Top 10 Vulnerabilities in Your Java Applications
Securing your web application against outside threats can seem a daunting task. Where do you start? One good approach is to start with the top 10 security issues in web applications as identified by the Open Web Application Security Project (OWASP). In this article, we describe each vulnerability. You will also learn how Kiuwan uses rules to identify each of these vulnerabilities in your code.

What is the OWASP Top 10?

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate and maintain applications that can be trusted. OWASP is an international non-profit organization dedicated to analyzing, documenting and spreading the principles of safe and vulnerability-free software development. Every few years, OWASP produces a list of major vulnerabilities, called the OWASP Top 10, most recently in 2017. According to OWASP, “The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code”.

How can I detect vulnerabilities in my application?

An application can be vulnerable to attack through any component in a production system, such as servers, networks, endpoints, access to related systems, etc. However, most vulnerabilities can be prevented by writing source code that is secure and protected against potential threats. Kiuwan Code Security helps to detect insecure code so that it can be corrected before it becomes a security problem. Let’s review the OWASP Top 10 and see how Kiuwan rules can identify these vulnerabilities in the coding phase.

A1 Injection in Top 10 Vulnerabilities

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. There are several Kiuwan rules to verify that your code is not vulnerable to this most common security problem:

Avoid non-neutralized user-controlled input in LDAP search filters (OPT.JAVA.SEC_JAVA.LdapInjectionRule): The software constructs all or part of an LDAP query using externally-influenced input, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended LDAP query when it is sent to the LDAP server.

Improper Neutralization of Special Elements used in an SQL Command ‘SQL Injection’ (OPT.JAVA.SEC_JAVA.SqlInjectionRule): The software constructs all or part of an SQL command using externally-controlled input, but it does not properly neutralize that input, which could modify the intended SQL command when it is sent to a database interaction method.

Improper Neutralization of Special Elements used in an OS Command ‘OS Command Injection’ (OPT.JAVA.SEC_JAVA.CommandInjectionRule): The software constructs all or part of an operating system command using externally-controlled input, but it does not properly neutralize that input, which could modify the intended command when it is sent to a method that executes the command.

Improper neutralization of special elements in data query logic ‘NoSQL injection’ (OPT.JAVA.SEC_JAVA.NoSQLInjection): The application generates a query intended to access or manipulate data in a data store such as a NoSQL database, but it does not neutralize, or incorrectly neutralizes, special elements that can modify the intended logic of the query.

XML Injection (aka Blind XPath Injection) (OPT.JAVA.SEC_JAVA.XsltInjection): If the software allows untrusted inputs to control part or all of an XSLT stylesheet, an attacker may change the structure and […]
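To make the LDAP rule above concrete, here is an added example (not Kiuwan’s code or rules) contrasting a filter built by plain concatenation, which the LdapInjectionRule would flag, with the same filter built after neutralizing the RFC 4515 filter metacharacters. The class name, the `uid` attribute and the sample input are assumptions; no directory server is contacted, the filters are only constructed so the difference in structure is visible.

```java
// Added example: user-controlled input in an LDAP search filter (hypothetical lookup code).
public class LdapFilterExample {

    // Vulnerable: the value is concatenated into the filter, so any filter
    // metacharacters in 'username' become part of the query logic.
    static String vulnerableFilter(String username) {
        return "(&(objectClass=person)(uid=" + username + "))";
    }

    // Neutralize the RFC 4515 filter metacharacters so the value is treated
    // as a literal attribute value rather than as filter syntax.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened: same filter, but the user-controlled value is escaped first.
    static String safeFilter(String username) {
        return "(&(objectClass=person)(uid=" + escapeFilterValue(username) + "))";
    }

    public static void main(String[] args) {
        // Constructed sample input containing filter metacharacters.
        String input = "alice)(objectClass=*";
        System.out.println("vulnerable: " + vulnerableFilter(input));
        System.out.println("hardened:   " + safeFilter(input));
    }
}
```

When a directory is actually queried through JNDI, `DirContext.search(base, "(uid={0})", new Object[]{username}, controls)` lets the provider encode the argument for you, which is the preferred form over hand-built filters.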
