https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=EklaverOWASP - User contributions [en]2026-05-15T00:51:46ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Struts&diff=22601Struts2007-10-24T09:12:57Z<p>Eklaver: /* Roles */</p>
<hr />
<div>==Status==<br />
'''Content to be finalised. First draft'''<br />
==Author==<br />
Eelco Klaver<br />
==Introduction ==<br />
This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.<br />
<br />
==Architecture==<br />
The framework provides its own web Controller component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.<br />
<br />
==Components==<br />
===Action===<br />
* No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.<br />
<br />
===ActionForm===<br />
<br />
===Validation===<br />
* Integration with commons validator<br />
<br />
==Configuration==<br />
<br />
==Security==<br />
===Roles===<br />
In the struts-config.xml configuration file it is possible to specify a roles attribute, a comma-delimited list of security role names that are allowed access to the ActionMapping object.<br />
<br />
<pre><br />
<action<br />
roles="administrator,contributor"<br />
path="/article/Edit"<br />
parameter="org.article.FindByArticle"<br />
name="articleForm" <br />
scope="request"><br />
<forward<br />
name="success"<br />
path="article.jsp"/><br />
</action><br />
</pre><br />
[[Category:OWASP Java Project]]</div>Eklaverhttps://wiki.owasp.org/index.php?title=Talk:OWASP_Java_Project_Roadmap&diff=22573Talk:OWASP Java Project Roadmap2007-10-23T12:59:34Z<p>Eklaver: /* Web Services Security */</p>
<hr />
<div>This is the discussion page for the Java Project Roadmap. You can add your thoughts and comments below. Please make them easy to read and end your entries with <nowiki>~~~~</nowiki> to sign your entries.<br />
<br />
==Ideas==<br />
<br />
* I think we should consider revamping the roadmap with specific article titles and content that we'd like to get written. For example, I'm considering writing an article on how to set up Eclipse to do a code review. It would be nice to link that in here, but I'm not sure just where. I was thinking something like this....<br />
<br />
; [[Using Eclipse for security code review]]<br />
: This article will cover setting up Eclipse with plugins like FindBugs, jlint, PMD, and Metrics. Then it will explore how you can use the various search and code browsing functions to find and diagnose potential vulnerabilities. [[User:Jeff Williams|Jeff Williams]] 15:01, 22 June 2006 (EDT)<br />
<br />
Sounds like some excellent content! Couldn't this fit in to the [http://www.owasp.org/index.php?title=Talk:OWASP_Java_Project_Roadmap#Code_Analysis_Tools Code Analysis Tools] section (even if we have to rename the section to something like "Code Analysis Techniques")? Since the Eclipse example is something core to the Java project, I think it should be placed under a real heading, but for other miscellaneous content, I've created a Resources section which could include external articles, books and other resources. [[User:Stephendv|Stephendv]] 04:18, 26 June 2006 (EDT)<br />
<br />
==J2EE Security for Architects==<br />
<table border=1 cellpadding=5><br />
<tr><td><b>Deadline for first draft:</b></td><td>19/08/2006</td></tr><br />
<tr><td><b>Deadline for first review:</b></td><td>26/08/2006</td></tr><br />
<tr><td><b>Deadline for final draft:</b></td><td>11/09/2006</td></tr><br />
<tr><td><b>Deadline for final review:</b></td><td>20/09/2006</td></tr><br />
</table><br />
===Design considerations===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Discuss the security implications of common J2EE architectures. This could be discussed in terms of: Authentication, Authorisation, Data Validation, Cross Site Scripting protection. Other architecture concerns such as scalability, performance and maintainability can also be mentioned, but the focus on security should not be lost.<br />
<br />
Any other security concerns that should be addressed during the design phase should also be mentioned here.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Architectural considerations<br />
** EJB Middle tier<br />
** Web Services Middle tier<br />
** Spring Middle tier<br />
<br />
===Noteworthy Frameworks===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Discuss important and relevant Java security frameworks that would be useful to architects. The information should be at a suitably high level, for example, by discussing the advantages and features as well as the associated costs (direct and indirect) of using the frameworks.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table> <br />
* Acegi<br />
* Commons validator<br />
* jGuard <br />
* Stinger seems to be parked for a while now, is this correct Jeff?<br />
** Stinger is <br />
** CVS HEAD is in a functional state; needs work on docs and new features [[User:Roman|Roman]] 00:15, 13 June 2006 (EDT)<br />
Most web tier frameworks will prevent XSS attacks, so listing them all in this section is a bit verbose, would prefer to see them listed in the XSS section. --[[User:Stephendv|Stephendv]] 08:04, 12 June 2006 (EDT)<br />
<br />
<br />
I think Struts should be covered too - Rohyt<br />
<br />
Struts is important as a web framework, but there are many frameworks that provide the same functionality from a security point of view. I think it makes sense to discuss struts as a web framework in section on XSS below with the other popular web frameworks rather than give it a special place in this section which only covers security specific frameworks. --[[User:Stephendv|Stephendv]] 07:22, 18 June 2006 (EDT)<br />
<br />
==J2EE Security for Developers==<br />
<table border=1 cellpadding=5><br />
<tr><td><b>Deadline for first draft:</b></td><td>19/08/2006</td></tr><br />
<tr><td><b>Deadline for first review:</b></td><td>26/08/2006</td></tr><br />
<tr><td><b>Deadline for final draft:</b></td><td>11/09/2006</td></tr><br />
<tr><td><b>Deadline for final review:</b></td><td>20/09/2006</td></tr><br />
</table><br />
===Java Security Basics===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Provide an introduction into the basic security services provided by the Java language and environment. Remember to keep this relevant for web developers for the initial release - there may be a potential to expand this to thick clients in subsequent releases.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Class Loading<br />
