SlideShare a Scribd company logo

Java Secure Coding Practices

Download as PPTX, PDF
O
OWASPKerala

Slides Used by Rajesh Nair - In OWASP Kerala Chapter Meet April 2015

Engineering
1 of 37
The OWASP Foundation http://www.owasp.org Escape ’Attacks!’ India, Kerala 2015 Rajesh P Board Member, OWASP Kerala Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify the document under the terms of the OWASP License All trademarks, service marks, trade names, product names and logos appearing on the slides are the property of their respective owners Secure Coding Practice Series Parse what you code
The OWASP Foundation http://www.owasp.org 2
The OWASP Foundation http://www.owasp.org • Developer approaches application based on what it is intended to do • Attacker’s approach is based on what application can be made to do • Any action not specifically denied is considered allowed 3 Fundamental difference
The OWASP Foundation http://www.owasp.org • Minimize Attack Surface Area • Secure Defaults • Principle of Least Privilege • Principle of Defense in Depth • Fail Securely • External Systems are Insecure • Separation of Duties • Do not trust Security through Obscurity • Simplicity • Fix Security Issues Correctly 4 Security Principles
The OWASP Foundation http://www.owasp.org • Price related hidden fields, CSS visibility – perform server side validation • Cross Site Request Forgery (CSRF) • Sensitive Information Disclosure via Client- Side Storage and Comments • Hardcoded domain in HTML • HTML5: Form validation turned off • Password Submission using GET method 5 HTML
The OWASP Foundation http://www.owasp.org • Selects, radio buttons, and checkboxes Wrong Approach <input type="radio" name="acctNo" value="455712341234">Gold Card <input type="radio" name="acctNo" value="455712341235">Platinum Card String acctNo = getParameter('acctNo'); String sql = "SELECT acctBal FROM accounts WHERE acctNo = '?'"; 6 HTML
The OWASP Foundation http://www.owasp.org Right Approach <input type="radio" name="acctIndex" value="1" />Gold Credit Card <input type="radio" name="acctIndex" value="2" />Platinum Credit Card String acctNo = acct.getCardNumber(getParameter('acctIndex')) String sql = "SELECT acctBal FROM accounts WHERE acct_id = '?' AND acctNo ='?'"; 7 HTML
The OWASP Foundation http://www.owasp.org • Display of passwords in form, Autocomplete • Don’t populate password in form <input name="password" type="password" value="<%=pass%>" /> 8 HTML
The OWASP Foundation http://www.owasp.org • Ajax Hijacking • Cross Site Scripting: DOM, Poor validation • Dynamic code evaluation: Code, Script Injection, Unsafe XMLHTTPRequest – eval • Open Redirect • Path Manipulation – dot dot slash attack • Obfuscate Client Side JavaScript. Remember the jQuery.min, jQuery.dev versions 9 JavaScript
The OWASP Foundation http://www.owasp.org • jQuery Unsafe usage var txtAlertMsg = "Hello World: "; var txtUserInput = "test<script>alert(1)</script>"; $("#message").html( txtAlertMsg +"" + txtUserInput + ""); Safe usage (use text, not html) $("#userInput").text( "test<script>alert(1)</script>"); <-- treat user input as text 10 JavaScript
The OWASP Foundation http://www.owasp.org • Use of =, != for null comparison • Ignoring exception – try & catch • Persistent Cross Site Scripting • Use parameterized statements, validate input before string concatenation in dynamic SQL’s in stored procedures • Avoid xp_cmdshell • Never store passwords in plaintext 11 SQL
The OWASP Foundation http://www.owasp.org • Use stored procedures to abstract data access and allow for the removal of permissions to the base tables in the database 12 SQL
The OWASP Foundation http://www.owasp.org • The Java libraries (java.lang, java.util etc, often referred to as the Java API) are themselves written in Java, although methods marked as native. The Sun JVM is written in C, JVM running on your machine is a platform-dependent executable and hence could have been originally written in any language. The Oracle JVM (HotSpot) is written in the C++ programming language. Java Compiler provided By Oracle is written in JAVA itself. Many Java vulnerabilities are really C vulnerabilities that occur in an implementation of Java. 13 About Java
The OWASP Foundation http://www.owasp.org • Secure data types – char[], GuardedString • Zip Bombs private static final int LINE_LIMIT = 1000000; int totalLinesRead = 0; while ((s = reader.readLine()) != null) { doSomethingWithLine(s); totalLinesRead++; if (totalLinesRead > LINE_LIMIT) { throw new Exception("File being read is too big."); } } 14 Java
The OWASP Foundation http://www.owasp.org • Do not ignore values returned by methods. private void deleteFile() { File tempFile = new File(tempFileName); if (tempFile.exists()) { if (!tempFile.delete()) { // handle failure to delete the file } } } 15 Java
The OWASP Foundation http://www.owasp.org • Release resources in all cases. The try-with- resource syntax introduced in Java SE 7 automatically handles the release of many resource types. try (final InputStream in = Files.newInputStream(path)) { handler.handle(new BufferedInputStream(in)); } 16 Java - DOS
The OWASP Foundation http://www.owasp.org • Billion laughs attack - XML entity expansion causes an XML document to grow dramatically during parsing. DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSI NG, true); DocumentBuilder parser = dbf.newDocumentBuilder(); parser.parse(xmlfile); 17 Java
The OWASP Foundation http://www.owasp.org • Add security wrapper around native method calls – use JNI defensively • Make public static fields final • java.lang.SecurityManager – policy • In Struts deny direct jsp access explicitly • Use SecureRandom for PRNG, 128 bit length SecureRandom random = new SecureRandom(); byte bytes[] = new byte[20]; random.nextBytes(bytes); 18 Java
