
Java Coding Guidelines Examples vulnerabilities

matias Yaryura

Joined: Sep 15, 2008
Posts: 22
Hi, I'm interested to know if the book has examples of vulnerabilities about Web security on coding guidelines.

Thanks in advance!

David Svoboda

Joined: Oct 21, 2013
Posts: 13

Hello, Matias.

The book was focusing on 'pure' Java, so programming for the web was not a priority. However, we do have many guidelines that are targeted to web programmers. Some examples:

2. Do not store unencrypted sensitive information at client-side
5. Prevent arbitrary file upload
13. Store passwords using a hash function

[Java Coding Guidelines] and [The CERT Oracle Secure Coding Standard for Java] are from the [CERT Secure Coding Initiative]
matias Yaryura

Joined: Sep 15, 2008
Posts: 22
Thanks David for your quick response,

I'm interested in all security aspects in Java, especially Web Applications.

Best regards.
Richard Tookey

Joined: Aug 27, 2012
Posts: 1166

David Svoboda wrote:
5. Prevent arbitrary file upload

Assuming that there is an 'upload' facility then, in essence, how does one stop this? Presumably the recommendation relates to files that if executed could damage the server or another client who then downloads the file. Unless one looks in detail at the content of the file before the upload starts then how does one know the file has potentially hazardous content? And if one can install a process on the client to check the content then an attacker just has to replace the checker with one of his own. I would expect any checking to be done on the server (a virus checker maybe?) and that uploaded files would be ring fenced on the server in a manner that neuters them as far as damaging the server is concerned.

Am I missing something? I suppose I will have to buy the book to find out.
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
I'm guessing that means not to accept at the server side random unchecked files, rather than somehow preventing them from being uploaded. So before the server-side code does anything with an uploaded file, it would perform some checks on it, possibly including running it through a virus checker.

Do not store unencrypted sensitive information at client-side

I would go even further than that: "Do not store unencrypted sensitive information". Obviously, what "sensitive" means depends a lot on the data in question, but it's already common to store passwords or credit card information in cryptographically secure ways even on the server (and indeed negligent not to do so). Depending on the context it might be wise to extend that to more data items than those in particular.
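
The server-side checks on uploaded files discussed in the posts above, as an added example that is not from the book or from any poster in this thread. The class name `UploadGate`, the method `accept`, the size cap and the allow-listed types are assumptions chosen for illustration; it needs Java 11 or later.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;

public class UploadGate {
    static final int MAX_BYTES = 5 * 1024 * 1024; // assumed size cap
    // Allow-list: extension -> leading "magic" bytes the content must start with.
    static final Map<String, byte[]> ALLOWED = Map.of(
        "png", new byte[] {(byte) 0x89, 'P', 'N', 'G'},
        "pdf", "%PDF-".getBytes(StandardCharsets.US_ASCII));

    /** Validates an upload on the server and stores it in a quarantine directory. */
    static Path accept(String clientName, InputStream in, Path quarantineDir) throws IOException {
        byte[] data = in.readNBytes(MAX_BYTES + 1); // never buffer more than the cap
        if (data.length > MAX_BYTES) throw new IOException("upload too large");

        int dot = clientName.lastIndexOf('.');
        String ext = dot < 0 ? "" : clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] magic = ALLOWED.get(ext);
        if (magic == null) throw new IOException("file type not allowed");

        // Content must match the claimed type; the name alone is client-controlled.
        if (data.length < magic.length
                || !Arrays.equals(magic, Arrays.copyOf(data, magic.length)))
            throw new IOException("content does not match extension");

        // Server-chosen name: the client's file name never reaches the file system.
        Path target = quarantineDir.resolve(UUID.randomUUID() + "." + ext);
        Files.write(target, data, StandardOpenOption.CREATE_NEW);
        // A virus scan of 'target' would run at this point, before the file is released.
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("quarantine"); // stand-in for a non-served directory
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A}; // constructed sample
        System.out.println("stored: " + accept("../../photo.PNG", new ByteArrayInputStream(png), dir));
        try {
            byte[] text = "plain text".getBytes(StandardCharsets.US_ASCII); // constructed sample
            accept("report.pdf", new ByteArrayInputStream(text), dir);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A magic-byte check only confirms the file starts like the claimed type; keeping the quarantine directory outside anything the web server serves or executes is what limits the damage if a hostile file gets through.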