References and More Information:

• Top 10 most critical web application security vulnerabilities
• Open Web Application Security Project (OWASP)
• OWASP Enterprise Security API
• The Top 10 starting with XSS
  
• Top 10 web security vulnerabilities number 2
  
• OWASP Top 10 number 3
• Bean Validation - The Java EE 6 Tutorial, Volume I
• JSF 2.0 validation
  
• XSSed

Examples

• file is accepted from the user without validating content
  
• filename is accepted from the user

// get the absolute file path on the server's filesystem 
String dir = servlet.getServletContext().getRealPath("/ebanking")
// get input file name
String file = request.getParameter(“file”); 
//  Create a new File instance from pathname string   
File f = new File((dir + "\\" + file).replaceAll("\\\\", "/")); 

• files loaded from another server and executed within the context of the web server
• modifying paths to gain access to directories on the web server
• malicious scripts put into a directory with inadequate access controls
  

Protecting against Malicious File Execution

• the Java EE Security Manager should be properly configured to not allow access to files outside the web root.
• do not allow user input to influence the path name for server resources
  • Inspect code containing a file open, include, create, delete...
• firewall rules should prevent new outbound connections to external web sites or internally back to any other server. Or isolate the web server in a private subnet
• Upload files to a destination outside of the web application directory.
  • Enable virus scan on the destination directory.
    

Java specific Protecting against Malicious File Exection

Use the OWASP ESAPI  HTTPUtilities interface:

• The ESAPI HTTPUtilities interface is a collection of methods that provide additional security related to HTTP requests, responses, sessions, cookies, headers, and logging.
  
  The HTTPUtilities getSafeFileUploads method uses the Apache Commons FileUploader to parse the multipart HTTP request and extract any files therein
  

  public class HTTPUtilities public void getSafeFileUploads(java.io.File tempDir, java.io.File finalDir) throws ValidationException

  
  

• Top 10 most critical web application security vulnerabilities
• Open Web Application Security Project (OWASP)
• OWASP TOP 10 FOR JAVA EE
  
• OWASP Enterprise Security API
• OWASP ESAPI  Overview Presentation
  

OWASP Top 10 number 2: Injection Flaws

SQL Injection Example

 "select * from MYTABLE where name=" + parameter

"select * from MYTABLE where name= 'name' OR 'a'='a'; 

"select * from MYTABLE; 

"select * from MYTABLE where name= 'name' OR 'a'='a'; delete from MYTABLE;

"select * from MYTABLE; delete from MYTABLE;

• create , read , update, or delete database data
  

Protecting against SQL Injection

• Don't concatenate user input data to a query or command!
  • Use Query Parameter binding with typed parameters, this ensures the input data can only be interpreted as the value for the intended parameter so the attacker can not change the intent of a query.
• Validate all input data to the application using white list (what is allowed) for type, format, length, range, reject if invalid. (see previous blog entry)
• don't provide too much information in error messages (like SQL Exception Information, table names..) to the user.
  
  

Java specific Protecting against SQL Injection

Don't concatenate user input data to a query or command:

• Don't do this with JDBC:

  String empId= req.getParameter("empId") // input parameter String query = "SELECT * FROM Employee WHERE id = '" + empId +"'";

• Don't do this with JPA:

  q = entityManager.createQuery(“select e from Employee e WHERE ” + “e.id = '” + empId + “'”);

Use Query Parameter binding with typed parameters

• With JDBC you should use a PreparedStatement and set values by calling one of the setXXX methods on the PreparedStatement object, For example:

  String selectStatement = "SELECT * FROM Employee WHERE id = ? "; PreparedStatement pStmt = con.prepareStatement(selectStatement); pStmt.setString(1, empId);

  This sets the first question mark placeholder to the value of the input parameter empId in the SQL command. Any dangerous characters - such as semicolons, quotes, etc.. should be automatically escaped by the JDBC driver.
  
  
• With JPA or Hibernate you should use Named Parameters. Named parameters are parameters in a query that are prefixed with a colon (:). Named parameters in a query are bound to an argument by the javax.persistence.Query.setParameter(String name, Object value) method. For example:

  q = entityManager.createQuery(“select e from Employee e WHERE ”              + “e.id = ':id'”); q.setParameter(“id”, empId);

  This sets the id to the empId in the SQL command, again any dangerous characters should be automatically escaped by the JDBC driver.
  
  
• With JPA 2.0 or Hibernate you can use the Criteria API. The JPA 2.0 criteria API providies a typesafe object-based Query API based on a metamodel of the Entity classes, rather than a string-based Query API. This allows you to develop queries that a Java compiler can verify for correctness at compile time. Below is an example using the Criteria API for the same query as before :

  QueryBuilder qb = em.getQueryBuilder(); CriteriaQuery<Employee> q = qb.createQuery(Employee.class); Root<Employee> e = q.from(Employee.class); ParameterExpression<String> id = cb.parameter(String.class); TypedQuery<Employee> query = em.createQuery( q.select(e).where(cb.equal(e.get(Employee_.id), id) ); query.setParameter(id, empId);

• Top 10 most critical web application security vulnerabilities
• Open Web Application Security Project (OWASP)
• SQL Injection
• SQL Injection cheat sheet
• Dynamic, typesafe queries in JPA 2.0
• JPA 2.0 spec
  
• OWASP Enterprise Security API