OWASP - User contributions [en]

OWASP Java Project WIPRO 1 2015

2017-11-10T21:56:25Z

Imifos:

{{taggedDocument
| type=delete
| comment=Tagged via fixme/delete.
}}

<div style="width:100%;border:0,margin:0;overflow: hidden;">[[File:OWASP_Java_Project_Header.png|link=]]</div>
<br>

<center>
<p style="font-size: 1.8em;">Wiki Pages Review Operation - 2015/2016</p>
</center>

<br>

= Main =

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;width:100%" |

91 Pages in category "OWASP Java Pages" have to be reviewed. We use a Google Document where every person interested can let opinions, comments and suggestions. Even reviewing one single page is welcome.

Shared Google document used to comment and review:

https://docs.google.com/spreadsheets/d/13bazikNd5fc9f7ppqMEAxbo0sI3CpOdPgDW5xt3LeMc/edit?usp=sharing

| valign="top" style="padding-left:25px;min-width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Team ==

<br/>

== Meta ==

* Start: 12/2015
* Last Update: 12/2015

<br/>

== Other Resources ==

N/A

<br/>

| valign="top" style="padding-left:25px;min-width:200px;" |

==Classifications==



|}

= Pages List =

Shared Google document used to write reviews:

https://docs.google.com/spreadsheets/d/13bazikNd5fc9f7ppqMEAxbo0sI3CpOdPgDW5xt3LeMc/edit?usp=sharing

