
Secure Java Coding Practices

A quick snapshot of threats, vulnerabilities, attacks and defences.


This blog focuses on secure Java coding standards for the following vulnerabilities.
  1. Unvalidated Inputs
  2. Cross-Site Scripting (XSS)
  3. SQL Injection flaws
  4. Improper Error Handling

Unvalidated Inputs

An attacker can change any value submitted to the web server: visible form fields, hidden fields, cookies, headers and URL parameters. Client-side checks run in the attacker's browser and are not a control.
Re-validate every input on the server, preferably against an allowlist of what the field is permitted to contain (type, length, character set, range).
Take only the information the application actually needs from a form submission and ignore any extra parameters the client sends.
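The server-side validation described above, as an added example that is not code from the original post. The field names, regular expressions and limits are assumptions chosen for illustration; the parameter map has the same shape as HttpServletRequest.getParameterMap(), so the validator can be called directly from a servlet.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example: allowlist re-validation of a registration form on the server.
// Field names, patterns and limits are assumptions, not from the original post.
public class RegistrationInputValidator {

    // Allowlists: each pattern describes exactly what the field may contain.
    // Matcher.matches() requires the whole string to match, so no ^/$ anchors are needed.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_]{3,32}");
    private static final Pattern EMAIL =
        Pattern.compile("[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\\.[A-Za-z]{2,}");
    private static final Pattern AGE = Pattern.compile("[0-9]{1,3}");

    public static final class ValidationException extends Exception {
        public ValidationException(String message) { super(message); }
    }

    public static final class Registration {
        public final String username;
        public final String email;
        public final int age;
        Registration(String username, String email, int age) {
            this.username = username; this.email = email; this.age = age;
        }
    }

    // Reads only the three fields the form needs. Anything else the client adds
    // (for example an "isAdmin" parameter) is never looked at.
    public static Registration validate(Map<String, String[]> params) throws ValidationException {
        String username = single(params, "username", USERNAME);
        String email = single(params, "email", EMAIL);
        int age = Integer.parseInt(single(params, "age", AGE)); // safe: pattern allows digits only
        if (age < 13 || age > 120) {
            throw new ValidationException("age out of range");
        }
        return new Registration(username, email, age);
    }

    // Reject missing, repeated or malformed parameters instead of trying to repair them.
    private static String single(Map<String, String[]> params, String name, Pattern allowed)
            throws ValidationException {
        String[] values = params.get(name);
        if (values == null || values.length != 1) {
            throw new ValidationException(name + " is missing or repeated");
        }
        if (!allowed.matcher(values[0]).matches()) {
            throw new ValidationException(name + " is not in the expected format");
        }
        return values[0];
    }

    public static void main(String[] args) throws ValidationException {
        // Constructed request: what the browser (or an attacker) posted.
        Map<String, String[]> form = new LinkedHashMap<>();
        form.put("username", new String[]{"alice_01"});
        form.put("email", new String[]{"alice@example.com"});
        form.put("age", new String[]{"34"});
        form.put("isAdmin", new String[]{"true"}); // attacker-added field, ignored
        Registration r = validate(form);
        System.out.println(r.username + " " + r.email + " " + r.age);

        form.put("username", new String[]{"alice<script>"});
        try {
            validate(form);
        } catch (ValidationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting with an exception, rather than stripping bad characters, avoids the class of bugs where a "cleaned" value still ends up different from what the user intended and from what a later check saw.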

Cross-Site Scripting (XSS)

Attacker
Injects script or HTML into input data that the application later writes into a page viewed by other users.
Disguises the payload with Unicode or alternative encodings (for example fullwidth characters or HTML entities) so that naive filters do not recognise it.

Countermeasures
Encode untrusted data for the context in which it is rendered (HTML body, attribute, JavaScript, URL). This is the primary defence; input validation alone does not stop XSS because valid data can still be dangerous when rendered.
Input validation against an allowlist, after canonicalising the input to a normal form.
Input length check.
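Output encoding and Unicode canonicalisation, as an added example that is not code from the original post. The renderUnsafe and renderSafe methods and the display-name rules are assumptions for illustration; the htmlEncode method is a minimal encoder for the HTML text and attribute contexts only.

```java
import java.text.Normalizer;

// Added example: HTML-encode untrusted data where it is written into a page, and
// canonicalise Unicode before validating it. Not from the original post.
public class XssDefense {

    // VULNERABLE: untrusted input is concatenated straight into HTML.
    public static String renderUnsafe(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    // Encodes the characters that have meaning in an HTML text or attribute context.
    // Other contexts (JavaScript strings, URLs, CSS) need their own encoders.
    public static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // SAFE: the same template, with the untrusted value encoded at the point of output.
    public static String renderSafe(String name) {
        return "<p>Hello, " + htmlEncode(name) + "</p>";
    }

    // Canonicalise before validating. NFKC maps the fullwidth '＜' (U+FF1C) to '<',
    // so a "no angle brackets" check run on the raw string would be bypassed.
    public static boolean validateDisplayName(String raw, int maxLength) {
        String canonical = Normalizer.normalize(raw, Normalizer.Form.NFKC);
        if (canonical.length() > maxLength) {
            return false;
        }
        return canonical.matches("[\\p{L}\\p{N} .'-]+");
    }

    public static void main(String[] args) {
        String attack = "<script>alert(1)</script>";         // constructed payload
        System.out.println(renderUnsafe(attack));            // script tag reaches the browser
        System.out.println(renderSafe(attack));              // <p>Hello, &lt;script&gt;...

        String fullwidth = "\uFF1Cscript\uFF1E";             // constructed: ＜script＞
        System.out.println(fullwidth.contains("<"));         // false: a naive filter lets it through
        System.out.println(validateDisplayName(fullwidth, 40)); // false: rejected after NFKC
        System.out.println(validateDisplayName("Alice O'Brien", 40)); // true
    }
}
```

In production code use a maintained library such as the OWASP Java Encoder (Encode.forHtml, Encode.forJavaScript, Encode.forUriComponent) rather than a hand-written switch, and pick the encoder that matches the exact place in the page where the value lands.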

SQL Injection

Attacker
Can execute operating-system commands where the database exposes them through stored procedures or extensions.
Can inject additional SQL statements or clauses into the query the application builds.
Can override access checks by changing the logic of a WHERE clause.

Examples
Add more statements: "; SELECT * FROM users;"
Override access: "' OR 1=1;"

Countermeasures
Use prepared statements (parameterised queries) so that the SQL text is fixed and user data is bound as values.
Run the application's database account with the least privilege it needs; it should not own the schema or be able to call administrative procedures.
Filter and validate the input as defence in depth, never as the only control.
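The vulnerable concatenated query beside its parameterised form, as an added example that is not code from the original post. The users table, the JDBC URL and the app_reader account are assumptions; any JDBC driver on the classpath will do, and main prints the built query before attempting a connection.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Optional;

// Added example: string-built SQL versus a PreparedStatement. Table, URL and the
// app_reader account are assumptions, not from the original post.
public class UserDao {

    // VULNERABLE: the user-controlled value becomes part of the SQL text.
    //   username = "' OR 1=1;--"       -> WHERE username = '' OR 1=1;--'   (matches every row)
    //   username = "'; DELETE FROM users;--" -> a second statement, if the driver allows stacking
    public static String buildUnsafeQuery(String username) {
        return "SELECT id FROM users WHERE username = '" + username + "'";
    }

    public static Optional<Long> findUserIdUnsafe(Connection c, String username) throws SQLException {
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(buildUnsafeQuery(username))) {
            return rs.next() ? Optional.of(rs.getLong("id")) : Optional.empty();
        }
    }

    // SAFE: the SQL text is a constant; the value is bound as a parameter and can
    // never change the statement's structure, so "' OR 1=1;--" is just an unknown username.
    private static final String FIND_USER_SQL = "SELECT id FROM users WHERE username = ?";

    public static Optional<Long> findUserId(Connection c, String username) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement(FIND_USER_SQL)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.of(rs.getLong("id")) : Optional.empty();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        String payload = "' OR 1=1;--"; // constructed attacker input
        System.out.println(buildUnsafeQuery(payload));
        // Prints: SELECT id FROM users WHERE username = '' OR 1=1;--'

        // Least privilege: the connection uses an account that can only read the tables
        // this application needs (assumed account name and URL).
        try (Connection c = DriverManager.getConnection(
                "jdbc:postgresql://localhost:5432/app", "app_reader", System.getenv("DB_PASS"))) {
            System.out.println(findUserId(c, payload).isPresent()); // false with the safe query
        }
    }
}
```

The parameter binding is what makes the safe version safe; wrapping the same concatenated string in prepareStatement without any "?" placeholders gives no protection at all, which is a common mistake.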


Improper Error Handling

Attacker
Gets system information: framework and server versions, class and method names, file paths.
Gets database information: table and column names, driver and server versions, fragments of the failing query.

Examples
Stack traces (including thread and class names) returned in the HTTP response
Raw database error messages passed through to the client

Countermeasures
Sanitise the error message: return a generic message and a correlation id, and log the full detail on the server.
Never send stack traces or exception messages to the end user.
Configure custom error pages for HTTP errors (404, 500 and so on) and for unhandled exceptions, so the container's default page is never shown.
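Separating what the client sees from what the server logs, as an added example that is not code from the original post. The ClientError type, the status mapping and the constructed SQLException are assumptions for illustration; the same toClientError method can be called from a servlet error page, a Filter, or a Spring @ControllerAdvice handler.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.sql.SQLException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example: map an internal exception to a generic client response plus a
// correlation id, while the full detail goes to the server log. Not from the original post.
public class ErrorHandling {

    private static final Logger LOG = Logger.getLogger(ErrorHandling.class.getName());

    public static final class ClientError {
        public final int status;
        public final String message;
        public final String incidentId;
        ClientError(int status, String message, String incidentId) {
            this.status = status; this.message = message; this.incidentId = incidentId;
        }
        // message is always one of the fixed strings below, so no JSON escaping is needed here.
        public String toJson() {
            return "{\"status\":" + status + ",\"message\":\"" + message
                 + "\",\"incidentId\":\"" + incidentId + "\"}";
        }
    }

    // VULNERABLE: what an unhandled exception in a default error page amounts to.
    public static String toClientErrorUnsafe(Throwable e) {
        StringWriter sw = new StringWriter();
        e.printStackTrace(new PrintWriter(sw));
        return sw.toString(); // class names, method names, line numbers, and e.getMessage()
    }

    // SAFE: never forward e.getMessage() or the trace. An SQLException carries table names,
    // SQLSTATE codes and server versions; a NullPointerException carries class and method names.
    public static ClientError toClientError(Throwable e) {
        String incidentId = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "incident " + incidentId, e); // full detail stays server-side
        if (e instanceof IllegalArgumentException) {
            return new ClientError(400, "The request was not valid.", incidentId);
        }
        return new ClientError(500, "An internal error occurred.", incidentId);
    }

    public static void main(String[] args) {
        // Constructed failure: the kind of message a database driver really produces.
        Throwable dbFailure = new SQLException("relation \"users\" does not exist", "42P01");
        System.out.println(toClientErrorUnsafe(dbFailure)); // leaks the table name, the SQLSTATE and the call stack
        System.out.println(toClientError(dbFailure).toJson()); // generic message plus an id to search the log for
    }
}
```

The incident id lets support staff find the logged stack trace without the client ever seeing it. In a servlet container, pair this with web.xml error-page entries (error-code 404, 500 and exception-type java.lang.Throwable) pointing at a static page, so that a failure the handler did not catch still does not fall through to the container's default error page.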


