Resources for understanding how Java code fails?

Ranch Hand
Posts: 68
Greetings all. I'm on a bit of a mission to understand software security better, in a Java environment. My particular focus right now is to try to find--and understand--real examples of how code fails in practice. I've read extensive stuff about "don't do this" on a bunch of topics, and I've looked at a number of resources (e.g. Metasploit) that would potentially show me how to *perform* an attack (with the goal of penetration testing one's own software, one hopes!), but what I'd really like to see now is examples of how real code has actually failed. E.g., how did the Struts code permit remote code execution? I'm hoping some of you might be able to point me at such resources, either individual case studies or perhaps whole data sets, that describe some of these.

I will add that I already found the OWASP WebGoat and am trying to get into that. But I am hoping for specific, described examples of real failures "in the wild", ideally (for impact's sake) associated with known dramatic breaches (Equifax, anyone?!).

Thanks
Toby
 
Marshal
Posts: 14031
The most common one I've seen is when naive programmers create dynamic queries using string concatenation instead of using parameterized queries. This, of course, opens you up to SQL injection attacks.

The next most common is again related to naively using string concatenation: HTML injection attacks. If you haven't already, see this: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html and this https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Basic_XSS_Test_Without_Filter_Evasion

Sorry I can't give you anything more exotic, but there's a good reason these two are perpetual top-ranked vulnerabilities: they're the kind of traps that naive programmers can easily fall into, and apparently there are many naive programmers.
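As an added illustration of the string-concatenation trap described above (example code written for this page, not from the original thread or from any project): the dynamic query is shown beside its parameterized replacement. The `users` table, its `name` and `email` columns, and a JDBC `Connection` supplied by the caller are assumptions of the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class UserLookup {

    // VULNERABLE: the caller-supplied name is spliced into the SQL text, so a
    // quote character in the input changes the structure of the statement.
    static String buildConcatenatedQuery(String name) {
        return "SELECT id, email FROM users WHERE name = '" + name + "'";
    }

    static List<String> findEmailsUnsafe(Connection conn, String name) throws SQLException {
        List<String> emails = new ArrayList<>();
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildConcatenatedQuery(name))) {
            while (rs.next()) {
                emails.add(rs.getString("email"));
            }
        }
        return emails;
    }

    // SAFE: the SQL text is fixed at compile time and the value travels to the
    // database as a bound parameter, so it is never parsed as SQL no matter
    // which characters it contains.
    static List<String> findEmailsSafe(Connection conn, String name) throws SQLException {
        List<String> emails = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT id, email FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    emails.add(rs.getString("email"));
                }
            }
        }
        return emails;
    }

    public static void main(String[] args) {
        // Constructed input: a perfectly legitimate name that contains an apostrophe.
        // In the concatenated version the apostrophe closes the string literal early,
        // so everything after it is parsed as SQL; that is the opening an injection
        // attack exploits, and the parameterized version simply does not have it.
        System.out.println(buildConcatenatedQuery("O'Brien"));
    }
}
```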
 
Toby Eggitt
Ranch Hand
Posts: 68
Thanks for this, Junilu. Yes, I mostly am aware of what one shouldn't do (thanks to OWASP) and the advised fixes. I'm really looking for real examples. I find that the canned "see how this breaks" examples always look so obvious that one feels only a fool would make such a mistake, and seeing a mistake that one knows was actually made, rather than an illustration, would be far more convincing.

But anyway, thanks again, and FWIW, I worked through the entire OWASP WebGoat project, which involves some lessons, followed by some "go ahead, try to break this deliberately" vulnerable code. I will say that while still not "real code", it was a fun and valuable exercise that I can recommend to anyone who has 24-40 hours for tinkering! YMMV of course; perhaps some will break it completely in less than that, but I suspect three days of fairly dedicated time is probably about right for version 25, where many of the hints are missing, misleading, or otherwise leave you to do some "real" hacking (i.e. being imaginative and trying several alternative approaches while looking for clues).