The OWASP Foundation http://www.owasp.org • JSP Source code disclosure • Non-Final classes let an attacker extend a class in a malicious manner • Packages are by default open, not sealed, which means a rogue class can be added to your package • Check uploaded file header than just extension alone https://www.owasp.org/images/0/08/OWASP_S CP_Quick_Reference_Guide_v2.pdf 19 Java
The OWASP Foundation http://www.owasp.org • Override the clone method to make classes unclonable unless required. Cloning allows an attacker to instantiate a class without running any of the class constructors. 20 Java Cloning
The OWASP Foundation http://www.owasp.org • Define the following method in each of your classes: public final Object clone() throws java.lang.CloneNotSupportedException { throw new java.lang.CloneNotSupportedException(); } 21 Java Cloning
The OWASP Foundation http://www.owasp.org • If a clone is required, one can make one’s clone method immune to overriding by using the final keyword: public final Object clone() throws java.lang.CloneNotSupportedException { return super.clone(); } 22 Java Cloning
The OWASP Foundation http://www.owasp.org • Unfavour serialization of objects containing sensitive information – transient fields private final void writeObject(ObjectOutputStream out) throws java.io.IOException { throw new java.io.IOException("Object cannot be serialized"); } 23 Java Serialization
The OWASP Foundation http://www.owasp.org • Prevent deserialization of objects containing sensitive information private final void readObject(ObjectInputStream in) throws java.io.IOException { throw new java.io.IOException("Class cannot be deserialized"); } 24 Java Deserialization
The OWASP Foundation http://www.owasp.org • deny access by default isAdmin = false; try { codeWhichMayFail(); isAdmin = isUserInRole(“Administrator”); } catch (Exception ex) { log.write(ex.toString()); } 25 Java
The OWASP Foundation http://www.owasp.org 26 Return after sendRedirect
The OWASP Foundation http://www.owasp.org • Response splitting allows an attacker to take control of the response body by adding extra CRLFs into headers String author = request.getParameter(AUTHOR_PARAM); ... Cookie cookie = new Cookie("author", author); cookie.setMaxAge(cookieExpiration); response.addCookie(cookie); 27 Response Splitting
The OWASP Foundation http://www.owasp.org If an attacker submits a malicious string, such as “Rajesh PrnHTTP/1.1 200 OKrn...", then the HTTP response would be split into two responses of the following form: HTTP/1.1 200 OK ... Set-Cookie: author=Rajesh P HTTP/1.1 200 OK ... Clearly, the second response is completely controlled by the attacker and can be constructed with any header and body content desired. Response Splitting
The OWASP Foundation http://www.owasp.org Attacker Proxy Web Server 302 302 200 (Gotcha!) 1st attacker request (response splitter) 1st attacker request (response splitter) request /account?id=victim 200 (Gotcha!) 200 (Victim’s account data) Victim request /index.html request /index.html 200 (Victim’s account data) Response Splitting
The OWASP Foundation http://www.owasp.org • How to Identify new vulnerability disclosures in Java? – NVD, CVE • Always remove older versions of Java on devices while updating to the new secure version 30 Miscellaneous
The OWASP Foundation http://www.owasp.org The OWASP Enterprise Security API Custom Enterprise Web Application Enterprise Security API Authenticator User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer ExceptionHandling Logger IntrusionDetector SecurityConfiguration Existing Enterprise Security Services/Libraries 31
The OWASP Foundation http://www.owasp.org Validate: getValidDate() getValidCreditCard() getValidInput() getValidNumber() … Validating Untrusted Input / Output BackendController Business Functions User Data Layer Presentation Layer Validate: getValidDate() getValidCreditCard() getValidSafeHTML() getValidInput() getValidNumber() getValidFileName() getValidRedirect() safeReadLine() … Validation Engine Validation Engine
The OWASP Foundation http://www.owasp.org OWASP Top Ten Coverage 33 OWASP Top Ten A1. Cross Site Scripting (XSS) A2. Injection Flaws A3. Malicious File Execution A4. Insecure Direct Object Reference A5. Cross Site Request Forgery (CSRF) A6. Leakage and Improper Error Handling A7. Broken Authentication and Sessions A8. Insecure Cryptographic Storage A9. Insecure Communications A10. Failure to Restrict URL Access OWASP ESAPI Validator, Encoder Encoder HTTPUtilities (upload) AccessReferenceMap User (csrftoken) EnterpriseSecurityException, HTTPUtils Authenticator, User, HTTPUtils Encryptor HTTPUtilities (secure cookie, channel) AccessController
The OWASP Foundation http://www.owasp.org • Disgruntled staff • Unintentional program execution • Identify Training need, Certification • Urgent and Frequent patches • Selection of Third Party Libraries • “Drive by” attacks, such as side effects or direct consequences of a virus, worm or Trojan attack 34 Why Static Code Analysis
The OWASP Foundation http://www.owasp.org • Categories of Vulnerability Sources • URL, Parameter Tampering • Header Manipulation • Cookie Poisoning • Categories of Vulnerability Sinks • SQL, XPath, XML, LDAP Injection • Cross-site Scripting • HTTP Response Splitting • Command Injection • Path Traversal 35 LAPSE+ Static Code Analysis
The OWASP Foundation http://www.owasp.org 36 Free Static Analysis Tools
The OWASP Foundation http://www.owasp.org Thank you! Until next time, stay secure! rajesh.nair@owasp.or g https://www.facebook.com/OWASPKerala https://www.twitter.com/owasp_kerala

