This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Searching for Code in J2EE/Java"

From OWASP
Jump to: navigation, search
m (Review - spelling etc)
 
(27 intermediate revisions by 5 users not shown)
Line 1: Line 1:
== Searching for key indicators ==
+
{{LinkBar
The basis of the code review is to locate and analyse areas of code which may have application security implications.
+
  | useprev=PrevLink | prev=Crawling Code | lblprev=
Assuming the code reviewer has a thorough understanding of the code, what it is intended to do and the context upon which it is to be used, firstly one needs to sweep the code base for areas of interest.
+
  | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents
 +
  | usenext=NextLink | next=Searching for Code in Classic ASP | lblnext=
 +
}}
 +
__TOC__
  
This can be done by performing a text search on the code base looking for keywords relating to API's and functions.
+
==Input and Output Streams==
Below is a guide for .NET framework 1.1 & 2.0
+
These are used to read data into one’s application. They may be potential entry points into an application. The entry points may be from an external source and must be investigated. These may also be used in path traversal attacks or DoS attacks.  
  
=== Searching for code in .NET ===
+
Java.io <br>
 +
java.util.zip <br>
 +
java.util.jar <br>
 +
FileInputStream <br>
 +
ObjectInputStream <br>
 +
FilterInputStream <br>
 +
PipedInputStream <br>
 +
SequenceInputStream <br>
 +
StringBufferInputStream <br>
 +
BufferedReader <br>
 +
ByteArrayInputStream <br>
 +
CharArrayReader <br>
 +
File <br>
 +
ObjectInputStream <br>
 +
PipedInputStream <br>
 +
StreamTokenizer <br>
 +
getResourceAsStream <br>
 +
java.io.FileReader <br>
 +
java.io.FileWriter <br>
 +
java.io.RandomAccessFile <br>
 +
java.io.File <br>
 +
java.io.FileOutputStream <br>
 +
mkdir <br>
 +
renameTo <br>
 +
java.io.File.delete  <br>
 +
java.io.File.listFiles  <br>
 +
java.io.File.list  <br>
  
Firstly one needs to be familiar with the tools one can use in order to perform text searching following on from this one need to know what to look for.
+
==Servlets==
+
These API calls may be avenues for parameter, header, URL, and cookie tampering, HTTP Response Splitting and information leakage. They should be examined closely as many of such APIs obtain the parameters directly from HTTP requests.
In this section we will assume you have a copy of Visual Studio (VS) .NET at hand. VS has two types of search "'''Find in Files'''" and a cmd line tool called '''Findstr'''
 
 
 
The test search tools in XP is not great in my experience and if one has to use this make sure SP2 in installed as it works better.
 
To start off one should scan thorough the code looking for common patterns or keywords such as "User", "Password", "Pswd", "Key", "Http", etc...
 
This can be done using the "Find in Files" tool in VS or using findstring as follows:
 
 
[Find In Files HERE]
 
  
'''findstr /s /m /i /d:c:\projects\codebase\sec "http" *.*'''
+
javax.servlet.* <br>
 +
getParameterNames<br>
 +
getParameterValues<br>
 +
getParameter<br>
 +
getParameterMap<br>
 +
getScheme<br>
 +
getProtocol<br>
 +
getContentType<br>
 +
getServerName<br>
 +
getRemoteAddr<br>
 +
getRemoteHost<br>
 +
getRealPath<br>
 +
getLocalName<br>
 +
getAttribute<br>
 +
getAttributeNames<br>
 +
getLocalAddr<br>
 +
getAuthType<br>
 +
getRemoteUser<br>
 +
getCookies<br>
 +
isSecure<br>
 +
HttpServletRequest<br>
 +
getQueryString<br>
 +
getHeaderNames<br>
 +
getHeaders<br>
 +
getPrincipal<br>
 +
getUserPrincipal<br>
 +
isUserInRole<br>
 +
getInputStream<br>
 +
getOutputStream<br>
 +
getWriter<br>
 +
addCookie<br>
 +
addHeader<br>
 +
setHeader<br>
 +
setAttribute<br>
 +
putValue<br>
 +
javax.servlet.http.Cookie<br>
 +
getName<br>
 +
getPath<br>
 +
getDomain<br>
 +
getComment<br>
 +
getMethod<br>
 +
getPath<br>
 +
getReader<br>
 +
getRealPath<br>
 +
getRequestURI<br>
 +
getRequestURL<br>
 +
getServerName<br>
 +
getValue<br>
 +
getValueNames<br>
 +
getRequestedSessionId<br>
  