{| class="wikitable"
! Page
! Status
! Review
! Operations
|-
|[[Bytecode obfuscation]]
|
| Outdated but interesting to keep, marked for review. https://www.owasp.org/index.php/Talk:Bytecode_obfuscation
|
|-
|[[Captchas in Java ]]
|
|Updated and not of interest. Marked for deletion.
|DELETED BY ADMIN
|-
|[[Clickjacking Protection for Java EE]]
|
|Flagged for deletion, reason stated on page.
|DELETED BY ADMIN
|-
|[[Command injection in Java]]
|
|Marked for review.
|
|-
|[[Comparing classes by name ]]
|
|Marked for review
|
|-
|[[Complejidad Y Longitud De Las Contraseñas ]]
|
|
|
|-
|[[Content Security Policy ]]
|
|
|
|-
|[[CORS OriginHeaderScrutiny]]
|
|
|
|-
|[[CORS RequestPreflighScrutiny]]
|
|
|
|-
|[[Cross-site Scripting (XSS) ]]
|
| Looks updated
| NO ACTION TAKEN, I: Removed Java tag since it's not really a Java specific isue and only an example was written usign JSP.
|-
|[[Declarative Access Control in Java]]
|
|gone
|Deleted by admin
|-
|[[Decompiling Java bytecode]]
|
|
| DELETED
|-
|[[Deserialization of untrusted data]]
|
| Looks legit
| Looks legit
|-
|[[Detect profiling phase into web application]]
|
|
|
|-
|[[Exception handling techniques ]]
|
|
|
|-
|[[Failure to follow guideline/specification ]]
|
|
|
|-
|[[Hacking Java Clients ]]
|
|
|
|-
|[[Hashing Java]]
| UNDER REVIEW
| Updated by Mark Gordon. Thank you!
| No action needed
|-
|[[Hibernate]]
|
|
|
|-
|[[Hibernate-Guidelines ]]
|
|
|
|-
|[[How to add validation logic to HttpServletRequest]]
|
|
|
|-
|[[How to encrypt a properties file ]]
|
|
|
|-
|[[Implementacion De Firmas Digitales en Java]]
|
|
|
|-
|[[Improper Data Validation]]
|
|
|
|-
|[[Improper temp file opening ]]
|
|
|
|-
|[[Information Leakage]]
|
|
|
|-
|[[Insecure Randomness]]
|
|
|
|-
|[[Insecure Transport]]
|
|
|
|-
|[[Insufficient Session-ID Length]]
|
|
|
|-
|[[Invoking untrusted mobile code]]
|
|
|
|-
|[[Inyección De Comandos En Java ]]
|
|Should we keep the 2 spanish pages? A translation is of course a good thing, but we have only 2 pages whose quality we cannot verify.
|
|-
|[[J2EE Misconfiguration: Unsafe Bean Declaration]]
|
|J2EE is completely outdated and only used in old legacy installation. No new projects are based on this environment. Moreover the page does not contain any useful information. Marked for deletion.
|
|-
|[[J2EE third party libraries insecurity]]
|
|See above. Propose to delete the page since it's not referenced by any other wiki page anymore.
| redirected to dependency check
|-
|[[JAAS Timed Login Module ]]
|
|
| Deleted
|-
|[[JAAS Tomcat Login Module]]
|
|
| Deleted
|-
|[[Java Project Article Wishlist ]]
|
|
|
|-
|[[Java Security Frameworks]]
|
|
| Merged into category page
|-
|[[Java Security Resources ]]
|
|
| Merged into category page
|-
|[[Java Server Faces ]]
|
|
|
|-
|[[JSP errorPage]]
|
|
|
|-
|[[JSP JSTL ]]
|
|
|
|-
|[[Leftover Debug Code]]
|
|
|
|-
|[[Log Forging ]]
|
|
|
|-
|[[Logout]]
|
|
|
|-
|[[Member Field Race Condition]]
|
|
|
|-
|[[Missing Error Handling]]
|
|
|
|-
|[[Mobile Java Security ]]
|
|
|
|-
|[[Null Dereference]]
|
|
|
|-
|[[Object Model Violation: Just One of equals() and hashCode() Defined]]
|
|
|
|-
|[[Often Misused: Authentication ]]
|
|
|
|-
|[[Overly-Broad Catch Block]]
|
|
|
|-
|[[Overly-Broad Throws Declaration]]
|
|
|
|-
|[[OWASP CSRFGuard Project/es ]]
|
|
|
|-
|[[OWASP Java Table of Contents]]
|
|
|
|-
|[[Parameter Validation Filter]]
|
|
|
|-
|[[Password length & complexity]]
|
|
|
|-
|[[Password Management: Hardcoded Password]]
|
|
|
|-
|[[Password Management: Weak Cryptography ]]
|
|
|
|-
|[[Password Plaintext Storage ]]
|
|
|
|-
|[[PDF Attack Filter for Java EE ]]
|
|
|
|-
|[[Poor Logging Practice]]
|
|
|
|-
|[[Preventing LDAP Injection in Java]]
|
|
|
|-
|[[Preventing SQL Injection in Java ]]
|
|
|redirected to sqlI cheatsheet
|-
|[[Process Control]]
|
|
|
|-
|[[Protecting code archives with digital signatures]]
|
|
|
|-
|[[Reflection attack in an auth protocol]]
|
|
|
|-
|[[Return Inside Finally Block]]
|
|
|
|-
|[[Securing tomcat]]
|
|
|
|-
|[[Servlet spec - web.xml]]
|
|
|
|-
|[[Session Fixation]]
|
|
|
|-
|[[Session Timeout]]
|
|
|
|-
|[[Signing jar files with jarsigner ]]
|
|
|
|-
|[[State synchronization error]]
|
|
|
|-
|[[Struts]]
|
|
|
|-
|[[Struts Validation in an ActionForm]]
|
|
|
|-
|[[Struts Validation in validator.xml using an ActionForm]]
|
|
|
|-
|[[Struts XSLT Viewer]]
|
|
|
|-
|[[Traducción Español]]
|
|
|(See spanish page above)
|-
|[[Trust Boundary Violation]]
|
|
|
|-
|[[Trustworthy Java]]
|
|
| Delete
|-
|[[Uncaught exception]]
|
|
|
|-
|[[Unchecked Return Value: Missing Check against Null ]]
|
|
|
|-
|[[Unreleased Resource]]
|
|
|
|-
|[[Unsafe JNI]]
|
|
|
|-
|[[Unsafe Mobile Code]]
|
|
|
|-
|[[Unsafe Reflection ]]
|cleaned, extended
|useful code examples
|marked to be merged with another page on the subject
|-
|[[Using JCaptcha ]]
|
|
| deleted
|-
|[[Using the Java Cryptographic Extensions]]
|
|
|
|-
|[[Using the Java Secure Socket Extensions]]
|
|
|
|-
|[[XPATH Injection Java ]]
|
|
|
|-
|[[OWASP's_ESAPI_Wiki_for_Java!]]
| Check Project Status
|
| The entire ESAPI For Java project needs a review. In progress on ML.
|}

