Grails Secure Code Review Cheat Sheet
- 1 Introduction
- 2 Getting Started Reviewing Groovy Language Source Code Files
- 3 Getting Started Reviewing Java Language Source Code Included in Grails Applications
- 4 Getting Started Reviewing Other Types of Source Code And Functionality Included in Grails Applications
- 5 Code Review Tool Configuration Summary
- 6 References and Further Reading
- 7 Authors and Primary Editors
- 8 Other Cheat Sheets
Introduction
This article provides clear, simple, actionable guidance for getting started with reviewing the source code of applications written using the Grails web application framework for potential security flaws, whether architectural or implementation-related. Reviewing Grails application source code can be tricky: it is easy, even for an experienced code reviewer, to unintentionally skip past (i.e. not review) parts of a Grails application because of features of the Groovy programming language and of the Grails framework. Those Groovy-specific and Grails-specific considerations are explored in this article, which can be used as a checklist for reviewing Grails application source code for both architectural and implementation-related potential security flaws. The guidance can support manual analysis, automated analysis, or a combination of the two, depending on the resources you have available.
Groovy Language Basics
TODO
“.groovy” Files
TODO
“.gsp” Files
TODO
Grails Framework Basics
Wikipedia describes the Grails framework as... TODO
Grails Programming Languages
TODO
Grails Application Directory Structure
TODO
Why Can’t I Just Scan The Byte Code Compiled From The Generated Java Classes?
Well, you can. But even assuming that you can (1) build the code or otherwise obtain the compiled bytecode, and (2) have access to a decent automated static analysis tool, you are going to end up with very noisy results that developers cannot easily act upon. Findings reported against generated code must first be translated into findings mapped back to the original Groovy code before developers can make fixes that fit their Grails and Groovy solution stack (a Java language fix, or a Java library such as OWASP's ESAPI, may not be appropriate or actionable for technical or non-technical reasons). Further, you will find that Groovy language-specific considerations, along with Grails library and framework-specific considerations, are not being analyzed at all. ... TODO... CodeNarc not enough...
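As an added illustration of one such Groovy language-specific consideration (this is example code written for this cheat sheet, not code from the original page or from the Grails project), the script below shows three ways of passing attacker-controlled input to groovy.sql.Sql that look nearly identical in source but behave very differently. A GString handed directly to Sql is turned into a PreparedStatement with the ${...} values bound as parameters, so what reads like string interpolation is actually safe; the same text with .toString(), or built with + concatenation, is interpolated before Sql sees it and is injectable. A reviewer applying Java habits, or a bytecode scanner that only sees a String or GString argument, can easily get this backwards in either direction. The script assumes the H2 JDBC driver can be resolved via @Grab (the coordinates and the table contents are constructed for the example).

```groovy
// Added example for the Grails Secure Code Review Cheat Sheet; not original page code.
// Assumption: the H2 in-memory database driver is resolvable via @Grab.
@Grab('com.h2database:h2:2.1.214')
@GrabConfig(systemClassLoader = true)
import groovy.sql.Sql

def sql = Sql.newInstance('jdbc:h2:mem:review;DB_CLOSE_DELAY=-1', 'sa', '', 'org.h2.Driver')

// Constructed sample data for the example.
sql.execute('create table users (id int primary key, name varchar(64), is_admin boolean)')
sql.execute("insert into users values (1, 'alice', false), (2, 'bob', true)")

// Constructed attacker-controlled input, e.g. a request parameter.
String tainted = "alice' OR '1'='1"

// 1) GString passed directly to Sql. Groovy hands Sql the GString object, and Sql
//    rewrites it to "select * from users where name = ?" with the ${...} value bound
//    as a parameter. Note: no quotes around ${tainted}, the placeholder supplies them.
def viaGString = sql.rows("select * from users where name = ${tainted}")

// 2) Same text, but .toString() forces interpolation in Groovy before Sql sees it.
//    Sql now receives a plain String with the payload spliced in: injectable.
def viaToString = sql.rows("select * from users where name = '${tainted}'".toString())

// 3) Plain String concatenation, exactly as in Java: injectable.
def viaConcat = sql.rows("select * from users where name = '" + tainted + "'")

// The parameterized query matches nothing; the two interpolated queries return every row.
assert viaGString.size() == 0
assert viaToString.size() == 2
assert viaConcat.size() == 2

println "GString parameterized: ${viaGString.size()} rows"
println "GString.toString():    ${viaToString.size()} rows"
println "String concatenation:  ${viaConcat.size()} rows"

sql.close()
```

When reviewing Groovy, the check is therefore not "is there interpolation in the SQL text" but "what type reaches the Sql method and who performed the interpolation": a GString argument to Sql.rows, Sql.execute and friends is parameterized, while any .toString(), string concatenation, or a GString stored into a String-typed variable produces a plain String that Sql executes verbatim.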
Getting Started Reviewing Groovy Language Source Code Files
TODO
Reviewing Groovy Language Files (.groovy and .gsp)
TODO
Groovy Language Considerations
TODO
Groovy Library and Framework Considerations
TODO
Reviewing Grails Framework Groovy Language Files
TODO
Grails Model Considerations
TODO
Grails View Considerations
TODO
Grails Controller Considerations
TODO
Grails Service Considerations
TODO
Reviewing Java In Groovy Language Files (.groovy and .gsp)
TODO
Getting Started Reviewing Java Language Source Code Included in Grails Applications
TODO
Reviewing Java In Java Language Files (.java and .jsp)
... Review like any other Java app... TODO...
Reviewing Other Java Language File Types
... Review like any other Java app... TODO...
Getting Started Reviewing Other Types of Source Code And Functionality Included in Grails Applications
TODO
Reviewing Other Types Included For Use by the Grails Framework
TODO
Reviewing Other Types Included For Use by Java Language Source Code
TODO
Code Review Tool Configuration Summary
TODO
References and Further Reading
...Groovy pages... Grails security pages....etc...TODO
Authors and Primary Editors
Mike Boberski - boberski_michael[at]bah.com
Other Cheat Sheets
OWASP Cheat Sheets Project Homepage