+
==Cross Site Scripting==
====Http Request Strings====
+
javax.servlet.ServletOutputStream.print <br>
Requests from external sources are obviously a key area of a secure code review. We need to ensure that all HTTP requests received are data validated for composition, max and min length and if the data falls with the realms of the parameter white-list.
+
javax.servlet.jsp.JspWriter.print <br>
Bottom-line is this is a key area to look at and ensure security is enabled.
+
java.io.PrintWriter.print <br>
  
request.querystring
+
==Response Splitting==
request.form
+
javax.servlet.http.HttpServletResponse.sendRedirect <br>
request.cookies
+
addHeader, setHeader <br>
request.certificate
 
request.servervariables
 
request.IsSecureConnection
 
request.TotalBytes
 
request.BinaryRead
 
  
====HTML Output====
+
==Redirection==  
Here we are looking for responses to the client. Responses which go unvalidated or which echo external input without data validation are key areas to examine. Many client side attacks result from poor response validation. XSS relies on this somewhat.
+
sendRedirect <br>
 +
setStatus <br>
 +
addHeader, setHeader <br>
  
response.write
+
==SQL & Database==
<% =
+
Searching for Java Database related code this list should help you pinpoint classes/methods which are involved in the persistence layer of the application being reviewed.
HttpUtility
 
HtmlEncode
 
UrlEncode
 
innerText
 
innerHTML
 
  
 +
jdbc <br>
 +
executeQuery <br>
 +
select <br>
 +
insert <br>
 +
update <br>
 +
delete <br>
 +
execute <br>
 +
executestatement <br>
 +
createStatement <br>
 +
java.sql.ResultSet.getString <br>
 +
java.sql.ResultSet.getObject <br>
 +
java.sql.Statement.executeUpdate <br>
 +
java.sql.Statement.executeQuery <br>
 +
java.sql.Statement.execute <br>
 +
java.sql.Statement.addBatch <br>
 +
java.sql.Connection.prepareStatement <br>
 +
java.sql.Connection.prepareCall <br>
  
====SQL & Database====
+
==SSL==
Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine if the application is vulnerable to SQL injection. One aspect of this is to verify that the code uses either ''SqlParameter'', ''OleDbParameter'', or ''OdbcParameter''(System.Data.SqlClient). These are typed and treats parameters as the literal value and not executable code in the database.  
+
Looking for code which utilises SSL as a medium for point to point encryption. The following fragments should indicate where SSL functionality has been developed.  
  
exec sp_executesql
+
com.sun.net.ssl <br>
execute sp_executesql
+
SSLContext <br>
select from
+
SSLSocketFactory <br>
Insert
+
TrustManagerFactory <br>
update
+
HttpsURLConnection <br>
delete from where
+
KeyManagerFactory <br>
delete
 
exec sp_
 
execute sp_
 
exec xp_
 
execute sp_
 
exec @
 
execute @
 
executestatement
 
executeSQL
 
setfilter
 
executeQuery
 
GetQueryResultInXML
 
adodb
 
sqloledb
 
sql server
 
driver
 
Server.CreateObject
 
.Provider
 
.Open
 
ADODB.recordset
 
New OleDbConnection
 
ExecuteReader
 
DataSource
 
SqlCommand
 
Microsoft.Jet
 
SqlDataReader
 
ExecuteReader
 
GetString
 
SqlDataAdapter
 
CommandType
 
StoredProcedure
 
System.Data.sql
 
  
====Cookies====
+
==Session Management==
Cookie manipulation can be key to various application security exploits such as session hijacking/fixation and parameter manipulation. One should examine any code relating to cookie functionality as this would have a bearing on session security.
+
getSession <br>
System.Net.Cookie
+
invalidate <br>
[[HTTPOnly]]
+
getId <br>
  document.cookie
 
  
==== HTML Tags====
+
==Legacy Interaction==
Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display and use of such tags within a web application.
+
Here we may be vulnerable to command injection attacks or OS injection attacks. Java linking to the native OS can cause serious issues and potentially give rise to total server compromise.  
  
