
Difference between revisions of "OWASP Java Table of Contents"

This content is out of date. Please visit [https://www.owasp.org/index.php/Category:Java https://www.owasp.org/index.php/Category:Java] for more updated information on the Java platform as it relates to application security.

'''Key:'''
* xx%: Progress status of the paragraph
 
* Review: The paragraph needs a review
 
* TD: Paragraph to be assigned
 
 
 
==[[J2EE Security for Architects]]==
 
===Design considerations===
 
* Architectural considerations (0%, TD)
 
** EJB Middle tier (0%, TD)
 
** Web Services Middle tier (0%, TD)
 
** Spring Middle tier (0%, TD)
 
 
 
==[[J2EE Security for Developers]]==
 
=== Noteworthy Frameworks ===
 
(50% ?, Claire McDonough, Ranjita Shankar Iyer, Rohyt Belani to update, Review)
 
* Struts
 
* Turbine
 
* JSF (MyFaces)
 
* Tapestry
 
* Webwork
 
* Cocoon
 
* Tiles
 
* SiteMesh
 
* Spring
 
 
 
===[[Java Security Basics]]===
 
* Class Loading (0%, Shyaam Sundar, Review)
 
* Bytecode verifier (0%, Shyaam Sundar, Review)
 
* The Security Manager and security.policy file (0%, Shyaam Sundar, Review)
 
 
 
===Input Validation===
 
* Overview (0%, TD)
 
* Dangerous calls (BufferedReader.readLine(), ServletRequest.getParameter(), etc...) (0%, TD)
 
* [[How to add validation logic to HttpServletRequest]] (100%, Jeff Williams, Review)
 
* [[How to perform HTML entity encoding in Java]] (100%, Jeff Williams, Review)
 
 
 
==== [[Preventing SQL Injection in Java]] ====
 
* Overview
 
* Prevention (60%, Stephen de Vries, Review)
 
** White Listing
 
** Prepared Statements
 
** Stored Procedures
 
** Hibernate
 
** iBATIS
 
** Spring JDBC
 
** EJB 3.0
 
** JDO
 
 
 
==== [[Preventing LDAP Injection in Java]] ====
 
* Overview (100%, Stephen de Vries, Review)
 
* Prevention (100%, Stephen de Vries, Review)
 
 
 
==== [[XPATH Injection]] ====
 
* Overview (0%, TD)
 
* Prevention (0%, TD)
 
 
 
==== Miscellaneous Injection Attacks  ====
 
* HTTP Response splitting (0%, TD)
 
* Command injection - Runtime.getRuntime().exec() (0%, TD)
 
 
 
=== Authentication===
 
* Storing credentials - (0%, Adrian San Juan, Review)
 
* [[Hashing Java|Hashing]] - (100%, Michel Prunet, Review)
 
* [[SSL Best Practices]] - (20%, Philippe Curmin, Review)
 
* [[Using JCaptcha]] - (100%, Dave Ferguson, Review)
 
* Container-managed authentication with Realms
 
** [[Declarative Access Control in Java]] - (100%, Dave Ferguson, Review)
 
* [[JAAS Timed Login Module]] - (100%, Stephen de Vries, Review)
 
* [[JAAS Tomcat Login Module]] - (100%, Stephen de Vries, Review)
 
* Password length & complexity - (0%, Adrian San Juan, Review)
 
 
 
===Session Management ===
 
* Logout (0%, TD)
 
* Session Timeout (0%, TD)
 
* Absolute Timeout (0%, TD)
 
* Session Fixation (0%, TD)
 
* Terminating sessions (0%, TD)
 
** Terminating sessions when the browser window is closed
 
 
 
===Authorization===
 
* Declarative vs. Programmatic (0%, TD)
 
* EJB Authorization (0%, TD)
 
* Acegi (0%, TD)
 
* JACC (0%, TD)
 
* Check horizontal privilege (0%, TD)
 
 
 
=== Encryption===
 
* JCE (0%, TD)
 
* Storing db secrets (0%, TD)
 
* Encrypting JDBC connections (0%, TD)
 
* JSSE (0%, TD)
 
* Random number generation (0%, TD)
 
 
 
=== Error Handling & Logging===
 
* Logging - why log? what to log? log4j, etc. (0%, TD)
 
* Exception handling techniques (0%, TD)
 
** fail-open/fail-closed
 
** resource cleanup
 
** finally block
 
** swallowing exceptions
 
* Exception handling frameworks (50%, TD)
 
** Servlet spec - web.xml [[Securing tomcat]] (100%, Darren Edmonds, Review)
 
** JSP errorPage (0%, TD)
 
* Web application forensics (0%, TD)
 
 
 
=== Web Services Security ===
 
* SAML (0%, TD)
 
* (X)WS-Security (0%, TD)
 
* Sun JWSDP (0%, TD)
 
* XML Signature (JSR 105) (0%, TD)
 
* XML Encryption (JSR 106) (0%, TD)
 
 
 
=== Code Analysis Tools ===
 
* Introduction (0%, TD)
 
* [[:Category:OWASP LAPSE Project]] (100%, Review)
 
* FindBugs (0%, TD)
 
** Creating custom rules
 
* PMD (0%, TD)
 
** Creating custom rules
 
* JLint (0%, TD)
 
* Jmetrics (0%, TD)
 
 
 
== [[J2EE Security For Deployers]] ==
 
 
 
=== Securing Popular J2EE Servers ===
 
* [[Securing tomcat|Securing Tomcat]] - (100%, Darren Edmonds, Review)
 
* Securing JBoss (0%, TD)
 
* Securing WebLogic (0%, TD)
 
* Securing WebSphere (0%, TD)
 
* Others...
 
 
 
=== Defining a Java Security Policy ===
 
* PolicyTool (80%, Jeff Williams, Needs a new owner, Review)
 
* jChains (www.jchains.org) - (0%, TD)
 
 
 
=== Protecting Binaries ===
 
* Bytecode manipulation tools and techniques (0%, TD)
 
* Bytecode obfuscation (proguard) (0%, TD)
 
* Convert bytecode to native machine code (0%, TD)
 
* Signing jar files with jarsigner (0%, TD)
 
 
 
==[[J2EE Security for Security Analysts and Testers]]==
 
* Using Eclipse to verify Java applications (0%, TD)
 
* Using [[:Category:OWASP WebScarab Project|WebScarab]] to find vulnerabilities in J2EE applications - (0%, TD)
 
* Decompiling Java bytecode (0%, TD)
 
 
 
== [[Java Resources]] (ongoing)==
 
 
 
[[Category:OWASP Java Project]]
 

Latest revision as of 18:40, 4 March 2016