Shared Google document used to write reviews:

https://docs.google.com/spreadsheets/d/13bazikNd5fc9f7ppqMEAxbo0sI3CpOdPgDW5xt3LeMc/edit?usp=sharing

=About=

OWASP Java and JVM Project - Wiki Pages Review Operation 1 - 2015/2016

<br>

{{Template:Project About
| project_name =OWASP Java Project WIPRO 1 - 2015/2016
| project_description =
| project_license =
| leader_name1 =
| leader_email1 =
| leader_username1 =
| contributor_name1 =
| contributor_email1 =
| contributor_username1 =
| mailing_list_name =
| links_url1 =
| links_name1 =
| links_url2 =
| links_name2 =
}}

__NOTOC__
<headertabs />

<br/>

Category:Java

2017-11-10T21:55:44Z

Imifos: All pages moved categories, so this list is now empty

= Main =
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== About ==

The OWASP Java™ and JVM Technology Knowledge Base is the clearing house for all information related to building secure web/distributed applications and services based on Java and JVM technologies. The focus of these pages is on guidance for developers and architects using Java frameworks and JVM based technologies for web application development, on OWASP components that use Java and on participation in OWASP projects that use Java and JVM technologies. Moreover, we aim to provide security related guidance for system administrators managing Java and JVM based applications and tools.

The project is not limited to Java. It aims to also address topics around the JVM in general.

Community content is key to security information. The project depends on content from developers throughout the Java and JVM ecosystem.

==Purpose==

* Provide deep, rich guidance for Java developers in using the security features of Java and of Java frameworks.
* Address security in relation to the Java Virtual Machine and derived technologies.
* Guide system administrators in managing Java and JVM related components and applications.
* Create guidance for use of OWASP components that are designed for use with Java or other JVM languages.
* Focus on information about working with and on OWASP tools built using Java or other JVM technologies.
* Provide a stream of security related information, like vulnerabilities and security patches, related to the Java and JVM universe.
* Build an ecosystem allowing to all actors interested to discuss, share and learn.

== Licensing ==

OWASP Java™ and JVM Technology Knowledge Base is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

Oracle® and Java™ are [http://www.oracle.com/us/legal/trademarks/index.html|registered trademarks of Oracle] and/or its affiliates. Other names may be trademarks of their respective owners.

== What's Hot! ==

See the "Tasks and Roadmap" tab for more information.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

[[File:OWASP_Java_Wiki_logo.png|frame]]

<br/>

== Meta ==

Last Update: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

<br/>

== Other Resources ==

[http://lists.owasp.org/mailman/listinfo/java-project Mailing List]

[https://github.com/owasp GitHub (OWASP)]

<br/>

== Related Projects ==

* [[OWASP_Project|OWASP Project Repository]]
* [[Language|Languages Repository]]
* [[OWASP_.NET_Project|.NET Project]]
* [[Ruby|Ruby]]
* [[PHP|PHP]]
* [[Perl|Perl]]
* [[Python|Python]]
* [[JavaScript|JavaScript]]
* [[C/C++|C/C++]]
* [[SQL|SQL, PL/SQL, DB Scripting]]
* [[OWASP_Internet_of_Things_Project|OWASP IoT Security]]
* [[OWASP_Mobile_Security_Project|OWASP Mobile Security]]

|}

= Related OWASP Projects =

== Security Tools ==

{| width="100%"
| colspan="2" | [[OWASP_Dependency_Check|OWASP Dependency Check]]
|-
| width="20" |  
| Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently <b>Java</b>, .NET, Ruby, Node.js, and Python projects are supported.
|-
| colspan="2" | [[OWASP_SonarQube_Project|OWASP SonarQube Project]]
|-
| width="20" |  
| The first goal of the OWASP SonarQube Project is to a create a referential of check specifications targeting OWASP vulnerabilities that can be detected by SAST tools (Static Application Security Testing). From there, the second goal is to provide a reference implementations of most of those checks in the Open Source SonarQube language analyzers (<b>Java</b>, JavaScript, PHP and C#). SonarQube is an Open Source platform for managing code quality.
|}

