Java Coding Guidelines Examples vulnerabilities

matias Yaryura
Greenhorn

Joined: Sep 15, 2008
Posts: 20
Hi, I'm interested to know if the book has examples of vulnerabilities about Web security in coding guidelines.

Thanks in advance!

Matias.
David Svoboda
Author
Greenhorn

Joined: Oct 21, 2013
Posts: 13

Hello, Matias.

The book was focusing on 'pure' Java, so programming for the web was not a priority. However, we do have many guidelines that are targeted to web programmers. Some examples:

2. Do not store unencrypted sensitive information at client-side
5. Prevent arbitrary file upload
13. Store passwords using a hash function

[Java Coding Guidelines] and [The CERT Oracle Secure Coding Standard for Java] are from the [CERT Secure Coding Initiative]
matias Yaryura
Greenhorn

Joined: Sep 15, 2008
Posts: 20
Thanks David for your quick response,

I'm interested in all security aspects in Java, especially Web Applications.

Best regards.
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1035

David Svoboda wrote:
5. Prevent arbitrary file upload

Assuming that there is an 'upload' facility then, in essence, how does one stop this? Presumably the recommendation relates to files that, if executed, could damage the server or another client who then downloads the file. Unless one looks in detail at the content of the file before the upload starts, then how does one know the file has potentially hazardous content? And if one can install a process on the client to check the content, then an attacker just has to replace the checker with one of his own. I would expect any checking to be done on the server (a virus checker maybe?) and that uploaded files would be ring-fenced on the server in a manner that neuters them as far as damaging the server is concerned.

Am I missing something? I suppose I will have to buy the book to find out.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41087
I'm guessing that means not to accept at the server side random unchecked files, rather than somehow preventing them from being uploaded. So before the server-side code does anything with an uploaded file, it would perform some checks on it, possibly including running it through a virus checker.

Do not store unencrypted sensitive information at client-side

I would go even further than that: "Do not store unencrypted sensitive information". Obviously, what "sensitive" means depends a lot on the data in question, but it's already common to store passwords or credit card information in cryptographically secure ways even on the server (and indeed negligent not to do so). Depending on the context it might be wise to extend that to more data items than those in particular.


Ping & DNS - my free Android networking tools app
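As an added illustration of the server-side reading of "prevent arbitrary file upload" discussed above (this is example code, not from the book or the CERT standard): the server ignores the client's filename, uses the declared Content-Type only to pick which file signature the bytes must match, bounds the size, and stores the file under a server-chosen name in a quarantine directory. The 5 MiB limit, the allowlist of three types and the `quarantineDir` argument (assumed to lie outside the web root) are assumptions of the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.Arrays;
import java.util.Map;
import java.util.UUID;

/** Added example: checks an uploaded file before any other server code touches it. */
public final class UploadGate {
    // Allowlisted declared types and the magic bytes a genuine file of that type starts with.
    private static final Map<String, byte[]> MAGIC = Map.of(
        "image/png",       new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "image/jpeg",      new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "application/pdf", new byte[] {'%', 'P', 'D', 'F', '-'});
    private static final int MAX_BYTES = 5 * 1024 * 1024; // hypothetical 5 MiB limit

    /**
     * The client-supplied filename is never used; declaredType only selects the signature
     * the content must match. quarantineDir is assumed to be outside the web root, so the
     * stored file cannot be requested or executed by the container before further checks
     * (e.g. a virus scanner) run on it.
     */
    public static Path accept(InputStream body, String declaredType, Path quarantineDir)
            throws IOException {
        byte[] expected = MAGIC.get(declaredType);
        if (expected == null) {
            throw new IOException("content type not allowed: " + declaredType);
        }
        byte[] data = body.readNBytes(MAX_BYTES + 1);      // bounded read (Java 11+)
        if (data.length > MAX_BYTES) {
            throw new IOException("upload exceeds " + MAX_BYTES + " bytes");
        }
        if (data.length < expected.length
                || !Arrays.equals(Arrays.copyOf(data, expected.length), expected)) {
            throw new IOException("content does not match declared type " + declaredType);
        }
        // Server-chosen name with a neutral extension; CREATE_NEW refuses to overwrite.
        Path target = quarantineDir.resolve(UUID.randomUUID() + ".bin");
        Files.write(target, data, StandardOpenOption.CREATE_NEW);
        return target;
    }
}
```

In a servlet you would pass the part's input stream and content type from the multipart request, and only hand the returned path to the scanner or the application once `accept` has returned normally.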