HtmlEncode
+
java.lang.Runtime.exec <br>
URLEncode
+
java.lang.Runtime.getRuntime <br>
<applet>
 
<frameset>
 
<embed>
 
<frame>
 
<html>
 
<iframe>  
 
<img>  
 
<style>
 
<layer>
 
<ilayer>
 
<meta>
 
<object>
 
<body>
 
<frame security
 
<iframe security
 
  
====Input Controls====
+
==Logging==
The input controls below are server classes used to produce and display web application form fields. Looking for such references helps locate entry points into the application.
+
We may come across some information leakage by examining code below contained in one’s application.  
  
system.web.ui.htmlcontrols.htmlinputhidden
+
java.io.PrintStream.write <br>
system.web.ui.webcontrols.textbox
+
log4j <br>
system.web.ui.webcontrols.listbox
+
jLo <br>
system.web.ui.webcontrols.checkboxlist
+
Lumberjack <br>
system.web.ui.webcontrols.dropdownlist
+
MonoLog <br>
 +
qflog <br>
 +
just4log <br>
 +
log4Ant <br>
 +
JDLabAgent <br>
  
====web.config====
+
==Architectural Analysis==
The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application’s root directory. For ASP.NET applications, web.config contains information about most aspects of the application’s operation.
+
If we can identify major architectural components within that application (right away) it can help narrow our search, and we can then look for known vulnerabilities in those components and frameworks:
  
requestEncoding
+
<nowiki>### Ajax </nowiki><br>
responseEncoding
+
XMLHTTP <br>
trace
 
authorization
 
CustomErrors
 
httpRuntime
 
maxRequestLength
 
debug
 
forms protection
 
appSettings
 
ConfigurationSettings
 
authentication mode
 
allow
 
deny
 
credentials
 
identity impersonate
 
timeout
 
  
====global.asax====
+
<nowiki>### Struts </nowiki><br>
Each application has its own Global.asax if one is required. Global.asax sets the event code and values for an application using scripts. One must ensure that application variables do not contain sensitive information, as they are accessible to the whole application and to all users within it.
+
org.apache.struts <br>
  
Application_OnAuthenticateRequest
+
<nowiki>### Spring </nowiki><br>
Application_OnAuthorizeRequest
+
org.springframework <br>
Session_OnStart
 
Session_OnEnd
 
  
====Logging====
+
<nowiki>### Java Server Faces (JSF) </nowiki><br>
Logging can be a source of information leakage. It is important to examining all calls to the logging subsystem and to determine if any sensitive information is being logged. Common mistakes are logging userID in conjunction with passwords within the authentication functionality or logging database requests which may contains sensitive data.
+
import javax.faces <br>
  
log4net
+
<nowiki>### Hibernate </nowiki><br>
Console.WriteLine
+
import org.hibernate <br>
System.Diagnostics.Debug
 
System.Diagnostics.Trace
 
  
====Machine.config====
+
<nowiki>### Castor </nowiki><br>
Its important that many variables in machine.config can be overridden in the web.config file for a particular application.
+
org.exolab.castor <br>
validateRequest
 
enableViewState
 
enableViewStateMac
 
  
====Threads and Concurrency====
+
<nowiki>### JAXB </nowiki><br>
Locating code that contains multithreaded functions. Concurrency issues can result in race conditions which may result in security vulnerabilities. The Thread keyword is where new threads objects are created. Code that uses static global variables which hold sensitive security information may cause session issues. Code that uses static constructors may also cause issues between threads. Not synchronizing the Dispose method may cause issues if a number of threads call Dispose at the same time, this may cause resource release issues.
+
javax.xml <br>
  
Thread
+
<nowiki>### JMS </nowiki><br>
Dispose
+
JMS <br>
  
====Class Design====
+
==Generic Keywords==
Public and Sealed relate to the design at class level. Classes which are not intended to be derived from should be sealed. Make sure all class fields are Public for a reason. Don't expose anything you don't need to.
+
Developers say the darnedest things in their source code. Look for the following keywords as pointers to possible software vulnerabilities:
  
Public
+
Hack <br>
Sealed
+
Kludge <br>
 +
Bypass <br>
 +
Steal <br>
 +
Stolen <br>
 +
Divert <br>
 +
Broke <br>
 +
Trick <br>
 +
FIXME <br>
 +
ToDo <br>
 +
Password <br>
 +
Backdoor <br>
  
====Reflection, Serialization====
+
==WEB 2.0==
Code may be generated dynamically at runtime. Code that is generated dynamically as a function of external input may give rise to issues. If your code contains sensitive data does it need to be serialized.
+
'''Ajax and JavaScript'''
  
Serializable
+
Look for Ajax usage, and possible JavaScript issues:
AllowPartiallyTrustedCallersAttribute
 