Recommended

Secure Coding for Java
Secure Coding for JavaSecure Coding for Java
Secure Coding for JavaSébastien GIORIA
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilitiesebusinessmantra
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top TenChristian Heinrich
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 

Recommended

Secure Coding for Java
Secure Coding for JavaSecure Coding for Java
Secure Coding for JavaSébastien GIORIA
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Secure code
Secure codeSecure code
Secure codeddeogun
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilitiesebusinessmantra
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top TenChristian Heinrich
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security VulnerabilitiesMarius Vorster
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISNull Bhubaneswar
 
Software security
Software securitySoftware security
Software securityRoman Oliynykov
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
OWASP - Dependency Check
OWASP - Dependency CheckOWASP - Dependency Check
OWASP - Dependency CheckVandana Verma
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
OWASP SB -Threat modeling 101
OWASP SB -Threat modeling 101OWASP SB -Threat modeling 101
OWASP SB -Threat modeling 101Jozsef Ottucsak
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile ApplicationsDenim Group
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web SecuritySharePointRadi
 
Black Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized CommunicationBlack Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized Communicationmsaindane
 
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Rihab Chebbah
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Edureka!
 
EC-Council Secure Programmer Java
EC-Council Secure Programmer JavaEC-Council Secure Programmer Java
EC-Council Secure Programmer JavaBOOSTurSKILLS
 
JBoss Negotiation in AS7
JBoss Negotiation in AS7JBoss Negotiation in AS7
JBoss Negotiation in AS7Josef Cacek
 

More Related Content

What's hot

Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by defaultSecuRing
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security VulnerabilitiesMarius Vorster
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
OWASP - Dependency Check
OWASP - Dependency CheckOWASP - Dependency Check
OWASP - Dependency CheckVandana Verma
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...Christopher Frohoff
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
OWASP SB -Threat modeling 101
OWASP SB -Threat modeling 101OWASP SB -Threat modeling 101
OWASP SB -Threat modeling 101Jozsef Ottucsak
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile ApplicationsDenim Group
 
Black Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized CommunicationBlack Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized Communicationmsaindane
 
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Rihab Chebbah
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Edureka!
 

What's hot (20)

Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Web application security
Web application securityWeb application security
Web application security
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
 
Software security
Software securitySoftware security
Software security
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
OWASP - Dependency Check
OWASP - Dependency CheckOWASP - Dependency Check
OWASP - Dependency Check
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
OWASP SB -Threat modeling 101
OWASP SB -Threat modeling 101OWASP SB -Threat modeling 101
OWASP SB -Threat modeling 101
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Black Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized CommunicationBlack Hat EU 2010 - Attacking Java Serialized Communication
Black Hat EU 2010 - Attacking Java Serialized Communication
 
Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016Microsoft threat modeling tool 2016
Microsoft threat modeling tool 2016
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
 

Viewers also liked

EC-Council Secure Programmer Java
EC-Council Secure Programmer JavaEC-Council Secure Programmer Java
EC-Council Secure Programmer JavaBOOSTurSKILLS
 
JBoss Negotiation in AS7
JBoss Negotiation in AS7JBoss Negotiation in AS7
JBoss Negotiation in AS7Josef Cacek
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Christian Schneider
 
Java Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJava Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJosef Cacek
 
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....Martin Toshev
 
Security Architecture of the Java platform
Security Architecture of the Java platformSecurity Architecture of the Java platform
Security Architecture of the Java platformMartin Toshev
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCloudIDSummit
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecturePrabath Siriwardena
 

Viewers also liked (13)

EC-Council Secure Programmer Java
EC-Council Secure Programmer JavaEC-Council Secure Programmer Java
EC-Council Secure Programmer Java
 
JBoss Negotiation in AS7
JBoss Negotiation in AS7JBoss Negotiation in AS7
JBoss Negotiation in AS7
 
Jar signing
Jar signingJar signing
Jar signing
 
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
Surviving the Java Deserialization Apocalypse // OWASP AppSecEU 2016
 
Java Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJava Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning Talk
 
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
 
Java security
Java securityJava security
Java security
 
Security Architecture of the Java platform
Security Architecture of the Java platformSecurity Architecture of the Java platform
Security Architecture of the Java platform
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIs
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecture
 
Javantura v4 - Security architecture of the Java platform - Martin Toshev
Javantura v4 - Security architecture of the Java platform - Martin ToshevJavantura v4 - Security architecture of the Java platform - Martin Toshev
Javantura v4 - Security architecture of the Java platform - Martin Toshev
 

Similar to Java Secure Coding Practices

Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
20151010 my sq-landjavav2a
20151010 my sq-landjavav2a20151010 my sq-landjavav2a
20151010 my sq-landjavav2aIvan Ma
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automationOWASP
 
Projects Valhalla, Loom and GraalVM at JUG Mainz
Projects Valhalla, Loom and GraalVM at JUG MainzProjects Valhalla, Loom and GraalVM at JUG Mainz
Projects Valhalla, Loom and GraalVM at JUG MainzVadym Kazulkin
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 
JavaScript Misunderstood
JavaScript MisunderstoodJavaScript Misunderstood
JavaScript MisunderstoodBhavya Siddappa
 
Building Concurrent WebObjects applications with Scala
Building Concurrent WebObjects applications with ScalaBuilding Concurrent WebObjects applications with Scala
Building Concurrent WebObjects applications with ScalaWO Community
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
MySQL Document Store
MySQL Document StoreMySQL Document Store
MySQL Document StoreMario Beck
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 
Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishMarkus Eisele
 

Similar to Java Secure Coding Practices (20)

Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
Building Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 FeaturesBuilding Client-Side Attacks with HTML5 Features
Building Client-Side Attacks with HTML5 Features
 
Moose
MooseMoose
Moose
 
20151010 my sq-landjavav2a
20151010 my sq-landjavav2a20151010 my sq-landjavav2a
20151010 my sq-landjavav2a
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation
 