== Secure Coding Libraries ==

{| width="100%"
|-
| colspan="2" | [[OWASP_AppSensor_Project|OWASP AppSensor]]
|-
| width="20" |  
| The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into applications.
|-
| colspan="2" | [[CSRFGuard|OWASP CSRFGuard]]
|-
| width="20" |  
| CSRFGuard is a Java library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
|-
| colspan="2" | [[OWASP_Java_Encoder_Project|OWASP Java Encoder Project]]
|-
| width="20" |  
| The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting.
|-
| colspan="2" | [[OWASP_Java_HTML_Sanitizer|OWASP Java HTML Sanitizer]]
|-
| width="20" |  
| The OWASP HTML Sanitizer is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.
|-
| colspan="2" | [[OWASP_Security_Logging_Project|OWASP Security Logging Project]]
|-
| width="20" |  
| The OWASP Security Logging project provides developers and ops personnel with APIs for logging security-related events. The aim is to let developers use the same set of logging APIs they are already familiar with from over a decade of experience with Log4J and its successors, while also adding powerful security features.
|-
| colspan="2" | [[OWASP_ESAPI|OWASP Enterprise Security API (ESAPI)]]
|-
| width="20" |  
| ESAPI (The OWASP Enterprise Security API) for Java is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. This project has seen major updates as recently as February 2016.
|}

== General Documents ==

{| width="100%"
| [[OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide|OWASP Secure Coding Practices - Quick Reference Guide]]
| [[OWASP_Codes_of_Conduct|OWASP Codes of Conduct]]
| [[Cheat_Sheets|OWASP Cheat Sheets Series]]
|-
| [[OWASP_Testing_Project|OWASP Testing Project]]
| [[OWASP_Top_Ten_Project|OWASP Web Top 10]]
| [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP Vulnerable Web Applications Directory]]
|}

= Related 3rd Party Projects =

A list of third party (i.e. not part of Java SE or EE) security frameworks. This page contains a list of Java security libraries and frameworks and indicates which security features each library supports.

==Enterprise==
* [http://shiro.apache.org/ Apache Shiro] is a Java security framework that performs authentication, authorization, cryptography, and session management.
* [http://projects.spring.io/spring-security/ Spring Security] provides security services for Java EE-based enterprise software applications. Services include authentication, authorization and protection against attacks like session fixation, clickjacking and cross site request forgery.
* [http://www.hdiv.org/ HDIV] A web application security framework that provides a number of functions.

== Access Control (Authentication and Authorization) ==
* [http://oaccframework.org/ OACC] is an application security framework for Java designed for fine grained (object level) access control. OACC uses the abstraction of a ''resource'' for the application objects being secured. This key abstraction enables OACC to provide a rich API that includes grant, revoke and query capabilities for storing and managing the application's security relationships.
* [http://picketlink.org/appsecurity/ PicketLink] provides authentication, single sign on, permission based access control and other security features.

== Encryption ==
* [https://github.com/google/keyczar Keyczar] is an open source cryptographic toolkit designed to make it easier and safer for developers to use cryptography in their applications. Keyczar supports authentication and encryption with both symmetric and asymmetric keys.
* [http://www.bouncycastle.org/ Bouncycastle] is a lightweight Java cryptography API <i>provider</i>.
* [http://www.jasypt.org/ Jasypt] is a Java library which allows the developer to add basic encryption capabilities to his/her projects with minimum effort, and without the need of having deep knowledge on how cryptography works.

== XML Security ==
* The [http://santuario.apache.org/ Apache Santuario] project is aimed at providing implementation of the primary security standards for XML: XML-Signature Syntax and Processing and XML Encryption Syntax and Processing.

== Validation ==
* [http://www.sapia-oss.org/projects/vlad/home.html Vlad] stands for "validation". This projects indeed aims at offering a simple, high-level, extensible, generic validation framework that can easily be integrated into existing applications.
* [https://www.owasp.org/index.php/Protect_FileUpload_Against_Malicious_File This OWASP article] and [https://github.com/righettod/document-upload-protection code snippet] proposes a way to protect a file upload feature against submission of files that may contain malicious code.
* [http://commons.apache.org/proper/commons-validator/ The Apache Common's validator] can be used to perform validation.

