[Owasp-leaders] Fwd: OWASP volunteer with questions on Java EE source code

Azzeddine Ramrami azzeddine.ramrami at owasp.org
Mon Aug 11 09:59:24 UTC 2014


Hi,
Yes I received it. I am on holidays until next week with no Internet
connection except Monday.
I will answer your email next Thursday.
Azzeddine


On Fri, Aug 8, 2014 at 10:29 PM, Luciano Sampaio <lsampaioweb at gmail.com>
wrote:

> Hi,
>
> My name is Luciano Sampaio, I am doing my master's degree here at PUC-Rio
> - Brazil, and I found this page (
> https://www.owasp.org/index.php/Searching_for_Code_in_J2EE/Java) on
> OWASP. It contains some methods that should be sanitized but I believe it
> is not the full list.
>
> So, I have created my own list from what I found on other applications,
> blogs, etc., and I was wondering if you could help me make this list
> perfect. If we manage to do this, I think it would be great to update the
> OWASP page. What do you think?
>
> With this list of methods I performed an evaluation on 5 applications
> (BlueBlog, PersonaBlog, WebGoat, Roller and Pebble) using 4 Eclipse
> plug-ins (ASIDE, CodePro, Lapse+ and ESVD(my plug-in)). I got some very
> promising results. I am really excited.
>
> Do you think there are methods missing or some of these methods should be
> removed from the list?
>
> My plug-in is still a prototype but I am receiving some very good
> feedback. You can see more on:
> 01 -
> http://thecodemaster.net/early-vulnerability-detection-supporting-secure-programming/
> 02 -
> https://marketplace.eclipse.org/content/early-security-vulnerability-detector-esvd/
>
> My list of "Sources", "Sinks" and "Sanitization" methods:
>
> Sources:
>
> javax.servlet.ServletRequest: getAttribute, getAttributeNames,
> getCharacterEncoding, getContentType, getParameter, getParameterNames,
> getParameterValues, getParameterMap, getProtocol, getScheme, getServerName,
> getRemoteAddr, getRemoteHost, getLocalName, getLocalAddr, getReader
>
> javax.servlet.http.HttpServletRequest: getAuthType, getHeader, getHeaders,
> getMethod, getPathInfo, getPathTranslated, getContextPath, getQueryString,
> getRemoteUser, getRequestedSessionId, getRequestURI, getRequestURL,
> getServletPath
>
> javax.servlet.http.Cookie: getComment, getDomain, getPath, getName, getValue
>
> javax.servlet.ServletConfig: getInitParameter, getInitParameterNames
>
> javax.servlet.GenericServlet: getInitParameter, getInitParameterNames
>
> java.sql.ResultSet: getString
>
> java.awt.TextComponent: getSelectedText, getText
>
> java.io.Console: readLine, readPassword
>
> java.io.DataInputStream: readLine, readUTF
>
> java.io.LineNumberReader: readLine
>
> javax.servlet.http.HttpSession: getAttribute, getAttributeNames, getValue,
> getValueNames
>
> java.lang.System: getProperty, getProperties, getenv
>
> javax.servlet.ServletContext: getResourceAsStream, getRealPath,
> getHeaderNames
>
> java.util.Properties: getProperty
>
> java.lang.Class: getResource, getResourceAsStream
>
> org.apache.xmlrpc.XmlRpcClient: execute, search
>
> javax.xml.xpath.XPath: evaluate
>
> javax.xml.xpath.XPathExpression: evaluate
>
> Sanitization:
>
> org.owasp.encoder.Encode: forHtml, forHtmlContent, forHtmlAttribute,
> forHtmlUnquotedAttribute, forCssString, forCssUrl, forUri, forUriComponent,
> forXml, forXmlContent, forXmlAttribute, forXmlComment, forCDATA, forJava,
> forJavaScript, forJavaScriptAttribute, forJavaScriptBlock,
> forJavaScriptSource
>
> java.net.URLEncoder: encode
>
> java.net.URLDecoder: decode
>
> org.apache.commons.lang.StringEscapeUtils: escapeJava, escapeJavaScript,
> unescapeJava, unescapeJavaScript, escapeHtml, unescapeHtml, escapeXml,
> unescapeXml, escapeSql, escapeCsv, unescapeCsv
>
> Sinks:
>
> Command Injection
> java.lang.Runtime: exec
> javax.xml.xpath.XPath: compile
> java.lang.Thread: sleep
> java.lang.System: load, loadLibrary
> org.apache.xmlrpc.XmlRpcClient: XmlRpcClient, execute, executeAsync
>
> Cookie Poisoning
> javax.servlet.http.Cookie: Cookie, setComment, setDomain, setPath, setValue
>
> Cross Site Scripting
> java.io.PrintWriter: print, println, write
> javax.servlet.ServletOutputStream: print, println
> javax.servlet.jsp.JspWriter: print, println
> javax.servlet.ServletRequest: setAttribute, setCharacterEncoding
> javax.servlet.http.HttpServletResponse: sendError, setDateHeader,
> addDateHeader, setHeader, addHeader, setIntHeader, addIntHeader
> javax.servlet.ServletResponse: setCharacterEncoding, setContentType
> javax.servlet.http.HttpSession: setAttribute, putValue
>
> HTTP Response Splitting
> javax.servlet.http.HttpServletResponse: sendRedirect, getRequestDispatcher
>
> LDAP Injection
> javax.naming.directory.InitialDirContext: InitialDirContext, search
> javax.naming.directory.SearchControls: setReturningAttributes, connect,
> search
>
> Log Forging
> java.io.PrintStream: print, println
> java.util.logging.Logger: config, fine, finer, finest, info, warning,
> severe, entering, log
> org.apache.commons.logging.Log: debug, error, fatal, info, trace, warn
> java.io.BufferedWriter: write
> javax.servlet.ServletContext: log
> javax.servlet.GenericServlet: log
>
> Path Traversal
> java.io: File, RandomAccessFile, FileReader, FileInputStream, FileWriter,
> FileOutputStream
> java.lang.Class: getResource, getResourceAsStream
> javax.mail.internet.InternetAddress: InternetAddress, parse
>
> Reflection Injection
> java.lang.Class: forName, getField, getMethod, getDeclaredField,
> getDeclaredMethod
>
> Security Misconfiguration
> java.sql.DriverManager: getConnection
>
> SQL Injection
> java.sql.(Prepared)?Statement: addBatch, execute, executeQuery,
> executeUpdate
> java.sql.Connection: prepareStatement, prepareCall
> javax.persistence.EntityManager: createNativeQuery, createQuery
> (org|net.sf).hibernate.Session: createSQLQuery, createQuery, find, delete,
> save, saveOrUpdate, update, load
>
> XPath Injection
> javax.xml.xpath.XPath: compile, evaluate
> javax.xml.xpath.XPathExpression: evaluate
> org.apache.xpath.XPath: XPath
> org.apache.commons.jxpath.JXPath: getValue
> org.xmldb.api.modules.XPathQueryService: query
> org.xmldb.api.modules.XMLResource: setContent
>
> Thank you!
> Luciano Sampaio
>
>
> On Mon, Aug 4, 2014 at 4:32 PM, Azzeddine Ramrami <
> azzeddine.ramrami at owasp.org> wrote:
>
>> Hi,
>> for Java you have the following rules:
>>
>>
>> https://www.securecoding.cert.org/confluence/display/java/The+CERT+Oracle+Secure+Coding+Standard+for+Java
>>
>> They cover Java secure coding including Java 8.
>>
>> You should also take a look at:
>> - OWASP TOP 10
>> - SANS TOP 25
>>
>> If you need more information contact me directly.
>>
>> What are your tool's specifications? What do you expect?
>>
>> Azzeddine RAMRAMI
>> Secure Coding Instructors
>> OWASP Morocco Chapter Leader
>> Mozilla Mentors
>>
>>
>>
>>
>>
>>
>> On Mon, Aug 4, 2014 at 9:22 PM, Paul Ritchie <paul.ritchie at owasp.org>
>> wrote:
>>
>>> To OWASP Leaders:   Occasionally we see these types of questions sent
>>> to OWASP, and I thought I'd forward this one on to our expert leaders
>>> group.  Anyone want to reach out and start a dialogue with Luciano?
>>> ------- begin message ------------
>>>
>>> Hi,   ( lsampaioweb at gmail.com )
>>>
>>> My name is Luciano Sampaio. I am creating an application that finds
>>> security vulnerabilities in the source code of Java EE applications and I
>>> was wondering if there is any list with all the "Sources", "Sinks" and
>>> "Sanitization" methods that a security application should know of?
>>>
>>> I tried to find a list like that on the Internet and on your site but I
>>> couldn't, so I have created my own list from what I found on other
>>> applications. Do you think maybe we can create a page here with this list
>>> and help future applications?
>>>
>>> Thank you!
>>> Luciano Sampaio
>>> ------------------------end message -----------------
>>> --
>>> Best Regards, Paul Ritchie
>>> OWASP Interim Executive Director
>>> paul.ritchie at owasp.org
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>>
>> --
>> Azzeddine RAMRAMI
>> +33 6 65 48 90 04.
>> Enterprise Security Architect
>> OWASP Leader (Morocco Chapter)
>> Mozilla Security Projects Mentor
>>
>
>
>
> --
> Atenciosamente,
> Luciano Sampaio
>



-- 
Azzeddine RAMRAMI
+33 6 65 48 90 04.
Enterprise Security Architect
OWASP Leader (Morocco Chapter)
Mozilla Security Projects Mentor
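The "Sources", "Sinks" and "Sanitization" lists in Luciano's mail are the vocabulary of a taint analysis: data that enters through a source is untrusted, it stays untrusted as it is copied or concatenated, a sanitizer call produces clean output, and untrusted data reaching a sink is reported under that sink's vulnerability category. The following Python script is an added example written for this page to show how those three lists combine in a detector; it is not ESVD's code or any of the other plug-ins mentioned. It implements straight-line, single-method taint tracking over a constructed Java servlet fragment, using only a handful of entries from the lists above (the class names are assumed to be resolved to their simple form, and chained calls such as `Runtime.getRuntime().exec(...)` are not resolved).

```python
import re

# Subset of the "Sources", "Sanitization" and "Sinks" lists from the thread,
# keyed by (simple class name, method name). Constructed for this example;
# the full lists are in the quoted mail above.
SOURCES = {
    ("HttpServletRequest", "getParameter"),
    ("HttpServletRequest", "getHeader"),
    ("HttpServletRequest", "getQueryString"),
    ("Cookie", "getValue"),
}
SANITIZERS = {
    ("Encode", "forHtml"),
    ("Encode", "forHtmlAttribute"),
    ("URLEncoder", "encode"),
}
SINKS = {
    ("PrintWriter", "println"): "Cross Site Scripting",
    ("PrintWriter", "print"): "Cross Site Scripting",
    ("Statement", "executeQuery"): "SQL Injection",
    ("Statement", "execute"): "SQL Injection",
    ("Logger", "info"): "Log Forging",
}

# Method signature: "modifiers name(Type p, Type q) throws X {"
SIGNATURE_RE = re.compile(r"^(?:\w+\s+)*\w+\s*\((.*)\)\s*(?:throws\s[\w.,\s]+)?\{$")
PARAM_RE = re.compile(r"([A-Z]\w*)\s+(\w+)")
# Assignment with optional declared type: "[final] [Type] name = expr;"
DECL_RE = re.compile(r"^(?:final\s+)?(?:([A-Z]\w*)\s+)?(\w+)\s*=\s*(.+);$")
CALL_RE = re.compile(r"(\w+)\.(\w+)\s*\(")   # receiver.method(
IDENT_RE = re.compile(r"\b[a-z]\w*\b")       # lower-case identifiers (variables)


def _calls(expr, types):
    """Yield (class, method) for each receiver.method( in expr. A receiver that
    is a known variable resolves to its declared type; anything else (a static
    call such as Encode.forHtml) is taken as the class name itself."""
    for recv, meth in CALL_RE.findall(expr):
        yield types.get(recv, recv), meth


def analyze(java_source):
    """Straight-line taint tracking over one Java method body.
    Returns [(line_no, vulnerability category, statement), ...]."""
    types, tainted, findings = {}, set(), []
    for line_no, raw in enumerate(java_source.splitlines(), 1):
        stmt = raw.strip()
        sig = SIGNATURE_RE.match(stmt)
        if sig:  # seed parameter types, e.g. request -> HttpServletRequest
            types.update({name: typ for typ, name in PARAM_RE.findall(sig.group(1))})
            continue
        decl = DECL_RE.match(stmt)
        lhs, expr = (decl.group(2), decl.group(3)) if decl else (None, stmt)
        if decl and decl.group(1):
            types[lhs] = decl.group(1)
        calls = list(_calls(expr, types))
        sanitized = any(c in SANITIZERS for c in calls)
        # An expression is dirty if it calls a source or reads a tainted variable.
        dirty = any(c in SOURCES for c in calls) or any(
            tok in tainted for tok in IDENT_RE.findall(expr))
        if lhs is not None:
            # Sanitizer output is clean; otherwise taint follows the data.
            if dirty and not sanitized:
                tainted.add(lhs)
            else:
                tainted.discard(lhs)
        for call in calls:
            if call in SINKS and dirty and not sanitized:
                findings.append((line_no, SINKS[call], stmt))
    return findings


# Constructed servlet fragment used as input (not taken from any real project).
SAMPLE_SERVLET = """\
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
    PrintWriter out = response.getWriter();
    Statement stmt = conn.createStatement();
    Logger log = Logger.getLogger("app");
    String name = request.getParameter("name");
    String safe = Encode.forHtml(name);
    out.println("<h1>Hello " + safe + "</h1>");
    out.println("<h1>Hello " + name + "</h1>");
    String query = "SELECT * FROM users WHERE name = '" + name + "'";
    ResultSet rs = stmt.executeQuery(query);
    log.info("lookup for " + request.getHeader("User-Agent"));
}
"""

if __name__ == "__main__":
    for line_no, category, stmt in analyze(SAMPLE_SERVLET):
        print(f"line {line_no}: {category}: {stmt}")
```

Run as a script it reports three findings for the sample: the unencoded `out.println` (Cross Site Scripting), the string-built query passed to `executeQuery` (SQL Injection) and the header value written to the logger (Log Forging); the line that prints `safe` is silent because `Encode.forHtml` is in the sanitizer list. The one design point worth noting is that the sink table is keyed by receiver type, which is why `println` on a `PrintWriter` is an XSS sink while the same method name on a `PrintStream` would be a log-forging sink, exactly the distinction the list above draws.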

