Friday Nov 06, 2009

Web Site Performance Tips and Tools


Web Site Performance Tips

  • Make Fewer HTTP Requests
    • reduce the number of components in a page by combining all CSS into a single stylesheet and all JS into a single script
  • Use A Content Delivery Network
    • such as Akamai Technologies, Mirror Image Internet, or Limelight Networks. 
  • Add An Expires Header
    • for static components set a far future expires header
    • for dynamic components use a Cache-Control header
  • GZIP Components
    • reduces response times by reducing the size of the HTTP response.
  • Put Stylesheets At The Top
    • allows the page to display whatever content it has as soon as possible. 
  • Put Scripts At The Bottom
    • scripts block parallel downloads, which slows rendering of page
  • Avoid CSS Expressions For Dynamic Properties
    • they may be evaluated thousands of times and could affect the performance of your page.
  • Make JS and CSS External
    • if multiple pages re-use the same scripts and stylesheets, then making JS and CSS external files produces faster pages because the files are cached by the browser.
  • Reduce DNS Lookups
    • Reducing the number of unique hostnames used in the page's URL, images, script files and stylesheets reduces the number of DNS lookups, but it also reduces the amount of parallel downloading. Split these components across at least 2 but no more than 4 hostnames.
  • Minify JavaScript
    • remove unnecessary characters from code to reduce its size: whitespace, comments, etc. Two popular tools for minifying JavaScript code are JSMin and YUI Compressor.
  • Avoid Redirects
    • redirects are slow; using an Apache Alias or mod_rewrite instead is faster
  • Remove Duplicate Scripts
  • Configure ETags
    • An ETag is a string that uniquely identifies a specific version of a component. It is used in conditional GET requests: the browser sends the ETag back in the If-None-Match header, and when the ETags match the server returns a 304 status code with no body, reducing the size of the response.
  • Optimize Images
  • Reduce Cookie Size
    • Information about cookies is exchanged in the HTTP headers between web servers and browsers.  Keep the size of cookies as low as possible to minimize the impact on the user's response time.
  • Avoid 404 errors
  • JavaScript:
    • make the AJAX responses cacheable, add an Expires or a Cache-Control Header. 
    • write efficient JS
    • reduce DOM elements
    • Make the messages between server and browser as small as possible
    • Don't rewrite the server application in JavaScript
  • Only Generate Content when Things Change
    • Break the system into components so that you can isolate the costs of things that change rapidly from those that change infrequently.
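As an added example (not code from the original post), the following stand-alone Java class sketches the conditional GET mechanism described under Configure ETags together with the Expires and Cache-Control tips: the ETag is derived from the component's content, so every server in a cluster computes the same value, static components get a far-future Expires header and dynamic ones a Cache-Control header (the 60-second max-age is an assumed value).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.HashMap;
import java.util.Map;

public class ConditionalGetDemo {
    /** Status code plus response headers for one served component. */
    static final class Response {
        final int status;
        final Map<String, String> headers = new HashMap<>();
        Response(int status) { this.status = status; }
    }

    /** Strong ETag: quoted hex SHA-256 of the bytes, identical on every server that holds the same file. */
    static String etagFor(byte[] body) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(body);
        StringBuilder hex = new StringBuilder("\"");
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.append('"').toString();
    }

    /** Conditional GET: a matching If-None-Match gets 304 and no body; otherwise 200 with caching headers. */
    static Response serve(Map<String, String> requestHeaders, byte[] body, boolean isStatic) throws Exception {
        String etag = etagFor(body);
        String ifNoneMatch = requestHeaders.get("If-None-Match");
        if (ifNoneMatch != null) {
            for (String candidate : ifNoneMatch.split(",")) {   // header may list several ETags
                String c = candidate.trim();
                if (c.equals("*") || c.equals(etag)) {
                    Response notModified = new Response(304);
                    notModified.headers.put("ETag", etag);
                    return notModified;
                }
            }
        }
        Response ok = new Response(200);
        ok.headers.put("ETag", etag);
        if (isStatic) {
            // static component: far-future Expires header, one year out
            ZonedDateTime farFuture = ZonedDateTime.now(ZoneOffset.UTC).plusYears(1);
            ok.headers.put("Expires", DateTimeFormatter.RFC_1123_DATE_TIME.format(farFuture));
        } else {
            // dynamic component: Cache-Control instead (max-age of 60 s is an assumed value)
            ok.headers.put("Cache-Control", "private, max-age=60");
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        byte[] css = "body { margin: 0 }".getBytes(StandardCharsets.UTF_8); // constructed sample component
        Response first = serve(new HashMap<>(), css, true);       // first request: full response
        System.out.println(first.status + " " + first.headers);
        Map<String, String> revalidate = new HashMap<>();
        revalidate.put("If-None-Match", first.headers.get("ETag")); // browser revalidates with the ETag
        Response second = serve(revalidate, css, true);
        System.out.println(second.status + " " + second.headers);
    }
}
```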

Web Site Performance Tools

Tools to find out What to Fix

  • HttpWatch
    • HttpWatch is an HTTP viewer and debugger that integrates with IE and Firefox to provide seamless HTTP and HTTPS monitoring
  • Firebug
    • Firebug integrates with Firefox. With Firebug you can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page.
  • Fiddler
    • Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet.
  • Network Protocol Analyzers:

Tools to find out How to Fix it

  • YSlow
    • YSlow analyzes web pages and suggests ways to improve their performance based on a set of rules for high performance web pages. YSlow is a Firefox add-on integrated with the Firebug web development tool. YSlow grades a web page based on one of three predefined rulesets or a user-defined ruleset. It offers suggestions for improving the page's performance, summarizes the page's components, displays statistics about the page, and provides tools for performance analysis, including Smush.it and JSLint.
  • Page Speed
    • Page Speed is an open-source Firefox/Firebug Add-on. Webmasters and web developers can use Page Speed to evaluate the performance of their web pages and to get suggestions on how to improve them.
  • Pagetest
    • Pagetest allows you to provide the URL of a webpage to be tested. The test will be conducted from the location specified and you will be provided a waterfall of your page load performance as well as a comparison against an optimization checklist.
  • Visual Round Trip Analyzer
    • Microsoft Web page performance visualizer and analyzer
  • neXpert Performance Tool
    • neXpert is an add-on to Fiddler Web Debugger which aids in performance testing web applications.  neXpert was created to reduce the time it takes to look for performance issues with Fiddler and to create a deliverable that can be used to educate development teams.
  • MSFast
    • MSFast is a browser plugin that helps developers improve their code's performance by capturing and measuring possible bottlenecks on their web pages.

Other Tools 

  • CSS Sprite Generator
    • CSS Sprites are the preferred method for reducing the number of image requests. Combine your background images into a single image and use the CSS background-image and background-position properties to display the desired image segment.
  • SpriteMe (in progress)
  • Hammerhead
    • Hammerhead adds a tab to Firebug for measuring the load time of web pages
  • Cuzillion
    • Cuzillion is a tool for quickly constructing web pages to see how components interact.
    • uses optimization techniques specific to image format to remove unnecessary bytes from image files
    • Once installed, all JS files are minified on demand, leaving commented source intact
  • JSLint
    • JavaScript Code Quality Tool

References and More Information:

Thursday Oct 15, 2009

The Top 10 Web Application security vulnerabilities

Yesterday I gave a talk at the Jacksonville JUG about the Top 10 most critical web application security vulnerabilities identified by the Open Web Application Security Project (OWASP).

You can view or download the presentation here

Top 10 Web Security Vulnerabilities

References and More Information:

You can use OWASP's WebGoat to learn more about the OWASP Top Ten security vulnerabilities. WebGoat is an example web application, which has lessons showing "what not to do" code, how to exploit the code, and corrected code for each vulnerability.

You can use the OWASP Enterprise Security API Toolkit to protect against the OWASP Top Ten security vulnerabilities.

The ESAPI Swingset is a web application which demonstrates the many uses of the Enterprise Security API.

Thursday Oct 08, 2009

OWASP Top 10 number 3: Malicious File Execution

Number 3 in the Top 10 most critical web application security vulnerabilities identified by the Open Web Application Security Project (OWASP) is Malicious File Execution, which occurs when an attacker's files are executed or processed by the web server. This can happen when an input filename is compromised or an uploaded file is improperly trusted:


  • a file is accepted from the user without validating its content
  • a filename is accepted from the user

In the example below a file name is accepted from the user and appended to the server's filesystem path:
    // get the absolute file path on the server's filesystem
    String dir = servlet.getServletContext().getRealPath("/ebanking");
    // get the input file name straight from the request (the defect: it is never validated)
    String file = request.getParameter("file");
    // create a new File instance from the pathname string
    File f = new File((dir + "\\" + file).replaceAll("\\\\", "/"));

If the filename is manipulated to ../../web.xml, it might allow access to web server properties.

Malicious File Execution can result in:

  • files loaded from another server and executed within the context of the web server
  • modifying paths to gain access to directories on the web server
  • malicious scripts put into a directory with inadequate access controls

Protecting against Malicious File Execution

  • the Java EE Security Manager should be properly configured to not allow access to files outside the web root.
  • do not allow user input to influence the path name for server resources
    • Inspect code containing a file open, include, create, delete...
  • firewall rules should prevent new outbound connections to external web sites or internally back to any other server. Or isolate the web server in a private subnet
  • Upload files to a destination outside of the web application directory.
    • Enable virus scan on the destination directory.

Java specific Protecting against Malicious File Execution

Use the OWASP ESAPI HTTPUtilities interface:

  • The ESAPI HTTPUtilities interface is a collection of methods that provide additional security related to HTTP requests, responses, sessions, cookies, headers, and logging.

    The HTTPUtilities getSafeFileUploads method uses Apache Commons FileUpload to parse the multipart HTTP request and extract any files therein:
    public interface HTTPUtilities {
        // ESAPI 1.x: uploads are parsed into tempDir and, once checked, copied to finalDir
        List getSafeFileUploads(File tempDir, File finalDir) throws ValidationException;
    }
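As an added example that is neither the post's nor ESAPI's code, the following stand-alone Java class applies the two rules above (no user influence over the path name, files only inside the intended directory) to the getRealPath("/ebanking") snippet: a whitelist on the bare file name plus a canonical-path check that the resolved file still lies under the base directory. The whitelist pattern and the temp-dir stand-in for the servlet context path are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

public class SafeFileResolver {
    /** Assumed whitelist for a bare file name: alphanumeric first (no dotfiles), then letters, digits, '.', '_' or '-'; no path separators. */
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,63}");

    /**
     * Resolves a user-supplied name against baseDir and returns the File only if
     * the canonical result still lies inside baseDir. The whitelist rejects "../"
     * and separators up front; the canonical-path comparison is the second line
     * of defence for anything the pattern did not anticipate.
     */
    static File resolveInside(File baseDir, String userFile) throws IOException {
        if (userFile == null || !SAFE_NAME.matcher(userFile).matches()) {
            throw new IllegalArgumentException("rejected file name: " + userFile);
        }
        String base = baseDir.getCanonicalPath() + File.separator;
        File candidate = new File(baseDir, userFile);
        if (!candidate.getCanonicalPath().startsWith(base)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return candidate;
    }

    /** Convenience wrapper: true when the name would be accepted. */
    static boolean isAccepted(File baseDir, String userFile) {
        try {
            resolveInside(baseDir, userFile);
            return true;
        } catch (IllegalArgumentException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // stand-in for servlet.getServletContext().getRealPath("/ebanking")
        File ebanking = new File(System.getProperty("java.io.tmpdir"), "ebanking");
        // constructed inputs: a plain name, two traversal attempts, a sub-path and a dotfile
        String[] names = { "statement.pdf", "../../web.xml", "..\\web.xml", "a/b.txt", ".htaccess" };
        for (String name : names) {
            System.out.println((isAccepted(ebanking, name) ? "accepted " : "rejected ") + name);
        }
    }
}
```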

References and More Information:

Tuesday Sep 29, 2009

The Top 10 Web Application security vulnerabilities starting with XSS

This and the next series of blog entries will highlight the Top 10 most critical web application security vulnerabilities identified by the Open Web Application Security Project (OWASP).

You can use OWASP's WebGoat to learn more about the OWASP Top Ten security vulnerabilities. WebGoat is an example web application, which has lessons showing "what not to do" code, how to exploit the code, and corrected code for each vulnerability.

You can use the OWASP Enterprise Security API Toolkit to protect against the OWASP Top Ten security vulnerabilities.

The ESAPI Swingset is a web application which demonstrates the many uses of the Enterprise Security API.

OWASP Top 10 number 1: XSS = Cross Site Scripting

Cross Site Scripting (XSS) is one of the most common security problems in today's web applications. According to the SANS Top Cyber Security Risks, 60% of the total attack attempts observed on the Internet are against web applications, and SQL injection and Cross-Site Scripting account for more than 80% of the vulnerabilities being discovered. You are at risk of an XSS attack any time you put content that could contain scripts from someone untrusted into your web pages.
There are 3 types of cross site scripting:
  • Reflected XSS: is when an HTML page reflects user input data, e.g. from HTTP query parameters or an HTML form, back to the browser without properly sanitizing the response. Below is an example of this in a servlet:
     out.println("You searched for: " + request.getParameter("query"));
  • Stored XSS: is when an attacker's input script is stored on the server (e.g. in a database) and later displayed in the web server's HTML pages without proper HTML filtering. Examples of this are blogs or forums where users can input data that will be displayed to others. Below is an example of this in a servlet, where data is retrieved from the database and returned in the HTML page without any validation:
     out.println("<tr><td>" + guest.comment);
  • DOM XSS: is when JavaScript uses input data or data from the server to write dynamic HTML (DOM) elements, again without HTML sanitizing/escaping/filtering.

XSS can be used to:
  • deface web pages
  • hijack user sessions
  • conduct phishing attacks
  • execute malicious code in the context of the user's session
  • spread malware

Protecting against XSS

To protect against XSS all the parameters in the application should be validated and/or encoded before being output in HTML pages.
  • Always validate on the server side for data integrity and security:
    • Validate all input data to the application for type, format, length, range, and context before storing or displaying.
    • Use white-listing (what is allowed), reject if invalid, instead of filtering out black-list (what is not allowed).
  • Output encoding:
    • Explicitly set the character encoding for all web pages (ISO-8859-1 or UTF-8):
      <%@ page contentType="text/html;charset=ISO-8859-1" language="java" %>
    • all user supplied data should be HTML or XML entity encoded before rendering.

Java specific Protecting against XSS

Validating Input with Java

  • You can use Java regular expressions to validate input. This example from WebGoat allows whitespace, a-zA-Z_0-9, and the characters - and ,:
    import java.util.regex.Pattern;
    String regex = "[\\s\\w-,]*";
    Pattern pattern = Pattern.compile(regex);
    boolean valid = pattern.matcher(stringToValidate).matches();
  • Use framework (Struts, JSF, Spring...) validators. With Java EE 6 you can use the Bean Validation Framework to centrally define validation constraints on model objects, and with JSF 2.0 extend model validation to the UI. For example, here is a JSF 2.0 input field:
    <h:inputText id="creditCard" value="#{booking.creditCardNumber}"/>
    Here is the JSF 2.0 Booking managed bean using the Bean Validation Framework:
    import javax.validation.constraints.NotNull;
    import javax.validation.constraints.Pattern;
    import javax.validation.constraints.Size;
    public class Booking {
        private String creditCardNumber;
        @NotNull(message = "Credit card number is required")
        @Size(min = 16, max = 16, message = "Credit card number must be 16 digits long")
        @Pattern(regexp = "^\\d*$", message = "Credit card number must be numeric")
        public String getCreditCardNumber() {
            return creditCardNumber;
        }
    }
    In addition there are new JSF 2.0 validators:
    • <f:validateBean> is a validator that delegates the validation of the local value to the Bean Validation API.
    • <f:validateRequired> provides required field validation.
    • <f:validateRegex> provides regular expression-based validation.

  • Use the OWASP Enterprise Security API Java Toolkit's Validator interface:
    ESAPI.validator().getValidInput(String context, String input, String type, int maxLength,
                                    boolean allowNull, ValidationErrorList errorList)
    ESAPI.validator().getValidInput() returns canonicalized and validated input as a String. Invalid input will generate a descriptive ValidationErrorList, and input that is clearly an attack will generate a descriptive IntrusionException.

Output Encoding with Java

  • You can use Struts output mechanisms such as <bean:write… >, or use the default JSTL escapeXML="true" attribute in <c:out … > 
  • JSF output components filter output and escape dangerous characters as XHTML entities.
    <h:outputText value="#{}"/>

  • You can use the OWASP Enterprise Security API Java Toolkit's ESAPI Encoder.encodeForHTML() method to encode data for use in HTML content. The encodeForHTML() method uses a "whitelist" HTML entity encoding algorithm to ensure that encoded data can not be interpreted as script. This call should be used to wrap any user input being rendered in HTML element content. For example:
    <p>Hello, <%=ESAPI.encoder().encodeForHTML(name)%></p>
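As an added example that is neither the post's, WebGoat's nor ESAPI's code, the following stand-alone Java class puts the two layers above together for the reflected-search servlet from the start of this post: the WebGoat whitelist regex for input validation, and a small numeric-entity encoder standing in for ESAPI.encoder().encodeForHTML() on output.

```java
import java.util.regex.Pattern;

public class XssDefenseDemo {
    /** WebGoat-style whitelist from the post: whitespace, word characters, '-' and ','. */
    private static final Pattern SEARCH_QUERY = Pattern.compile("[\\s\\w-,]*");

    /** Accepts the input only if every character is on the whitelist; invalid input is rejected, not filtered. */
    static String validateQuery(String input) {
        if (input == null || !SEARCH_QUERY.matcher(input).matches()) {
            throw new IllegalArgumentException("query contains characters outside the whitelist");
        }
        return input;
    }

    /**
     * Entity encoding for HTML element content: everything except letters,
     * digits and spaces becomes a numeric entity, so no character the browser
     * could read as markup survives. Stand-in for ESAPI.encoder().encodeForHTML(),
     * not the ESAPI implementation.
     */
    static String encodeForHtml(String input) {
        StringBuilder out = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if (Character.isLetterOrDigit(c) || c == ' ') {
                out.append(c);
            } else {
                out.append("&#").append((int) c).append(';');
            }
        }
        return out.toString();
    }

    /** The reflected-search response from the post, now encoded before it is written. */
    static String searchResponse(String query) {
        return "You searched for: " + encodeForHtml(query);
    }

    public static void main(String[] args) {
        String hostile = "<script>alert(1)</script>";   // constructed sample input
        // output encoding alone: the tags reach the page only as inert entities
        System.out.println(searchResponse(hostile));
        // input validation alone: the same input never gets as far as the page
        try {
            validateQuery(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // benign input passes both layers unchanged
        System.out.println(searchResponse(validateQuery("java, glassfish-v3")));
    }
}
```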

References and More Information:

Wednesday Jul 01, 2009

2 JavaOne Hands On Labs , Sun Technology Exchange, Java Technology Day Israel, and Java Day Turkey



I had a very busy June: I gave two Hands On Labs at JavaOne, two sessions at the Sun Technology Exchange, three sessions at Java Technology Day in Tel Aviv, Israel, and one session at Java Day in Istanbul, Turkey.

JavaOne Hands On Labs:


I co-developed and delivered 2 Hands On Labs for JavaOne this year:

You can download these 2 HOLs documentation and code below:

Sun Technology Exchange:

In Fort Lauderdale as part of the Sun Technology Exchange I gave two educational sessions to learn how:
  • JavaFX can help you build rich internet applications (RIAs) and includes the tools and platform SDK for developers, web developers, and designers to create dynamic applications.
  • GlassFish, an enterprise-quality Java EE 5 application server, offers advanced clustering, centralized administration, and best-in-class performance.
  • download the slides

Java Technology Day Israel

At the Java Technology Day in Israel I gave the following sessions:
  • WSIT Reliability Security and Transactions in Web Services
    • Metro is a high-performance, extensible, easy-to-use web service stack. You can use it for every type of web service, from simple to reliable, secured, and transacted web services that interoperate with .NET services. Metro bundles stable versions of the JAX-WS (Java API for XML Web Services) reference implementation and WSIT (Web Services Interoperability Technology). JAX-WS is a fundamental technology for developing SOAP-based and RESTful Java technology-based web services. WSIT enables secure, reliable interoperability between Java technology-based web services and Microsoft's Windows Communication Foundation.
    • you can download and try out WSIT in this JavaOne HOL: Metro: Try Out Simple and Interoperable Web Services and with these lab instructions.
    • You can read more about some of the example code for this session at
      GlassFish and MySQL, Part 3: Creating a Pet Catalog Web Service
  • MySQL for Developers
    • If you are a developer using MySQL, you should learn enough to take advantage of its strengths, because having an understanding of the database can help you develop better-performing applications. This session talks about MySQL database design and SQL tuning for developers.
    • download or view a screencast of this presentation
  • OpenESB and Connecting Enterprises
    • This session explains and demonstrates several concrete technologies that make SOA architecture possible: BPEL (Business Process Execution Language), JBI (Java Business Integration) and OpenESB. The part on BPEL starts with an explanation of the requirements of a standardized business process language. The BPEL language is then described using an example, and the relationship between BPEL and WSDL is also explained. Finally, the BPEL designer and runtime that come with the NetBeans IDE are demonstrated using the Travel Reservation sample BPEL project. The session also explains the motivation for JBI and OpenESB as a standardized application integration framework, in the same way the J2EE architecture standardized how enterprise applications are built and deployed. Finally, Sun's solution in the SOA and application integration space is discussed. Whenever possible, concrete steps of building, deploying and testing SOA applications are demonstrated step by step.
  • download the slides for all 3

Java Day Turkey

At the Java Day in Istanbul Turkey I gave the MySQL for Developers session again, see above for more information.

Thursday Apr 16, 2009

Developing RESTful Web Services with JAX-RS, Netbeans, Glassfish and MySQL


Yesterday I gave a talk at the Jacksonville Java Users Group (JAXJUG) on Developing RESTful Web Services with JAX-RS, Netbeans, Glassfish, and MySQL.

You can download the StarOffice presentation here

Developing RESTful Web Services with Netbeans and JAX-RS

Lightweight RESTful approaches have emerged as a popular alternative to SOAP-based technologies for deployment of services on the Internet.

The goal of the Java API for RESTful Web Services (JAX-RS) is to provide a high-level declarative programming model for such services that is easy to use and encourages development according to REST tenets. Services built with this API are deployable with a variety of Web container technologies and benefit from built-in support for best-practice HTTP usage patterns and conventions.

This talk provides an overview of the design process for a sample RESTful Pet Catalog service using JAX-RS. It shows how to build 2 sample clients for the Pet Catalog service, one using the dojo AJAX framework and one using JavaFX.

You can get more information here:

Here is a link to the PDF slides and recorded Webinar
Developing MySQL-Backed RESTful Web Services with Netbeans and JAX-RS

Here is a link to the Article
GlassFish and MySQL, Part 4: Creating a RESTful Web Service and JavaFX Client

Here is a link to the JavaFX code
RESTful Web Service and JavaFX client code

Here is a link to dojo client explanation and code
RESTful Web Service and dojo client explanation and code