* Bytecode verifier<br />
* The Security Manager and security.policy file<br />
<br />
===Input Validation===<br />
* Overview<br />
<br />
==== SQL Injection====<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Provide cursory background information on SQL injection and refer to the Guide for more indepth coverage (no need to duplicate info in the Guide). This section should provide practical advise and real-world code examples for developers. If you feel that a popular persistence framework is not covered, please add it!</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Overview<br />
* Prevention<br />
** White Listing<br />
** Prepared Statements<br />
** Stored Procedures <br />
** Hibernate <br />
** Ibatis <br />
** Spring JDBC <br />
** EJB 3.0? <br />
** JDO? <br />
<br />
====Cross Site Scripting (XSS)====<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Provide cursory background information on XSS and refer to the Guide for more indepth coverage. This section should provide practical advise and real-world code examples for developers. If you would like to see coverage of a web framework that's not listed, please add it!</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> <br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Overview<br />
* Prevention<br />
** White Listing <br />
** Manual HTML Encoding<br />
** Preventing XSS in popular Web Frameworks<br />
*** JSP/JSTL<br />
*** Struts<br />
*** Spring MVC<br />
*** Java Server Faces<br />
*** WebWork<br />
*** Wicket<br />
*** Tapestry <br />
* CSRF attack<br />
<br />
==== LDAP Injection ====<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>As with the other Injection sections, only provide cursory information on the general case. Should contain practical real-world advise and code examples for preventing LDAP injection.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> <br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Overview<br />
* Prevention<br />
<br />
==== XPATH Injection ====<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>As with the other Injection sections, only provide cursory information on the general case. Should contain practical real-world advise and code examples for preventing XPATH injection.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Overview<br />
* Prevention<br />
<br />
==== Miscellaneous Injection Attacks ====<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Should contain practical real-world advise and code examples.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* HTTP Response splitting<br />
* Command injection - Runtime.getRuntime().exec()<br />
<br />
=== Authentication===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Discuss authentication for Java and J2EE apps under the suggested headings below. Examples for container managed authentication of specific application servers are also welcome.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Storing credentials<br />
* Hashing<br />
* SSL Best Practices<br />
* CAPTCHA systems (such as jcaptcha)<br />
* Container-managed authentication with Realms<br />
* JAAS Authentication<br />
* Password length & complexity<br />
<br />
===Session Management===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>The generic problems and solutions for session management are covered in the Guide. This section should focus on Java specific examples. </td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Logout<br />
* Session Timeout<br />
* Absolute Timeout<br />
* Session Fixation<br />
* Terminating sessions<br />
** Terminating sessions when the browser window is closed<br />
<br />
===Authorization===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Java and J2EE specific discussion and examples.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* In presentation layer<br />
* In business logic<br />
* In data layer<br />
* Declarative v/s Programmatic<br />
* web.xml configuration<br />
* [[Forced browsing]]<br />
* JAAS<br />
* EJB Authorization<br />
* Acegi<br />
* JACC<br />
* Check horizontal privilege<br />
<br />
=== Encryption===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Java and J2EE specific discussion and examples.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* JCE<br />
* Storing db secrets<br />
* Encrypting JDBC connections<br />
* JSSE<br />
* Random number generation<br />
<br />
=== Error Handling & Logging===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Java and J2EE specific discussion and examples.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Output Validation<br />
* Custom Errors<br />
* Logging - why log? what to log? log4j, etc.<br />
* Exception handling techniques<br />
** fail-open/fail-closed<br />
** resource cleanup<br />
** finally block<br />
** swallowing exceptions<br />
* Exception handling frameworks<br />
** Servlet spec - web.xml<br />
** JSP errorPage<br />
* Web application forensics and how it differs from conventional forensics. This will emphasize the importance of appropriate exception handling and logging - Rohyt<br />
<br />
=== Web Services Security ===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Discuss securely implementing Web Services using Java technologies. Examples using specific frameworks are welcome. The topic list is a bit light at the moment, please add more topics if they're relevant.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* SAML<br />
* (X)WS-Security<br />
* SunJWSDP<br />
* XML Signature (JSR 105)<br />
* XML Encryption (JSR 106)<br />
* ...?<br />
I think this section should also include WSS4J and a description of how XWS-Security and WSS4J can be integrated in the major Java Web Services Frameworks, such as Spring-WS, Axis, XFire, etc. (see also http://www.nljug.org/pages/events/content/jfall_2007/sessions/00028/) [[User:Eklaver|Eelco Klaver]] 08:59, 23 October 2007 (EDT)<br />
<br />
=== Code Analysis Tools ===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>The introduction should cover the advantages and short comings of code analysis tools. An overview of the current state of the art and the available tools would go well here. As a start, only open source tools are listed, but if vendors of commercial tools adhere to the [[Tutorial]] guidelines, these submissions will be gladly received.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Introduction<br />