= Resources =

== Mailing List ==

[http://lists.owasp.org/mailman/listinfo/java-project OWASP Java and JVM Technologies Mailing List]

== Code Repository ==

[https://github.com/owasp GitHub OWASP Global Repository]

== Related Project Resources ==

[[OWASP_Project|OWASP Project Repository]]

[[Language|Languages Repository]]

[[OWASP_.NET_Project|.NET Project]]

[[Ruby|Ruby Technology Knowledge Base]]

[[PHP|PHP Technology Knowledge Base]]

[[Perl|Perl Technology Knowledge Base]]

[[Python|Python Technology Knowledge Base]]

[[JavaScript|JavaScript Technology Knowledge Base]]

[[C/C++|C/C++ Technology Knowledge Base]]

[[SQL|SQL, PL/SQL and DB Scripting Technology Knowledge Base]]

[[OWASP_Internet_of_Things_Project|OWASP IoT Security Project]]

[[OWASP_Mobile_Security_Project|OWASP Mobile Security Project]]

= Tasks and Roadmap =

== Roadmap ==

* Build Java and JVM security related net resources guide
* The OWASP Java and JVM Technology Knowledge Base is principally about creating deep, rich guidance for Java and JVM developers using all kind of security resources. The idea is to have an effort of building a internet resource guide for everything around the JVM universe. Information, blogs, articles, tools, test servers and more. Important however is that this list is seriously curated.
* Concrete guideline for Java and JVM developers
* Clear checklists, around various topics, language, servers and frameworks.

<br/>

= Get involved =

The first step would be to establish contact with the project leaders and/or the entire team. This can be done using a direct and private message, or by joining the public mailing list to say hello.

When it comes to participating in project activities, everything depends on the time you are willing and able to invest. It is however very important to not jump into too many things at the beginning, later having to back out or to let unfinished things behind you. It is much better to start with small tasks, increasing intensity and investment over time.

Please also be patient with expecting the "merge" of your work into the existing project pages and code. As everywhere in live, trust has to be built-up.

The Java and JVM knowledge base has currently multiple tasks open, which can be found on the adequate section of this page. Not all tasks require a wiki account. Please take something you are interested in and start participating. Work load is not the only outcome when participating in open projects. You are getting a lot of things back: recognition, satisfaction, knowledge and contacts, sometime friends.

Sounds cool? Then jump in...

To get involved join the mailing list, follow this link: [http://lists.owasp.org/mailman/listinfo/java-project OWASP Java and JVM Mailing List]

= Archives =

The previous version of this JAVA Project home page is archived here: [[OWASP Java Project Archive (8.2010)]]

<br/>

<hr/>

__NOTOC__
<headertabs />

<br/>

'''IMPORTANT: all pages of these project are currently under review. A lot are outdated and are in the process of being removed or updated.'''



[[Category:Technology]]
[[Category:Language]]

Struts Validation in an ActionForm

2017-11-10T21:54:43Z

Imifos: typo

* struts-config.xml
<pre>
<struts-config>
<form-beans>
<form-bean name="logonForm" type="net.jcj.LogonForm"/>
</form-beans>
<action-mappings>
<action path="/Logon" forward="/pages/Logon.jsp"/>
<action path="/LogonSubmit" type="app.jcj.LogonAction" name="logonForm"
scope="request" validate="true" input="/pages/Logon.jsp">
<forward name="success" path="/pages/Welcome.jsp"/>
<forward name="failure" path="/pages/Logon.jsp"/>
</action>
</action-mappings>
<message-resources parameter="resources.application"/>
</struts-config>
</pre>
* net.jcj.LogonForm
<pre>
package net.jcj;

import javax.servlet.http.HttpServletRequest;
import org.apache.struts.action.*;

public class LogonForm extends ActionForm
{
private String userId = null;
private String password = null;

public void setUserId (String userId){
this.userId = userId ;
}

public String getUserId(){
return this.userId ;
}

public void setPassword (String password){
this.password = password;
}

public String getPassword(){
return this.password;
}

/**
* Resets all properties to their default values.
*/
public void reset(ActionMapping mapping, HttpServletRequest request) {
this.userId = null;
this.password = null;
}

/**
* Validates the form. Returns a list of action
* Of course in a production environment, your rules would be far more strict than this.
*/
public ActionErrors validate(
ActionMapping mapping, HttpServletRequest request ) {
ActionErrors errors = new ActionErrors();

if( getUserId() == null || getUserId().length() < 1 ) {
errors.add("userId",new ActionMessage("error.userid.required"));
}
if( getPassword() == null || getPassword().length() < 1 ) {
errors.add("password",new ActionMessage("error.password.required"));
}

return errors;
}

}
</pre>

[[Category:Java]]

PDF Attack Filter for Java EE

2017-11-10T21:54:23Z