
Difference between revisions of "OWASP Java Table of Contents"

<b>Key:</b>
This content is out of date. Please visit [https://www.owasp.org/index.php/Category:Java https://www.owasp.org/index.php/Category:Java] for more updated information on the Java platform as it relates to application security.
* xx%: Progress status of the paragraph
 
* Review: The paragraph needs a review
 
* TD: Paragraph to be assigned
 
 
 
==[[J2EE Security for Architects]]==
 
Discuss the security implications of common J2EE architectures.  This could be discussed in terms of: Authentication, Authorisation, Data Validation, Cross Site Scripting protection.  Other architecture concerns such as scalability, performance and maintainability can also be mentioned, but the focus on security should not be lost.
 
 
 
Any other security concerns that should be addressed during the design phase should also be mentioned here.
 
===Design considerations===
 
* Architectural considerations (0%, TD)
 
** EJB Middle tier (0%, TD)
 
** Web Services Middle tier (0%, TD)
 
** Spring Middle tier (0%, TD)
 
 
 
==[[J2EE Security for Developers]]==
 
=== Noteworthy Frameworks ===
 
Discuss important and relevant Java security frameworks that would be useful to architects. The information should be at a suitably high level, for example, by discussing the advantages and features as well as the associated costs (direct and indirect) of using the frameworks.
 
 
 
(50% ?, Claire McDonough, Ranjita Shankar Iyer, Rohyt Belani to update, Review)
 
* Struts
 
* Turbine
 
* JSF (MyFaces)
 
* Tapestry
 
* Webwork
 
* Cocoon
 
* Tiles
 
* SiteMesh
 
* Spring
 
 
 
===[[Java Security Basics]]===
 
Provide an introduction into the basic security services provided by the Java language and environment. Remember to keep this relevant for web developers for the initial release - there may be a potential to expand this to thick clients in subsequent releases.
 
* Class Loading (0%, Shyaam Sundar, Review)
 
* Bytecode verifier (0%, Shyaam Sundar, Review)
 
* The Security Manager and security.policy file (0%, Shyaam Sundar, Review)
 
 
 
===Input Validation===
 
* Overview (0%, TD)
 
* Dangerous calls (BufferedReader.readLine(), ServletRequest.getParameter(), etc...) (0%, TD)
 
* [[How to add validation logic to HttpServletRequest]] (100%, Jeff Williams, Review)
 
* [[How to perform HTML entity encoding in Java]] (100%, Jeff Williams, Review)
 
 
 
==== [[Preventing SQL Injection in Java]] ====
 
* Overview
 
* Prevention (60%, Stephen de Vries, Review)
 
** White Listing
 
** Prepared Statements
 
** Stored Procedures
 
** Hibernate
 
** Ibatis
 
** Spring JDBC
 
** EJB 3.0
 
** JDO
 
 
 
==== [[Preventing LDAP Injection in Java]] ====
 
* Overview (100%, Stephen de Vries, Review)
 
* Prevention (100%, Stephen de Vries, Review)
 
 
 
==== [[XPATH Injection]] ====
 
As with the other Injection sections, only provide cursory information on the general case. This section should contain practical real-world advice and code examples for preventing XPATH injection.
 
* Overview (0%, TD)
 
* Prevention (0%, TD)
 
 
 
==== Miscellaneous Injection Attacks  ====
 
* HTTP Response splitting (0%, TD)
 
* Command injection - Runtime.getRuntime().exec() (0%, TD)
 
 
 
=== Authentication===
 
* Storing credentials - (0%, Adrian San Juan, Review)
 
* [[Hashing Java|Hashing]] - (100%, Michel Prunet, Review)
 
* [[SSL Best Practices]] - (20%, Philippe Curmin, Review)
 
* [[Using JCaptcha]] - (100%, Dave Ferguson, Review)
 
* Container-managed authentication with Realms
 
** [[Declarative Access Control in Java]] - (100%, Dave Ferguson, Reviewed by Pierre Parrend, Dave to act on comments)
 
* [[JAAS Timed Login Module]] - (100%, Stephen de Vries, Review)
 
* [[JAAS Tomcat Login Module]] - (100%, Stephen de Vries, Review)
 
* Password length & complexity - (0%, Adrian San Juan, Review)
 
 
 
===Session Management ===
 
The generic problems and solutions for session management are covered in the Guide.  This section should focus on Java specific examples.
 