GetObjectData
 
StrongNameIdentityPermission
 
StrongNameIdentity
 
System.Reflection
 
  
====Exceptions & Errors====
+
document.write <br>
Ensure that the catch blocks do not leak information to the user in the case of an exception. Ensure when dealing with resources that the finally block is used. Having trace enabled is not great from an information leakage perspective. Ensure customised errors are properly implemented.
+
eval <br>
 +
document.cookie <br>
 +
window.location <br>
 +
document.URL <br>
  
  catch{
+
==Code Execution==
  Finally
+
The following may lead to arbitrary java code execution if source of input data is entrusted or not validated.
  trace enabled
+
java.lang.ClassLoader.defineClass  <br>
  customErrors mode
+
java.net.URLClassLoader  <br>
 +
java.beans.Instrospector.getBeanInfo  <br>
 +
System.load  <br>
 +
System.loadLibrary <br>
 +
Runtime.exec <br>
 +
ProcessBuilder (constructor) <br>
 +
javax.script.ScriptEngine.eval <br>
  
====Crypto====
+
==XMLHTTP==
If cryptography is used then is a strong enough cipher used i.e. AES or 3DES. What size key is used, the larger the better. Where is hashing performed. Are passwords that are being persisted hashed, they should be.
+
window.createRequest
How are random numbers generated? Is the PRNG "random enough"?
 
  
RNGCryptoServiceProvider
+
{{LinkBar
SHA
+
  | useprev=PrevLink | prev=Crawling Code | lblprev=
MD5
+
  | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents
base64
+
  | usenext=NextLink | next=Searching for Code in Classic ASP | lblnext=
xor
+
}}
DES
 
RC2
 
System.Random
 
Random
 
System.Security.Cryptography
 
  
====Storage====
 
If storing sensitive data in memory recommend one uses the following.
 
SecureString
 
ProtectedMemory
 
  
====Authorization, Assert & Revert====
 
Bypassing the code access security permission? Not a good idea. Also below is a list of potentially dangerous permissions such as calling unmanaged code, outside the CLR.
 
  
.RequestMinimum
 
.RequestOptional
 
Assert
 
Debug.Assert
 
CodeAccessPermission
 
ReflectionPermission.MemberAccess
 
SecurityPermission.ControlAppDomain
 
SecurityPermission.UnmanagedCode
 
SecurityPermission.SkipVerification
 
SecurityPermission.ControlEvidence
 
SecurityPermission.SerializationFormatter
 
SecurityPermission.ControlPrincipal
 
SecurityPermission.ControlDomainPolicy
 
SecurityPermission.ControlPolicy
 
  
====Legacy methods====
+
[[Category:OWASP Code Review Project]]
printf
 
strcpy
 
 
 
=== Searching for code in J2EE/Java ===
 
 
 
====Input and Output Streams====
 
These are used to read data into ones application. They may be potential entry points into an application. The entry points may be from an external source and must be investigated. These may also be used in path traversal attacks or DoS attacks.
 
 
 
Java.io
 
FileInputStream
 
ObjectInputStream
 
FilterInputStream
 
PipedInputStream
 
SequenceInputStream
 
StringBufferInputStream
 
BufferedReader
 
ByteArrayInputStream
 
CharArrayReader
 
File
 
ObjectInputStream
 
PipedInputStream
 
StreamTokenizer
 
getResourceAsStream
 
java.io.FileReader
 
java.io.FileWriter
 
java.io.RandomAccessFile
 
java.io.File
 
java.io.FileOutputStream
 
 
 
====Servlets====
 
These API calls may be avenues for parameter, header, URL & cookie tampering, HTTP Response Splitting and information leakage. They should be examined closely as many of such API's obtain the parameters directly from HTTP requests.
 
javax.servlet.
 
getParameterNames
 
getParameterValues
 
getParameter
 
getParameterMap
 
getScheme
 
getProtocol
 
getContentType
 
getServerName
 
getRemoteAddr
 
getRemoteHost
 
getRealPath
 
getLocalName
 
getAttribute
 
getAttributeNames
 
getLocalAddr
 
getAuthType
 
getRemoteUser
 
getCookies
 
isSecure
 
HttpServletRequest
 
getQueryString
 
getHeader
 
getPrincipal
 
isUserInRole
 
getOutputStream
 
getWriter
 
addCookie
 
addHeader
 
setHeader
 
javax.servlet.http.Cookie
 
getName
 
getPath
 
getDomain
 
getComment
 
getValue
 
getRequestedSessionId
 
'''Cross site scripting'''
 
javax.servlet.ServletOutputStream.print
 
javax.servlet.jsp.JspWriter.print
 
java.io.PrintWriter.print
 
 
 
