OWASP - User contributions [en]

EJB Bad Practices: Use of Sockets

2009-01-16T15:03:18Z

Benoit.dechateauvieux: /* Description */

{{Template:Vulnerability}}
{{Template:Fortify}}

__TOC__

[[ASDR Table of Contents]]

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

[[Category:FIXME|This is the text from the old template. This needs to be rewritten using the new template.]]

==Description==

The program violates the Enterprise JavaBeans specification by listening on a socket or accept connections on a socket.
However it can act as a network socket client.

The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container [1].

In this case, the program violates the following EJB guideline:

"An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast."

A requirement that the specification justifies in the following way:

"The EJB architecture allows an enterprise bean instance to be a network socket client, but it does not allow it to be
a network server. Allowing the instance to become a network server would conflict with the basic function of the
enterprise bean – to serve the EJB clients."

==Risk Factors==

TBD

==Examples==

TBD

==Related [[Attacks]]==

* [[Attack 1]]
* [[Attack 2]]

==Related [[Vulnerabilities]]==

* [[Vulnerability 1]]
* [[Vulnerabiltiy 2]]

==Related [[Controls]]==

* [[Control 1]]
* [[Control 2]]

==Related [[Technical Impacts]]==

* [[Technical Impact 1]]
* [[Technical Impact 2]]

==References==

* [1] Enterprise JavaBeans 2.1 Specification. Sun Microsystems. http://java.sun.com/products/ejb/docs.html.

[[Category:FIXME|add links

In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki>

Availability Vulnerability

Authorization Vulnerability

Authentication Vulnerability

Concurrency Vulnerability

Configuration Vulnerability

Cryptographic Vulnerability

Encoding Vulnerability

Error Handling Vulnerability

Input Validation Vulnerability

Logging and Auditing Vulnerability

Session Management Vulnerability]]

__NOTOC__

[[Category:OWASP ASDR Project]]
[[Category:Use of Dangerous API]]
[[Category:Java]]
[[Category:Implementation]]
[[Category:Communication]]
[[Category:API Abuse]]
[[Category:Vulnerability]]

EJB Bad Practices: Use of Sockets

2009-01-16T15:02:50Z

Benoit.dechateauvieux: /* Description */

{{Template:Vulnerability}}
{{Template:Fortify}}

__TOC__

[[ASDR Table of Contents]]

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

[[Category:FIXME|This is the text from the old template. This needs to be rewritten using the new template.]]

==Description==

The program violates the Enterprise JavaBeans specification by listening on a socket or accept connections on a socket.
However it can as a network socket client.

The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container [1].

In this case, the program violates the following EJB guideline:

"An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast."

A requirement that the specification justifies in the following way:

"The EJB architecture allows an enterprise bean instance to be a network socket client, but it does not allow it to be
a network server. Allowing the instance to become a network server would conflict with the basic function of the
enterprise bean – to serve the EJB clients."

==Risk Factors==

TBD

==Examples==

TBD

==Related [[Attacks]]==

* [[Attack 1]]
* [[Attack 2]]

==Related [[Vulnerabilities]]==

* [[Vulnerability 1]]
* [[Vulnerabiltiy 2]]

==Related [[Controls]]==

* [[Control 1]]
* [[Control 2]]

==Related [[Technical Impacts]]==

* [[Technical Impact 1]]
* [[Technical Impact 2]]

==References==

* [1] Enterprise JavaBeans 2.1 Specification. Sun Microsystems. http://java.sun.com/products/ejb/docs.html.

[[Category:FIXME|add links

In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki>

Availability Vulnerability

Authorization Vulnerability

Authentication Vulnerability

Concurrency Vulnerability

Configuration Vulnerability

Cryptographic Vulnerability

Encoding Vulnerability

Error Handling Vulnerability

Input Validation Vulnerability

Logging and Auditing Vulnerability

Session Management Vulnerability]]

__NOTOC__

[[Category:OWASP ASDR Project]]
[[Category:Use of Dangerous API]]
[[Category:Java]]
[[Category:Implementation]]
[[Category:Communication]]
[[Category:API Abuse]]
[[Category:Vulnerability]]

EJB Bad Practices: Use of Sockets

2009-01-16T15:01:51Z

Benoit.dechateauvieux:

{{Template:Vulnerability}}
{{Template:Fortify}}

__TOC__

[[ASDR Table of Contents]]

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

[[Category:FIXME|This is the text from the old template. This needs to be rewritten using the new template.]]

==Description==

The program violates the Enterprise JavaBeans specification by listening on a socket or accept connections on a socket.
However it acts as network socket client.

The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean will be portable and behave consistently in any EJB container [1].

In this case, the program violates the following EJB guideline:

"An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast."

A requirement that the specification justifies in the following way:

"The EJB architecture allows an enterprise bean instance to be a network socket client, but it does not allow it to be
a network server. Allowing the instance to become a network server would conflict with the basic function of the
enterprise bean – to serve the EJB clients."

==Risk Factors==

TBD

==Examples==

TBD

==Related [[Attacks]]==

* [[Attack 1]]
* [[Attack 2]]

==Related [[Vulnerabilities]]==

* [[Vulnerability 1]]
* [[Vulnerabiltiy 2]]

==Related [[Controls]]==

* [[Control 1]]
* [[Control 2]]

==Related [[Technical Impacts]]==

* [[Technical Impact 1]]
* [[Technical Impact 2]]

==References==

* [1] Enterprise JavaBeans 2.1 Specification. Sun Microsystems. http://java.sun.com/products/ejb/docs.html.

[[Category:FIXME|add links

In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki>

Availability Vulnerability

Authorization Vulnerability

Authentication Vulnerability

Concurrency Vulnerability

Configuration Vulnerability

Cryptographic Vulnerability

Encoding Vulnerability

Error Handling Vulnerability

Input Validation Vulnerability

Logging and Auditing Vulnerability

Session Management Vulnerability]]

__NOTOC__

[[Category:OWASP ASDR Project]]
[[Category:Use of Dangerous API]]
[[Category:Java]]
[[Category:Implementation]]
[[Category:Communication]]
[[Category:API Abuse]]
[[Category:Vulnerability]]