JavaEE has some excellent built-in security mechanisms, but they don’t come close to covering all the threats that your applications will face.  Many common attacks like Cross-Site Scripting (XSS), SQL Injection, Cross-Site Request Forgery (CSRF), and XML eXternal Entities (XXE) aren’t covered at all.  You can prevent your web applications and web services from being vulnerable to these attacks, but it’s going to take some work and testing.  Fortunately, the Open Web Application Security Project (OWASP) has issued the “Ten Most Critical Web Application Security Risks” report.

Let’s take a look at how these important risks apply to JavaEE web applications and web services:

1. Injection - Injection happens any time a developer takes untrusted information, such as request.getParameter(), request.getCookies(), or request.getHeader(), and uses it in a command interface.  For example, SQL injection happens if you concatenate untrusted data into a regular SQL query, like "SELECT * FROM users WHERE username='" + request.getParameter("user") + "' AND password='" + request.getParameter("pass") + "'".  Developers should use PreparedStatement to keep attackers from changing the meaning of queries and taking over database hosts.  There are many other types of injection, such as Command Injection, LDAP Injection, and Expression Language (EL) Injection, and all of them are devastatingly dangerous, so be careful when sending data to these interpreters.
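The concatenated query from the paragraph beside its PreparedStatement form, as an added example (not the article's code); the users table, its columns and the JDBC Connection are assumed:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/** Two ways to look up a user; only one of them is safe against SQL injection. */
public class UserLookup {

    /**
     * VULNERABLE: the untrusted values become part of the SQL text. A username such as
     *   admin' --
     * closes the quoted literal and comments out the password check entirely.
     */
    static boolean loginUnsafe(Connection con, String user, String pass) throws SQLException {
        String sql = "SELECT * FROM users WHERE username='" + user
                   + "' AND password='" + pass + "'";
        try (Statement st = con.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    /**
     * SAFE: the SQL text is fixed at compile time; the driver sends the values separately,
     * so whatever characters they contain they can only ever be compared as data.
     */
    static boolean loginSafe(Connection con, String user, String pass) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE username = ? AND password = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, pass); // item 6 below: store and compare password hashes, not passwords
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```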

2. Broken Authentication and Session Management – JavaEE has support for authentication and session management, but there are many ways to go wrong here. You’ll have to make sure that all authenticated traffic goes over SSL, no exceptions.  If you ever expose a JSESSIONID it can be used to hijack a user’s session without their knowledge.  You should rotate the JSESSIONID when the user authenticates to prevent Session Fixation attacks.  And you should avoid the use of response.encodeURL() which adds the user’s JSESSIONID to the URL where it can be more easily disclosed or stolen.
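Session hardening for the points above (cookie-only JSESSIONID so encodeURL() has nothing to append, Secure and HttpOnly flags, id rotation at login), as an added example rather than code from the article; it assumes a Servlet 3.1 container and a hypothetical userId attribute:

```java
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Session hardening for a Servlet 3.1 (Java EE 7) container. */
@WebListener
public class SessionHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Carry JSESSIONID only in a cookie, never rewritten into URLs: with URL tracking
        // disabled, response.encodeURL() returns the URL unchanged.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setSecure(true);   // never sent over plain HTTP
        cookie.setHttpOnly(true); // not readable by script, so an XSS bug cannot simply read it
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    /**
     * Call this only after the credentials have been verified. Rotating the id at login
     * makes a JSESSIONID the attacker planted before authentication (session fixation)
     * worthless the moment the victim logs in. The session attributes are kept.
     * On a Servlet 3.0 container use request.getSession().invalidate() followed by
     * request.getSession(true) instead, copying over any attributes you need.
     */
    public static HttpSession bindAuthenticatedUser(HttpServletRequest request, String userId) {
        request.changeSessionId();
        HttpSession session = request.getSession();
        session.setAttribute("userId", userId); // hypothetical attribute name
        return session;
    }
}
```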

3. Cross-Site Scripting (XSS) - XSS occurs when JavaEE developers take untrusted information from the HTTP request and put it in the HTTP response without proper contextual output encoding.  The attacker can use this behavior to inject their scripts into a website where they can hijack sessions and steal data.  To prevent these attacks, developers need to perform context-sensitive output encoding.  If you’re putting data into HTML, use &#xx; format. Be sure to quote your HTML attributes, as unquoted attributes can be terminated with many different characters.  If you’re putting untrusted data into Javascript, URLs, or CSS, use the appropriate escaping technique for each.  And be very careful when dealing with nested contexts, such as a URL in Javascript in an HTML attribute. You'll want an encoding library like OWASP ESAPI to help.
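Context-sensitive encoding of one untrusted value in the three contexts the paragraph names, including the nested URL-in-JavaScript-in-attribute case; this is an added example using the OWASP Java Encoder (org.owasp.encoder.Encode), not code from the article or from ESAPI:

```java
import org.owasp.encoder.Encode; // Maven artifact org.owasp.encoder:encoder

/** Renders a search page fragment; every use of the untrusted value q is encoded for its context. */
public class SearchPageRenderer {

    static String render(String q) {
        StringBuilder html = new StringBuilder();

        // 1. HTML body text: characters such as < > & " ' become entities (&lt;, &#39;, ...).
        html.append("<h2>Results for ").append(Encode.forHtml(q)).append("</h2>\n");

        // 2. HTML attribute: encode for the attribute context AND quote the attribute, so a
        //    space, quote or other terminator in q cannot end the value and start a new attribute.
        html.append("<input type=\"text\" name=\"q\" value=\"")
            .append(Encode.forHtmlAttribute(q)).append("\">\n");

        // 3. Nested contexts. The browser decodes from the outside in:
        //    HTML attribute -> JavaScript string literal -> URL query component,
        //    so encode from the inside out: URI component, then JavaScript, then attribute.
        String inJs = Encode.forJavaScript(Encode.forUriComponent(q));
        html.append("<a href=\"#\" onclick=\"location='/search?q=")
            .append(Encode.forHtmlAttribute(inJs))
            .append("'; return false;\">search again</a>\n");

        return html.toString();
    }

    public static void main(String[] args) {
        // Constructed test value: would break out of every one of the contexts above if left raw.
        System.out.println(render("\"><script>alert(1)</script>"));
    }
}
```

Run it and compare the three encodings of the same value in the output; the same characters come out differently in each context, which is why a single "escape HTML" pass is not enough.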

4. Insecure Direct Object References – Anytime your application exposes an internal identifier, such as a database key, a filename, or hashmap index, attackers may attempt to manipulate those identifiers to access unauthorized data.  For example, if you pass untrusted data from the HTTP request to the Java File constructor, the attacker may use "../" or null byte attacks to trick your validation. You should consider using indirect references to your data, to prevent this type of attack. The ESAPI library has support for ReferenceMaps that facilitate this indirection.
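A minimal per-session indirect reference map, plus a canonical-path check for the File constructor case, as an added example that is not the article's code and not ESAPI's ReferenceMap implementation:

```java
import java.io.File;
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Per-session indirect references: the browser only ever sees random tokens, and a token
 * resolves only to objects this user was actually shown. Store one instance per HttpSession.
 */
public class IndirectReferenceMap {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, String> tokenToId = new HashMap<>();
    private final Map<String, String> idToToken = new HashMap<>();

    /** Token to put in the page for a direct id such as a database key or file name. */
    public synchronized String indirect(String directId) {
        String token = idToToken.get(directId);
        if (token == null) {
            byte[] b = new byte[16];
            RNG.nextBytes(b);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(b);
            idToToken.put(directId, token);
            tokenToId.put(token, directId);
        }
        return token;
    }

    /** Resolves a token from the request; null means this user was never given it. */
    public synchronized String direct(String token) {
        return token == null ? null : tokenToId.get(token);
    }

    /**
     * Defence in depth for file names: resolve under baseDir and require that the canonical
     * path is still inside it, so "../" sequences and symlinks pointing outside are rejected.
     */
    public static File safeFile(File baseDir, String name) throws IOException {
        File base = baseDir.getCanonicalFile();
        File f = new File(base, name).getCanonicalFile();
        if (!f.toPath().startsWith(base.toPath())) {
            throw new IOException("path escapes " + base);
        }
        return f;
    }
}
```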

5. Security Misconfiguration – There are a lot of security settings in modern JavaEE applications and frameworks like Struts and Spring. Be sure you have reviewed them and set things up the way you want.  For example, beware the <http-method> tag in a <security-constraint>.  This indicates that the security-constraint only applies to the listed methods, allowing attackers to use other HTTP methods, like HEAD and PUT, to bypass the entire security constraint.  Most likely you should delete <http-method> tags from your web.xml.
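The same misconfiguration and its fix in the Servlet 3.0 annotation form, which behaves exactly like the web.xml constraint described above; this is an added example, not the article's code, and the two servlets would normally live in separate files:

```java
import java.io.IOException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * MISCONFIGURED. Listing methods is the annotation equivalent of <http-method> in web.xml:
 * only GET and POST require the admin role. Every other method falls under the implicit
 * default @HttpConstraint(), which permits everyone. HttpServlet.doHead() delegates to
 * doGet(), so an unauthenticated HEAD still runs the report code, and PUT/DELETE reach
 * the servlet as well.
 */
@WebServlet("/admin/report-weak")
@ServletSecurity(httpMethodConstraints = {
        @HttpMethodConstraint(value = "GET", rolesAllowed = "admin"),
        @HttpMethodConstraint(value = "POST", rolesAllowed = "admin") })
public class WeakAdminReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.getWriter().println("report generated for " + req.getRemoteUser());
    }
}

/**
 * CORRECT. With no method list, the single constraint covers every HTTP method, known or
 * unknown, so nothing is left uncovered. CONFIDENTIAL additionally forces SSL, which item 2
 * above asks for on all authenticated traffic.
 */
@WebServlet("/admin/report")
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin",
        transportGuarantee = TransportGuarantee.CONFIDENTIAL))
public class AdminReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.getWriter().println("report generated for " + req.getRemoteUser());
    }
}
```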

6. Sensitive Data Exposure – Java has extensive cryptographic libraries, but they are not easy to use correctly. You should find a library that builds on top of JCE to provide easily and safely usable cryptographic methods. Some examples are Jasypt and ESAPI.  You should be using strong algorithms like AES for encryption and SHA256 for hashes.  Be careful with password hashes as they can be reversed using a Rainbow Table, so use adaptive algorithms like bcrypt or PBKDF2.

7. Missing Function Level Access Control – JavaEE supports both declarative and programmatic access control, but many applications still choose to create their own scheme. Frameworks like Spring also have annotation-based access control primitives. The most important thing is to be sure that every exposed endpoint has the appropriate access control check, including web services.  Don’t assume that your client can control anything, as attackers will access your endpoints directly.

8. Cross Site Request Forgery (CSRF) - Every state-changing endpoint needs to verify that requests are not forged. Developers should put a random token in each user’s session and then verify it when requests arrive. Otherwise, attackers can create "attack" pages by including malicious IMG, SCRIPT, FRAME, or FORM tags that link to the unprotected application. When the victim views such a page, their browser will generate a "forged" HTTP request to whatever URL is specified in the tag, and will automatically include the victim’s credentials.
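A synchronizer-token filter implementing the scheme just described (random token in the session, checked on every state-changing request), as an added example rather than the article's code; the csrfToken attribute and field name are assumptions, and every form the application renders must carry the token in a hidden field:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

/** Synchronizer-token CSRF protection: one random token per session, verified on every state change. */
@WebFilter("/*")
public class CsrfFilter implements Filter {
    public static final String TOKEN = "csrfToken"; // assumed session attribute and hidden-field name
    private static final SecureRandom RNG = new SecureRandom();

    /** Token for this session, created on first use; JSPs put it in a hidden field of every form. */
    public static synchronized String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute(TOKEN);
        if (token == null) {
            byte[] b = new byte[32];
            RNG.nextBytes(b);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(b);
            session.setAttribute(TOKEN, token);
        }
        return token;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String method = request.getMethod();
        // GET/HEAD/OPTIONS must not change state, so only the other methods need a token. A forged
        // request from an IMG, SCRIPT, FRAME or FORM tag carries the session cookie but not the token.
        if (!"GET".equals(method) && !"HEAD".equals(method) && !"OPTIONS".equals(method)) {
            HttpSession session = request.getSession(false);
            String sent = request.getParameter(TOKEN);
            if (session == null || sent == null || !MessageDigest.isEqual( // constant-time compare
                    tokenFor(session).getBytes(StandardCharsets.UTF_8), sent.getBytes(StandardCharsets.UTF_8))) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```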

9. Using Components with Known Vulnerabilities – Modern JavaEE applications have hundreds of libraries. Dependency resolution tools like Maven have caused this number to explode in the past five years.  Many widely used Java libraries have known vulnerabilities that can allow a web application using them to be completely subverted.  The solution is to stay on top of your libraries and keep them up to date. Don't just run a single scan, as new vulnerabilities are released every day.

10. Unvalidated Redirects and Forwards — Anytime your application uses untrusted data, such as a request.getParameter() or request.getCookies() value, in a call to response.sendRedirect(), the attacker may be able to force a victim’s browser to an untrusted website designed to install malware.  A similar problem exists with forwards, except that the attacker may be able to forward himself to unauthorized functionality, such as administrative pages.  Be sure to carefully validate redirect and forward targets.
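One way to validate a redirect target taken from the request before it reaches sendRedirect(), as an added example that is not the article's code; the "next" parameter, the /home fallback and the allowed host are constructed assumptions:

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Validates a redirect target taken from the request before it reaches sendRedirect(). */
public final class SafeRedirect {
    private static final String DEFAULT = "/home";
    // Constructed allowlist for the rare case where an absolute URL to another host is legitimate.
    private static final Set<String> ALLOWED_HOSTS = Collections.singleton("www.example.com");

    /** Returns the target if it stays on this application or an allowed host, else the default page. */
    public static String sanitize(String target) {
        if (target == null || target.isEmpty()) return DEFAULT;
        URI uri;
        try {
            uri = new URI(target); // rejects backslashes and control characters a browser might "fix up"
        } catch (URISyntaxException e) {
            return DEFAULT;
        }
        if (uri.getScheme() == null && uri.getAuthority() == null) {
            // A relative reference such as "/account?tab=1". Require exactly one leading slash:
            // browsers resolve "//evil.example" and "///evil.example" as a different host.
            return target.startsWith("/") && !target.startsWith("//") ? target : DEFAULT;
        }
        // Absolute URL (or a scheme such as javascript:): only https to an allowed host passes.
        boolean ok = "https".equals(uri.getScheme()) && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
        return ok ? target : DEFAULT;
    }

    /** Typical use after login: the "next" parameter is untrusted input from the request. */
    public static void redirectToNext(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.sendRedirect(sanitize(request.getParameter("next")));
    }
}
```

Forwards need the same treatment: resolve the untrusted value against a fixed list of permitted internal paths rather than passing it to getRequestDispatcher() directly.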

You should stay on top of these problems continuously. New attacks and vulnerabilities are identified all the time. Ideally, you'll integrate security checks into your existing build, test, and deployment process.

To check your applications for these problems, try the FREE Contrast for Eclipse plugin. It’s not a simple static analysis tool.  Instead, C4E takes advantage of the Java Instrumentation API to monitor everything in your application related to security.  C4E even does full data flow analysis in real time, so it can trace data from the request through a complex application.  For example, imagine that your code takes a parameter value, base64 decodes it, stores it in a map, puts the map in a data bean, stores the bean in a session attribute, fetches the bean value in a JSP and inserts it into the webpage using EL. Contrast for Eclipse will trace that data and report the XSS vulnerability, even if you are using complex frameworks and libraries.  No other tool comes close in terms of speed, accuracy, and ease of use.

You can find Contrast for Eclipse in the Eclipse Marketplace.  Then just go to the Servers tab and “Start with Contrast” — we’ll do the rest.

reference from:

http://eclipse.dzone.com/articles/10-most-important-security