Projects Valhalla, Loom and GraalVM at JUG Mainz
Projects Valhalla, Loom and GraalVM at JUG MainzProjects Valhalla, Loom and GraalVM at JUG Mainz
Projects Valhalla, Loom and GraalVM at JUG Mainz
 
Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
 
Web Application Defences
Web Application DefencesWeb Application Defences
Web Application Defences
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in Python
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
Avatar 2.0
Avatar 2.0Avatar 2.0
Avatar 2.0
 
The JavaFX Ecosystem
The JavaFX EcosystemThe JavaFX Ecosystem
The JavaFX Ecosystem
 
JavaScript Misunderstood
JavaScript MisunderstoodJavaScript Misunderstood
JavaScript Misunderstood
 
Attacking HTML5
Attacking HTML5Attacking HTML5
Attacking HTML5
 
Building Concurrent WebObjects applications with Scala
Building Concurrent WebObjects applications with ScalaBuilding Concurrent WebObjects applications with Scala
Building Concurrent WebObjects applications with Scala
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
MySQL Document Store
MySQL Document StoreMySQL Document Store
MySQL Document Store
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17
 
Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFish
 

Recently uploaded

Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxpranjaldaimarysona
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...Soham Mondal
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISrknatarajan
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduitsrknatarajan
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Dr.Costas Sachpazis
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordAsst.prof M.Gokilavani
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Christo Ananth
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Suman Mia
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 

Recently uploaded (20)

Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptx
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 