'''Response Splitting'''
 
javax.servlet.http.HttpServletResponse.sendRedirect
 
 
 
====SQL & Database====
 
Searching for Java Database related code this list should help you pinpoint classes/methods which are involved in the persistence layer of the application being reviewed.
 
jdbc
 
executeQuery
 
select
 
insert
 
update
 
delete
 
execute
 
executestatement
 
java.sql.ResultSet.getString
 
java.sql.ResultSet.getObject
 
java.sql.Statement.executeUpdate
 
java.sql.Statement.executeQuery
 
java.sql.Statement.execute
 
java.sql.Statement.addBatch
 
java.sql.Connection.prepareStatement
 
java.sql.Connection.prepareCall
 
 
 
====SSL====
 
 
 
Looking for code which utilises SSL as a medium for point to point encryption. The following fragments should indicate where SSL functionality has been developed.
 
 
 
com.sun.net.ssl
 
SSLContext
 
SSLSocketFactory
 
TrustManagerFactory
 
HttpsURLConnection
 
KeyManagerFactory
 
 
 
====Session Management====
 
getSession
 
invalidate
 
getId
 
 
 
====Data Validation====
 
 
 
====Legacy Interaction====
 
Here we may be vulnerable to command injection attacks or OS injection attacks. Java linking to the native OS can cause serious issues and potentially give rise to total server compromise.
 
 
 
java.lang.Runtime.exec
 
 
 
====Logging====
 
We may come across some information leakage by examining code below contained in ones application.
 
 
 
java.io.PrintStream.write
 
log4j
 
jLo
 
Lumberjack
 
MonoLog
 
qflog
 
just4log
 
log4Ant
 
JDLabAgent
 
 
 
====Architectural Analysis====
 
If we can identify major architectural components within that application (right away) it can help narrow our search, and we can then look for known vulnerabilities in those components and frameworks:
 
 
 
### Ajax
 
XMLHTTP
 
### Struts
 
org.apache.struts
 
### Spring
 
org.springframework
 
### Java Server Faces (JSF)
 
import javax.faces
 
### Hibernate
 
import org.hibernate
 
### Castor
 
org.exolab.castor
 
### JAXB
 
javax.xml
 
### JMS
 
JMS
 
 
=== Searching for code in Classic ASP ===
 
 
 
====Inputs====
 
Request
 
Request.QueryString
 
Request.Form
 
Request.ServerVariables
 
Query_String
 
hidden
 
include
 
.inc
 
 
====Output====
 
response.write
 
<%=
 
HtmlEncode
 
UrlEncode
 
innerText
 
innerHTML
 
 
 
====Cookies====
 
.cookies
 
 
====Error Handling====
 
  err.
 
  Server.GetLastError
 
  On Error Resume Next
 
  On Error GoTo 0
 
 
 
====Information in URL====
 
location.href
 
location.replace
 
method="GET"
 
 
====Database====
 
commandText
 
select from
 
update
 
insert into
 
delete from where
 
exec
 
execute
 
.execute
 
.open
 
ADODB.
 
commandtype
 
 
====Session====
 
session.timeout
 
session.abandon
 
session.removeall
 
 
====DoS Prevention====
 
server.ScriptTimeout 
 
IsClientConnected
 
 
 
====Logging====
 
WriteEntry
 
 
====Redirection====
 
Response.Redirect
 
Server.Transfer
 
Server.Execute
 
 
 
===Generic keywords===
 
Developers say the darnedest things in their source code.  Look for the following keywords as pointers to possible software vulnerabilities:
 
 
 
Hack
 
Kludge
 
Bypass
 
Steal
 
Stolen
 
Divert
 
Broke
 
Trick
 
Fix
 
ToDo
 
 
 
===Web 2.0===
 
 
 
====Ajax and JavaScript====
 
Look for Ajax usage, and possible JavaScript issues:
 
 
 
document.write
 
eval(
 
document.cookie
 
window.location
 
document.URL
 
XMLHTTP
 
window.createRequest
 

Latest revision as of 22:44, 18 April 2016

«««« Main
(Table of Contents)
»»»»

Input and Output Streams

These are used to read data into one’s application. They may be potential entry points into an application. The entry points may be from an external source and must be investigated. These may also be used in path traversal attacks or DoS attacks.