* Logout (0%, TD)
 
* Session Timeout (0%, TD)
 
* Absolute Timeout (0%, TD)
 
* Session Fixation (0%, TD)
 
* Terminating sessions (0%, TD)
 
** Terminating sessions when the browser window is closed
 
 
 
===Authorization===
 
* Declarative vs. Programmatic (0%, TD)
 
* EJB Authorization (0%, TD)
 
* Acegi (0%, TD)
 
* JACC (0%, TD)
 
* Check horizontal privilege (0%, TD)
 
 
 
=== Encryption===
 
* JCE (0%, TD)
 
* Storing db secrets (0%, TD)
 
* Encrypting JDBC connections (0%, TD)
 
* JSSE (0%, TD)
 
* Random number generation (0%, TD)
 
 
 
=== Error Handling & Logging===
 
* Logging - why log? what to log? log4j, etc. (0%, TD)
 
* Exception handling techniques (0%, TD)
 
** fail-open/fail-closed
 
** resource cleanup
 
** finally block
 
** swallowing exceptions
 
* Exception handling frameworks (50%, TD)
 
** Servlet spec - web.xml [[Securing tomcat]] (100%, Darren Edmonds, Review)
 
** JSP errorPage (0%, TD)
 
* Web application forensics (0%, TD)
 
 
 
=== Web Services Security ===
 
* SAML (0%, TD)
 
* (X)WS-Security (0%, TD)
 
* SunJWSDP (0%, TD)
 
* XML Signature (JSR 105) (0%, TD)
 
* XML Encryption (JSR 106) (0%, TD)
 
 
 
=== Code Analysis Tools ===
 
The introduction should cover the advantages and shortcomings of code analysis tools. An overview of the current state of the art and the available tools would go well here. As a start, only open source tools are listed, but if vendors of commercial tools adhere to the [[Tutorial]] guidelines, these submissions will be gladly received.
 
* Introduction (0%, TD)
 
* [[:Category:OWASP LAPSE Project]] (100%, Review)
 
* FindBugs (0%, TD)
 
** Creating custom rules
 
* PMD (0%, TD)
 
** Creating custom rules
 
* JLint (0%, TD)
 
* Jmetrics (0%, TD)
 
 
 
== [[J2EE Security For Deployers]] ==
 
Practical step-by-step guides to securing various J2EE servers.  Examples of secure configurations can also be provided for download.  If configurations are provided, they should be properly commented so that the rationale for configuration settings is clearly explained.  Users of the configurations should be provided with enough information to make their own risk decisions.
 
=== Securing Popular J2EE Servers ===
 
* [[Securing tomcat|Securing Tomcat]] - (100%, Darren Edmonds, Review)
 
* Securing JBoss (0%, TD)
 
* Securing WebLogic (0%, TD)
 
* Securing WebSphere (0%, TD)
 
* Others...
 
 
 
=== Defining a Java Security Policy ===
 
Practical information on creating Java security policies for J2EE servers.
 
* PolicyTool (80%, Jeff Williams, Needs a new owner, Review)
 
* jChains (www.jchains.org) - (0%, TD)
 
 
 
=== Protecting Binaries ===
 
* Bytecode manipulation tools and techniques (0%, TD)
 
* Bytecode obfuscation (proguard) (0%, TD)
 
* Convert bytecode to native machine code (0%, TD)
 
* Signing jar files with jarsigner (0%, TD)
 
 
 
==[[J2EE Security for Security Analysts and Testers]]==
 
* Using Eclipse to verify Java applications (0%, TD)
 
* Using [[:Category:OWASP WebScarab Project|WebScarab]] to find vulnerabilities in J2EE applications - (0%, TD)
 
* Decompiling Java bytecode (0%, TD)
 
 
 
== [[Java Security Resources]] (ongoing)==
 
 
 
[[Category:OWASP Java Project]]
 

Latest revision as of 18:40, 4 March 2016
