Java

warning: Creating default object from empty value in /hermes/walnaweb12a/b57/moo.greydragoncom/nodsw/modules/taxonomy/taxonomy.pages.inc on line 33.
Leeland's picture

Defensive Java Programming Notes (05 of 11) SQL Injection

Problem: Embedding user input into SQL queries is BAD!

String SQL = "SELECT Username, Password " +
  "FROM users " +
  "WHERE Username='" + Username + "' " +
  "AND Password ='" + Password + "'";
s.execute(SQL)

So what if in the password field you put in: X' OR 1=1; --

That will turn the SQL statment into:

SELECT Username, Password FROM users WHERE Username='InputName'
Leeland's picture

Defensive Java Programming Notes (04 of 11) Napkin

Napkin - Encoding and Decoding Tool Napkin is an encoding and decoding tool designed for quick manipulation of information when working on web applications. It's not overly robust for large amounts of information, but it comes in handy every so often.
  • Supports multiple common encoding formats
  • Hex representation of all data
  • Can display numerical conversions
  • Can encode and decode HTML and base 64 data
Homepage at: http://www.0x90.org/releases/napkin/index.php
Leeland's picture

Defensive Java Programming Notes (03 of 11) Think Evil

As a developer you need to wear an evil hat when you think about testing your applications.

There are a proliferation of security failures, the rate of breaches and the cost of breaches are going up alarmingly.

2005 - $138 million cost of breaches
2006 - $182 million cost of breaches
2007 - $197 million cost of breaches

Proliferation:

- TJX Corporation: 95 million credit card numbers stolen
- Amertrade: 6.3 million customer records compromised
- Hannaford Bros: 4.2 million credit card numbers stolen
- Monster.com: 1.6 million customer records compromised

Leeland's picture

Defensive Java Programming Notes (02 of 11) Cross Site Scripting

Cross Site Scripting vulnerability started with Sammy on MySpace. Before that XSS vulnerability was known but not really considered a big deal.

Using XSS an attacker can:

  • Hijack your account
  • Spread web worms
  • Access your browser history and clipboard contents
  • Remotely control your browser
  • Scan and exploit you intranet appliances and applications
  • Alter your router's DNS settings and control every webpage you visit thereafter
Leeland's picture

Defensive Java Programming Notes (01 of 11) Introduction

Taking a course on Defensive Java Web Programming presented by Kevin Poniatowski from Security Innovation http://www.securityinnovation.com and there are a lot of cool things to think about and remember. So starting this thread so I can write notes essentially to myself, but hey why not share.

"Threat trend data shows that applications are more commonly attacked than the perimeter"
Depository Trust and Clearance Corporation

Leeland's picture

In Java how do you get a count of the open file handles?

I just did a code review on a change to a production service in Java which was having problems with left over open handles. Lets face it the change is so simple as to be ridiculous. We just added an explicit file.close() call.

Leeland's picture

No more 'unable to find valid certification path to requested target'

I love google... I have been having an SSL issue on and off for years, especially in test environments. Usually I fire up Mozilla grab the cert from its cache and edit a few files.

Well that was fine until I started mucking with LDAP. Here I had to go to the server and get the cert myself. Edit the same set of files and once again I am off and running.

But, not today. No today I had to trouble shoot a secure LDAP issue to a server I am NOT allowed to get onto except through LDAP. I can't get secure LDAP to be happy without a way to snag that danged certificate. Google save me!

Leeland's picture

Fabulous Mini Database in Java

I am very impressed with the HSQL (http://hsqldb.org/) product (a lightweight 100% Java SQL database engine). It is not only the best SQL relational database open source product I have ever seen, it is also one of the best written code I have seen in a long time. It is fast and lean but it doesn't skip corners for speed. Which is very nice as it means there is a higher chance of this not doing something unexpected on older or new versions of the JVM.

Thread Slivers eBook at Amazon

Syndicate content