
Secure Java Coding Practices

Quick Snapshot on Threats, Vulnerabilities, Attack and Defense.


This blog focuses on secure Java coding standards for the following vulnerabilities.
  1. Unvalidated inputs
  2. Cross-Site Scripting (XSS)
  3. SQL injection flaws
  4. Improper error handling

Unvalidated Inputs

An attacker can change any value of the input submitted to the web server.
Re-validate all inputs on the server.
Take only the necessary information (user input) from a form submission.

Cross Site Scripting (XSS)

Attacker
  Injects code into the input data
  Hides malicious code using Unicode encoding

Counter measures
  Input validation
  Input length checks

SQL Injection


Attacker
  Can inject system commands
  Can inject additional SQL statements
  Can override access checks

Examples
  Add more commands: "; select * from users;"
  Override an access check: "' OR 1=1;"

Counter measures
  Use prepared statements in SQL
  Run the database connection with limited privileges
  Filter / validate the input


Improper Error Handling

Attacker
  Gets system information
  Gets database information

Examples
  Stack (thread) traces
  Database dumps

Counter measures
  Sanitize error messages
  Avoid sending stack traces to the end user
  Customize error pages (HTTP errors such as 404)
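The SQL injection counter measures and the error-handling advice above, worked into one Java class as an added example (this is not code from the original post). It assumes a users table with a username column and any JDBC Connection obtained elsewhere; the class and method names are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;

public class SecureLookupDemo {
    private static final Logger LOG = Logger.getLogger(SecureLookupDemo.class.getName());

    // Vulnerable form, shown only for contrast: the input is concatenated into the SQL
    // text, so a value like "' OR 1=1;" rewrites the condition instead of being matched.
    static String buildUnsafeQuery(String username) {
        return "SELECT id FROM users WHERE username = '" + username + "'";
    }

    // Layer 1, input validation with a length check: accept only what a username needs.
    static boolean isValidUsername(String username) {
        return username != null && username.length() <= 32 && username.matches("[A-Za-z0-9_.-]+");
    }

    // Layer 2, prepared statement: the value is bound as a parameter, so quotes or extra
    // statements inside it are sent as data and never become part of the SQL.
    static boolean userExists(Connection conn, String username) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE username = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Layer 3, error handling: the exception (driver, table names, stack trace) goes to
    // the server log; the end user only ever sees a generic message.
    static String lookup(Connection conn, String username) {
        if (!isValidUsername(username)) return "Invalid username.";
        try {
            return userExists(conn, username) ? "User found." : "User not found.";
        } catch (SQLException e) {
            LOG.log(Level.SEVERE, "User lookup failed", e);
            return "An internal error occurred. Please try again later.";
        }
    }

    public static void main(String[] args) {
        String hostile = "' OR 1=1;"; // constructed sample input: the override example from the text
        System.out.println(buildUnsafeQuery(hostile)); // the quote closes the literal; OR 1=1 is now SQL
        System.out.println(isValidUsername(hostile));  // false: rejected before any query runs
    }
}
```

Running main needs no database: it only shows how the concatenated query changes and that validation rejects the value; lookup is what a request handler would call once it has a Connection.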


