This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Searching for Code in J2EE/Java"
(20 intermediate revisions by 5 users not shown) | |||
Line 1: | Line 1: | ||
− | + | {{LinkBar | |
− | == Searching for | + | | useprev=PrevLink | prev=Crawling Code | lblprev= |
− | + | | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents | |
− | + | | usenext=NextLink | next=Searching for Code in Classic ASP | lblnext= | |
+ | }} | ||
+ | __TOC__ | ||
− | + | ==Input and Output Streams== | |
− | + | These are used to read data into one’s application. They may be potential entry points into an application. The entry points may be from an external source and must be investigated. These may also be used in path traversal attacks or DoS attacks. | |
− | + | Java.io <br> | |
+ | java.util.zip <br> | ||
+ | java.util.jar <br> | ||
+ | FileInputStream <br> | ||
+ | ObjectInputStream <br> | ||
+ | FilterInputStream <br> | ||
+ | PipedInputStream <br> | ||
+ | SequenceInputStream <br> | ||
+ | StringBufferInputStream <br> | ||
+ | BufferedReader <br> | ||
+ | ByteArrayInputStream <br> | ||
+ | CharArrayReader <br> | ||
+ | File <br> | ||
+ | ObjectInputStream <br> | ||
+ | PipedInputStream <br> | ||
+ | StreamTokenizer <br> | ||
+ | getResourceAsStream <br> | ||
+ | java.io.FileReader <br> | ||
+ | java.io.FileWriter <br> | ||
+ | java.io.RandomAccessFile <br> | ||
+ | java.io.File <br> | ||
+ | java.io.FileOutputStream <br> | ||
+ | mkdir <br> | ||
+ | renameTo <br> | ||
+ | java.io.File.delete <br> | ||
+ | java.io.File.listFiles <br> | ||
+ | java.io.File.list <br> | ||
− | + | ==Servlets== | |
− | + | These API calls may be avenues for parameter, header, URL, and cookie tampering, HTTP Response Splitting and information leakage. They should be examined closely as many of such APIs obtain the parameters directly from HTTP requests. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | javax.servlet.* <br> | |
+ | getParameterNames<br> | ||
+ | getParameterValues<br> | ||
+ | getParameter<br> | ||
+ | getParameterMap<br> | ||
+ | getScheme<br> | ||
+ | getProtocol<br> | ||
+ | getContentType<br> | ||
+ | getServerName<br> | ||
+ | getRemoteAddr<br> | ||
+ | getRemoteHost<br> | ||
+ | getRealPath<br> | ||
+ | getLocalName<br> | ||
+ | getAttribute<br> | ||
+ | getAttributeNames<br> | ||
+ | getLocalAddr<br> | ||
+ | getAuthType<br> | ||
+ | getRemoteUser<br> | ||
+ | getCookies<br> | ||
+ | isSecure<br> | ||
+ | HttpServletRequest<br> | ||
+ | getQueryString<br> | ||
+ | getHeaderNames<br> | ||
+ | getHeaders<br> | ||
+ | getPrincipal<br> | ||
+ | getUserPrincipal<br> | ||
+ | isUserInRole<br> | ||
+ | getInputStream<br> | ||
+ | getOutputStream<br> | ||
+ | getWriter<br> | ||
+ | addCookie<br> | ||
+ | addHeader<br> | ||
+ | setHeader<br> | ||
+ | setAttribute<br> | ||
+ | putValue<br> | ||
+ | javax.servlet.http.Cookie<br> | ||
+ | getName<br> | ||
+ | getPath<br> | ||
+ | getDomain<br> | ||
+ | getComment<br> | ||
+ | getMethod<br> | ||
+ | getPath<br> | ||
+ | getReader<br> | ||
+ | getRealPath<br> | ||
+ | getRequestURI<br> | ||
+ | getRequestURL<br> | ||
+ | getServerName<br> | ||
+ | getValue<br> | ||
+ | getValueNames<br> | ||
+ | getRequestedSessionId<br> | ||
− | + | ==Cross Site Scripting== | |
− | + | javax.servlet.ServletOutputStream.print <br> | |
− | + | javax.servlet.jsp.JspWriter.print <br> | |
− | + | java.io.PrintWriter.print <br> | |
− | + | ==Response Splitting== | |
− | + | javax.servlet.http.HttpServletResponse.sendRedirect <br> | |
− | + | addHeader, setHeader <br> | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | ==== | + | ==Redirection== |
− | + | sendRedirect <br> | |
+ | setStatus <br> | ||
+ | addHeader, setHeader <br> | ||
− | + | ==SQL & Database== | |
− | + | Searching for Java Database related code this list should help you pinpoint classes/methods which are involved in the persistence layer of the application being reviewed. | |
− | |||
− | |||
− | |||
− | |||
− | |||
+ | jdbc <br> | ||
+ | executeQuery <br> | ||
+ | select <br> | ||
+ | insert <br> | ||
+ | update <br> | ||
+ | delete <br> | ||
+ | execute <br> | ||
+ | executestatement <br> | ||
+ | createStatement <br> | ||
+ | java.sql.ResultSet.getString <br> | ||
+ | java.sql.ResultSet.getObject <br> | ||
+ | java.sql.Statement.executeUpdate <br> | ||
+ | java.sql.Statement.executeQuery <br> | ||
+ | java.sql.Statement.execute <br> | ||
