The 10 Most Important Security Controls Missing in JavaEE--reference
JavaEE has some excellent built-in security mechanisms, but they don’t come close to covering all the threats that your applications will face. Many common attacks like Cross-Site Scripting (XSS), SQL Injection, Cross-Site Request Forgery (CSRF), and XML eXternal Entities (XXE) aren’t covered at all. You can prevent your web applications and web services from being vulnerable to these attacks, but it’s going to take some work and testing. Fortunately, the Open Web Application Security Project (OWASP) has issued the “Ten Most Critical Web Application Security Risks” report.
Let’s take a look at how these important risks apply to JavaEE web applications and web services:
1. Injection - Injection happens any time a developers takes untrusted information, such as request.getParameter(), request.getCookie(), or request.getHeader(), and uses it in a command interface. For example, SQL injection happens if you concatenate untrusted data into a regular SQL query, like “SELECT * FROM users WHERE username=‘“ + request.getParameter(“user”) + “‘ AND password=‘“ + request.getParameter(“pass”) = “‘“; Developers should use PreparedStatement to keep attackers from changing the meaning of queries and taking over database hosts. There are many other types of injection such as Command Injection, LDAP Injection, and Expression Language (EL) Injection, and all of them are devastatingly dangerous, so be careful when sending data to these interpreters.
2. Broken Authentication and Session Management – JavaEE has support for authentication and session management, but there are many ways to go wrong here. You’ll have to make sure that all authenticated traffic goes over SSL, no exceptions. If you ever expose a JSESSIONID it can be used to hijack a user’s session without their knowledge. You should rotate the JSESSIONID when the user authenticates to prevent Session Fixation attacks. And you should avoid the use of response.encodeURL() which adds the user’s JSESSIONID to the URL where it can be more easily disclosed or stolen.
3. Cross-Site Scripting (XSS) - XSS occurs when JavaEE developers take untrusted information from the HTTP request and put it in the HTTP response without proper contextual output encoding. The attacker can use this behavior to inject their scripts into a website where they can hijack sessions and steal data. To prevent these attacks, developers need to perform context-sensitive output encoding. If you’re putting data into HTML, use &#xx; format. Be sure to quote your HTML attributes, as unquoted attributes can be terminated with many different characters. If you’re putting untrusted data into Javascript, URLs, or CSS, use the appropriate escaping technique for each. And be very careful when dealing with nested contexts, such as a URL in Javascript in an HTML attribute. You'll want an encoding library like OWASP ESAPI to help.
4. Insecure Direct Object References – Anytime your application exposes an internal identifier, such as a database key, a filename, or hashmap index, attackers may attempt to manipulate those identifiers to access unauthorized data. For example, if you pass untrusted data from the HTTP request to the Java File constructor, the attacker may use "../" or null byte attacks to trick your validation. You should consider using indirect references to your data, to prevent this type of attack. The ESAPI library has support for ReferenceMaps that facilitate this indirection.
5. Security Misconfiguration – There are a lot of security settings in modern JavaEE applications and frameworks like Struts and Spring. Be sure you have reviewed them and set things up the way you want. For example, beware the <http-method> tag in a <security-constraint>. This indicates that the security-constraint only applies to the listed methods, allowing attackers to use other HTTP methods, like HEAD and PUT, to bypass the entire security constraint. Most likely you should delete <http-method> tags from your web.xml.
6. Sensitive Data Exposure – Java has extensive cryptographic libraries, but they are not easy to use correctly. You should find a library that builds on top of JCE to provide easily and safely usable cryptographic methods. Some examples are Jasypt and ESAPI. You should be using strong algorithms like AES for encryption and SHA256 for hashes. Be careful with password hashes as they can be reversed using a Rainbow Table, so use adaptive algorithms like bcrypt or PBKDF2.
7. Missing Function Level Access Control – JavaEE supports both declarative and programmatic access control, but many applications still choose to create their own scheme. Frameworks like Spring also have annotation-based access control primitives. The most important thing is to be sure that every exposed endpoint has the appropriate access control check, including web services. Don’t assume that your client can control anything, as attackers will access your endpoints directly.
8. Cross Site Request Forgery (CSRF) - Every state-changing endpoint needs to verify that requests are not forged. Developers should put a random token in each user’s session and then verify it when requests arrive. Otherwise, attackers can create "attack" pages by including malicious IMG, SCRIPT, FRAME, or FORM tags that link to the unprotected application. When the victim views such a page, their browser will generate a "forged" HTTP request to whatever URL is specified in the tag, and will automatically include the victim’s credentials.
9. Using Components with Known Vulnerabilities – Modern JavaEE applications have hundreds of libraries. Dependency resolution tools like Maven have caused this number to explode in the past five years. Many widely used Java libraries haveknown vulnerabilities that can allow a web application using them to be completely subverted. The solution is to stay on top of your libraries and keep them up to date. Don't just run a single scan, as new vulnerabilities are released every day.
10. Unvalidated Redirects and Forwards — Anytime your application uses untrusted data, such as a request.getParameter() or request.getCookie(), in a call to response.sendRedirect(), the attacker may be able to force a victim’s browser to an untrusted website designed to install malware. A similar problem exists with forwards, except that the attacker may be able to forward himself to unauthorized functionality, such as administrative pages. Be sure to carefully validate redirect and forward targets.
