
OWASP Java Table of Contents

Revision as of 07:04, 13 November 2006 by Stephendv

Key:

  • xx%: Completion status of the section
  • Review: The section needs a review
  • TD: To be done; the section has not yet been assigned to an author

J2EE Security for Architects

Design considerations

  • Architectural considerations (0%, TD)
    • EJB Middle tier (0%, TD)
    • Web Services Middle tier (0%, TD)
    • Spring Middle tier (0%, TD)

J2EE Security for Developers

Noteworthy Frameworks

(50% ?, Claire McDonough, Ranjita Shankar Iyer, Rohyt Belani to update, Review)

  • Struts
  • Turbine
  • JSF (MyFaces)
  • Tapestry
  • Webwork
  • Cocoon
  • Tiles
  • SiteMesh
  • Spring

Java Security Basics

  • Class Loading (0%, Shyaam Sundar, Review)
  • Bytecode verifier (0%, Shyaam Sundar, Review)
  • The Security Manager and security.policy file (0%, Shyaam Sundar, Review)

Input Validation

  • Overview (0%, TD)
  • Dangerous calls (BufferedReader.readLine(), ServletRequest.getParameter(), etc.) (0%, TD)
  • How to add validation logic to HttpServletRequest (100%, Jeff Williams, Review)
  • How to perform HTML entity encoding in Java (100%, Jeff Williams, Review)

Preventing SQL Injection in Java

  • Overview
  • Prevention (60%, Stephen de Vries, Review)
    • White Listing
    • Prepared Statements
    • Stored Procedures
    • Hibernate
    • iBATIS
    • Spring JDBC
    • EJB 3.0
    • JDO

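The two prevention techniques listed first above, white listing and prepared statements, are shown together in the following JDBC example. This is an added illustration, not code from the OWASP Java project; the `users` table, its columns, and the `UserLookup` class are assumed for the example, and `Set.of` requires a current JDK rather than the 2006-era ones the outline was written against. The same rule applies to Hibernate, iBATIS, Spring JDBC, EJB 3.0 and JDO: values go through named or positional parameters, never through string concatenation, and identifiers that cannot be parameterised are checked against a fixed list.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class UserLookup {

    // Vulnerable: the untrusted value becomes part of the SQL text. An input of
    //   ' OR '1'='1
    // turns the WHERE clause into a tautology and returns every row.
    public static String vulnerableQuery(String username) {
        return "SELECT email FROM users WHERE username = '" + username + "'";
    }

    // Hardened: the SQL text is a constant and the value is bound as a
    // parameter, so the driver and database never interpret it as SQL.
    public static List<String> safeLookup(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                List<String> emails = new ArrayList<>();
                while (rs.next()) {
                    emails.add(rs.getString("email"));
                }
                return emails;
            }
        }
    }

    // Identifiers (column names, ORDER BY targets) cannot be bound as
    // parameters. Where they come from the request, pass them through a fixed
    // allow-list (white list) before splicing them into the statement.
    private static final Set<String> SORT_COLUMNS = Set.of("username", "email", "created");

    public static String sortColumn(String requested) {
        if (requested == null || !SORT_COLUMNS.contains(requested)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return requested;
    }

    public static List<String> safeSortedList(Connection conn, String sortBy, int limit)
            throws SQLException {
        // Only the allow-listed identifier is spliced; the limit is still a bound parameter.
        String sql = "SELECT username FROM users ORDER BY " + sortColumn(sortBy) + " LIMIT ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, limit);
            try (ResultSet rs = ps.executeQuery()) {
                List<String> names = new ArrayList<>();
                while (rs.next()) {
                    names.add(rs.getString("username"));
                }
                return names;
            }
        }
    }

    public static void main(String[] args) {
        // Shows how the vulnerable builder lets input rewrite the statement.
        System.out.println(vulnerableQuery("alice"));
        System.out.println(vulnerableQuery("' OR '1'='1"));
    }
}
```

Running `main` prints the two generated statements side by side; the second one no longer filters on a username at all. Note that escaping quotes in the vulnerable builder is not a fix: escaping rules differ between databases and character sets, whereas a bound parameter is handled by the driver for you.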
Preventing LDAP Injection in Java

  • Overview (100%, Stephen de Vries, Review)
  • Prevention (100%, Stephen de Vries, Review)

XPath Injection

  • Overview (0%, TD)
  • Prevention (0%, TD)

Miscellaneous Injection Attacks

  • HTTP Response splitting (0%, TD)
  • Command injection - Runtime.getRuntime().exec() (0%, TD)

Authentication

Session Management

  • Logout (0%, TD)
  • Session Timeout (0%, TD)
  • Absolute Timeout (0%, TD)
  • Session Fixation (0%, TD)
  • Terminating sessions (0%, TD)
    • Terminating sessions when the browser window is closed
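The session-management items above (session fixation, idle and absolute timeouts, logout) are illustrated by the following servlet-side code. It is an added example, not code from the OWASP Java project; it uses the `javax.servlet` API of the page's era, and the `cart` attribute, the timeout values and the `SessionHandling` class are assumed for the example.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionHandling {

    private static final int IDLE_TIMEOUT_SECONDS = 15 * 60;           // assumed policy
    private static final long ABSOLUTE_LIFETIME_MS = 8L * 60 * 60 * 1000; // assumed policy
    private static final String LOGIN_TIME = "loginTime";

    // Call after credentials have been verified. Discards the pre-login session,
    // whose id an attacker could have fixed (via a link, cookie or URL), and
    // starts a fresh one so the attacker's id no longer maps to the login.
    public static HttpSession establishAuthenticatedSession(HttpServletRequest req, String user) {
        Map<String, Object> carried = new HashMap<>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            // Copy only the attributes that should explicitly survive login.
            Object cart = old.getAttribute("cart");
            if (cart != null) {
                carried.put("cart", cart);
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);   // container issues a new id here
        fresh.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS); // idle timeout
        fresh.setAttribute("user", user);
        fresh.setAttribute(LOGIN_TIME, Long.valueOf(System.currentTimeMillis()));
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    // Absolute timeout: the container only enforces the idle timeout, so the
    // age of the session has to be checked on each request (e.g. in a filter).
    public static boolean isExpired(HttpSession s) {
        Long loginTime = (Long) s.getAttribute(LOGIN_TIME);
        return loginTime == null
            || System.currentTimeMillis() - loginTime.longValue() > ABSOLUTE_LIFETIME_MS;
    }

    // Logout: invalidate on the server; clearing the cookie client-side alone
    // leaves the session usable by anyone who already holds the id.
    public static void logout(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s != null) {
            s.invalidate();
        }
    }
}
```

Servlet 3.1 and later also offer `HttpServletRequest.changeSessionId()`, which renews the id without discarding attributes; the invalidate-and-recreate pattern above works on the older containers the outline targets.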

Authorization

  • Declarative vs. Programmatic (0%, TD)
  • EJB Authorization (0%, TD)
  • Acegi (0%, TD)
  • JACC (0%, TD)
  • Check horizontal privilege (0%, TD)

Encryption

  • JCE (0%, TD)
  • Storing db secrets (0%, TD)
  • Encrypting JDBC connections (0%, TD)
  • JSSE (0%, TD)
  • Random number generation (0%, TD)

Error Handling & Logging

  • Logging - why log? what to log? log4j, etc. (0%, TD)
  • Exception handling techniques (0%, TD)
    • fail-open/fail-closed
    • resource cleanup
    • finally block
    • swallowing exceptions
  • Exception handling frameworks (50%, TD)
    • Servlet spec - web.xml error-page declarations (covered in Securing Tomcat) (100%, Darren Edmonds, Review)
    • JSP errorPage (0%, TD)
  • Web application forensics (0%, TD)
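The exception-handling points listed above (fail-open versus fail-closed, resource cleanup, the finally block, swallowing exceptions) are shown in one place by the following example. It is added here and is not code from the OWASP Java project; the `PolicyStore` interface and the `FailClosed` class are hypothetical stand-ins for an authorization backend.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.util.logging.Level;
import java.util.logging.Logger;

public class FailClosed {

    private static final Logger LOG = Logger.getLogger(FailClosed.class.getName());

    // Hypothetical policy backend; throws IOException when it cannot be reached.
    public interface PolicyStore {
        boolean allows(String user, String action) throws IOException;
    }

    // Fail-open anti-pattern: the default is 'allowed' and the exception is
    // swallowed, so an outage of the policy store grants every request and
    // leaves no trace in the logs.
    public static boolean failOpen(PolicyStore store, String user, String action) {
        boolean allowed = true;
        try {
            allowed = store.allows(user, action);
        } catch (IOException e) {
            // swallowed: no log entry, 'allowed' keeps its initial value
        }
        return allowed;
    }

    // Fail-closed: deny on any failure, and record the failure with enough
    // context (who, what, and the cause) for later investigation.
    public static boolean failClosed(PolicyStore store, String user, String action) {
        try {
            return store.allows(user, action);
        } catch (IOException e) {
            LOG.log(Level.SEVERE, "policy lookup failed for user=" + user + " action=" + action, e);
            return false;
        }
    }

    // Resource cleanup: release the resource in finally so an exception on the
    // normal path cannot leak it. try-with-resources does the same for
    // AutoCloseable types; the explicit finally shows what it expands to.
    public static String readAll(Reader r) throws IOException {
        try {
            StringBuilder sb = new StringBuilder();
            char[] buf = new char[1024];
            int n;
            while ((n = r.read(buf)) != -1) {
                sb.append(buf, 0, n);
            }
            return sb.toString();
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws IOException {
        // Simulated outage: every lookup throws.
        PolicyStore down = (user, action) -> {
            throw new IOException("policy store unreachable");
        };
        System.out.println("fail-open grants access:   " + failOpen(down, "alice", "transfer"));
        System.out.println("fail-closed denies access: " + failClosed(down, "alice", "transfer"));
        System.out.println(readAll(new StringReader("cleanup ran")));
    }
}
```

The same shape applies to authentication and input validation: initialise to the denying value, return it from every catch block, and log the exception object itself rather than a bare message so the stack trace is available to the forensics work listed above.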

Web Services Security

  • SAML (0%, TD)
  • (X)WS-Security (0%, TD)
  • Sun JWSDP (Java Web Services Developer Pack) (0%, TD)
  • XML Signature (JSR 105) (0%, TD)
  • XML Encryption (JSR 106) (0%, TD)

Code Analysis Tools

  • Introduction (0%, TD)
  • OWASP LAPSE Project (100%, Review)
  • FindBugs (0%, TD)
    • Creating custom rules
  • PMD (0%, TD)
    • Creating custom rules
  • JLint (0%, TD)
  • Jmetrics (0%, TD)

J2EE Security For Deployers

Securing Popular J2EE Servers

  • Securing Tomcat - (100%, Darren Edmonds, Review)
  • Securing JBoss (0%, TD)
  • Securing WebLogic (0%, TD)
  • Securing WebSphere (0%, TD)
  • Others

Defining a Java Security Policy

  • PolicyTool (80%, Jeff Williams, Needs a new owner, Review)
  • jChains (www.jchains.org) - (0%, TD)

Protecting Binaries

  • Bytecode manipulation tools and techniques (0%, TD)
  • Bytecode obfuscation (proguard) (0%, TD)
  • Convert bytecode to native machine code (0%, TD)
  • Signing jar files with jarsigner (0%, TD)

J2EE Security for Security Analysts and Testers

  • Using Eclipse to verify Java applications (0%, TD)
  • Using WebScarab to find vulnerabilities in J2EE applications - (0%, TD)
  • Decompiling Java bytecode (0%, TD)

Java Resources (ongoing)