+ | java.sql.Statement.addBatch <br> | ||
+ | java.sql.Connection.prepareStatement <br> | ||
+ | java.sql.Connection.prepareCall <br> | ||
− | == | + | ==SSL== |
− | + | Looking for code which utilises SSL as a medium for point to point encryption. The following fragments should indicate where SSL functionality has been developed. | |
− | + | com.sun.net.ssl <br> | |
− | + | SSLContext <br> | |
− | + | SSLSocketFactory <br> | |
− | + | TrustManagerFactory <br> | |
− | + | HttpsURLConnection <br> | |
− | + | KeyManagerFactory <br> | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | == | + | ==Session Management== |
− | + | getSession <br> | |
− | + | invalidate <br> | |
− | + | getId <br> | |
− | |||
− | == | + | ==Legacy Interaction== |
− | + | Here we may be vulnerable to command injection attacks or OS injection attacks. Java linking to the native OS can cause serious issues and potentially give rise to total server compromise. | |
− | + | java.lang.Runtime.exec <br> | |
− | + | java.lang.Runtime.getRuntime <br> | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | == | + | ==Logging== |
− | + | We may come across some information leakage by examining code below contained in one’s application. | |
− | + | java.io.PrintStream.write <br> | |
− | + | log4j <br> | |
− | + | jLo <br> | |
− | + | Lumberjack <br> | |
− | + | MonoLog <br> | |
+ | qflog <br> | ||
+ | just4log <br> | ||
+ | log4Ant <br> | ||
+ | JDLabAgent <br> | ||
− | == | + | ==Architectural Analysis== |
− | + | If we can identify major architectural components within that application (right away) it can help narrow our search, and we can then look for known vulnerabilities in those components and frameworks: | |
− | + | <nowiki>### Ajax </nowiki><br> | |
− | + | XMLHTTP <br> | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | <nowiki>### Struts </nowiki><br> | |
− | + | org.apache.struts <br> | |
− | + | <nowiki>### Spring </nowiki><br> | |
− | + | org.springframework <br> | |
− | |||
− | |||
− | + | <nowiki>### Java Server Faces (JSF) </nowiki><br> | |
− | + | import javax.faces <br> | |
− | + | <nowiki>### Hibernate </nowiki><br> | |
− | + | import org.hibernate <br> | |
− | |||
− | |||
− | + | <nowiki>### Castor </nowiki><br> | |
− | + | org.exolab.castor <br> | |
− | + | <nowiki>### JAXB </nowiki><br> | |
− | + | javax.xml <br> | |
− | |||
− | + | <nowiki>### JMS </nowiki><br> | |
− | + | JMS <br> | |
− | + | ==Generic Keywords== | |
− | + | Developers say the darnedest things in their source code. Look for the following keywords as pointers to possible software vulnerabilities: | |
− | + | Hack <br> | |
− | + | Kludge <br> | |
+ | Bypass <br> | ||
+ | Steal <br> | ||
+ | Stolen <br> | ||
+ | Divert <br> | ||
+ | Broke <br> | ||
+ | Trick <br> | ||
+ | FIXME <br> | ||
+ | ToDo <br> | ||
+ | Password <br> | ||
+ | Backdoor <br> | ||
− | + | ==WEB 2.0== | |
− | + | '''Ajax and JavaScript''' | |
− | + | Look for Ajax usage, and possible JavaScript issues: | |
− | |||
− | + | document.write <br> | |
− | + | eval <br> | |
− | + | document.cookie <br> | |
− | + | window.location <br> | |
− | + | document.URL <br> | |
− | |||
− | == | + | ==Code Execution== |
− | + | The following may lead to arbitrary java code execution if source of input data is entrusted or not validated. | |
+ | java.lang.ClassLoader.defineClass <br> | ||
+ | java.net.URLClassLoader <br> | ||
+ | java.beans.Instrospector.getBeanInfo <br> | ||
+ | System.load <br> | ||
+ | System.loadLibrary <br> | ||
+ | Runtime.exec <br> | ||
+ | ProcessBuilder (constructor) <br> | ||
+ | javax.script.ScriptEngine.eval <br> | ||
− | + | ==XMLHTTP== | |
− | + | window.createRequest | |
− | |||
− | |||
− | ==== | + | {{LinkBar |
− | + | | useprev=PrevLink | prev=Crawling Code | lblprev= | |
− | + | | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents | |
+ | | usenext=NextLink | next=Searching for Code in Classic ASP | lblnext= | ||
+ | }} | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
[[Category:OWASP Code Review Project]] | [[Category:OWASP Code Review Project]] |
Latest revision as of 22:44, 18 April 2016
Input and Output Streams
These are used to read data into one’s application. They may be potential entry points into an application. The entry points may be from an external source and must be investigated. These may also be used in path traversal attacks or DoS attacks.