Java Secure Coding Practices

  • 1. The OWASP Foundation http://www.owasp.org Escape ’Attacks!’ India, Kerala 2015 Rajesh P Board Member, OWASP Kerala Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify the document under the terms of the OWASP License All trademarks, service marks, trade names, product names and logos appearing on the slides are the property of their respective owners Secure Coding Practice Series Parse what you code
  • 3. The OWASP Foundation http://www.owasp.org • Developer approaches application based on what it is intended to do • Attacker’s approach is based on what application can be made to do • Any action not specifically denied is considered allowed 3 Fundamental difference
  • 4. The OWASP Foundation http://www.owasp.org • Minimize Attack Surface Area • Secure Defaults • Principle of Least Privilege • Principle of Defense in Depth • Fail Securely • External Systems are Insecure • Separation of Duties • Do not trust Security through Obscurity • Simplicity • Fix Security Issues Correctly 4 Security Principles
  • 5. The OWASP Foundation http://www.owasp.org • Price related hidden fields, CSS visibility – perform server side validation • Cross Site Request Forgery (CSRF) • Sensitive Information Disclosure via Client- Side Storage and Comments • Hardcoded domain in HTML • HTML5: Form validation turned off • Password Submission using GET method 5 HTML
  • 6. The OWASP Foundation http://www.owasp.org • Selects, radio buttons, and checkboxes Wrong Approach <input type="radio" name="acctNo" value="455712341234">Gold Card <input type="radio" name="acctNo" value="455712341235">Platinum Card String acctNo = getParameter('acctNo'); String sql = "SELECT acctBal FROM accounts WHERE acctNo = '?'"; 6 HTML
  • 7. The OWASP Foundation http://www.owasp.org Right Approach <input type="radio" name="acctIndex" value="1" />Gold Credit Card <input type="radio" name="acctIndex" value="2" />Platinum Credit Card String acctNo = acct.getCardNumber(getParameter('acctIndex')) String sql = "SELECT acctBal FROM accounts WHERE acct_id = '?' AND acctNo ='?'"; 7 HTML
  • 8. The OWASP Foundation http://www.owasp.org • Display of passwords in form, Autocomplete • Don’t populate password in form <input name="password" type="password" value="<%=pass%>" /> 8 HTML
  • 9. The OWASP Foundation http://www.owasp.org • Ajax Hijacking • Cross Site Scripting: DOM, Poor validation • Dynamic code evaluation: Code, Script Injection, Unsafe XMLHTTPRequest – eval • Open Redirect • Path Manipulation – dot dot slash attack • Obfuscate Client Side JavaScript. Remember the jQuery.min, jQuery.dev versions 9 JavaScript
  • 10. The OWASP Foundation http://www.owasp.org • jQuery Unsafe usage var txtAlertMsg = "Hello World: "; var txtUserInput = "test<script>alert(1)</script>"; $("#message").html( txtAlertMsg +"" + txtUserInput + ""); Safe usage (use text, not html) $("#userInput").text( "test<script>alert(1)</script>"); <-- treat user input as text 10 JavaScript
  • 11. The OWASP Foundation http://www.owasp.org • Use of =, != for null comparison • Ignoring exception – try & catch • Persistent Cross Site Scripting • Use parameterized statements, validate input before string concatenation in dynamic SQL’s in stored procedures • Avoid xp_cmdshell • Never store passwords in plaintext 11 SQL
  • 12. The OWASP Foundation http://www.owasp.org • Use stored procedures to abstract data access and allow for the removal of permissions to the base tables in the database 12 SQL
