JAVA EE FUNCTIONS THAT CAN LEAD TO VULNERABILITIES – All things in moderation

JAVA EE FUNCTIONS THAT CAN LEAD TO VULNERABILITIES

Java EE (Enterprise Edition) is the set of Java technologies for distributed programming and for web applications such as websites, web services and so on.

The following are Java functions you need to be careful with when you use them in your code. Each one passes data to a sensitive sink (the database, the file system, the operating system or the user's browser), so any untrusted input has to be validated, or kept separate from the command or query text, before it reaches them.


1. Database Access
The following Java functions execute SQL and return the results. If an attacker controls user input that is concatenated into the query text, he can inject SQL of his own (SQL injection) and read or modify the database. Depending on the database engine and the privileges of the account the application connects with, he may also be able to write files or run OS commands and compromise the whole system.

  • java.sql.Connection.createStatement
  • java.sql.Statement.execute
  • java.sql.Statement.executeQuery
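
As an added example (not code from the original page), here are the vulnerable and the hardened forms side by side. It assumes the H2 in-memory JDBC driver is on the classpath so that it runs without a database server; the table, its rows and the attacker input are constructed for the demonstration. createStatement itself is fine for constant SQL such as the schema setup below; the problem is executing a query whose text contains user data.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Assumption: the H2 driver (com.h2database:h2) is on the classpath; it registers
// itself with DriverManager, so "jdbc:h2:mem:demo" gives an in-memory database.
public class SqlInjectionDemo {

    // VULNERABLE: the untrusted value is spliced into the query text, so the database
    // cannot tell where the attacker's input ends and the SQL begins.
    static int countUsersVulnerable(Connection conn, String username) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // HARDENED: the statement's shape is fixed when it is prepared; the value is bound
    // as data afterwards and can never change the structure of the query.
    static int countUsersSafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            // Constant SQL with no user data: createStatement/execute are safe here.
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE users(name VARCHAR(64))");
                st.execute("INSERT INTO users VALUES ('alice'), ('bob')");
            }

            String payload = "x' OR '1'='1";   // constructed attacker input

            // Vulnerable path runs: ... WHERE name = 'x' OR '1'='1'  -> every row matches (2)
            System.out.println("vulnerable: " + countUsersVulnerable(conn, payload));
            // Safe path looks for a user literally named  x' OR '1'='1  -> no rows (0)
            System.out.println("safe:       " + countUsersSafe(conn, payload));
        }
    }
}
```

The same rule applies to executeUpdate and to Statement.execute: whenever the SQL text is built from request data, switch to PreparedStatement with bound parameters.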

2. File and Directory Access Control
The following Java functions open files. If an attacker controls the file name or path passed to them, he can use sequences such as ../ (path traversal) or an absolute path to read, or with the output classes overwrite, files on the server outside the directory the application intended.

  • java.io.FileInputStream
  • java.io.FileOutputStream
  • java.io.FileReader
  • java.io.FileWriter
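
As an added example (not code from the original page), the unchecked and the checked way of turning a user-supplied name into a path. The "uploads" directory, its file and the attacker inputs are constructed in a temporary directory so the program runs stand-alone; the sample traversal paths assume a Unix-like system.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class PathTraversalDemo {

    // VULNERABLE: the user-supplied name is joined to the base directory as-is.
    // "../" segments walk out of the directory, and an absolute path replaces it
    // entirely, because Path.resolve returns the argument when it is absolute.
    static Path resolveVulnerable(Path baseDir, String requested) {
        return baseDir.resolve(requested);
    }

    // HARDENED: join, normalize away "." and ".." segments, then require that the
    // result still lies inside the real base directory. If the target exists, check
    // its real path as well, so a symlink inside the directory cannot point outside it.
    static Path resolveSafe(Path baseDir, String requested) throws IOException {
        Path base = baseDir.toRealPath();
        Path candidate = base.resolve(requested).normalize();
        if (!candidate.startsWith(base)) {
            throw new IOException("rejected, escapes " + base + ": " + requested);
        }
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new IOException("rejected, symlink escapes " + base + ": " + requested);
        }
        return candidate;
    }

    // The file is only opened after the path has passed the check above.
    static String readUserFile(Path baseDir, String requested) throws IOException {
        return Files.readString(resolveSafe(baseDir, requested));
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: a temporary "uploads" directory holding one public file.
        Path uploads = Files.createTempDirectory("uploads");
        Files.writeString(uploads.resolve("report.txt"), "quarterly numbers\n");

        String[] inputs = { "report.txt", "../../../../etc/passwd", "/etc/passwd" };
        for (String in : inputs) {
            System.out.println("input: " + in);
            System.out.println("  vulnerable resolves to: " + resolveVulnerable(uploads, in).normalize());
            try {
                System.out.print("  safe read: " + readUserFile(uploads, in));
            } catch (IOException e) {
                System.out.println("  safe: " + e.getMessage());
            }
        }
    }
}
```

Doing the check on the resolved Path rather than on the raw string matters: filtering "../" out of the input can be bypassed with encodings or repeated sequences, whereas comparing the normalized result against the base directory does not depend on how the input was written.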

3. OS Command Execution
The following functions execute OS commands. If an attacker controls parameters that end up in the command line, he can run commands of his own (command injection) and compromise the server.

  • java.lang.Runtime.getRuntime
  • java.lang.Runtime.exec
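
As an added example (not code from the original page), a lookup helper in its vulnerable and hardened forms. One precision worth knowing: Runtime.exec(String) splits the string on whitespace and runs the first token directly, without a shell, so characters like ; and | only become dangerous once a shell is in the chain, as in the /bin/sh -c pattern below; but attacker-controlled tokens can still inject extra arguments, which the hardened form also prevents. The program assumes a Unix-like system with /bin/sh and Java 11 or later; echo stands in for the real command so it runs harmlessly, and the attacker input is constructed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

// Assumption: Unix-like host with /bin/sh; "echo pinging" stands in for "ping -c 1".
public class CommandInjectionDemo {

    // VULNERABLE: the untrusted host is concatenated into a command line that a shell
    // parses, so ';', '|', '$(...)' and similar in the input start new commands.
    static String pingVulnerable(String host) throws IOException, InterruptedException {
        String cmd = "echo pinging " + host;
        Process p = Runtime.getRuntime().exec(new String[] { "/bin/sh", "-c", cmd });
        return readAll(p);
    }

    // Hostname allowlist: letters, digits, '.' and '-', and no leading '-' so the
    // value can never be parsed as a command-line option either.
    private static final Pattern HOST = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$");

    // HARDENED: validate against the allowlist, then pass the value as ONE argv element
    // with no shell in between. ProcessBuilder hands argv to the program unchanged.
    static String pingSafe(String host) throws IOException, InterruptedException {
        if (!HOST.matcher(host).matches()) {
            throw new IllegalArgumentException("rejected host: " + host);
        }
        Process p = new ProcessBuilder(List.of("echo", "pinging", host))
                .redirectErrorStream(true)
                .start();
        return readAll(p);
    }

    private static String readAll(Process p) throws IOException, InterruptedException {
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        p.waitFor();
        return out;
    }

    public static void main(String[] args) throws Exception {
        String payload = "127.0.0.1; id";          // constructed attacker input

        // Shell runs "echo pinging 127.0.0.1; id": prints the line, then the output of id.
        System.out.print(pingVulnerable(payload));

        // The payload never reaches a process: it fails validation first.
        try {
            pingSafe(payload);
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }

        // A legitimate host goes through as a single argument.
        System.out.print(pingSafe("example.com"));
    }
}
```

If the real command accepts options, also check the allowlist does not permit a value starting with "-", or terminate option parsing with "--" where the program supports it; avoiding the shell stops command injection but not argument injection.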

4. URL Redirection
The following functions are used to implement HTTP redirects in Java. If an attacker controls the target (typically a "next" or "returnUrl" parameter), he can send the user from a URL on the application's trusted domain to a malicious website (open redirect), which is very effective for phishing. setStatus and addHeader are on the list because a 3xx status plus a Location header is a redirect even when sendRedirect is never called.

  • javax.servlet.http.HttpServletResponse.sendRedirect
  • javax.servlet.http.HttpServletResponse.setStatus
  • javax.servlet.http.HttpServletResponse.addHeader
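
As an added example (not code from the original page), a validator for the redirect target, shown beside the unchecked version. It is plain Java so it runs without a servlet container; the servlet call site appears only as a comment, and the allowed host names and the attacker inputs are assumed for the demonstration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

public class OpenRedirectDemo {

    // Assumed for the demo: external hosts this application may send users to.
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.example.com", "login.example.com");
    private static final String DEFAULT_TARGET = "/";

    // VULNERABLE: whatever arrives in ?next= goes straight into the Location header.
    // In a servlet this is: resp.sendRedirect(req.getParameter("next"));
    static String redirectTargetVulnerable(String next) {
        return next;
    }

    // HARDENED: accept only a local path rooted at this site (one leading '/') or an
    // https URL whose host is on the allowlist; everything else falls back to a default.
    // In a servlet this is: resp.sendRedirect(redirectTargetSafe(req.getParameter("next")));
    static String redirectTargetSafe(String next) {
        // Browsers treat "/\evil.example" like "//evil.example", so reject backslashes outright.
        if (next == null || next.isEmpty() || next.indexOf('\\') >= 0) {
            return DEFAULT_TARGET;
        }
        URI uri;
        try {
            uri = new URI(next);
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // Relative reference. "//host/path" parses with an authority and never gets here,
            // so a single leading '/' means a path on this site.
            String path = uri.getRawPath();
            if (path != null && path.startsWith("/") && !path.startsWith("//")) {
                return next;
            }
            return DEFAULT_TARGET;
        }
        // Absolute URL: https only, no user-info trick ("https://good@evil"), host on the list.
        if ("https".equalsIgnoreCase(uri.getScheme())
                && uri.getRawUserInfo() == null
                && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase())) {
            return next;
        }
        return DEFAULT_TARGET;
    }

    public static void main(String[] args) {
        // Constructed inputs: two legitimate targets among typical open-redirect payloads.
        String[] inputs = {
            "/account/settings",
            "//evil.example/phish",
            "https://evil.example/phish",
            "https://www.example.com@evil.example/",
            "/\\evil.example",
            "javascript:alert(1)",
            "https://login.example.com/sso"
        };
        for (String in : inputs) {
            System.out.printf("%-40s vulnerable -> %s%n", in, redirectTargetVulnerable(in));
            System.out.printf("%-40s safe       -> %s%n", "", redirectTargetSafe(in));
        }
    }
}
```

Comparing the parsed host against an allowlist is safer than checking that the string "starts with" or "contains" the expected domain: the user-info form https://www.example.com@evil.example/ passes such string checks but resolves to evil.example.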

Good documents for securing the code of your web application:

https://www.owasp.org/index.php/Injection_Prevention_Cheat_Sheet_in_Java
https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet
