When websites throw Java exceptions on you

Monday, August 4th, 2014

Yesterday, when I booked a hotel for family coming to visit us in Berlin, I got this nice Java exception backtrace at the end of the hotel reservation:

HTTP Status 500 -

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: BeanUtils.populate
org.apache.struts.util.RequestUtils.populate(RequestUtils.java:467)
org.apache.struts.action.RequestProcessor.processPopulate(RequestProcessor.java:798)
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:205)
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1164)
org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:415)
javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
de.hrs.web3.web.filter.PasswordChangeFilter.doFilter(PasswordChangeFilter.java:174)
de.hrs.web3.web.trackingswitch.PostViewFilter.doFilter(PostViewFilter.java:69)
de.hrs.web3.web.trackingswitch.sme.PostClickFilterSME.doFilter(PostClickFilterSME.java:67)
de.hrs.web3.web.trackingswitch.PostClickFilter.doFilter(PostClickFilter.java:66)
de.hrs.web3.web.filter.SessionFilter.doFilter(SessionFilter.java:512)
de.hrs.web3.web.filter.CiClientFilter.doFilter(CiClientFilter.java:133)
de.hrs.web3.web.filter.EncodingFilter.doFilter(EncodingFilter.java:80)
de.hrs.web3.web.util.etm.EtmRequestIDFilter.doFilter(EtmRequestIDFilter.java:63)
de.hrs.web3.web.filter.RedirectFilter.performAction(RedirectFilter.java:258)
de.hrs.web3.web.filter.RedirectFilter.doFilter(RedirectFilter.java:236)
de.hrs.web.filter.ExpiresFilter.doFilter(ExpiresFilter.java:225)
de.hrs.web3.web.filter.StaticContentFilter.doFilter(StaticContentFilter.java:105)
org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
de.hrs.web3.web.filter.CiClientSAMLFilter.doFilter(CiClientSAMLFilter.java:86)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.saml.SAMLEntryPoint.doFilter(SAMLEntryPoint.java:102)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.saml.SAMLLogoutFilter.processLogout(SAMLLogoutFilter.java:157)
org.springframework.security.saml.SAMLLogoutFilter.doFilter(SAMLLogoutFilter.java:103)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.saml.SAMLLogoutProcessingFilter.processLogout(SAMLLogoutProcessingFilter.java:169)
org.springframework.security.saml.SAMLLogoutProcessingFilter.doFilter(SAMLLogoutProcessingFilter.java:93)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
root cause

java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
java.util.ArrayList.RangeCheck(ArrayList.java:547)
java.util.ArrayList.get(ArrayList.java:322)
org.apache.commons.beanutils.PropertyUtilsBean.getIndexedProperty(PropertyUtilsBean.java:513)
org.apache.commons.beanutils.PropertyUtilsBean.getIndexedProperty(PropertyUtilsBean.java:410)
org.apache.commons.beanutils.PropertyUtilsBean.getNestedProperty(PropertyUtilsBean.java:768)
org.apache.commons.beanutils.PropertyUtilsBean.getProperty(PropertyUtilsBean.java:846)
org.apache.commons.beanutils.BeanUtilsBean.setProperty(BeanUtilsBean.java:903)
org.apache.commons.beanutils.BeanUtilsBean.populate(BeanUtilsBean.java:830)
org.apache.commons.beanutils.BeanUtils.populate(BeanUtils.java:433)
org.apache.struts.util.RequestUtils.populate(RequestUtils.java:465)
org.apache.struts.action.RequestProcessor.processPopulate(RequestProcessor.java:798)
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:205)
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1164)
org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:415)
javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
de.hrs.web3.web.filter.PasswordChangeFilter.doFilter(PasswordChangeFilter.java:174)
de.hrs.web3.web.trackingswitch.PostViewFilter.doFilter(PostViewFilter.java:69)
de.hrs.web3.web.trackingswitch.sme.PostClickFilterSME.doFilter(PostClickFilterSME.java:67)
de.hrs.web3.web.trackingswitch.PostClickFilter.doFilter(PostClickFilter.java:66)
de.hrs.web3.web.filter.SessionFilter.doFilter(SessionFilter.java:512)
de.hrs.web3.web.filter.CiClientFilter.doFilter(CiClientFilter.java:133)
de.hrs.web3.web.filter.EncodingFilter.doFilter(EncodingFilter.java:80)
de.hrs.web3.web.util.etm.EtmRequestIDFilter.doFilter(EtmRequestIDFilter.java:63)
de.hrs.web3.web.filter.RedirectFilter.performAction(RedirectFilter.java:258)
de.hrs.web3.web.filter.RedirectFilter.doFilter(RedirectFilter.java:236)
de.hrs.web.filter.ExpiresFilter.doFilter(ExpiresFilter.java:225)
de.hrs.web3.web.filter.StaticContentFilter.doFilter(StaticContentFilter.java:105)
org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
de.hrs.web3.web.filter.CiClientSAMLFilter.doFilter(CiClientSAMLFilter.java:86)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:183)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.saml.metadata.MetadataGeneratorFilter.doFilter(MetadataGeneratorFilter.java:86)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.saml.SAMLEntryPoint.doFilter(SAMLEntryPoint.java:102)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.saml.SAMLLogoutFilter.processLogout(SAMLLogoutFilter.java:157)
org.springframework.security.saml.SAMLLogoutFilter.doFilter(SAMLLogoutFilter.java:103)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.saml.SAMLLogoutProcessingFilter.processLogout(SAMLLogoutProcessingFilter.java:169)
org.springframework.security.saml.SAMLLogoutProcessingFilter.doFilter(SAMLLogoutProcessingFilter.java:93)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
note The full stack trace of the root cause is available in the Apache Tomcat/7.0.25 logs.

Apache Tomcat/7.0.25 on p-web-www-424.hrs.de/10.250.151.24

First of all, nice to reveal their software stack to potential attackers, right? Second, you noticed:

java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
java.util.ArrayList.RangeCheck(ArrayList.java:547)
java.util.ArrayList.get(ArrayList.java:322)

“OutOfBoundsException”, thank you very much - happy customers to see this matrix gibberish instead of their booking. It is moments like this where I believe a dynamically typed language with “nil” for a non-existing array, and potentially either printing “nil” or just an “” (an empty string) somewhere on some box, or ad, or whatever nobody probably looks at anyway, is a much more elegant way to handle this, …
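The stack disclosure pointed out above can be checked for mechanically. This is an added example, not part of the original post or the site's code: a Python function that lists what an error body gives away (exception classes, library and vendor packages, server banner, internal host name, private address). The function names and patterns are assumptions, and the sample body is an abbreviated copy of the page quoted above.

```python
import re

# Constructed sample: an abbreviated copy of the error page quoted in the post.
SAMPLE_BODY = """HTTP Status 500 -
exception
javax.servlet.ServletException: BeanUtils.populate
org.apache.struts.util.RequestUtils.populate(RequestUtils.java:467)
de.hrs.web3.web.filter.SessionFilter.doFilter(SessionFilter.java:512)
org.springframework.security.saml.SAMLEntryPoint.doFilter(SAMLEntryPoint.java:102)
root cause
java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
java.util.ArrayList.get(ArrayList.java:322)
org.apache.commons.beanutils.BeanUtils.populate(BeanUtils.java:433)
Apache Tomcat/7.0.25 on p-web-www-424.hrs.de/10.250.151.24
"""

# One Java stack frame; group 1 is the package prefix (with its trailing dot).
FRAME = re.compile(
    r"^\s*(?:at\s+)?((?:[a-z_][\w$]*\.)+)[A-Z][\w$]*\.[\w$<>]+\([\w$]+\.java:\d+\)", re.M)
EXCEPTION = re.compile(r"^((?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error))(?::|$)", re.M)
BANNER = re.compile(r"\b((?:Apache )?(?:Tomcat|Coyote|Jetty))/(\d+(?:\.\d+)+)")
HOST = re.compile(r"\bon\s+((?:[a-z0-9-]+\.)+[a-z]{2,})/", re.I)
PRIVATE_IP = re.compile(  # RFC 1918 ranges only
    r"\b(10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2}"
    r"|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})\b")


def audit_error_body(body):
    """Return what an HTTP error body discloses to any client that receives it."""
    packages = set()
    for m in FRAME.finditer(body):
        # The first three package segments are enough to name the library or vendor.
        packages.add(".".join(m.group(1).rstrip(".").split(".")[:3]))
    return {
        "exceptions": EXCEPTION.findall(body),
        "packages": sorted(packages),
        "server_banners": sorted({"/".join(b) for b in BANNER.findall(body)}),
        "internal_hosts": sorted(set(HOST.findall(body))),
        "private_ips": sorted(set(PRIVATE_IP.findall(body))),
    }


def leaks(body):
    """True if any disclosure category is non-empty."""
    return any(audit_error_body(body).values())


if __name__ == "__main__":
    for category, found in audit_error_body(SAMPLE_BODY).items():
        print(f"{category}: {found}")
```

Run against the 4xx/5xx bodies of a staging deployment, a non-empty result is a reason to fail the build. The usual fix is a generic error page mapped through `<error-page>` in `web.xml`, with the trace kept in the server log only.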