Java.io
java.util.zip
java.util.jar
FileInputStream
ObjectInputStream
FilterInputStream
PipedInputStream
SequenceInputStream
StringBufferInputStream
BufferedReader
ByteArrayInputStream
CharArrayReader
File
ObjectInputStream
PipedInputStream
StreamTokenizer
getResourceAsStream
java.io.FileReader
java.io.FileWriter
java.io.RandomAccessFile
java.io.File
java.io.FileOutputStream
mkdir
renameTo
java.io.File.delete
java.io.File.listFiles
java.io.File.list
Servlets
These API calls may be avenues for parameter, header, URL, and cookie tampering, HTTP Response Splitting and information leakage. They should be examined closely as many of such APIs obtain the parameters directly from HTTP requests.
javax.servlet.*
getParameterNames
getParameterValues
getParameter
getParameterMap
getScheme
getProtocol
getContentType
getServerName
getRemoteAddr
getRemoteHost
getRealPath
getLocalName
getAttribute
getAttributeNames
getLocalAddr
getAuthType
getRemoteUser
getCookies
isSecure
HttpServletRequest
getQueryString
getHeaderNames
getHeaders
getPrincipal
getUserPrincipal
isUserInRole
getInputStream
getOutputStream
getWriter
addCookie
addHeader
setHeader
setAttribute
putValue
javax.servlet.http.Cookie
getName
getPath
getDomain
getComment
getMethod
getPath
getReader
getRealPath
getRequestURI
getRequestURL
getServerName
getValue
getValueNames
getRequestedSessionId
Cross Site Scripting
javax.servlet.ServletOutputStream.print
javax.servlet.jsp.JspWriter.print
java.io.PrintWriter.print
Response Splitting
javax.servlet.http.HttpServletResponse.sendRedirect
addHeader, setHeader
Redirection
sendRedirect
setStatus
addHeader, setHeader
SQL & Database
Searching for Java Database related code this list should help you pinpoint classes/methods which are involved in the persistence layer of the application being reviewed.
jdbc
executeQuery
select
insert
update
delete
execute
executestatement
createStatement
java.sql.ResultSet.getString
java.sql.ResultSet.getObject
java.sql.Statement.executeUpdate
java.sql.Statement.executeQuery
java.sql.Statement.execute
java.sql.Statement.addBatch
java.sql.Connection.prepareStatement
java.sql.Connection.prepareCall
SSL
Looking for code which utilises SSL as a medium for point to point encryption. The following fragments should indicate where SSL functionality has been developed.
com.sun.net.ssl
SSLContext
SSLSocketFactory
TrustManagerFactory
HttpsURLConnection
KeyManagerFactory
Session Management
getSession
invalidate
getId
Legacy Interaction
Here we may be vulnerable to command injection attacks or OS injection attacks. Java linking to the native OS can cause serious issues and potentially give rise to total server compromise.
java.lang.Runtime.exec
java.lang.Runtime.getRuntime
Logging
We may come across some information leakage by examining code below contained in one’s application.
java.io.PrintStream.write
log4j
jLo
Lumberjack
MonoLog
qflog
just4log
log4Ant
JDLabAgent
Architectural Analysis
If we can identify major architectural components within that application (right away) it can help narrow our search, and we can then look for known vulnerabilities in those components and frameworks:
### Ajax
XMLHTTP
### Struts
org.apache.struts
### Spring
org.springframework
### Java Server Faces (JSF)
import javax.faces
### Hibernate
import org.hibernate
### Castor
org.exolab.castor
### JAXB
javax.xml
### JMS
JMS
Generic Keywords
Developers say the darnedest things in their source code. Look for the following keywords as pointers to possible software vulnerabilities:
Hack
Kludge
Bypass
Steal
Stolen
Divert
Broke
Trick
FIXME
ToDo
Password
Backdoor
WEB 2.0
Ajax and JavaScript
Look for Ajax usage, and possible JavaScript issues:
document.write
eval
document.cookie
window.location
document.URL
Code Execution
The following may lead to arbitrary java code execution if source of input data is entrusted or not validated.
java.lang.ClassLoader.defineClass
java.net.URLClassLoader
java.beans.Instrospector.getBeanInfo
System.load
System.loadLibrary
Runtime.exec
ProcessBuilder (constructor)
javax.script.ScriptEngine.eval
XMLHTTP
window.createRequest