Win a copy of The Java Performance Companion this week in the Performance forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Java Coding Guidelines Examples vulnerabilities

 
matias Yaryura
Greenhorn
Posts: 22
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi, i'm interesting to know if the book have examples of vulnerabilities about Web security on coding guidelines.

Thank in advance!

Matias.
 
David Svoboda
Author
Greenhorn
Posts: 13
5
Debian Java Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hello, Matias.

The book was focusing on 'pure' Java, so programming for the web was not a priority. However, we do have many guidelines that are targeted to web programmers. Some examples:

2. Do not store unencrypted sensitive information at client-side
5. Prevent arbitrary file upload
13. Store passwords using a hash function
 
matias Yaryura
Greenhorn
Posts: 22
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks David for you quickly response,

I'm interesting in all security aspect in Java specially Web Application.

Best regards.
 
Richard Tookey
Bartender
Posts: 1166
17
Java Linux Netbeans IDE
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
David Svoboda wrote:
5. Prevent arbitrary file upload


Assuming that there is an 'upload' facility then, in essence, how does one stop this? Presumably the recommendation relates to files that if executed could damage the server or another client who then downloads the file. Unless one looks in detail at the content of the file before the upload starts then how does one know the file has potentially hazardous content? And if one can install a process on the client to check the content then an attacker just has to replace the checker with one of his own. I would expect any checking to be done on the server (a virus checker maybe?) and that uploaded files would be ring fences on the server in a manner that neuters them as far as damaging the server is concerned.

Am I missing something? I suppose I will have to buy the book to find out.
 
Ulf Dittmer
Rancher
Posts: 42968
73
  • Likes 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I'm guessing that means not to accept at the server side random unchecked files, rather than somehow preventing them from being uploaded. So before the server-side code does anything with an uploaded file, it would perform some checks on it, possibly including running it through a virus checker.

Do not store unencrypted sensitive information at client-side

I would go even further than that: "Do not store unencrypted sensitive information". Obviously, what is "sensitive" means depends a lot on the data in question, but it's already common to store passwords or credit card information in cryptographically secure ways even on the server (and indeed negligent not to do so). Depending on the context it might be wise to extend that to more data items than those in particular.
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic