WebApp Sec mailing list archives

Security Assessment on J2EE Environments


From: Iggeres Bet <iggeres () yahoo es>
Date: Wed, 19 Mar 2003 16:02:27 +0100 (CET)

Dear List,

I am currently working on a Security Assessment on a
J2EE project.
The Assessment is based solely on the HTTP view of
the application.
It doesn't matter here if the software is buggy BUT
not exploitable using the HTTP protocol.
The project is based on all the keywords and buzzwords
around: jsp, servlets, apache, tomcat, weblogic,
oracle, struts, cocoon, xml, etc, etc.

The problem we found is the lack of online information
about concrete security problems seen in these
environments. In this particular case the application
is so closed (and the project development team has a
high professional quality) that our assessment is now
focused on:

- Command Injection: in the SQL queries the
application uses PreparedStatement and does some
verification beforehand.

- Struts things (seeing all the actions we can execute
and pass to Java objects).

- Logic problems.

We have successfully inserted our own HTML tags inside
some form fields in the application because we found a
problem in the HTML parser the project relies on to
check for that kind of error.

So, here are the questions:

- Is there any online resource with concrete
information on security issues in this framework,
beyond the specific vulnerabilities reported?

- Are J2EE and all the monster components behind it a
milestone from a security perspective?



Thank You All
Iggeres


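An added example, not code from the post or from the assessed project, illustrating the finding above (attacker-chosen HTML tags surviving an HTML check on form fields). It pairs a constructed blocklist-style filter of the kind such checks often turn out to be with an allowlist sanitizer built on Python's html.parser (standing in for whatever parser the project used; no Java API is implied), and runs a handful of constructed payloads through both. The allowlist policy (b, i, p, a with http(s) href) and the payloads are assumptions for the example.

```python
"""
Blocklist tag stripping vs. allowlist HTML sanitizing.

Added example (not the post's or the project's code). The filter, the policy
and the payloads are constructed for illustration.
"""
import html
import re
from html.parser import HTMLParser

# Constructed stand-in for a blocklist filter: one regex pass that removes a
# handful of "dangerous" tags. Everything not on the list passes untouched.
_BLOCKED_TAG = re.compile(r"<\s*/?\s*(script|iframe|object|embed)[^>]*>", re.IGNORECASE)


def naive_strip(s: str) -> str:
    """Single-pass blocklist removal. Bypassable: tags not on the list survive,
    and removing an inner match can assemble a new tag from the leftovers."""
    return _BLOCKED_TAG.sub("", s)


class AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags/attributes; HTML-escape everything else.

    Assumed policy: b, i, p, and a (http/https href only). Any other tag, every
    attribute not listed (so every on* handler), comments and declarations are
    dropped. Text between dropped tags is kept but escaped, so it stays text.
    """

    ALLOWED = {"b": set(), "i": set(), "p": set(), "a": {"href"}}

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED:
            return  # tag dropped; its inner text still arrives via handle_data
        safe = []
        for name, value in attrs:
            if name not in self.ALLOWED[tag] or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(("http://", "https://")):
                continue  # rejects javascript:, data:, vbscript: and friends
            safe.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe)}>")

    def handle_endtag(self, tag):
        if tag in self.ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # The parser already decoded entities; re-escape so text renders as text.
        self.out.append(html.escape(data, quote=False))


def sanitize(s: str) -> str:
    p = AllowlistSanitizer()
    p.feed(s)
    p.close()
    return "".join(p.out)


# Constructed payloads of the kind a tester submits in form fields.
PAYLOADS = [
    "<scr<script>ipt>alert(1)</script>",    # one strip pass reassembles <script>
    "<img src=x onerror=alert(1)>",          # tag not on the blocklist, handler attr
    "<svg/onload=alert(1)>",                 # slash instead of whitespace
    '<a href="javascript:alert(1)">x</a>',   # allowed tag, dangerous attribute value
    "<SCRIPT>alert(1)</SCRIPT>",             # case variant (the blocklist does catch this one)
]

_TAG = re.compile(r"<([a-zA-Z][^\s/>]*)")
_BAD_ATTR = re.compile(r"\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def still_dangerous(output: str) -> bool:
    """Rough check on filtered output: any tag outside the allowlist, or an
    event-handler attribute / javascript: URL, counts as a bypass."""
    names = {m.group(1).lower() for m in _TAG.finditer(output)}
    return bool(names - set(AllowlistSanitizer.ALLOWED)) or bool(_BAD_ATTR.search(output))


def bypasses(filter_fn) -> list:
    """Payloads whose filtered form is still dangerous, in PAYLOADS order."""
    return [p for p in PAYLOADS if still_dangerous(filter_fn(p))]


if __name__ == "__main__":
    for name, fn in (("naive_strip", naive_strip), ("sanitize", sanitize)):
        print(f"{name}: {len(bypasses(fn))} of {len(PAYLOADS)} payloads still dangerous")
        for p in PAYLOADS:
            print(f"  {p!r:42} -> {fn(p)!r}")
```

The blocklist lets four of the five constructed payloads through (only the plain case variant is caught), while the parser-based allowlist neutralizes all of them; the reassembly payload in particular shows why a filter that rewrites its input must either re-run to a fixed point or, better, re-emit only what it has positively recognized.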