* FindBugs<br />
** Creating custom rules<br />
* PMD<br />
** Creating custom rules<br />
* JLint<br />
* Jmetrics<br />
<br />
I proposed some guidelines for the entire OWASP site<br />
in the [[Tutorial]] page. What do you think?? [[User:Jeff Williams|Jeff Williams]] 15:01, 22 June 2006 (EDT)<br />
<br />
I didn't know this existed. Replaced the above with a link to the [[Tutorial]] page. --[[User:Stephendv|Stephendv]] 04:03, 26 June 2006 (EDT)<br />
<br />
== J2EE Security For Deployers ==<br />
<table border=1 cellpadding=5><br />
<tr><td><b>Deadline for first draft:</b></td><td>19/08/2006</td></tr><br />
<tr><td><b>Deadline for first review:</b></td><td>26/08/2006</td></tr><br />
<tr><td><b>Deadline for final draft:</b></td><td>11/09/2006</td></tr><br />
<tr><td><b>Deadline for final review:</b></td><td>20/09/2006</td></tr><br />
</table><br />
=== Securing Popular J2EE Servers ===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Practical step-by-step guides to securing various J2EE servers. Examples of secure configurations can also be provided for download. If configurations are provided, they should be properly commented so that the rationale for configuration settings is clearly explained. Users of the configurations should be provided with enough information to make their own risk decisions.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Securing Tomcat<br />
* Securing JBoss<br />
* Securing WebLogic<br />
* Securing WebSphere<br />
* Others...<br />
<br />
=== Defining a Java Security Policy ===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Practical information on creating a Java security policies for J2EE servers.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Jeff's tool? --[[User:Stephendv|Stephendv]] 08:37, 12 June 2006 (EDT)<br />
* jChains (www.jchains.org)<br />
<br />
=== Protecting Binaries ===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>This should be focussed on web applications, so examples should include applets and web start apps.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
- Discuss Bytecode Manipulation Tools and Techniques - Rohyt<br />
* Bytecode obfuscation<br />
* Convert bytecode to native machine code<br />
* jarsigner</div>Eklaverhttps://wiki.owasp.org/index.php?title=Struts&diff=18901Struts2007-05-31T05:32:49Z<p>Eklaver: </p>
<hr />
<div>==Status==<br />
'''Content to be finalised. First draft'''<br />
==Author==<br />
Eelco Klaver<br />
==Introduction ==<br />
This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.<br />
<br />
==Architecture==<br />
The framework provides its own web Controller component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.<br />
<br />
==Components==<br />
===Action===<br />
* No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.<br />
<br />
===ActionForm===<br />
<br />
===Validation===<br />
* Integration with commons validator<br />
<br />
==Configuration==<br />
<br />
==Security==<br />
===Roles===<br />
<br />
[[Category:OWASP Java Project]]</div>Eklaverhttps://wiki.owasp.org/index.php?title=Struts&diff=18900Struts2007-05-31T05:32:02Z<p>Eklaver: /* Validation */</p>
<hr />
<div>==Status==<br />
'''Content to be finalised. First draft'''<br />
==Author==<br />
Eelco Klaver<br />
==Introduction ==<br />
This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.<br />
<br />
==Architecture==<br />
The framework provides its own web Controller component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.<br />
<br />
==Components==<br />
===Action===<br />
* No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.<br />
<br />
===ActionForm===<br />
<br />
===Validation===<br />
* Integration with commons validator<br />
<br />
==Configuration==<br />
==Roles==<br />
<br />
[[Category:OWASP Java Project]]</div>Eklaverhttps://wiki.owasp.org/index.php?title=Struts&diff=18899Struts2007-05-31T05:31:06Z<p>Eklaver: /* Architecture */</p>
<hr />
<div>==Status==<br />
'''Content to be finalised. First draft'''<br />
==Author==<br />
Eelco Klaver<br />
==Introduction ==<br />
This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.<br />
<br />
==Architecture==<br />
The framework provides its own web Controller component. This Controller acts as a bridge between the application's Model and the web View. When a request is received, the Controller invokes an Action class. The Action class interacts with the Model to examine or update the application's state. The framework provides an ActionForm class to help transfer data between Model and View.<br />
<br />
==Components==<br />
===Action===<br />
* No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.<br />
<br />
===ActionForm===<br />
<br />
===Validation===<br />
<br />
==Configuration==<br />
==Roles==<br />
<br />
[[Category:OWASP Java Project]]</div>Eklaverhttps://wiki.owasp.org/index.php?title=Struts&diff=18898Struts2007-05-31T05:27:55Z<p>Eklaver: </p>
<hr />
<div>==Status==<br />
'''Content to be finalised. First draft'''<br />
==Author==<br />
Eelco Klaver<br />
==Introduction ==<br />
This article describes the web security implications for the Struts MVC framework, how Struts helps in securing your web applications and where special attention is needed. It will not describe the internal details of Struts.<br />
<br />
==Architecture==<br />
<br />
<br />
==Components==<br />
===Action===<br />
* No distinction is made between HTTP GET and POST method. Both methods are mapped to the same Action execute method.<br />
<br />
===ActionForm===<br />
<br />
===Validation===<br />
<br />
==Configuration==<br />
==Roles==<br />
<br />
[[Category:OWASP Java Project]]</div>Eklaverhttps://wiki.owasp.org/index.php?title=Struts&diff=18894Struts2007-05-31T05:16:02Z<p>Eklaver: New page: ==Status== '''Content to be finalised. First draft''' ==Author== Eelco Klaver ==Introduction == ==Architecture== ==Components== ===Action=== ===ActionForm=== ===Validation=== ==Con...</p>
<hr />
<div>==Status==<br />
'''Content to be finalised. First draft'''<br />
==Author==<br />
Eelco Klaver<br />
==Introduction ==<br />
