penetration strategies.

What is the difference between RMI and CORBA?

The most significant difference between RMI and CORBA is that CORBA was made specifically for interoperability across programming languages. That is, CORBA fosters the notion that programs can be built to interact in multiple languages. In theory, the server could be written in C++, the business logic in Python, and the front end in COBOL. RMI, on the other hand, is a total Java solution: the interfaces, the implementations and the clients are all written in Java.

RMI allows dynamic loading of classes at runtime. In a multi-language CORBA environment, dynamic class loading is not possible. The important advantage to dynamic class loading is that it allows arguments to be passed in remote invocations that are subtypes of the declared types. In CORBA, all types have to be known in advance. RMI (as well as RMI/IIOP) provides support for polymorphic parameter passing, whereas strict CORBA does not. CORBA does have support for multiple languages which is good for some applications, but RMI has the advantage of being dynamic, which is good for other applications.

design pattern

http://www.cs.usyd.edu.au/~cs3/oos/design-patterns.html
http://www.codeguru.com/forum/showthread.php?t=327982

Bridge vs. Adapter

Differences:

* Adapter provides an implementation abstraction over an existing legacy system to provide functions that would otherwise be too difficult to add to the existing system, or impossible due to lack of source code, documentation, etc.
* Bridge allows the interface used to reach some common component to be decoupled from the actual implementation of that component.

Similarities:

* Both provide an interface above actual code and implementation to ease development and allow the nitty-grittiness of raw code to be hidden.
* Both are essentially a wrapper that provides an interface to the actual hidden implementation.

security

Top Five Web Security Bugs In Custom Code
http://it.toolbox.com/blogs/programming-life/top-five-web-security-bugs-in-custom-code-33821

http://www.cgisecurity.com/security-questions.html

What is a False Positive?

A False Positive is when you think you have a specific vulnerability in your program but in fact you don't.

False Negative

A false negative is the opposite of a false positive (go figure!). You may run a security scanner like Nessus and for one reason or another it may miss a vulnerability that may in fact exist.

HTTP TRACE

HTTP defines 8 methods. HTTP TRACE echoes back the received request, so that a client can see what intermediate servers are adding or changing in the request.

What is a Security Fuzzer?

A Security fuzzer is a tool used by security professionals (and professional hackers :) to test a parameter of an application.

Typical fuzzers test an application for buffer overflows, format string vulnerabilities, and error handling.

More advanced fuzzers incorporate functionality to test for directory traversal attacks, command execution vulnerabilities, SQL Injection and Cross Site Scripting vulnerabilities. Web Vulnerability scanners typically perform all of this functionality, and can be considered an advanced fuzzer.

Popular free fuzzers include SPIKE Proxy, Peach Fuzzer Framework, and WebScarab.

XSS

  • what is XSS:

Cross-site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it, such as a redirect, cookie logging, or an executable download.

Malicious user input, for example:

<script>alert("xss-tutorial");</script>

If a user is logged into the site and an attacker tricks the user's browser into making a request to one of these task URLs, then the task is performed and logged as the logged-in user.

  • how to prevent

- Converting < and > to &lt; and &gt; is also suggested when it comes to script output.
- You can also attempt to filter out ( and ) by translating them to &#40; and &#41;, " to &#34;, ' to &#39;, and also # and & by translating them to &#35; (#) and &#38; (&).

  • HTML Injection?

HTML Injection refers to injecting HTML code into a web server's response to alter the content shown to the end user. This is also known as Cross Site Scripting.
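The character translations listed under "how to prevent", as an added example that is not part of the original page (function names are illustrative). It encodes in a single pass and shows the pitfall of applying the replacements one after another in the order the list reads, where the final `&` step re-encodes entities produced by earlier steps.

```python
# Entity table from the prevention list above. str.translate rewrites every
# character in one pass, so an entity emitted for one character is never
# touched again when '#' and '&' are handled.
ENTITIES = str.maketrans({
    "&": "&#38;", "#": "&#35;", "<": "&lt;", ">": "&gt;",
    "(": "&#40;", ")": "&#41;", '"': "&#34;", "'": "&#39;",
})

def encode_output(value: str) -> str:
    """Encode untrusted text before placing it in HTML element content."""
    return value.translate(ENTITIES)

def encode_sequential(value: str) -> str:
    """Pitfall: chained replace() calls ending with '#' and '&' mangle earlier output."""
    for raw, entity in [("<", "&lt;"), (">", "&gt;"), ("(", "&#40;"), (")", "&#41;"),
                        ('"', "&#34;"), ("'", "&#39;"), ("#", "&#35;"), ("&", "&#38;")]:
        value = value.replace(raw, entity)
    return value

def render_greeting(name: str) -> str:
    """Hypothetical page fragment that echoes a user-supplied name."""
    return "<p>Hello, " + encode_output(name) + "</p>"

if __name__ == "__main__":
    sample = '<script>alert("xss-tutorial");</script>'   # input quoted on the page
    print(render_greeting(sample))      # markup arrives as inert text
    print(encode_output("<"))           # correct single-pass result
    print(encode_sequential("<"))       # double-encoded: browser shows "&lt;" literally
```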

SQL Injection

select id from employees where name='joe'

We expect the user to enter joe in the web input box. However, if the user enters malicious input such as:
joe' or '1'='1
then the WHERE clause is always true and the query returns every record:

select id from employees where name='joe' or '1'='1'
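The query above built by string concatenation next to a parameterized version, as an added example that is not part of the original page. The table contents and function names are constructed for illustration, and SQLite stands in for whatever database the application uses.

```python
import sqlite3

def make_db():
    """Constructed in-memory employees table (sample rows, not from the page)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER)")
    db.executemany(
        "INSERT INTO employees (name, salary) VALUES (?, ?)",
        [("joe", 50000), ("ann", 72000), ("raj", 65000)],
    )
    return db

def lookup_concatenated(db, name):
    """Vulnerable: the input becomes part of the SQL text and is parsed as SQL."""
    query = "select id from employees where name='" + name + "' order by id"
    return [row[0] for row in db.execute(query)]

def lookup_parameterized(db, name):
    """Hardened: the driver binds the value, so it can only ever be compared as data."""
    query = "select id from employees where name=? order by id"
    return [row[0] for row in db.execute(query, (name,))]

if __name__ == "__main__":
    db = make_db()
    hostile = "joe' or '1'='1"                   # always-true input
    print(lookup_concatenated(db, "joe"))        # one row, as intended
    print(lookup_concatenated(db, hostile))      # every row in the table
    print(lookup_parameterized(db, hostile))     # no employee has that literal name
    print(lookup_parameterized(db, "joe"))       # legitimate lookups still work
```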

Blind SQL Injection
When an attacker executes SQL Injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL query's syntax is incorrect. Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather than getting a useful error message they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. An attacker can still steal data by asking a series of True and False questions through SQL statements.

session fixation attack

Session Fixation is an attack technique that forces a user's session ID to an explicit value. After a user's session ID has been fixed, the attacker will wait for them to log in. Once the user does so, the attacker uses the predefined session ID value to assume their online identity.

Command execution vulnerability

http://www.webappsec.org/projects/threat/classes/os_commanding.shtml

Example: by appending a semicolon (;) followed by an operating system command, it is possible to force the web application into executing the second command:

http://example/directory.php?dir=%3Bcat%20/etc/passwd

The result will retrieve the contents of the /etc/passwd file.
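A hardened directory listing for the `dir` parameter, as an added example that is not part of the original page (function names and the sample tree are constructed). It confines the path to a base directory and passes it to `ls` as a single argument without a shell, so the semicolon is never interpreted.

```python
import subprocess
import tempfile
from pathlib import Path

def shell_string(dir_param):
    """What a concatenating handler hands to the shell (built here, never executed)."""
    return "ls " + dir_param

def list_directory(base, dir_param):
    """Hardened listing: confine the path to `base` and never involve a shell."""
    root = Path(base).resolve()
    target = (root / dir_param).resolve()
    if target != root and root not in target.parents:
        raise ValueError("path escapes the served directory")
    if not target.is_dir():
        raise ValueError("no such directory")
    # argv list, no shell: ';' and spaces are plain characters inside one argument.
    # '--' ends option parsing, so a name starting with '-' is not read as a flag.
    done = subprocess.run(["ls", "--", str(target)],
                          capture_output=True, text=True, check=True)
    return done.stdout.splitlines()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:      # constructed sample tree
        (Path(base) / "docs").mkdir()
        (Path(base) / "docs" / "readme.txt").write_text("hello")
        print(list_directory(base, "docs"))
        for hostile in (";cat /etc/passwd", "../../etc"):
            print(repr(shell_string(hostile)))       # two commands if a shell parsed it
            try:
                list_directory(base, hostile)
            except ValueError as err:
                print("rejected:", err)
```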

server side include

<!--#exec cmd="/bin/ls /" -->

Xpath injection

XPath Injection is an attack technique used to exploit web sites that construct XPath queries from user-supplied input.

encryption

digital signature

You can use your private key to encrypt the message, then send it to Paul. Paul can try to decrypt it using your public key.

However, this is not a good solution: if the message is long, the encrypted message may double in size and the encryption takes a lot of time.

one way hashing

A one-way hash function is one for which it is very fast to calculate the digest of a given message, but extremely difficult to calculate a message given a digest.

No matter how long the input is, the output from the one way hash function is always the same small size (e.g., 128 bits).

Now, to prove to Paul that you know your private key, you can use your private key to encrypt the message digest (because the digest is small, the result is also small and the encryption process will be fast), then send both the message and the encrypted digest to Paul.
1) He can try to decrypt the digest using your public key.
2) Then he can calculate the digest from the message.
Finally, he compares the two. If the two match, then the person producing the encrypted digest must be you.
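The sign-the-digest procedure above, as an added example that is not part of the original page. It uses textbook RSA with no padding and a constructed key whose prime factors are publicly known, purely to make the arithmetic visible; real signatures use a padded scheme such as RSASSA-PSS from a vetted library.

```python
import hashlib

# Constructed toy key built from two published Mersenne primes. The factors
# are public knowledge, so this key protects nothing.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                                  # public modulus
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)

def digest_int(message: bytes) -> int:
    """SHA-256 digest as an integer: 256 bits however long the message is."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """'Encrypt the digest with the private key': digest^D mod N."""
    return pow(digest_int(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Paul's steps: recover the digest with the public key, recompute it, compare."""
    recovered = pow(signature, E, N)
    return recovered == digest_int(message)

if __name__ == "__main__":
    message = b"Pay Paul 100 dollars" * 1000        # long message, small signature input
    signature = sign(message)
    print(verify(message, signature))               # untouched message verifies
    print(verify(message + b"0", signature))        # any change to the message fails
    print(verify(message, signature + 1))           # a forged signature fails
```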

encrypt message

What if you want to keep the message available to Paul only?
1) Just sign it as usual.
2) Encrypt the message and the digest using Paul's public key.
3) When Paul receives it, he uses his private key to decrypt it and then goes on to verify the signature as usual.

You use Paul's public key to do message encryption. However, in practice few people would do it this way, because asymmetric encryption is very slow. In contrast, symmetric encryption is a lot faster. To solve this problem:
1) you can generate a random symmetric key and use it to encrypt the message,
2) then use Paul's public key to encrypt that symmetric key and send it to Paul along with the encrypted message.

Paul can use his private key to get back the symmetric key and then use it to decrypt the message.

certificate

However, when you need to, say, send a confidential message to Paul, you'll need his public key. But how can you find out his public key?

To solve the problem, Paul may go to a government authority, show his ID card and so on, and tell the authority his public key.
Then the authority will generate an electronic message (like an email) stating Paul's public key. Finally, it signs that message using the authority's own private key. Such a signed message is called a "certificate".

Then Paul can put his certificate on his personal web site, email it to you directly or put it onto some third-party public web site. Where you get the certificate from is unimportant. What is important is that if you can verify the signature of that CA and you trust what the CA says, then you can trust the public key in the certificate.

In order to verify the signature, you will need the public key of that CA. What?! You're back to the origin of the problem. However, you only need to find out a single public key for a single entity (the CA), not a public key for everyone you need to communicate with. How to obtain that public key? Usually it is already configured in your browser.

For the public key of the CA, you don't directly store its public key. Instead, you store its certificate, which contains its public key. But who issued that certificate to it? It was issued by itself (signed by its own private key).

Summary

In order to use PKI, typically you should have:
1) a private key for yourself (see the diagram below),
2) a certificate for yourself that you can send to others,
3) a certificate for each person that you need to send something confidential to (e.g., Paul and Mary),
4) and the public keys of the CAs that you trust, i.e. the certificate of each CA itself.

Key generation algorithm: DSA or RSA.
The signature algorithm (SHA1withRSA): hash the message using SHA1 first and then encrypt the result using the RSA private key. If you don't specify it here, keytool will use MD5withRSA. But MD5 is known to be insecure nowadays, so don't use MD5 for hashing anymore. SHA1 has since been shown to be vulnerable to practical collisions as well, so for new keys prefer SHA256withRSA.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License