Skip to main content

How to avoid the top 7 Java security pitfalls

Even before the Log4j vulnerability led to the targeting of nearly one-half of global corporate networks, Java applications have presented abundant opportunities for hackers. After all, there are so many components to protect – server-side logic, client-side logic, data storage, data transportation, APIs and others – that it’s daunting to defend everything.

In fact, serious vulnerabilities exist within 44 percent of Java apps, compared to 23 percent in .NET ones. Fortunately, most vulnerabilities share the same root causes. But before you can fix them, you have to find them. And to find them, you have to know what you’re looking for. With this in mind, here’s our list of the top seven Java security pitfalls – and what you should do about them:

XXE attacks. This happens when cyber adversaries exploit an extensible markup language (XML) parser to read arbitrary files on your server. They can then deploy an XML external entity (XXE) to retrieve user information, configuration files or even credentials for cloud environments. Most Java XML parsers enable XXE requirements by default, so you should proactively disable these to avoid XXE attacks.

Insecure deserialization. During serialization, an object in a programing language is converted into a format that you can save to a database or transfer over a network. During deserialization, the opposite occurs: The serialized object is read from a file or network so you can convert it back into an object.

However, hackers will seek vulnerabilities in the form of insecure deserialization, so they can manipulate the serialized object to launch authentication bypass, denial of service or arbitrary code execution attacks.

To prevent this, you need to stay up-to-date with patches. You should also make sure your third-party code meets your standards for defense, because many insecure deserialization-caused vulnerabilities are introduced via dependencies.

Remote code execution. Hackers commit remote code execution (RCE) when they execute their code on your machine, often through command injection vulnerabilities – an RCE in which user input is linked directly to a system command. Your app can’t tell the difference between where the user input is and where the system command is, so it executes the user input as code. This allows the hackers to execute arbitrary commands on the machine.

Your best countermove here is to come up with an effective allowlist, which will ensure robust input validation.

SQL injection. Broadly defined, injections emerge when apps cannot properly distinguish between untrusted user data and legitimate/valid code. In operating system commands, this will lead to command injection.

In the case of structured query language (SQL) injections, adversaries inject data to manipulate SQL commands. If the app cannot validate user input properly, the adversaries will insert characters designated for the SQL language to disrupt the query’s logic and execute arbitrary SQL code. They can take advantage of the compromised query structure to modify or steal data and/or execute arbitrary commands in the operating system.

That’s why you have to leverage parameterized statements to make SQL injections virtually impossible, by pre-compiling SQL statements so you strictly supply the parameters (or variables/inputs) which you are seeking to insert into the statement to execute it.

NoSQL injection. “Not only SQL” (NoSQL) databases don’t use the SQL language. During NoSQL injections, hackers will inject data into the logic of the database languages to enable authentication bypasses and RCE. MongoDB, Couchbase, Cassandra, HBase and additional NoSQL databases are vulnerable to these attacks.

NoSQL query syntax is database-specific, and queries are often written in the programming language of the app. So you must resort to database-specific methods to block NoSQL injections. We’ve provided more detailed guidance on securing the individual, major databases here.

LDAP injection. Lightweight directory access protocol (LDAP) enables developers to query a directory service about a system’s users and devices. But when an app allows untrusted input in these queries, hackers can submit crafted inputs to bypass authentication and tamper with data stored in the directory. Again, parameterized queries remain effective in prevention here.

Log injection. Security teams rely on system logging to detect malicious activities in the network. But adversaries are aware of this, and will frequently alter log files to cover up their tracks during an attack. Through a typical log injection, they will trick the app into writing fake entries in your log files.

They may, for example, look for apps that do not sanitize new line characters in input written to logs, to introduce their own new line character and insert new app log entries. Or they will inject malicious HTML into log entries to launch a cross-site scripting (XSS) attack on the browser of the administrator who oversees the logs.

To avoid this, you need to distinguish between real log entries and fake ones, by prefixing each log entry with a timestamp, process ID, hostname and other forms of meta-data. In applying the principles of zero trust, you should treat log file content as untrusted input until you have fully validated it for access and operations.

The list of Java security pitfalls is hardly contained to these seven, as we are planning to publish in the near future an e-book with detailed summaries of 29 of the most common vulnerabilities. We are happy to provide this because, as the time-tested adage goes, knowledge is power. When teams are aware of what exists in their Java apps which could expose them, they are much closer to finding – and removing – the issues that leave them open to an attack.

The post How to avoid the top 7 Java security pitfalls appeared first on SD Times.



from SD Times https://ift.tt/7BPhJm6

Comments

Popular posts from this blog

Difference between Web Designer and Web Developer Neeraj Mishra The Crazy Programmer

Have you ever wondered about the distinctions between web developers’ and web designers’ duties and obligations? You’re not alone! Many people have trouble distinguishing between these two. Although they collaborate to publish new websites on the internet, web developers and web designers play very different roles. To put these job possibilities into perspective, consider the construction of a house. To create a vision for the house, including the visual components, the space planning and layout, the materials, and the overall appearance and sense of the space, you need an architect. That said, to translate an idea into a building, you need construction professionals to take those architectural drawings and put them into practice. Image Source In a similar vein, web development and design work together to create websites. Let’s examine the major responsibilities and distinctions between web developers and web designers. Let’s get going, shall we? What Does a Web Designer Do?

A guide to data integration tools

CData Software is a leader in data access and connectivity solutions. It specializes in the development of data drivers and data access technologies for real-time access to online or on-premise applications, databases and web APIs. The company is focused on bringing data connectivity capabilities natively into tools organizations already use. It also features ETL/ELT solutions, enterprise connectors, and data visualization. Matillion ’s data transformation software empowers customers to extract data from a wide number of sources, load it into their chosen cloud data warehouse (CDW) and transform that data from its siloed source state, into analytics-ready insights – prepared for advanced analytics, machine learning, and artificial intelligence use cases. Only Matillion is purpose-built for Snowflake, Amazon Redshift, Google BigQuery, and Microsoft Azure, enabling businesses to achieve new levels of simplicity, speed, scale, and savings. Trusted by companies of all sizes to meet

2022: The year of hybrid work

Remote work was once considered a luxury to many, but in 2020, it became a necessity for a large portion of the workforce, as the scary and unknown COVID-19 virus sickened and even took the lives of so many people around the world.  Some workers were able to thrive in a remote setting, while others felt isolated and struggled to keep up a balance between their work and home lives. Last year saw the availability of life-saving vaccines, so companies were able to start having the conversation about what to do next. Should they keep everyone remote? Should they go back to working in the office full time? Or should they do something in between? Enter hybrid work, which offers a mix of the two. A Fall 2021 study conducted by Google revealed that over 75% of survey respondents expect hybrid work to become a standard practice within their organization within the next three years.  Thus, two years after the world abruptly shifted to widespread adoption of remote work, we are declaring 20