<br />
<br />
==Architecture==<br />
<br />
<br />
==Components==<br />
===Action===<br />
<br />
===ActionForm===<br />
<br />
===Validation===<br />
<br />
==Configuration==<br />
==Roles==<br />
<br />
[[Category:OWASP Java Project]]</div>Eklaverhttps://wiki.owasp.org/index.php?title=OWASP_Java_Table_of_Contents&diff=18891OWASP Java Table of Contents2007-05-31T05:10:24Z<p>Eklaver: /* Noteworthy Frameworks */</p>
<hr />
<div><b>Key:</b><br />
* xx%: Progress status of the paragraph<br />
* <b>Review</b>: The paragraph needs a review<br />
* TD: Paragraph to be assigned<br />
<br />
==[[J2EE Security for Architects]]==<br />
Discuss the security implications of common J2EE architectures. This could be discussed in terms of: Authentication, Authorisation, Data Validation, Cross Site Scripting protection. Other architecture concerns such as scalability, performance and maintainability can also be mentioned, but the focus on security should not be lost.<br />
<br />
Any other security concerns that should be addressed during the design phase should also be mentioned here.<br />
===Design considerations===<br />
* Architectural considerations (0%, TD)<br />
** EJB Middle tier (0%, TD)<br />
** Web Services Middle tier (0%, TD)<br />
** Spring Middle tier (0%, TD)<br />
<br />
==[[J2EE Security for Developers]]==<br />
=== Noteworthy Frameworks ===<br />
Discuss important and relevant Java security frameworks that would be useful to architects. The information should be at a suitably high level, for example, by discussing the advantages and features as well as the associated costs (direct and indirect) of using the frameworks.<br />
<br />
(0%, Seeking Volunteers)<br />
* [[Struts]] (Eelco Klaver - Planning - 0%)<br />
* Turbine<br />
* [[Java Server Faces]] (Sam Reghenzi - 90%, Finalising content)<br />
* Tapestry<br />
* Webwork<br />
* Cocoon<br />
* Tiles<br />
* SiteMesh<br />
* Spring (Eelco Klaver - Planning - 0%)<br />
<br />
===[[Java Security Basics]]===<br />
Provide an introduction into the basic security services provided by the Java language and environment. Remember to keep this relevant for web developers for the initial release - there may be a potential to expand this to thick clients in subsequent releases.<br />
* Class Loading (0%, Shyaam Sundar, <b>Review</b>)<br />
* Bytecode verifier (0%, Shyaam Sundar, <b>Review</b>)<br />
* The Security Manager and security.policy file (0%, Shyaam Sundar, <b>Review</b>)<br />
<br />
===Input Validation Overview ===<br />
Input validation is perhaps the most important category of application security. Any data entering a software system must be verified to contain safe data that is not mounting a SQL Injection, XSS, CSRF or other form of attack. This is done primarily through the use of regular expressions. It's crucial not to hard-code input validation routines. Regular expressions should contained within a configuration file that can easily updated by an InfoSec professional and not require a programmers intervention or deployment of new application code. Application security needs change over time as new attack vectors are discovered. Application administers need to be able to react to these changes as quickly as possible. <br />
<br />
===Input Validation ===<br />
* Dangerous calls (BufferedReader.readLine(), ServletRequest.getParameter(), etc...) (0%, TD)<br />
* [[How to add validation logic to HttpServletRequest]] (100%, Jeff Williams, Complete)<br />
* [[How to perform HTML entity encoding in Java]] (100%, Jeff Williams, Complete)<br />
<br />
==== [[Preventing SQL Injection in Java]] ====<br />
* Overview <br />
* Prevention (60%, Stephen de Vries, <b>Review</b>)<br />
** White Listing<br />
** Prepared Statements<br />
** Stored Procedures <br />
** Hibernate <br />
** Ibatis (60%, Rohyt Belani, <b>Review</b>)<br />
** Spring JDBC <br />
** EJB 3.0<br />
** JDO<br />
<br />
==== [[Preventing LDAP Injection in Java]] ====<br />
* Overview (100%, Stephen de Vries, Complete)<br />
* Prevention (100%, Stephen de Vries, Complete)<br />
<br />
==== [[XPATH Injection]] ====<br />
As with the other Injection sections, only provide cursory information on the general case. Should contain practical real-world advise and code examples for preventing XPATH injection.<br />
* Overview (0%, TD)<br />
* Prevention (0%, TD)<br />
<br />
==== Miscellaneous Injection Attacks ====<br />
* HTTP Response splitting (0%, TD)<br />
* Command injection - Runtime.getRuntime().exec() (0%, TD)<br />
<br />
=== Authentication===<br />
* Storing credentials - (0%, Adrian San Juan, <b>Review</b>)<br />
* [[Hashing Java|Hashing]] - (100%, Michel Prunet, <b>Review</b>)<br />
* [[SSL Best Practices]] - (20%, Philippe Curmin, <b>Review</b>)<br />
* [[Using JCaptcha]] - (100%, Dave Ferguson, <b>Review</b>) <br />
* Container-managed authentication with Realms<br />
** [[Declarative Access Control in Java]] - (100%, Dave Ferguson, Completed)<br />
* [[JAAS Timed Login Module]] - (100%, Stephen de Vries, <b>Review</b>)<br />
* [[JAAS Tomcat Login Module]] - (100%, Stephen de Vries, <b>Review</b>)<br />
* [[Password length & complexity]] - (100%, Adrian San Juan, <b>Review</b>)<br />
<br />
===Session Management ===<br />
The generic problems and solutions for session management are covered in the Guide. This section should focus on Java specific examples.<br />
* Logout (0%, TD)<br />
* Session Timeout (0%, TD)<br />
* Absolute Timeout (0%, TD)<br />
* [[Session Fixation in Java]] (100%, Rohyt Belani, <b>Review</b>)<br />
* Terminating sessions (0%, TD)<br />
** Terminating sessions when the browser window is closed<br />
<br />
===Authorization===<br />
* Declarative v/s Programmatic (0%, TD)<br />
* EJB Authorization (0%, TD)<br />
* Acegi (0%, TD)<br />
* JACC (0%, TD)<br />
* Check horizontal privilege (0%, TD)<br />
<br />
=== Encryption===<br />
* [http://www.owasp.org/index.php/Using_the_Java_Cryptographic_Extensions JCE] (80%, Joe Prasanna Kumar - To be reviewed)<br />
* Storing db secrets (0%, TD)<br />
* Encrypting JDBC connections (0%, TD)<br />
* [http://www.owasp.org/index.php/Using_the_Java_Secure_Socket_Extensions JSSE] (80%, Joe Prasanna Kumar - To be reviewed)<br />
* [http://www.owasp.org/index.php/Using_the_Java_Cryptographic_Extensions Random number generation] (80%, Joe Prasanna Kumar - To be reviewed)<br />
