This blog highlights different insecure coding practices seen in JAVA EE applications. It includes most of the OWASP Top 10 Vulnerabilities, giving their root causes and mitigation techniques.
1. Authentication

| Insecure Coding Practices | Secure Coding Practices |
| --- | --- |
| Concatenated SQL queries for login validation. | Use parameterized or pre-compiled queries. `String username = request.getParameter("username");` |
| No authentication check in internal pages / actions. | Implement an authentication check on all internal pages by using a session variable. `// On every request, check if the user identity is present in the session.` |
| Not restricting failed login attempts. If the application does not restrict invalid login attempts, a user can brute-force the login and compromise other users' accounts. | Track and restrict failed login attempts: maintain a list of failed login attempts per user; set a threshold of invalid attempts, e.g. 5; temporarily lock out the user once the threshold is exceeded. |
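The three rows above in one servlet, as an added example that is not code from the original post: the login query binds the username as a parameter, the password is compared against a stored hash instead of being placed in the query, and failed attempts are counted per user with a temporary lockout at the checklist's threshold of 5. The `users` table, its `password_hash` column, the `PasswordHasher.verify` helper, the 15-minute lockout window and the `DataSource` lookup are assumptions.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class LoginServlet extends HttpServlet {
    private static final int MAX_ATTEMPTS = 5;                  // threshold from the checklist
    private static final long LOCKOUT_MILLIS = 15 * 60 * 1000L; // assumed lockout window

    // Per-user failure state. Kept in memory here for brevity; a deployment with
    // several nodes would keep it in the database so every node sees the same count.
    private final Map<String, AtomicInteger> failures = new ConcurrentHashMap<>();
    private final Map<String, Long> lockedUntil = new ConcurrentHashMap<>();

    private DataSource ds; // assumed to be injected or looked up via JNDI in init()

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        Long until = lockedUntil.get(username);
        if (until != null && until > System.currentTimeMillis()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Account temporarily locked");
            return;
        }

        if (credentialsValid(username, password)) {
            failures.remove(username);
            lockedUntil.remove(username);
            request.changeSessionId();                 // fresh ID for the post-login session (Servlet 3.1)
            request.getSession().setAttribute("user", username);
            response.sendRedirect(request.getContextPath() + "/home");
        } else {
            int n = failures.computeIfAbsent(username, k -> new AtomicInteger()).incrementAndGet();
            if (n >= MAX_ATTEMPTS) {
                lockedUntil.put(username, System.currentTimeMillis() + LOCKOUT_MILLIS);
                failures.remove(username);
            }
            // Same message for "no such user" and "wrong password", so the response does not reveal valid names.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid credentials");
        }
    }

    // The username is bound as a parameter, never concatenated into the SQL text,
    // and the password is verified against a stored hash rather than included in the query.
    private boolean credentialsValid(String username, String password) throws ServletException {
        String sql = "SELECT password_hash FROM users WHERE username = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false;
                }
                return PasswordHasher.verify(password, rs.getString("password_hash")); // assumed helper (e.g. bcrypt)
            }
        } catch (SQLException e) {
            throw new ServletException("login query failed", e);
        }
    }
}
```

The counter is reset on success and cleared when the lockout is applied, so a user who is locked out starts from zero once the window expires; the `changeSessionId()` call is what separates the pre-login and post-login session tokens that the session management section below asks for.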
2. Authorization

| Insecure Coding Practices | Secure Coding Practices |
| --- | --- |
| No data level access restriction. `String query = "SELECT * FROM accts WHERE account = ?";` | Implement data level access restriction. `PreparedStatement pstmt = connection.prepareStatement(query, … ); ResultSet results = pstmt.executeQuery( );` |
| No role based access restriction. | Implement role based access restriction. `// Get user identity from the session.` `// Fetch the user's role from the database.` `if (!urole.equals("admin")) { return;` |
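Both rows as an added example that is not code from the original post: a filter enforces the authentication and role checks on every protected request, and the data access method binds the session's user alongside the requested account so a tampered account parameter returns no row instead of another user's data. The `accts` columns (`account`, `balance`, `owner`), the `user` and `role` session attributes set at login, and the `/admin` path prefix are assumptions.

```java
import java.io.IOException;
import java.math.BigDecimal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

// Mapped (in web.xml or @WebFilter) to every internal path, e.g. /account/* and /admin/*.
public class AccessFilter implements Filter {
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Authentication: the identity must already be in the session (getSession(false) creates none).
        HttpSession session = request.getSession(false);
        String user = session == null ? null : (String) session.getAttribute("user");
        if (user == null) {
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }

        // Role-based restriction: role was fetched from the database at login and stored in the session.
        String role = (String) session.getAttribute("role");
        if (request.getServletPath().startsWith("/admin") && !"admin".equals(role)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}

// Data-level restriction: the row is returned only if it belongs to the caller.
class AccountDao {
    private final DataSource ds;

    AccountDao(DataSource ds) {
        this.ds = ds;
    }

    Account findOwned(String account, String owner) throws SQLException {
        // "owner" comes from the session, never from the request.
        String query = "SELECT account, balance FROM accts WHERE account = ? AND owner = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement pstmt = c.prepareStatement(query)) {
            pstmt.setString(1, account);
            pstmt.setString(2, owner);
            try (ResultSet rs = pstmt.executeQuery()) {
                return rs.next() ? new Account(rs.getString("account"), rs.getBigDecimal("balance")) : null;
            }
        }
    }
}

class Account {
    final String number;
    final BigDecimal balance;

    Account(String number, BigDecimal balance) {
        this.number = number;
        this.balance = balance;
    }
}
```

A servlet behind the filter would call `dao.findOwned(request.getParameter("account"), (String) session.getAttribute("user"))` and treat a `null` result the same way as a missing account, so the response does not distinguish "does not exist" from "belongs to someone else".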
3. SQL Injection

| Insecure Coding Practices | Secure Coding Practices |
| --- | --- |
| Use of untrusted inputs (such as values fetched from the request, database, session, etc.) without any prior validation to form concatenated SQL queries. `// Concatenated SQL Query` | ALWAYS use precompiled or parameterized SQL queries. |
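An added example that is not code from the original post, showing the concatenated query beside its parameterized form. It goes one step beyond the table: an `ORDER BY` column name cannot be bound as a JDBC parameter, so that part of the query is taken from a fixed allow-list rather than from the request, and `LIKE` wildcards in the search term are escaped because they are data too. The `products` table and its columns are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class ProductSearch {
    // INSECURE: both the search term and the sort column become part of the SQL text,
    // so a crafted "term" can change the statement's structure.
    static String vulnerableQuery(String term, String sortBy) {
        return "SELECT name, price FROM products WHERE name LIKE '%" + term + "%' ORDER BY " + sortBy;
    }

    // Identifiers that may reach the ORDER BY clause, keyed by the request value.
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "name", "name",
            "price", "price");

    // SECURE: the value is bound as a parameter; the identifier is our own constant.
    static List<String> search(Connection c, String term, String sortBy) throws SQLException {
        String column = SORT_COLUMNS.get(sortBy);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        String sql = "SELECT name, price FROM products WHERE name LIKE ? ESCAPE '\\' ORDER BY " + column;
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, "%" + escapeLike(term) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }

    // Escape the LIKE metacharacters so a "%" in the user's term cannot widen the match to every row.
    static String escapeLike(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }
}
```

The allow-list map is the general pattern for any query fragment that is syntax rather than data (table names, column names, sort direction): the request supplies a key, and only the matching constant is ever concatenated.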
4. Input Validation

| Insecure Coding Practices | Secure Coding Practices |
| --- | --- |
| Use of untrusted inputs (such as values fetched from the request, database, session, etc.) without any prior validation to form OS commands, file paths or URLs, or storing them in the database. `// Saved in Database without any prior validation` | Validate all untrusted inputs, mainly request parameters, before processing them. `// Untrusted input` |
5. Redirection Attack

| Insecure Coding Practices | Secure Coding Practices |
| --- | --- |
| Use of untrusted inputs (such as values fetched from the request, database, session, etc.) without any prior validation to form the redirection URL value. | Use relative URLs for redirection. If redirection to external sites is required, restrict it to a set of specific domains. `for(int i = 0; i` `if (url.equals(m_TargetDomains[i])) {` |
6. Cross-Site Scripting

| Insecure Coding Practices | Secure Coding Practices |
| --- | --- |
| Displaying data in the response without any encoding. | Encode the data before displaying it in the response. `// Encode the value to be displayed` `// Display the encoded value of the variable in the form element.` |
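An added example that is not code from the original post: a small encoder for the HTML body and double-quoted attribute contexts, shown beside the unencoded form element it replaces. The encoder is hand-written here to make the rule visible; a real application would use a maintained library such as the OWASP Java Encoder, and in JSP `<c:out>` already escapes by default.

```java
public class HtmlEncode {
    // Encodes for HTML element content and double-quoted attribute values.
    // Every character that can end an attribute, open a tag or start an entity is replaced.
    static String forHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '/':  sb.append("&#47;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // INSECURE: the raw request value is written straight into the attribute.
    static String vulnerableForm(String name) {
        return "<input type=\"text\" name=\"name\" value=\"" + name + "\">";
    }

    // SECURE: the value is encoded for the attribute context before insertion.
    static String safeForm(String name) {
        return "<input type=\"text\" name=\"name\" value=\"" + forHtml(name) + "\">";
    }
}
```

For `name` equal to `"><b>x</b>` the vulnerable form closes the attribute and the tag; the safe form renders `&quot;&gt;&lt;b&gt;x&lt;&#47;b&gt;` inside the attribute, so the browser shows it as text. Other contexts (JavaScript strings, URLs, CSS) need their own encoders; HTML encoding alone is not enough there.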
7. Cross-Site Request Forgery

| Insecure Coding Practices | Secure Coding Practices |
| --- | --- |
| Executing state-changing requests without any token value. | Implement an anti-CSRF token for state-changing requests, making it difficult to forge such requests from other logged-in sessions. `private String generateCSRFToken() throws NoSuchAlgorithmException {` `String token = session.getAttribute("csrfToken");` `" type="hidden" value="" />` `HttpSession session = request.getSession();` `if (storedToken.equals(token)) {` |
8. Session Management

| Insecure Coding Practices | Secure Coding Practices |
| --- | --- |
| Maintaining the same pre-login and post-login session tokens. | Maintain different session tokens for pre-login and post-login sessions. |
| No session invalidation after logout. | Invalidate the session on logout. `// On logout, invalidate the session` |
| No path and httpOnly cookie attributes set in the application. Not implementing the "httpOnly" attribute makes the session ID, stored Not implementing the "path" attribute makes browsers send the session | Implement use of the path and httpOnly cookie attributes. `// Set additional attributes for session` |
| No session timeout set in the application. | Maintain a session timeout. `// Configure` |
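All four rows as an added example that is not code from the original post: a context listener sets the cookie attributes once at startup through the Servlet 3.0 `SessionCookieConfig`, a new session is created after a successful login so the pre-login ID is never carried over, logout invalidates the session and expires the cookie, and the inactivity timeout is set per session. The 15-minute timeout and the `user` attribute name are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Cookie attributes applied to the container's session cookie for the whole application.
@WebListener
public class SessionConfigListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);                   // not readable from script in the page
        cookie.setSecure(true);                     // only sent over TLS
        cookie.setPath(ctx.getContextPath() + "/"); // scoped to this application's path
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {}
}

class SessionHandling {
    static final int TIMEOUT_SECONDS = 15 * 60; // assumed inactivity limit

    // After the credential check succeeds: discard the pre-login session and start a post-login one,
    // so the ID the browser held before authentication no longer identifies the logged-in user.
    static void onLoginSuccess(HttpServletRequest request, String username) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute("user", username);
        session.setMaxInactiveInterval(TIMEOUT_SECONDS);
    }

    // On logout: invalidate server-side state and expire the cookie in the browser as well.
    static void onLogout(HttpServletRequest request, HttpServletResponse response) throws IOException {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0);
        expired.setPath(request.getContextPath() + "/");
        expired.setHttpOnly(true);
        expired.setSecure(true);
        response.addCookie(expired);
        response.sendRedirect(request.getContextPath() + "/login");
    }
}
```

On Servlet 3.1 containers `request.changeSessionId()` rotates the ID while keeping the session's attributes, which is a lighter alternative to invalidate-and-recreate when pre-login state (a shopping basket, for instance) should survive login. The same timeout can be set application-wide in `web.xml` with `<session-config><session-timeout>15</session-timeout></session-config>`, where the value is in minutes.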
The post Secure Coding Checklist – JAVA EE appeared first on SynRadar.