OWASP & tools

I just had an application security awareness training, and it was quite enlightening. Of course OWASP was mentioned, with the top ten list of vulnerabilities, along with the WebGoat webapp, but also tools like
  • Fiddler: free win32 HTTP proxy with scripting facilities, no SSL support and based on .NET
  • Charles: shareware HTTP proxy in Java with SSL support
  • WebSleuth: an IE plugin to edit forms; suddenly hacking got so much simpler
Of course there are Firefox plugins to achieve the same set of functionalities.

WTP 1.0

Of course with each new release of WTP the process described for WTP 0.7 is less and less successful. But this comes as no surprise, as those were undocumented and temporary features. For those who wonder, the assembled webapp now resides under your workspace directory in .metadata/.plugins/org.eclipse.wst.server.core/tmpX where X is the number of your server starting at 0. Using this tmp folder clearly indicates that nobody should rely on the files at this location, as they will be regenerated with the build process. Those tmp folders also allow Eclipse to build a separate assembly specific to each server, which makes a lot more sense than the .deployables directory which was shared amongst all server instances. If you need to explicitly reference this directory, you should probably review your build process (but you are already using Maven, right?).