<br />
=== Error Handling & Logging===<br />
* Logging - why log? what to log? log4j, etc. (0%, TD)<br />
* Exception handling techniques (0%, TD)<br />
** fail-open/fail-closed<br />
** resource cleanup<br />
** finally block<br />
** swallowing exceptions<br />
* Exception handling frameworks (50%, TD)<br />
** Servlet spec - web.xml [[Securing tomcat]] (100%, Darren Edmonds, Completed)<br />
** JSP errorPage (0%, TD)<br />
* Web application forensics (0%, TD)<br />
<br />
=== Web Services Security ===<br />
* SAML (0%, TD)<br />
* (X)WS-Security (0%, TD)<br />
* SunJWSDP (0%, TD)<br />
* WSS4J (0%, Eelco Klaver)<br />
* XML Signature (JSR 105) (0%, TD)<br />
* XML Encryption (JSR 106) (0%, TD)<br />
<br />
=== Code Analysis Tools ===<br />
The introduction should cover the advantages and short comings of code analysis tools. An overview of the current state of the art and the available tools would go well here. As a start, only open source tools are listed, but if vendors of commercial tools adhere to the [[Tutorial]] guidelines, these submissions will be gladly received.<br />
* Introduction (0%, TD)<br />
* [[:Category:OWASP LAPSE Project]] (100%, <b>Review</b>)<br />
* FindBugs (0%, TD)<br />
** Creating custom rules<br />
* PMD (0%, TD)<br />
** Creating custom rules<br />
* JLint (0%, TD)<br />
* Jmetrics (0%, TD)<br />
<br />
== [[J2EE Security For Deployers]] ==<br />
Practical step-by-step guides to securing various J2EE servers. Examples of secure configurations can also be provided for download. If configurations are provided, they should be properly commented so that the rationale for configuration settings is clearly explained. Users of the configurations should be provided with enough information to make their own risk decisions.<br />
=== Securing Popular J2EE Servers ===<br />
* [[Securing tomcat|Securing Tomcat]] - (100%, Darren Edmonds, Completed)<br />
* Securing JBoss (0%, TD)<br />
* Securing WebLogic (0%, TD)<br />
* Securing WebSphere (0%, TD)<br />
* Others...<br />
<br />
=== Defining a Java Security Policy ===<br />
Practical information on creating a Java security policies for J2EE servers.<br />
* PolicyTool - JChains already provides this functionality, one policy tool is enough.<br />
* jChains (www.jchains.org) - (0%, TD)<br />
<br />
=== Protecting Binaries ===<br />
* Bytecode manipulation tools and techniques (0%, TD)<br />
* [[Bytecode obfuscation]] (100%, Pierre Parrend, <b>Review</b>)<br />
* Convert bytecode to native machine code (0%, TD)<br />
* [[Protecting code archives with digital signatures]] (100%, Pierre Parrend, <b>Review</b>)<br />
* [[Signing jar files with jarsigner]] (100%, Pierre Parrend, <b>Review</b>)<br />
<br />
==[[J2EE Security for Security Analysts and Testers]]==<br />
* Using Eclipse to verify Java applications (0%, TD)<br />
* Using [[:Category:OWASP WebScarab Project|WebScarab]] to find vulnerabilities in J2EE applications - (0%, TD)<br />
* Decompiling Java bytecode (0%, TD)<br />
<br />
== [[Java Security Resources]] (ongoing)==<br />
<br />
[[Category:OWASP Java Project]]</div>Eklaverhttps://wiki.owasp.org/index.php?title=OWASP_Java_Table_of_Contents&diff=18890OWASP Java Table of Contents2007-05-31T05:08:16Z<p>Eklaver: /* Web Services Security */</p>
<hr />
<div><b>Key:</b><br />
* xx%: Progress status of the paragraph<br />
* <b>Review</b>: The paragraph needs a review<br />
* TD: Paragraph to be assigned<br />
<br />
==[[J2EE Security for Architects]]==<br />
Discuss the security implications of common J2EE architectures. This could be discussed in terms of: Authentication, Authorisation, Data Validation, Cross Site Scripting protection. Other architecture concerns such as scalability, performance and maintainability can also be mentioned, but the focus on security should not be lost.<br />
<br />
Any other security concerns that should be addressed during the design phase should also be mentioned here.<br />
===Design considerations===<br />
* Architectural considerations (0%, TD)<br />
** EJB Middle tier (0%, TD)<br />
** Web Services Middle tier (0%, TD)<br />
** Spring Middle tier (0%, TD)<br />
<br />
==[[J2EE Security for Developers]]==<br />
=== Noteworthy Frameworks ===<br />
Discuss important and relevant Java security frameworks that would be useful to architects. The information should be at a suitably high level, for example, by discussing the advantages and features as well as the associated costs (direct and indirect) of using the frameworks.<br />
<br />
(0%, Seeking Volunteers)<br />
* Struts (Eelco Klaver - Planning - 0%)<br />
* Turbine<br />
* [[Java Server Faces]] (Sam Reghenzi - 90%, Finalising content)<br />
* Tapestry<br />
* Webwork<br />
* Cocoon<br />
* Tiles<br />
* SiteMesh<br />
* Spring (Eelco Klaver - Planning - 0%)<br />
<br />
===[[Java Security Basics]]===<br />
Provide an introduction into the basic security services provided by the Java language and environment. Remember to keep this relevant for web developers for the initial release - there may be a potential to expand this to thick clients in subsequent releases.<br />
* Class Loading (0%, Shyaam Sundar, <b>Review</b>)<br />
* Bytecode verifier (0%, Shyaam Sundar, <b>Review</b>)<br />
* The Security Manager and security.policy file (0%, Shyaam Sundar, <b>Review</b>)<br />
<br />
===Input Validation Overview ===<br />
Input validation is perhaps the most important category of application security. Any data entering a software system must be verified to contain safe data that is not mounting a SQL Injection, XSS, CSRF or other form of attack. This is done primarily through the use of regular expressions. It's crucial not to hard-code input validation routines. Regular expressions should contained within a configuration file that can easily updated by an InfoSec professional and not require a programmers intervention or deployment of new application code. Application security needs change over time as new attack vectors are discovered. Application administers need to be able to react to these changes as quickly as possible. <br />
<br />
===Input Validation ===<br />
* Dangerous calls (BufferedReader.readLine(), ServletRequest.getParameter(), etc...) (0%, TD)<br />