  • 13. The OWASP Foundation http://www.owasp.org • The Java libraries (java.lang, java.util etc, often referred to as the Java API) are themselves written in Java, although methods marked as native. The Sun JVM is written in C, JVM running on your machine is a platform-dependent executable and hence could have been originally written in any language. The Oracle JVM (HotSpot) is written in the C++ programming language. Java Compiler provided By Oracle is written in JAVA itself. Many Java vulnerabilities are really C vulnerabilities that occur in an implementation of Java. 13 About Java
  • 14. The OWASP Foundation http://www.owasp.org • Secure data types – char[], GuardedString • Zip Bombs private static final int LINE_LIMIT = 1000000; int totalLinesRead = 0; while ((s = reader.readLine()) != null) { doSomethingWithLine(s); totalLinesRead++; if (totalLinesRead > LINE_LIMIT) { throw new Exception("File being read is too big."); } } 14 Java
  • 15. The OWASP Foundation http://www.owasp.org • Do not ignore values returned by methods. private void deleteFile() { File tempFile = new File(tempFileName); if (tempFile.exists()) { if (!tempFile.delete()) { // handle failure to delete the file } } } 15 Java
  • 16. The OWASP Foundation http://www.owasp.org • Release resources in all cases. The try-with- resource syntax introduced in Java SE 7 automatically handles the release of many resource types. try (final InputStream in = Files.newInputStream(path)) { handler.handle(new BufferedInputStream(in)); } 16 Java - DOS
  • 17. The OWASP Foundation http://www.owasp.org • Billion laughs attack - XML entity expansion causes an XML document to grow dramatically during parsing. DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSI NG, true); DocumentBuilder parser = dbf.newDocumentBuilder(); parser.parse(xmlfile); 17 Java
  • 18. The OWASP Foundation http://www.owasp.org • Add security wrapper around native method calls – use JNI defensively • Make public static fields final • java.lang.SecurityManager – policy • In Struts deny direct jsp access explicitly • Use SecureRandom for PRNG, 128 bit length SecureRandom random = new SecureRandom(); byte bytes[] = new byte[20]; random.nextBytes(bytes); 18 Java
  • 19. The OWASP Foundation http://www.owasp.org • JSP Source code disclosure • Non-Final classes let an attacker extend a class in a malicious manner • Packages are by default open, not sealed, which means a rogue class can be added to your package • Check uploaded file header than just extension alone https://www.owasp.org/images/0/08/OWASP_S CP_Quick_Reference_Guide_v2.pdf 19 Java
  • 20. The OWASP Foundation http://www.owasp.org • Override the clone method to make classes unclonable unless required. Cloning allows an attacker to instantiate a class without running any of the class constructors. 20 Java Cloning
  • 21. The OWASP Foundation http://www.owasp.org • Define the following method in each of your classes: public final Object clone() throws java.lang.CloneNotSupportedException { throw new java.lang.CloneNotSupportedException(); } 21 Java Cloning
  • 22. The OWASP Foundation http://www.owasp.org • If a clone is required, one can make one’s clone method immune to overriding by using the final keyword: public final Object clone() throws java.lang.CloneNotSupportedException { return super.clone(); } 22 Java Cloning
  • 23. The OWASP Foundation http://www.owasp.org • Unfavour serialization of objects containing sensitive information – transient fields private final void writeObject(ObjectOutputStream out) throws java.io.IOException { throw new java.io.IOException("Object cannot be serialized"); } 23 Java Serialization
  • 24. The OWASP Foundation http://www.owasp.org • Prevent deserialization of objects containing sensitive information private final void readObject(ObjectInputStream in) throws java.io.IOException { throw new java.io.IOException("Class cannot be deserialized"); } 24 Java Deserialization
  • 25. The OWASP Foundation http://www.owasp.org • deny access by default isAdmin = false; try { codeWhichMayFail(); isAdmin = isUserInRole(“Administrator”); } catch (Exception ex) { log.write(ex.toString()); } 25 Java
