RetireJS for Eclipse extension

Several years ago I wrote an Eclipse plugin to help me identify vulnerable javascript libraries using RetireJS. On a whim, I finally got around to submitting it to the Eclipse marketplace last week and it was approved.

This addresses a common OWASP Top-Ten item – A9:2017-Using Components with Known Vulnerabilities.

For Non-Developers… in English, while software developers are creating websites they often use open-source libraries such as jQuery (or literally thousands of other libraries) to simplify their development. Eventually, almost all software is identified as being vulnerable to various attacks. This tool makes it easier to scan and report on libraries that might be used in an application so that they can be updated or replaced.

REFERENCES:

Firefox 41+ extension signing

In the never-ending quest for browser security, Firefox has started implementing safeguards to only allow signed extensions. I found this out after upgrading to Firefox 41 as my installed version of “Deque FireEyes” stopped working. Thankfully, there is a workaround in Firefox 41, but it goes away in Firefox 42.

  • Firefox 40: warning only!
  • Firefox 41: workaround, via:

    about:config:
    xpinstall.signatures.required = false
  • Firefox 42: BLOCKED! unless signed

REFERENCES:

Deque FireEyes accessibility testing plugin

I’ve done a lot of accessibility testing and development work over my career. One of the many free tools that I use in that role is FireEyes. Deque also has some commercial packages for developer use.

FireEyes adds a new tab on the Firebug tab bar and adds the ability to analyze a web site for WCAG 2.0 Level A and AA and Section 508 accessibility violations. The Stand-Alone version of FireEyes is a browser plugin to the FireFox browser. It requires that the FireBug plugin already be installed

Requirements:

  • Firefox 31-41

    As of 2015aug21, the current version of the extension is NOT signed and will not execute on later versions. [See my later post on this topic]

  • FireBug 2.x – Do NOT install Firebug v3 alpha as the tab will not show.

NOTE: should be on Firebug tab labeled “Worldspace Fireyes”, but does not seem to be available in Firebug3.

NOTE: if you try to download in MSIE, you must rename the .zip to .xpi, and then open with Firefox.

REFERENCES:

Blocking access to files by extension in Apache

Usually, you might have a simple rule to prevent users from accessing sensitive files such as “.htaccess“, that rule might look like:

<FilesMatch "^\.ht">
Order deny,allow
Deny from all
Satisfy all
</FilesMatch>

You can also use this capability to prevent other file extensions. For example, if you wanted to block common image formats extensions, you might add the following:

<FilesMatch "\.(gif|png|jpg|ico)$">
Order allow,deny
Deny from all
Satisfy all
</FilesMatch>

Some other file extensions to consider, *.bak, *.old, *.inc

REFERENCES:

Selenium Firefox modifyheaders

A few of my tests require access to modify the HTTP Request headers. Unfortunately, Selenium hides access to them to allow for portability, and to better emulate what “users” generally can change. To work around this a Firefox extension can be used and configured at runtime for this purpose.

NOTE: for Maven, you need to place a copy of the .xpi file referenced into the /src/test/resources folder for Selenium to locate it.

In the example below, I’m setting the HTTP Header for “DNT” to “1”.

public FirefoxDriver createFirefoxDriver() throws URISyntaxException, IOException {
// Specify the install location (if not default)
System.setProperty("webdriver.firefox.bin","C:\\path\\to\\Firefox.exe");
// Prevent Console log "noise" from the Selenium Firefox plugin
System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "OFF");
System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "OFF");

final FirefoxProfile profile = new FirefoxProfile();
final URL url = this.getClass().getResource("/modify_headers-0.7.1.1-fx.xpi");
final File modifyHeaders = modifyHeaders = new File(url.toURI());

profile.setEnableNativeEvents(false);
profile.addExtension(modifyHeaders);

profile.setPreference("modifyheaders.headers.count", 1);
profile.setPreference("modifyheaders.headers.action0", "Add");
profile.setPreference("modifyheaders.headers.name0", "DNT");
profile.setPreference("modifyheaders.headers.value0", "1");
profile.setPreference("modifyheaders.headers.enabled0", true);
profile.setPreference("modifyheaders.config.active", true);
profile.setPreference("modifyheaders.config.alwaysOn", true);

final DesiredCapabilities capabilities = new DesiredCapabilities();
capabilities.setBrowserName("firefox");
capabilities.setPlatform(org.openqa.selenium.Platform.ANY);
capabilities.setCapability(FirefoxDriver.PROFILE, profile);
return new FirefoxDriver(capabilities);
}

MKS IntegrityClient integration with Eclipse IDE

While the intgration plugins for most SCM products are done rather simply within Eclipse, MKS(now PTC) IntegrityClient requires a few manual steps.

Caution, the plugin has always been a bit “buggy” but nothing too annoying for daily use. I’ve personally used it since IBM WSAD 5.1(Eclipse 3.x based) up to and including the most current Eclipse Luna (4.4) release.

  1. Go to your MKS installation path, then find the “integrations” folder as in the example below:
    C:\MKS\IntegrityClient\integrations\IBM\eclipse_3.2\eclipse
  2. That folder SHOULD have two folders (features/plugins) as well as three files (.eclipseextension, artifacts.xml, content.xml)
  3. Copy the entire contents and paste/overlay into your ‘eclipse’ folder (where you should already have folders for ‘features/plugins)
  4. Restart Eclipse
  5. Configure as required.

JavaScript function overloading

JavaScript, while mostly object-oriented, does not support function overloading like Java and other common OO languages. To my less knowledgeable audience, overloading is use of the same function name with a different number of arguments or types.

NOTE: there are various ways to implement this sort of functionality using various frameworks, but legacy code can be full of these issues!

In the following code, they share the same name, the second function will always be executed as it is defined last!


<script type="text/javascript">
function doSomething(arg1, arg2){
alert('2 args');
}
function doSomething(arg1){
alert('1 arg');
}
</script>