* [[How to add validation logic to HttpServletRequest]] (100%, Jeff Williams, Complete)<br />
* [[How to perform HTML entity encoding in Java]] (100%, Jeff Williams, Complete)<br />
<br />
==== [[Preventing SQL Injection in Java]] ====<br />
* Overview <br />
* Prevention (60%, Stephen de Vries, <b>Review</b>)<br />
** White Listing<br />
** Prepared Statements<br />
** Stored Procedures <br />
** Hibernate <br />
** Ibatis (60%, Rohyt Belani, <b>Review</b>)<br />
** Spring JDBC <br />
** EJB 3.0<br />
** JDO<br />
<br />
==== [[Preventing LDAP Injection in Java]] ====<br />
* Overview (100%, Stephen de Vries, Complete)<br />
* Prevention (100%, Stephen de Vries, Complete)<br />
<br />
==== [[XPATH Injection]] ====<br />
As with the other Injection sections, only provide cursory information on the general case. Should contain practical real-world advise and code examples for preventing XPATH injection.<br />
* Overview (0%, TD)<br />
* Prevention (0%, TD)<br />
<br />
==== Miscellaneous Injection Attacks ====<br />
* HTTP Response splitting (0%, TD)<br />
* Command injection - Runtime.getRuntime().exec() (0%, TD)<br />
<br />
=== Authentication===<br />
* Storing credentials - (0%, Adrian San Juan, <b>Review</b>)<br />
* [[Hashing Java|Hashing]] - (100%, Michel Prunet, <b>Review</b>)<br />
* [[SSL Best Practices]] - (20%, Philippe Curmin, <b>Review</b>)<br />
* [[Using JCaptcha]] - (100%, Dave Ferguson, <b>Review</b>) <br />
* Container-managed authentication with Realms<br />
** [[Declarative Access Control in Java]] - (100%, Dave Ferguson, Completed)<br />
* [[JAAS Timed Login Module]] - (100%, Stephen de Vries, <b>Review</b>)<br />
* [[JAAS Tomcat Login Module]] - (100%, Stephen de Vries, <b>Review</b>)<br />
* [[Password length & complexity]] - (100%, Adrian San Juan, <b>Review</b>)<br />
<br />
===Session Management ===<br />
The generic problems and solutions for session management are covered in the Guide. This section should focus on Java specific examples.<br />
* Logout (0%, TD)<br />
* Session Timeout (0%, TD)<br />
* Absolute Timeout (0%, TD)<br />
* [[Session Fixation in Java]] (100%, Rohyt Belani, <b>Review</b>)<br />
* Terminating sessions (0%, TD)<br />
** Terminating sessions when the browser window is closed<br />
<br />
===Authorization===<br />
* Declarative v/s Programmatic (0%, TD)<br />
* EJB Authorization (0%, TD)<br />
* Acegi (0%, TD)<br />
* JACC (0%, TD)<br />
* Check horizontal privilege (0%, TD)<br />
<br />
=== Encryption===<br />
* [http://www.owasp.org/index.php/Using_the_Java_Cryptographic_Extensions JCE] (80%, Joe Prasanna Kumar - To be reviewed)<br />
* Storing db secrets (0%, TD)<br />
* Encrypting JDBC connections (0%, TD)<br />
* [http://www.owasp.org/index.php/Using_the_Java_Secure_Socket_Extensions JSSE] (80%, Joe Prasanna Kumar - To be reviewed)<br />
* [http://www.owasp.org/index.php/Using_the_Java_Cryptographic_Extensions Random number generation] (80%, Joe Prasanna Kumar - To be reviewed)<br />
<br />
=== Error Handling & Logging===<br />
* Logging - why log? what to log? log4j, etc. (0%, TD)<br />
* Exception handling techniques (0%, TD)<br />
** fail-open/fail-closed<br />
** resource cleanup<br />
** finally block<br />
** swallowing exceptions<br />
* Exception handling frameworks (50%, TD)<br />
** Servlet spec - web.xml [[Securing tomcat]] (100%, Darren Edmonds, Completed)<br />
** JSP errorPage (0%, TD)<br />
* Web application forensics (0%, TD)<br />
<br />
=== Web Services Security ===<br />
* SAML (0%, TD)<br />
* (X)WS-Security (0%, TD)<br />
* SunJWSDP (0%, TD)<br />
* WSS4J (0%, Eelco Klaver)<br />
* XML Signature (JSR 105) (0%, TD)<br />
* XML Encryption (JSR 106) (0%, TD)<br />
<br />
=== Code Analysis Tools ===<br />
The introduction should cover the advantages and short comings of code analysis tools. An overview of the current state of the art and the available tools would go well here. As a start, only open source tools are listed, but if vendors of commercial tools adhere to the [[Tutorial]] guidelines, these submissions will be gladly received.<br />
* Introduction (0%, TD)<br />
* [[:Category:OWASP LAPSE Project]] (100%, <b>Review</b>)<br />
* FindBugs (0%, TD)<br />
** Creating custom rules<br />
* PMD (0%, TD)<br />
** Creating custom rules<br />
* JLint (0%, TD)<br />
* Jmetrics (0%, TD)<br />
<br />
== [[J2EE Security For Deployers]] ==<br />
Practical step-by-step guides to securing various J2EE servers. Examples of secure configurations can also be provided for download. If configurations are provided, they should be properly commented so that the rationale for configuration settings is clearly explained. Users of the configurations should be provided with enough information to make their own risk decisions.<br />
=== Securing Popular J2EE Servers ===<br />
* [[Securing tomcat|Securing Tomcat]] - (100%, Darren Edmonds, Completed)<br />
* Securing JBoss (0%, TD)<br />
* Securing WebLogic (0%, TD)<br />
* Securing WebSphere (0%, TD)<br />
* Others...<br />
<br />
=== Defining a Java Security Policy ===<br />
Practical information on creating a Java security policies for J2EE servers.<br />
* PolicyTool - JChains already provides this functionality, one policy tool is enough.<br />
* jChains (www.jchains.org) - (0%, TD)<br />
<br />
=== Protecting Binaries ===<br />
* Bytecode manipulation tools and techniques (0%, TD)<br />
* [[Bytecode obfuscation]] (100%, Pierre Parrend, <b>Review</b>)<br />
* Convert bytecode to native machine code (0%, TD)<br />
* [[Protecting code archives with digital signatures]] (100%, Pierre Parrend, <b>Review</b>)<br />
* [[Signing jar files with jarsigner]] (100%, Pierre Parrend, <b>Review</b>)<br />
<br />
==[[J2EE Security for Security Analysts and Testers]]==<br />
* Using Eclipse to verify Java applications (0%, TD)<br />
* Using [[:Category:OWASP WebScarab Project|WebScarab]] to find vulnerabilities in J2EE applications - (0%, TD)<br />
* Decompiling Java bytecode (0%, TD)<br />
<br />
== [[Java Security Resources]] (ongoing)==<br />
<br />
[[Category:OWASP Java Project]]</div>Eklaverhttps://wiki.owasp.org/index.php?title=Talk:OWASP_Java_Project_Roadmap&diff=6567Talk:OWASP Java Project Roadmap2006-06-23T09:12:30Z<p>Eklaver: /* Web Services Security */</p>
<hr />
