OWASP Java Table of Contents
Key:
- xx%: Progress status of the paragraph
- Review: The paragraph needs a review
- TD: Paragraph to be assigned
- 1 J2EE Security for Architects
- 2 J2EE Security for Developers
- 3 J2EE Security For Deployers
- 4 J2EE Security for Security Analysts and Testers
- 5 Java Resources (ongoing)
J2EE Security for Architects
Design considerations
- Architectural considerations (0%, TD)
- EJB Middle tier (0%, TD)
- Web Services Middle tier (0%, TD)
- Spring Middle tier (0%, TD)
J2EE Security for Developers
Noteworthy Frameworks
(50%?, Claire McDonough, Ranjita Shankar Iyer, Rohyt Belani to update, Review)
- Struts
- Turbine
- JSF (MyFaces)
- Tapestry
- Webwork
- Cocoon
- Tiles
- SiteMesh
- Spring
Java Security Basics
- Class Loading (0%, Shyaam Sundar, Review)
- Bytecode verifier (0%, Shyaam Sundar, Review)
- The Security Manager and security.policy file (0%, Shyaam Sundar, Review)
Input Validation
- Overview (0%, TD)
- Dangerous calls (BufferedReader.readLine(), ServletRequest.getParameter(), etc.) (0%, TD)
- [How to add validation logic to HttpServletRequest] (100%, Jeff Williams, Review)
- [How to perform HTML entity encoding in Java] (100%, Jeff Williams, Review)
Preventing SQL Injection in Java
- Overview
- Prevention (60%, Stephen de Vries, Review)
  - White Listing
  - Prepared Statements
  - Stored Procedures
  - Hibernate
  - Ibatis
  - Spring JDBC
  - EJB 3.0
  - JDO
Preventing LDAP Injection in Java
- Overview (100%, Stephen de Vries, Review)
- Prevention (100%, Stephen de Vries, Review)
XPath Injection
- Overview (0%, TD)
- Prevention (0%, TD)
Miscellaneous Injection Attacks
- HTTP Response splitting (0%, TD)
- Command injection (Runtime.getRuntime().exec()) (0%, TD)
Authentication
- Storing credentials (0%, Adrian San Juan, Review)
- Hashing (100%, Michel Prunet, Review)
- SSL Best Practices (20%, Philippe Curmin, Review)
- Using JCaptcha (100%, Dave Ferguson, Review)
- Container-managed authentication with Realms
- Declarative Access Control in Java (100%, Dave Ferguson, Review)
- JAAS Timed Login Module (100%, Stephen de Vries, Review)
- JAAS Tomcat Login Module (100%, Stephen de Vries, Review)
- Password length & complexity (0%, Adrian San Juan, Review)
Session Management
- Logout (0%, TD)
- Session Timeout (0%, TD)
- Absolute Timeout (0%, TD)
- Session Fixation (0%, TD)
- Terminating sessions (0%, TD)
  - Terminating sessions when the browser window is closed
Authorization
- Declarative vs. Programmatic (0%, TD)
- EJB Authorization (0%, TD)
- Acegi (0%, TD)
- JACC (0%, TD)
- Check horizontal privilege (0%, TD)
Encryption
- JCE (0%, TD)
- Storing db secrets (0%, TD)
- Encrypting JDBC connections (0%, TD)
- JSSE (0%, TD)
- Random number generation (0%, TD)
Error Handling & Logging
- Logging: why log, what to log, log4j, etc. (0%, TD)
- Exception handling techniques (0%, TD)
  - fail-open/fail-closed
  - resource cleanup
  - finally block
  - swallowing exceptions
- Exception handling frameworks (50%, TD)
- Servlet spec: web.xml (see Securing Tomcat) (100%, Darren Edmonds, Review)
- JSP errorPage (0%, TD)
- Web application forensics (0%, TD)
Web Services Security
- SAML (0%, TD)
- (X)WS-Security (0%, TD)
- SunJWSDP (0%, TD)
- XML Signature (JSR 105) (0%, TD)
- XML Encryption (JSR 106) (0%, TD)
Code Analysis Tools
- Introduction (0%, TD)
- Category:OWASP LAPSE Project (100%, Review)
- FindBugs (0%, TD)
  - Creating custom rules
- PMD (0%, TD)
  - Creating custom rules
- JLint (0%, TD)
- Jmetrics (0%, TD)
J2EE Security For Deployers
Securing Popular J2EE Servers
- Securing Tomcat (100%, Darren Edmonds, Review)
- Securing JBoss (0%, TD)
- Securing WebLogic (0%, TD)
- Securing WebSphere (0%, TD)
- Others...
Defining a Java Security Policy
- PolicyTool (80%, Jeff Williams, Needs a new owner, Review)
- jChains (www.jchains.org) (0%, TD)
Protecting Binaries
- Bytecode manipulation tools and techniques (0%, TD)
- Bytecode obfuscation (proguard) (0%, TD)
- Convert bytecode to native machine code (0%, TD)
- Signing jar files with jarsigner (0%, TD)
J2EE Security for Security Analysts and Testers
- Using Eclipse to verify Java applications (0%, TD)
- Using WebScarab to find vulnerabilities in J2EE applications (0%, TD)
- Decompiling Java bytecode (0%, TD)