[Owasp-leaders] Call for research: Dangerous or 'security interesting' methods in popular Java Libraries/Frameworks

Dave Wichers dave.wichers at owasp.org
Mon Oct 31 14:58:03 UTC 2016


Hey everyone,

We keep working on improving the OWASP Benchmark and one of the areas ripe
for improvement is adding support for the most popular Java libraries and
frameworks.

In Benchmark v1.2 we have a few Spring MVC SQL injection test cases, but
there are LOTS more we could add both within Spring MVC and with other
popular libraries as well. I'm wondering if any of you in the OWASP
community have already done some good research or are aware of some good
research we could leverage.

Here is specifically what I'm looking for in each popular library. (e.g.,
Spring MVC, Struts 2, Hibernate, JSF, ...)

1) Dangerous sinks in that library - i.e., methods provided by that
library that, if you send untrusted data to them, could result in a
vulnerability (like SQLi, XSS, whatever). The full list of CWE types we are
currently looking at is here:
https://www.owasp.org/index.php/Benchmark#tab=Test_Cases

2) Security controls provided by that library - i.e., if we use those
controls, such as input validators, output encoders, whatever, they make
something untrusted now safe.

3) New ways of getting input from an HTTP request - i.e., rather than
calling the traditional request.getParameter() there are new/easier ways
when using this library/framework to get input into your application (e.g.,
Spring MVC has method annotations that allow you to automatically pull in
request parameters or parts of the URL into designated variables)

4) Interesting data flows provided by the library - if the library provides
new data types for setting/getting/manipulating data, we'd like to see if
code level analysis tools understand these objects and how data flows
through them. I.e., if data flows into them and goes into a black hole from
an analysis perspective, that would be bad.
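As an added illustration of points 1 to 3 for Spring MVC (example code written for this post, not from the Benchmark project; the class, routes and table are made up), a minimal controller in which the framework's annotation-bound inputs reach a SQL sink, once unsafely and once through the library's own parameter binding:

```java
// Hypothetical Spring MVC controller: annotation-bound request input (point 3)
// flowing into a SQL sink (point 1), and the same sink used safely (point 2).
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

import java.util.List;
import java.util.Map;

@RestController
public class UserLookupController {

    @Autowired
    private JdbcTemplate jdbc;

    // Source: Spring binds ?name=... directly into the method parameter, so there
    // is no request.getParameter() call for an analysis tool to recognise.
    // Sink: the bound value is concatenated into the SQL text -> SQL injection (CWE-89).
    @GetMapping("/users/by-name")
    public List<Map<String, Object>> byNameUnsafe(@RequestParam("name") String name) {
        String sql = "SELECT id, name FROM users WHERE name = '" + name + "'";
        return jdbc.queryForList(sql);
    }

    // Source: a URL path segment, bound via @PathVariable.
    // Control: JdbcTemplate's positional binding passes the value as a bound
    // parameter rather than as part of the SQL text, so this flow is safe.
    @GetMapping("/users/{id}")
    public List<Map<String, Object>> byIdSafe(@PathVariable("id") String id) {
        String sql = "SELECT id, name FROM users WHERE id = ?";
        return jdbc.queryForList(sql, id);
    }
}
```

A tool evaluated against such test cases should flag byNameUnsafe and stay silent on byIdSafe; a finding on both, or on neither, shows it does not model the annotation sources or the binding control.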

The Benchmark project contributors will take this research and convert it
into test cases for you so you don't have to write code for us, but if you
have done or are willing to do some research in this area and can provide
it to us, that would be very helpful to the project.

Please let me know if you are interested in helping, or simply forward
whatever research or pointers to such research you are aware of.

Thanks, Dave

Dave Wichers
OWASP Benchmark Project Lead