<div>This is the discussion page for the Java Project Roadmap. You can add your thoughts and comments below. Please make them easy to read and end your entries with <nowiki>~~~~</nowiki> to sign your entries.<br />
<br />
==Ideas==<br />
<br />
* I think we should consider revamping the roadmap with specific article titles and content that we'd like to get written. For example, I'm considering writing an article on how to set up Eclipse to do a code review. It would be nice to link that in here, but I'm not sure just where. I was thinking something like this....<br />
<br />
; [[Using Eclipse for security code review]]<br />
: This article will cover setting up Eclipse with plugins like FindBugs, jlint, PMD, and Metrics. Then it will explore how you can use the various search and code browsing functions to find and diagnose potential vulnerabilities. [[User:Jeff Williams|Jeff Williams]] 15:01, 22 June 2006 (EDT)<br />
<br />
==J2EE Security for Architects==<br />
<table border=1 cellpadding=5><br />
<tr><td><b>Deadline for first draft:</b></td><td>19/08/2006</td></tr><br />
<tr><td><b>Deadline for first review:</b></td><td>26/08/2006</td></tr><br />
<tr><td><b>Deadline for final draft:</b></td><td>11/09/2006</td></tr><br />
<tr><td><b>Deadline for final review:</b></td><td>20/09/2006</td></tr><br />
</table><br />
===Design considerations===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Discuss the security implications of common J2EE architectures. This could be discussed in terms of: Authentication, Authorisation, Data Validation, Cross Site Scripting protection. Other architecture concerns such as scalability, performance and maintainability can also be mentioned, but the focus on security should not be lost.<br />
<br />
Any other security concerns that should be addressed during the design phase should also be mentioned here.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Architectural considerations<br />
** EJB Middle tier<br />
** Web Services Middle tier<br />
** Spring Middle tier<br />
<br />
===Noteworthy Frameworks===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Discuss important and relevant Java security frameworks that would be useful to architects. The information should be at a suitably high level, for example, by discussing the advantages and features as well as the associated costs (direct and indirect) of using the frameworks.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table> <br />
* Acegi<br />
* Commons validator<br />
* jGuard <br />
* Stinger seems to be parked for a while now, is this correct Jeff?<br />
** Stinger is <br />
** CVS HEAD is in a functional state; needs work on docs and new features [[User:Roman|Roman]] 00:15, 13 June 2006 (EDT)<br />
Most web tier frameworks will prevent XSS attacks, so listing them all in this section is a bit verbose, would prefer to see them listed in the XSS section. --[[User:Stephendv|Stephendv]] 08:04, 12 June 2006 (EDT)<br />
<br />
<br />
I think Struts should be covered too - Rohyt<br />
<br />
Struts is important as a web framework, but there are many frameworks that provide the same functionality from a security point of view. I think it makes sense to discuss struts as a web framework in section on XSS below with the other popular web frameworks rather than give it a special place in this section which only covers security specific frameworks. --[[User:Stephendv|Stephendv]] 07:22, 18 June 2006 (EDT)<br />
<br />
==J2EE Security for Developers==<br />
<table border=1 cellpadding=5><br />
<tr><td><b>Deadline for first draft:</b></td><td>19/08/2006</td></tr><br />
<tr><td><b>Deadline for first review:</b></td><td>26/08/2006</td></tr><br />
<tr><td><b>Deadline for final draft:</b></td><td>11/09/2006</td></tr><br />
<tr><td><b>Deadline for final review:</b></td><td>20/09/2006</td></tr><br />
</table><br />
===Java Security Basics===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Provide an introduction into the basic security services provided by the Java language and environment. Remember to keep this relevant for web developers for the initial release - there may be a potential to expand this to thick clients in subsequent releases.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Class Loading<br />
* Bytecode verifier<br />
* The Security Manager and security.policy file<br />
<br />
===Input Validation===<br />
* Overview<br />
<br />
==== SQL Injection====<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Provide cursory background information on SQL injection and refer to the Guide for more indepth coverage (no need to duplicate info in the Guide). This section should provide practical advise and real-world code examples for developers. If you feel that a popular persistence framework is not covered, please add it!</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Overview<br />
* Prevention<br />
** White Listing<br />
** Prepared Statements<br />
** Stored Procedures <br />
** Hibernate <br />
** Ibatis <br />
** Spring JDBC <br />
** EJB 3.0? <br />
** JDO? <br />
<br />
====Cross Site Scripting (XSS)====<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Provide cursory background information on XSS and refer to the Guide for more indepth coverage. This section should provide practical advise and real-world code examples for developers. If you would like to see coverage of a web framework that's not listed, please add it!</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> <br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Overview<br />
* Prevention<br />
** White Listing <br />
** Manual HTML Encoding<br />
** Preventing XSS in popular Web Frameworks<br />
*** JSP/JSTL<br />
*** Struts<br />
*** Spring MVC<br />
*** Java Server Faces<br />
*** WebWork<br />
*** Wicket<br />
*** Tapestry <br />
* CSRF attack<br />
<br />
==== LDAP Injection ====<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>As with the other Injection sections, only provide cursory information on the general case. Should contain practical real-world advise and code examples for preventing LDAP injection.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr> <br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Overview<br />
* Prevention<br />
<br />