You should stay on top of these problems continuously. New attacks and vulnerabilities are identified all the time. Ideally, you'll integrate security checks into your existing build, test, and deployment process.
To check your applications for these problems, try the FREE Contrast for Eclipse plugin. It’s not a simple static analysis tool. Instead, C4E takes advantage of the Java Instrumentation API to monitor everything in your application related to security. C4E even does full data flow analysis in realtime, so it can trace data from the request through a complex application. For example, imagine that your code takes a parameter value, base64 decode it, store it in a map, put the map in a data bean, store the bean in a session attribute, fetch the bean value in a JSP and insert it into the webpage using EL. Contrast for Eclipse will trace that data and report the XSS vulnerability. Even if you are using complex frameworks and libraries. No other tool comes close in terms of speed, accuracy, and ease of use.
You can find Contrast for Eclipse in the Eclipse Marketplace. Then just go to the Servers tab and “Start with Contrast” — we’ll do the rest.
reference from:
http://eclipse.dzone.com/articles/10-most-important-security
The 10 Most Important Security Controls Missing in JavaEE--reference的更多相关文章
- APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4,Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra
APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update2019-002 High Sierra, Security Update 2019 ...
- Asp.net - The type or namespace name 'App_Code' does not exist in the namespace 'xxx' (are you missing an assembly reference?)
我在 项目 下面创建一个 App_Code的文件夹,然后在其下创建自定义的类,但是当我在该项目下别的地方使用时报错: The type or namespace name 'App_Code' doe ...
- unity3d MonoDevelop引用外部自定义dll文件报错:are you missing an assembly reference?
在unity3d 编辑器 MonoDevelop 中引用外部自定义dll文件报错:are you missing an assembly reference? 因为unity还停留在.NET Fram ...
- The type or namespace name 'Html' does not exist in the namespace 'System.Web.Mvc' (are you missing an assembly reference?)
The type or namespace name 'Html' does not exist in the namespace 'System.Web.Mvc' (are you missing ...
- The 10 Most Important Linux Commands/10个最经常使用的命令行
1. ls 命令:to show all of the major directiories filed under a given file system. for example: ls /app ...
- The type or namespace name 'Script' does not exist in the namespace 'System.Web' (are you missing an assembly reference?)
应该说是 .net4 的bug,没有所谓的 System.Web.Extensions.dll 库文件,需要将项目的 Target Framework修改为 3.5版本,才能加载System.Web. ...
- A Study of WebRTC Security
转自:http://webrtc-security.github.io/ A Study of WebRTC Security Abstract Web Real-Time Communication ...
- The Ultimate List of Open Source Static Code Analysis Security Tools
https://www.checkmarx.com/2014/11/13/the-ultimate-list-of-open-source-static-code-analysis-security- ...
- SQL Server: Top 10 Secrets of a SQL Server Expert
转载自:http://technet.microsoft.com/en-us/magazine/gg299551.aspx Many companies have downsized their IT ...
随机推荐
- bzoj1324
经典例题 在<最小割模型在信息学竞赛中的应用>有详细的解答就不赘述了 主要想说,其实这题的几个结论其实是很好猜出来的: 当摸不清题目本质的时候,不妨多找几种情况,猜测一下 顺便推广一下几个 ...
- C#的同步和异步调用方法
同步和异步大家都明白什么意思,在这里不多介绍了. namespace ConsoleTest { class Program { static void Main(string[] args) { C ...
- LoadLibraryEx及发回hmodule的一些细节
LoadLibraryEx可以配合 DONT_RESOLVE_DLL_REFERENCES LOAD_LIBRARY_AS_DATAFILE LOAD_LIBRARY_AS_DATAFILE_EXCL ...
- 【C++】计算所有小于N的勾股数组合,可以写入txt文件保存,每组占一行。
#ifndef PYTHAGOREAN_H_ #define PYTHAGOREAN_H_ #include <iostream> class Pythagorean { public: ...
- js中test,exec和match方法
test test 返回 Boolean,查找对应的字符串中是否存在模式. var str = "1a1b1c";var reg = new RegExp("1.&quo ...
- SPOJ3267 D-query 离线+树状数组 在线主席树
分析:这个题,离线的话就是水题,如果强制在线,其实和离线一个思路,然后硬上主席树就行了 离线的代码 #include <iostream> #include <stdio.h> ...
- imdisk命令行使用及配置
imdisk是一个开源的虚拟磁盘软件,集虚拟光驱,文件虚拟光驱,映射物理磁盘,映射物理内存等功能 如果使用devio--Device I/O Service,可以映射网络磁盘等. 通用于windows ...
- 【转】RDO、SAD、SATD、λ
SAD(Sum of Absolute Difference)=SAE(Sum of Absolute Error)即绝对误差和 SATD(Sum of Absolute Transformed Di ...
- LittleTools之输出RenderTexture工具
using UnityEngine; using System.Collections; using System.IO; /// <summary> /// Save render te ...
- SSAS使用MDX生成脱机的多维数据集CUB文件
在运用多维数据进行分析的时候,通常很有可能我们需要把这些多维数据脱机进行处理或演示,这其中就要用到cub文件 http://www.cnblogs.com/yunhuasheng/archive/20 ...