Java.io
java.util.zip
java.util.jar
FileInputStream
ObjectInputStream
FilterInputStream
PipedInputStream
SequenceInputStream
StringBufferInputStream
BufferedReader
ByteArrayInputStream
CharArrayReader
File
ObjectInputStream
PipedInputStream
StreamTokenizer
getResourceAsStream
java.io.FileReader
java.io.FileWriter
java.io.RandomAccessFile
java.io.File
java.io.FileOutputStream
mkdir
renameTo
java.io.File.delete
java.io.File.listFiles
java.io.File.list

Servlets

These API calls may be avenues for parameter, header, URL, and cookie tampering, HTTP Response Splitting and information leakage. They should be examined closely as many of such APIs obtain the parameters directly from HTTP requests.

javax.servlet.*
getParameterNames
getParameterValues
getParameter
getParameterMap
getScheme
getProtocol
getContentType
getServerName
getRemoteAddr
getRemoteHost
getRealPath
getLocalName
getAttribute
getAttributeNames
getLocalAddr
getAuthType
getRemoteUser
getCookies
isSecure
HttpServletRequest
getQueryString
getHeaderNames
getHeaders
getPrincipal
getUserPrincipal
isUserInRole
getInputStream
getOutputStream
getWriter
addCookie
addHeader
setHeader
setAttribute
putValue
javax.servlet.http.Cookie
getName
getPath
getDomain
getComment
getMethod
getPath
getReader
getRealPath
getRequestURI
getRequestURL
getServerName
getValue
getValueNames
getRequestedSessionId

Cross Site Scripting

javax.servlet.ServletOutputStream.print
javax.servlet.jsp.JspWriter.print
java.io.PrintWriter.print

Response Splitting

javax.servlet.http.HttpServletResponse.sendRedirect
addHeader, setHeader

Redirection

sendRedirect
setStatus
addHeader, setHeader

SQL & Database

Searching for Java Database related code this list should help you pinpoint classes/methods which are involved in the persistence layer of the application being reviewed.

jdbc
executeQuery
select
insert
update
delete
execute
executestatement
createStatement
java.sql.ResultSet.getString
java.sql.ResultSet.getObject
java.sql.Statement.executeUpdate
java.sql.Statement.executeQuery
java.sql.Statement.execute
java.sql.Statement.addBatch
java.sql.Connection.prepareStatement
java.sql.Connection.prepareCall

SSL

Looking for code which utilises SSL as a medium for point to point encryption. The following fragments should indicate where SSL functionality has been developed.

com.sun.net.ssl
SSLContext
SSLSocketFactory
TrustManagerFactory
HttpsURLConnection
KeyManagerFactory

Session Management

getSession
invalidate
getId

Legacy Interaction

Here we may be vulnerable to command injection attacks or OS injection attacks. Java linking to the native OS can cause serious issues and potentially give rise to total server compromise.

java.lang.Runtime.exec
java.lang.Runtime.getRuntime

Logging

We may come across some information leakage by examining code below contained in one’s application.

java.io.PrintStream.write
log4j
jLo
Lumberjack
MonoLog
qflog
just4log
log4Ant
JDLabAgent

Architectural Analysis

If we can identify major architectural components within that application (right away) it can help narrow our search, and we can then look for known vulnerabilities in those components and frameworks:

### Ajax
XMLHTTP

### Struts
org.apache.struts

### Spring
org.springframework

### Java Server Faces (JSF)
import javax.faces

### Hibernate
import org.hibernate

### Castor
org.exolab.castor

### JAXB
javax.xml

### JMS
JMS

Generic Keywords

Developers say the darnedest things in their source code. Look for the following keywords as pointers to possible software vulnerabilities:

Hack
Kludge
Bypass
Steal
Stolen
Divert
Broke
Trick
FIXME
ToDo
Password
Backdoor

WEB 2.0

Ajax and JavaScript

Look for Ajax usage, and possible JavaScript issues:

document.write
eval
document.cookie
window.location
document.URL

Code Execution

The following may lead to arbitrary java code execution if source of input data is entrusted or not validated. java.lang.ClassLoader.defineClass
java.net.URLClassLoader
java.beans.Instrospector.getBeanInfo
System.load
System.loadLibrary
Runtime.exec
ProcessBuilder (constructor)
javax.script.ScriptEngine.eval

XMLHTTP

window.createRequest


«««« Main
(Table of Contents)
»»»»