
Secure Java Coding Practices

Quick Snapshot on Threats, Vulnerabilities, Attack and Defense.


This blog focuses on secure Java coding standards for the following vulnerabilities:
  1. Unvalidated Inputs
  2. Cross-Site Scripting (XSS)
  3. SQL Injection flaws
  4. Improper Error Handling

Unvalidated Inputs

An attacker can change any value in the input submitted to the web server (form fields, hidden fields, cookies, headers); client-side checks prove nothing.
Re-validate all inputs on the server.
Take only the information you actually need (user input) from a form submission and reject anything unexpected.
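The following servlet is an added example written for this post, not code from the original author. It assumes a hypothetical order form with two fields, quantity and email, and the javax.servlet API; the field names, limits and patterns are illustrative choices. It shows the two points above in code: every field is re-validated on the server regardless of what the browser did, and fields the form is not supposed to send are rejected rather than silently accepted.

```java
// Added example: server-side re-validation of a form submission.
// Assumptions: javax.servlet API, a form with fields "quantity" and "email".
import java.io.IOException;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class OrderServlet extends HttpServlet {
    // Only the fields the form is designed to submit; anything else is rejected.
    private static final Set<String> ALLOWED_FIELDS = Set.of("quantity", "email");
    // Simple allow-list pattern for the email field (illustrative, not RFC-complete).
    private static final Pattern EMAIL =
            Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");
    private static final int MAX_EMAIL_LENGTH = 254;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Hidden fields, maxlength attributes and JavaScript checks can all be
        // altered by the client, so nothing from the request is trusted here.
        for (String name : req.getParameterMap().keySet()) {
            if (!ALLOWED_FIELDS.contains(name)) {
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unexpected field");
                return;
            }
        }

        Integer quantity = parseQuantity(req.getParameter("quantity"));
        String email = req.getParameter("email");
        if (quantity == null || !isValidEmail(email)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid input");
            return;
        }

        // ... process the order using the validated values only ...
        resp.setStatus(HttpServletResponse.SC_OK);
    }

    // Parses and range-checks the quantity; returns null when the value must be rejected.
    static Integer parseQuantity(String raw) {
        if (raw == null || raw.length() > 4) {
            return null;                      // length check before parsing
        }
        try {
            int q = Integer.parseInt(raw.trim());
            return (q >= 1 && q <= 100) ? q : null;   // business range: 1..100
        } catch (NumberFormatException e) {
            return null;
        }
    }

    // Length check plus allow-list pattern for the email field.
    static boolean isValidEmail(String email) {
        return email != null
                && email.length() <= MAX_EMAIL_LENGTH
                && EMAIL.matcher(email).matches();
    }
}
```

The length checks run before the regular expressions so that an oversized value is rejected cheaply; validation is allow-list based (what is acceptable) rather than a deny-list of bad characters.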

Cross Site Scripting (XSS)

Attacker
Injects script or HTML markup into the input data, which is later rendered to other users' browsers
Hides malicious code using Unicode encodings so that naive filters do not recognise it

Countermeasures
Input validation (allow-list), applied after canonicalizing the input
Input length check
Encode output for the HTML context in which it is rendered
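The class below is an added example, not code from the original post. It uses only the JDK (java.text.Normalizer) and shows the three defences together: canonicalize the input to Unicode NFKC so that look-alike characters (for example a full-width "<", U+FF1C, which NFKC maps to a plain "<") cannot bypass validation, validate against an allow-list with a length check, and HTML-encode the value on output so that anything unexpected is rendered as text rather than parsed as markup. The display-name rule and the 40-character limit are assumptions made for the example.

```java
// Added example: canonicalize, validate, then encode for HTML output.
import java.text.Normalizer;

public final class XssDefense {
    private XssDefense() {}

    // Assumed business limit for a display name.
    private static final int MAX_NAME_LENGTH = 40;

    // Step 1: canonicalize before validating. NFKC folds compatibility
    // characters (full-width forms, ligatures) into their plain equivalents,
    // so the validator sees what the browser would effectively see.
    public static String canonicalize(String input) {
        return Normalizer.normalize(input, Normalizer.Form.NFKC);
    }

    // Step 2: allow-list validation with a length check.
    // Letters, digits, space, apostrophe and hyphen only.
    public static boolean isValidDisplayName(String input) {
        if (input == null) {
            return false;
        }
        String s = canonicalize(input);
        if (s.isEmpty() || s.length() > MAX_NAME_LENGTH) {
            return false;
        }
        return s.matches("[\\p{L}\\p{N} '-]+");
    }

    // Step 3: encode for the HTML body context. Every character that has
    // meaning to the HTML parser becomes an entity, so the value is shown
    // literally even if validation was skipped somewhere upstream.
    public static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a legitimate name, plain markup, and the
        // same markup written with full-width angle brackets.
        String[] samples = {
            "Alice O'Neil",
            "<b>Alice</b>",
            "\uFF1Cb\uFF1EAlice\uFF1C/b\uFF1E"
        };
        for (String s : samples) {
            System.out.println("valid=" + isValidDisplayName(s)
                    + "  rendered=" + encodeForHtml(canonicalize(s)));
        }
    }
}
```

Only the first sample passes validation; the second and third both fail, and the third fails precisely because canonicalization turned the full-width brackets into ordinary ones before the allow-list was applied. The encoder covers the HTML body context only; attribute values, JavaScript and URL contexts need their own encoding rules, which is why a maintained library such as the OWASP Java Encoder is preferable to hand-written encoding in production code.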

SQL Injection


Attacker
Can inject system commands (where the database exposes them)
Can inject additional SQL statements
Can override access checks

Examples
Add more commands: "; select * from users;"
Override an access check: "' OR 1=1;"

Countermeasures
Use prepared statements (parameterized queries) in SQL
Run the database connection with limited privileges
Filter / validate the input
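The JDBC code below is an added example, not from the original post. It assumes a users table with id and name columns and a java.sql.Connection obtained elsewhere. It places the vulnerable string-concatenation form beside the prepared-statement form so that the difference is visible: in the safe version the SQL text is fixed before any user data is supplied, so the "' OR 1=1;" value from the post is compared as a literal string and can no longer change the query's logic.

```java
// Added example: string-built query (vulnerable) beside a parameterized one (safe).
// Assumptions: a "users" table with "id" and "name" columns; the Connection is
// created by the caller, ideally under a database account that only has SELECT
// on the tables this code needs (limited privileges).
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

public class UserLookup {
    // Defence in depth: the username is also validated against an allow-list
    // before it goes anywhere near the database (assumed rule: 1-32 word chars).
    private static final Pattern USERNAME = Pattern.compile("^\\w{1,32}$");

    // VULNERABLE: the value becomes part of the SQL text. A username such as
    // the post's "' OR 1=1;" closes the quote and alters the WHERE clause.
    static boolean existsUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // SAFE: the query text is constant; the username is bound as a parameter
    // and is sent to the database as data, never parsed as SQL.
    static boolean existsSafe(Connection conn, String username) throws SQLException {
        if (!USERNAME.matcher(username).matches()) {
            throw new IllegalArgumentException("username rejected by validation");
        }
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

Parameter binding protects values only. Table or column names and ORDER BY directions cannot be bound with "?", so if those must vary they have to be chosen from a fixed allow-list in code, never taken from the request. Running the application's connection under a low-privilege database account limits what an injection that slips through can read or change.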


Improper Error Handling

Attacker
Obtains system information (framework versions, file paths, class names)
Obtains database information (table and column names, query text)

Examples
Stack (thread) traces shown in the response
Database dump or raw SQL error text shown in the response

Countermeasures
Sanitize the error message before it leaves the server
Avoid sending stack traces to the end user; log them server-side instead
Customize error pages (HTTP errors such as 404)
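The servlet below is an added example, not code from the original post, and assumes the javax.serv let API plus java.util.logging. It shows the usual pattern for the countermeasures above: the full exception, with its stack trace, is written to the server log under a random reference id, while the client receives only a generic message carrying that id. Support staff can match the id to the log entry, and nothing from the exception text (SQL, file paths, class names) reaches the browser. The loadReport method is a hypothetical data-access call.

```java
// Added example: log the full stack trace server-side, send a sanitized
// message with a correlation id to the user.
// Assumptions: javax.servlet API, java.util.logging; loadReport is hypothetical.
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReportServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(ReportServlet.class.getName());

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try {
            String report = loadReport(req.getParameter("id"));
            resp.setContentType("text/plain;charset=UTF-8");
            resp.getWriter().write(report);
        } catch (Exception e) {
            // The reference id ties this response to the log entry without
            // exposing e.getMessage() or the trace to the client.
            String ref = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "Request failed, ref=" + ref, e);
            resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            resp.setContentType("text/plain;charset=UTF-8");
            resp.getWriter().write(sanitizedMessage(ref));
        }
    }

    // The only text the user ever sees for a server-side failure.
    static String sanitizedMessage(String ref) {
        return "The request could not be completed. Reference: " + ref;
    }

    // Hypothetical data access; anything it throws is handled above.
    private String loadReport(String id) {
        if (id == null) {
            throw new IllegalArgumentException("missing id");
        }
        // ... query the report store and return its text ...
        return "report " + id;
    }
}
```

For errors that never reach application code (a 404 for an unknown URL, or an exception thrown by a filter), the servlet container's error-page mapping in web.xml directs the client to a static custom page instead of the container's default page, which typically includes the server version and, for 500 errors, the stack trace.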


