Servlet Security

 
Jessica Doe
Ranch Hand
Posts: 32
One of my systems keeps getting hacked. Is there a Java package to test the security of a servlet/JSP-based Web site?
[ March 08, 2006: Message edited by: Jessica Doe ]
 
Adeel Ansari
Ranch Hand
Posts: 2874
Are you placing private information in hidden variables?
Are you URL-rewriting private information?
Are you putting private information in cookies?

Moreover, using SSL might solve your problem.
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
Your request is a bit too broad, but you may find OWASP useful.
 
Jessica Doe
Ranch Hand
Posts: 32
Too broad? I am looking for a Java package--so it is customizable--to identify security holes. It might exercise the running app. It might inspect source. I don't know what is available.
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
Are you placing private information in hidden variables?
Not just hidden variables. Anything sent to the client must be treated as untrusted or open for misuse. Never pass the user's name or ID to them and allow them to pass it back; changing this value may allow them to assume other users' identities.
 
Adeel Ansari
Ranch Hand
Posts: 2874
Originally posted by David O'Meara:
Not just hidden variables. Anything sent to the client must be treated as untrusted or open for misuse. Never pass the user's name or ID to them and allow them to pass it back; changing this value may allow them to assume other users' identities.

Cent percent agreement. Therefore, I have asked some more questions like that. But those are all specific and might not be enough to cover.
 
Adeel Ansari
Ranch Hand
Posts: 2874
As an example I prefer to use a label instead of a readonly text field.
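The point made in the two posts above (anything echoed back by the browser, whether a hidden field, a readonly text field or a URL parameter, is attacker-controlled) is easiest to see in code. The servlet below is an added example written for this thread, not code posted by any participant: it shows the unsafe helper that takes the account owner from a form field next to the hardened helper that takes it from server-side session state, and renders the identity as plain text rather than an editable control. It assumes the javax.servlet API from any Servlet 2.x or later container; the session attribute name "userId", the form field name "userId" and the ProfileServlet class are hypothetical names chosen for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example for the thread; assumes javax.servlet on the classpath.
// "userId" (session attribute and form field) is a hypothetical name.
public class ProfileServlet extends HttpServlet {

    /** UNSAFE: trusts a hidden or readonly field that the client can edit. */
    static String ownerFromHiddenField(HttpServletRequest request) {
        // The browser decides what "userId" contains, so this lets the client
        // choose which account the request acts on.
        return request.getParameter("userId");
    }

    /** HARDENED: identity comes only from server-side session state. */
    static String ownerFromSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null; // not logged in
        }
        Object id = session.getAttribute("userId"); // set at login, never from a form
        return id == null ? null : id.toString();
    }

    /** Render the identity as text (a label), not as an input control. */
    static String renderOwner(String userId) {
        // Escaped so user-controlled text is not reflected into the HTML.
        return "<span id=\"owner\">" + escape(userId) + "</span>";
    }

    static String escape(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '&': out.append("&amp;"); break;
                case '"': out.append("&quot;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Ignore any "userId" the browser sent back; use the session only.
        String owner = ownerFromSession(request);
        if (owner == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String submitted = request.getParameter("userId");
        if (submitted != null && !submitted.equals(owner)) {
            // A mismatch means the client changed the field: worth logging.
            log("userId mismatch: session=" + owner + " form=" + submitted);
        }
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<p>Editing profile for " + renderOwner(owner) + "</p>");
    }
}
```

The mismatch log line is the cheap detection that falls out of this design: once the server stops trusting the field, a submitted value that differs from the session's value can only come from a client that edited the page, which is exactly the activity the original poster wants to see.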
 
David O'Meara
Rancher
Posts: 13459
Android Eclipse IDE Ubuntu
I meant broad in the sense that without specific information there are too many things that could be going wrong. As a comparison, it would be like someone saying "this program won't work", without being able to investigate it, we can offer broad suggestions but no specific help.

With regards to automated tools, I am not aware of any. My impression is that breaching security requires too much intelligence to be able to be automated. It requires investigation of how the system works, what data may or may not be important, and not least of all a way of detecting when it has broken the system.

If you can trace the hacks to a specific IP or range, I'd be tempted to throw some sort of exception when they visit to give them the impression the site was broken, e.g. throw new ArrayIndexOutOfBoundsException("1>0");
 
Jessica Doe
Ranch Hand
Posts: 32
Thanks for all the tips, Guys!
 
Jessica Doe
Ranch Hand
Posts: 32
Originally posted by Adeel Ansari:
If I have seen further, it is because I have stood on the shoulders of giants. -- Isaac Newton

Most people assume that in saying this, Newton was being modest: modesty is not a characteristic of Newton. Instead, he was--apparently--jibing at his chief rival Robert Hooke--who was slight and had a severe stoop.
 
Jessica Doe
Ranch Hand
Posts: 32
Originally posted by David O'Meara:
...If you can trace the hacks to a specific IP or range, I'd be tempted to throw some sort of exception when they visit to give them the impression the site was broken, e.g. throw new ArrayIndexOutOfBoundsException("1>0");

The IP is 213.154.80.11 which appears to be originating from Senegal?
 