CertGear - Certification Practice Tests /Exams For PHR, SPHR, GPHR, SCWCD, SCBCD, SCDJWS, SCJP, PMP Java / Web Application Security - Guidelines For Secure Web Component Development
CertGear Products - Certification Practice Tests For PHR, SPHR, GPHR, SCWCD, SCBCD, SCDJWS, SCJP, PMPCertGear Products - Certification Practice Tests For PHR, SPHR, GPHR, SCWCD, SCBCD, SCDJWS, SCJP, PMPAbout CertGearCertGear Affiliates ProgramCertGear Technical SupportCertGear Product Downloads - Certification Practice Tests For PHR, SPHR, GPHR, SCWCD, SCBCD, SCDJWS, SCJP, PMP
Practice Tests
SCJP Practice Exams
SCWCD Practice Exams
SCBCD Practice Exams
SCDJWS Practice Exams
PHR Certification
PHR / SPHR Certification
PMP Practice Tests GPHR Certification CISSP Exam CISA Exam

 

Company
 
 Java & Web Application Security  

Untrusted user input is, in practice, all user input. It originates from the client but can reach the server through many different channels. Some source of user input for a JSP server include, but are not limited to:

  • the parameter string portion of the request URL,
  • data submitted by HTML forms through POST or GET requests,
  • queries to databases,
  • environment variables set by other processes.

The problem with user input is that it can be interpreted by the server-side applications and thus an attacker can craft the incoming data so as to control some vulnerable aspect of the server. These vulnerabilities often manifest themselves as points of access to data identified by user-supplied qualifiers, or through execution of external functionality.

Naturally, JSP can make calls to native code stored in libraries (through JNI) and execute external commands. The class Runtime provides the exec() method which interprets its first argument as a command line to execute in a separate process. If parts of this string must be derived from user input, this input must first be filtered to ensure that only the intended commands are executed, with only the intended arguments.

In addition, it is possible under certain circumstances for an attacker to modify environment variables in the server environment and in this way to affect the execution of external commands, for example by changing the PATH variable to point to a malicious program disguised under the name of the program called by Runtime's exec(). To avoid this risk it is advisable to always set the environment explicitly before making external calls.

In addition, access to files, databases, or other network connections must NOT depend on unvalidated user input. This is especially true for SQL queries. The following JSP construct accessing the JDBC API is highly insecure, since an attacker can embed command separation characters in the submitted input and thus execute unwanted commands on the SQL server: 

<!-- Some code here to open a SQL connection -->
  <%
    Statement stmt = connection.getStatement();
    String query = "SELECT * FROM EMPLOYEE_RECORDS WHERE USER = " +
      request.getParameter("employee");
    ResultSet result = Statement.executeQuery(query); 
  %>

If employee contains a semicolon for instance, as in 

  http://server/db.jsp?
    employee=bob;SELECT%20*%20FROM%20SYSTEM_RECORDS

the attacker can gain access to (or damage) parts of the database to which they are not entitled (assuming the Web server has privileges to access these parts). In the example attack above, some SQL servers will ignore the whole query, but others will proceed to execute the two commands.

Mitigation of these problems is achieved through appropriate input validation.

 

Page: 1 2 3 4 NEXT


 

  PHR SPHR Certifications :  PHR, SPHR, GPHR   |    PMI Certifications: PMP
Java Certifications :  SCWCD, SCBCD, SCJDWS, SCJP  | Security Certifications: CISSP, CISA