
Need pointer to Java/JSP security


Fingolfin

Nov 9, 2009, 9:43:39 AM
Hello,

I'm planning this college project in which I would make a JSP (java) web
page and show how to secure it in numerous ways against all kinds of
attacks and I'm wondering if you guys know some links like this:

http://www.developer.com/java/article.php/883381/JSP-Security.htm

So, I would greatly appreciate if you could point me to some site where
I could find more source code that can be used to secure a web page
against SQL injection attacks, more on XSS and anything else you can
think of...

I've already found some links, but they cover security from a more
theoretical point of view rather than a practical one with examples.

Regards.

markspace

Nov 9, 2009, 11:19:17 AM
Fingolfin wrote:

> I'm planning this college project in which I would make a JSP (java) web
> page and show how to secure it in numerous ways against all kinds of
> attacks and I'm wondering if you guys know some links like this:

<http://en.wikipedia.org/wiki/Computer_insecurity>

<http://en.wikipedia.org/wiki/SQL_injection>

<http://en.wikipedia.org/wiki/Cross-site_scripting>

<http://www.ethicalhack3r.co.uk/damn-vulnerable-web-app/>

<http://en.wikipedia.org/wiki/HTTP_header_injection>

Each of those contains many references for you to check out and search on.

Arne Vajhøj

Nov 9, 2009, 9:34:31 PM

That link is rather old and not very Java EE oriented. Most of the
techniques are more ASP like than JSP like.

You use a web framework with builtin support for validators
and use those to reject invalid input. Struts, JSF etc. provide
such functionality.

You use a persistence framework or at the very least prepared
statements that protect against SQL injection.

Arne

Steve Sobol

Nov 9, 2009, 9:54:10 PM
In article <4af8d134$0$270$1472...@news.sunsite.dk>, ar...@vajhoej.dk
says...


> You use a persistence framework or at the very least prepared
> statements that protect against SQL injection.

+1

SQL injection is a big problem, but it's so easy to prevent that it shouldn't be a problem at all.

--
Steve Sobol, Victorville, California, USA
sjs...@JustThe.net

Fingolfin

Nov 10, 2009, 2:52:05 AM
Arne Vajhøj wrote:
> That link is rather old and not very Java EE oriented. Most of the
> techniques are more ASP like than JSP like.

I see..

>
> You use a web framework with builtin support for validators
> and use those to reject invalid input. Struts, JSF etc. provide
> such functionality.
>
> You use a persistence framework or at the very least prepared
> statements that protect against SQL injection.

I know I could use one of those frameworks, but the idea is that I show
and get rid of security issues myself, without a framework. And all that
using various code for many kinds of attacks not just SQL injection.

After I would present that code, I would explain it a bit as well as the
possible attack that could happen if I didn't put that in my web site.

That's why I need pointers, links, to security examples, as I'm having
trouble finding them through Google.

John B. Matthews

Nov 10, 2009, 1:31:17 PM
In article <hdb633$4s2$1...@news2.carnet.hr>, Fingolfin <spa...@bla.com>
wrote:

In his response, markspace offers several sites [1] that outline some
of the problems you'll want to study. Arne's and Steve's responses
amplify on standard practices that have evolved since.

Your original request was for "source code that can be used to secure a
web page..." IIUC, no such thing exists, as proof of a program's
correctness is undecidable [2, 3]. Absent a framework, focus on known
classes of vulnerabilities and ways to preclude them, e.g. SQL
injection [4], cross-site scripting [5] and certain known patterns [6].

The top hit for "jsp+security" [7] is the very link you posted
initially [8]. Despite its age, the article is a good summary that
describes other classes of attack for which you can search.

[1] <http://groups.google.com/group/comp.lang.java.programmer/msg/bc0326bb6e2f9204>
[2] <http://en.wikipedia.org/wiki/List_of_undecidable_problems>
[3] <http://www.cs.umd.edu/~jfoster/papers/issre04.pdf>
[4] <http://www.integrigy.com/security-resources/whitepapers/Integrigy_Oracle_SQL_Injection_Attacks.pdf>
[5] <http://www.ibm.com/developerworks/tivoli/library/s-csscript/>
[6] <http://findbugs.sourceforge.net/bugDescriptions.html>
[7] <http://www.google.com/search?q=jsp+security>
[8] <http://www.developer.com/java/article.php/883381/JSP-Security.htm>

--
John B. Matthews
trashgod at gmail dot com
<http://sites.google.com/site/drjohnbmatthews>

Arne Vajhøj

Nov 10, 2009, 7:59:33 PM

But what is the point in showing examples of code that should
not be used in the real world?

Arne

Fingolfin

Nov 11, 2009, 3:36:45 PM
John B. Matthews wrote:
> In article <hdb633$4s2$1...@news2.carnet.hr>, Fingolfin <spa...@bla.com>
> wrote:
>
> /cut

I'm sorry for my late response, I've been very busy the last few days.

But thank you for your insight and links. I was especially interested
in link [6].

Fingolfin

Nov 11, 2009, 3:45:41 PM
Arne Vajhøj wrote:

>> Arne Vajhøj wrote:
>
> But what is the point in showing examples of code that should
> not be used in the real world?
>
> Arne

I believe code examples that are bad can help me and anyone else better
understand the problem. I mean, of course there will be much more
emphasis on code examples that are correct, however, in a written part
of the project I want to show "the bad coding" to better explain "the
right one".

I may not have been clear enough, the actual program will only be a
'showcase' for the written part of my project. However, a 'showcase' or not,
it should be resistant to various attacks, and I want to accomplish that
without frameworks because security issues there are lost in a 'jungle'
of other code, but also someday a need could arise that I jump in some
company development sector and need to work on and upgrade their current
framework, so it sure will be useful to have this kind of knowledge.

John B. Matthews

Nov 11, 2009, 3:49:42 PM
In article <hdf78s$6p9$1...@news2.carnet.hr>, Fingolfin <spa...@bla.com>
wrote:

> John B. Matthews wrote:
> > In article <hdb633$4s2$1...@news2.carnet.hr>, Fingolfin <spa...@bla.com>
> > wrote:
> >
> > /cut
>
> I'm sorry for my late response, I've been very busy last few days.

No problem.

> But thank you for your insight and links. I was especially interested
> with link # [6].

Excellent. It was recommended by a respected contributor in another
thread, and I found it compelling. For perspective, don't overlook the
comparison of similar tools, linked from that same site:

<http://www.cs.umd.edu/~jfoster/papers/issre04.pdf>

Fingolfin

Nov 11, 2009, 3:59:55 PM
John B. Matthews wrote:
> It was recommended by a respected contributor in another
> thread, and I found it compelling. For perspective, don't overlook the
> comparison of similar tools, linked from that same site:
>
> <http://www.cs.umd.edu/~jfoster/papers/issre04.pdf>
>

Very interesting, I'm sure it will help and be a nice way to add 'an
extra spice' to my project.

Arne Vajhøj

Nov 11, 2009, 10:13:26 PM
Fingolfin wrote:
> Arne Vajhøj wrote:
>>> Arne Vajhøj wrote:
>>
>> But what is the point in showing examples of code that should
>> not be used in the real world?
>
> I believe code examples that are bad can help me and anyone else better
> understand the problem. I mean, of course there will be much more
> emphasis on code examples that are correct, however, in a written part
> of the project I want to show "the bad coding" to better explain "the
> right one".

I don't have a problem with showing bad code to illustrate the
problem.

I am skeptical about showing bad code to illustrate the solution.

> I may not have been clear enough, the actual program will only be a
> 'showcase' for the written part of my project. However, a 'showcase' or not,
> it should be resistant to various attacks, and I want to accomplish that
> without frameworks because security issues there are lost in a 'jungle'
> of other code, but also someday a need could arise that I jump in some
> company development sector and need to work on and upgrade their current
> framework, so it sure will be useful to have this kind of knowledge.

To be able to help such a company it is relevant to know the
right way of solving the problems.

Arne
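The two points this thread keeps circling (Arne's advice to validate input and use prepared statements, and Fingolfin's plan to show "the bad coding" next to "the right one") fit in a single plain-Java example. The code below is an added illustration written for this page, not code posted by anyone in the thread. It assumes a table USERS(USERNAME, EMAIL) and a JDBC Connection supplied by the caller; the schema, the whitelist rule and the sample inputs in main are all constructed for the example. The main method only exercises the pure-Java parts, so it runs without a database or driver.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

/**
 * Added example (not from the thread): a concatenated-SQL lookup of the
 * kind found in old JSP scriptlets, beside its prepared-statement form,
 * plus the two helpers a framework would normally supply: an input
 * validator and an HTML output escaper. Table and column names are assumed.
 */
public class UserLookup {

    /** Whitelist for a username parameter: letters, digits, dot, underscore, 3-32 chars (assumed rule). */
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9._]{3,32}$");

    /** Validator: reject anything that is not on the whitelist, before it reaches SQL or HTML. */
    public static boolean isValidUsername(String s) {
        return s != null && USERNAME.matcher(s).matches();
    }

    /** THE PROBLEM: input pasted into the SQL text. A quote in the input changes
     *  the structure of the statement instead of staying plain data. */
    public static String buildUnsafeQuery(String username) {
        return "SELECT EMAIL FROM USERS WHERE USERNAME = '" + username + "'";
    }

    /** The unsafe lookup as it would sit in a scriptlet; kept only to show the problem. */
    public static String lookupEmailUnsafe(Connection conn, String username) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildUnsafeQuery(username))) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    /** THE SOLUTION: the SQL text is fixed and the input is bound as a parameter,
     *  so the database never parses it as SQL. Validation is kept as a second layer. */
    public static String lookupEmailSafe(Connection conn, String username) throws SQLException {
        if (!isValidUsername(username)) {
            throw new IllegalArgumentException("invalid username");
        }
        String sql = "SELECT EMAIL FROM USERS WHERE USERNAME = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    /** XSS side: anything echoed back into the page goes through this first,
     *  so the five HTML-significant characters become entities. */
    public static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary name and one containing an apostrophe.
        String[] inputs = { "alice_01", "o'brien" };
        for (String in : inputs) {
            System.out.println("input:        " + in);
            System.out.println("unsafe SQL:   " + buildUnsafeQuery(in));
            System.out.println("valid?        " + isValidUsername(in));
            System.out.println("escaped HTML: " + escapeHtml("<b>" + in + "</b>"));
            System.out.println();
        }
    }
}
```

Running main shows the point of the thread without touching a database: for "o'brien" the concatenated statement comes out as `... WHERE USERNAME = 'o'brien'`, which is no longer the query the author wrote, while the prepared-statement path would bind the same string as a value. The validator rejects it outright under the assumed whitelist, and escapeHtml shows what the same value looks like once it is safe to echo into a page.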