  • 27. The OWASP Foundation http://www.owasp.org • Response splitting allows an attacker to take control of the response body by adding extra CRLFs into headers String author = request.getParameter(AUTHOR_PARAM); ... Cookie cookie = new Cookie("author", author); cookie.setMaxAge(cookieExpiration); response.addCookie(cookie); 27 Response Splitting
  • 28. The OWASP Foundation http://www.owasp.org If an attacker submits a malicious string, such as “Rajesh PrnHTTP/1.1 200 OKrn...", then the HTTP response would be split into two responses of the following form: HTTP/1.1 200 OK ... Set-Cookie: author=Rajesh P HTTP/1.1 200 OK ... Clearly, the second response is completely controlled by the attacker and can be constructed with any header and body content desired. Response Splitting
  • 29. The OWASP Foundation http://www.owasp.org Attacker Proxy Web Server 302 302 200 (Gotcha!) 1st attacker request (response splitter) 1st attacker request (response splitter) request /account?id=victim 200 (Gotcha!) 200 (Victim’s account data) Victim request /index.html request /index.html 200 (Victim’s account data) Response Splitting
  • 30. The OWASP Foundation http://www.owasp.org • How to Identify new vulnerability disclosures in Java? – NVD, CVE • Always remove older versions of Java on devices while updating to the new secure version 30 Miscellaneous
  • 31. The OWASP Foundation http://www.owasp.org The OWASP Enterprise Security API Custom Enterprise Web Application Enterprise Security API Authenticator User AccessController AccessReferenceMap Validator Encoder HTTPUtilities Encryptor EncryptedProperties Randomizer ExceptionHandling Logger IntrusionDetector SecurityConfiguration Existing Enterprise Security Services/Libraries 31
  • 32. The OWASP Foundation http://www.owasp.org Validate: getValidDate() getValidCreditCard() getValidInput() getValidNumber() … Validating Untrusted Input / Output BackendController Business Functions User Data Layer Presentation Layer Validate: getValidDate() getValidCreditCard() getValidSafeHTML() getValidInput() getValidNumber() getValidFileName() getValidRedirect() safeReadLine() … Validation Engine Validation Engine
  • 33. The OWASP Foundation http://www.owasp.org OWASP Top Ten Coverage 33 OWASP Top Ten A1. Cross Site Scripting (XSS) A2. Injection Flaws A3. Malicious File Execution A4. Insecure Direct Object Reference A5. Cross Site Request Forgery (CSRF) A6. Leakage and Improper Error Handling A7. Broken Authentication and Sessions A8. Insecure Cryptographic Storage A9. Insecure Communications A10. Failure to Restrict URL Access OWASP ESAPI Validator, Encoder Encoder HTTPUtilities (upload) AccessReferenceMap User (csrftoken) EnterpriseSecurityException, HTTPUtils Authenticator, User, HTTPUtils Encryptor HTTPUtilities (secure cookie, channel) AccessController
  • 34. The OWASP Foundation http://www.owasp.org • Disgruntled staff • Unintentional program execution • Identify Training need, Certification • Urgent and Frequent patches • Selection of Third Party Libraries • “Drive by” attacks, such as side effects or direct consequences of a virus, worm or Trojan attack 34 Why Static Code Analysis
  • 35. The OWASP Foundation http://www.owasp.org • Categories of Vulnerability Sources • URL, Parameter Tampering • Header Manipulation • Cookie Poisoning • Categories of Vulnerability Sinks • SQL, XPath, XML, LDAP Injection • Cross-site Scripting • HTTP Response Splitting • Command Injection • Path Traversal 35 LAPSE+ Static Code Analysis
  • 37. The OWASP Foundation http://www.owasp.org Thank you! Until next time, stay secure! rajesh.nair@owasp.or g https://www.facebook.com/OWASPKerala https://www.twitter.com/owasp_kerala