==== XPATH Injection ====<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>As with the other Injection sections, only provide cursory information on the general case. Should contain practical real-world advise and code examples for preventing XPATH injection.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Overview<br />
* Prevention<br />
<br />
==== Miscellaneous Injection Attacks ====<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Should contain practical real-world advise and code examples.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* HTTP Response splitting<br />
* Command injection - Runtime.getRuntime().exec()<br />
<br />
=== Authentication===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Discuss authentication for Java and J2EE apps under the suggested headings below. Examples for container managed authentication of specific application servers are also welcome.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Storing credentials<br />
* Hashing<br />
* SSL Best Practices<br />
* CAPTCHA systems (such as jcaptcha)<br />
* Container-managed authentication with Realms<br />
* JAAS Authentication<br />
* Password length & complexity<br />
<br />
===Session Management===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>The generic problems and solutions for session management are covered in the Guide. This section should focus on Java specific examples. </td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Logout<br />
* Session Timeout<br />
* Absolute Timeout<br />
* Session Fixation<br />
* Terminating sessions<br />
** Terminating sessions when the browser window is closed<br />
<br />
===Authorization===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Java and J2EE specific discussion and examples.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* In presentation layer<br />
* In business logic<br />
* In data layer<br />
* Declarative v/s Programmatic<br />
* web.xml configuration<br />
* [[Forced browsing]]<br />
* JAAS<br />
* EJB Authorization<br />
* Acegi<br />
* JACC<br />
* Check horizontal privilege<br />
<br />
=== Encryption===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Java and J2EE specific discussion and examples.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* JCE<br />
* Storing db secrets<br />
* Encrypting JDBC connections<br />
* JSSE<br />
* Random number generation<br />
<br />
=== Error Handling & Logging===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Java and J2EE specific discussion and examples.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Output Validation<br />
* Custom Errors<br />
* Logging - why log? what to log? log4j, etc.<br />
* Exception handling techniques<br />
** fail-open/fail-closed<br />
** resource cleanup<br />
** finally block<br />
** swallowing exceptions<br />
* Exception handling frameworks<br />
** Servlet spec - web.xml<br />
** JSP errorPage<br />
* Web application forensics and how it differs from conventional forensics. This will emphasize the importance of appropriate exception handling and logging - Rohyt<br />
<br />
=== Web Services Security ===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Discuss securely implementing Web Services using Java technologies. Examples using specific frameworks are welcome. The topic list is a bit light at the moment, please add more topics if they're relevant.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* SAML<br />
* (X)WS-Security<br />
* SunJWSDP<br />
* XML Signature (JSR 105)<br />
* XML Encryption (JSR 106)<br />
* ...?<br />
<br />
=== Code Analysis Tools ===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>The introduction should cover the advantages and short comings of code analysis tools. An overview of the current state of the art and the available tools would go well here. As a start, only open source tools are listed, but if vendors of commercial tools adhere to the [[Contributing to the OWASP Java project]] guidelines, these submissions will be gladly received.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Introduction<br />
* FindBugs<br />
** Creating custom rules<br />
* PMD<br />
** Creating custom rules<br />
* JLint<br />
* Jmetrics<br />
<br />
I proposed some guidelines for the entire OWASP site<br />
in the [[Tutorial]] page. What do you think?? [[User:Jeff Williams|Jeff Williams]] 15:01, 22 June 2006 (EDT)<br />
<br />
== J2EE Security For Deployers ==<br />
<table border=1 cellpadding=5><br />
<tr><td><b>Deadline for first draft:</b></td><td>19/08/2006</td></tr><br />
<tr><td><b>Deadline for first review:</b></td><td>26/08/2006</td></tr><br />
<tr><td><b>Deadline for final draft:</b></td><td>11/09/2006</td></tr><br />
<tr><td><b>Deadline for final review:</b></td><td>20/09/2006</td></tr><br />
</table><br />
=== Securing Popular J2EE Servers ===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Practical step-by-step guides to securing various J2EE servers. Examples of secure configurations can also be provided for download. If configurations are provided, they should be properly commented so that the rationale for configuration settings is clearly explained. Users of the configurations should be provided with enough information to make their own risk decisions.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Securing Tomcat<br />
* Securing JBoss<br />
* Securing WebLogic<br />
* Securing WebSphere<br />
* Others...<br />
<br />
=== Defining a Java Security Policy ===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>Practical information on creating a Java security policies for J2EE servers.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
* Jeff's tool? --[[User:Stephendv|Stephendv]] 08:37, 12 June 2006 (EDT)<br />
* jChains (www.jchains.org)<br />
<br />
=== Protecting Binaries ===<br />
<table border=1 cellpadding=5><br />
<tr><td valign="top"><b>Objective:</b></td><td>This should be focussed on web applications, so examples should include applets and web start apps.</td></tr><br />
<tr><td valign="top"><b>Status:</b></td><td>Call for volunteers</td></tr><br />
<tr><td valign="top"><b>Contributors:</b></td><td></td></tr><br />
<tr><td><b>Reviewers:</b></td><td></td></tr><br />
</table><br />
- Discuss Bytecode Manipulation Tools and Techniques - Rohyt<br />
* Bytecode obfuscation<br />
* Convert bytecode to native machine code<br />
* jarsigner</div>Eklaver