Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: J2EE Application Security Code Review

from [Andrew van der Stock] Network Security [Permanent Link]
Subject: Re: J2EE Application Security Code Review
Date: Fri, 28 Oct 2005 21:10:00 +1000 
Yousef,

The best bet is to read the OWASP Guide 2.0 (http://www.owasp.org) and look at Howard and Le Blanc's excellent Writing Secure Code. WSC contains the Microsoft Threat Modeling process, which is the best way to concentrate on those issues which could cause actual loss. You can also find this info on the Microsoft Patterns and Practices (PAG) website:

http://msdn.microsoft.com/practices/default.aspx?pull=/library/en-us/ dnpag2/html/tmwa.asp

Once you have detailed the threats, you should use the OWASP Guide to help you find if the code sticks to best practices and have a look if it is sub-standard in any.

In J2EE, the primary things to look for are:

a) the use of Struts. I like it because by default <bean:write> and friends are nearly XSS proof

Struts also has validation.xml - apps should be using this. If not, start using it. It's a freebie that makes parameter tampering that much harder (still allows * injection though for strings)

b) JSPs should in WEB-INF - prevents source code inclusion and direct access

c) Make sure that if JAAS is in use, that the actions (foo.do etc) are access controlled via JAAS rather than just allowing all. If JAAS is not in use, find out why and see if you can fix that.

d) In your container's security manager configuration, look at the permissions the Java code is running under. It should be minimalist - unfortunately, it's normally AllPermission (slackers!)

Start with nothing and watch for stack traces for permission errors. Allow those only after you have assured yourself that the code is properly protecting itself (for example, if it wants file access, make sure you've dealt with file ACLs, file system traversal, etc) before allowing access to the local file system.

e) Find any use of Runtime - access to the local environment is usually fairly woeful.

Other than that, the things in OWASP Guide should give you plenty to get on with - I'll give a secret away - I wrote or revised most of the controls in the Guide at night whilst doing J2EE code reviews during the day, so many controls are already slanted to J2EE :)

I'm sure many others will chip in on J2EE code reviews.

thanks,
Andrew

On 28/10/2005, at 8:02 PM, Yousef Syed wrote:

Hi,
I've been tasked with performing a Code Review on for Security on a
J2EE Application's code.
Though I've taken part in numerous Code Reviews, I've never done one
searching for Security issues.

Can someone please advise me on what I should be looking for?
Where can I get further information on the procedure that should be followed?
Are there any Standards/Best Practices for Securing J2EE applications?

Thanx,
ys

--
Yousef Syed



[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: J2EE Application Security Code Review, Jeff Robertson
Next by Date:  Re: J2EE Application Security Code Review, crazy frog crazy frog
Previous by Thread:  Re: J2EE Application Security Code Review, Eoin Keary
Next by Thread:  Re: J2EE Application Security Code Review, crazy frog crazy frog
Indexes:  [Date] [Thread] [Top] [All Lists]