WebApp Sec mailing list archives

Security Assessment on J2EE Environments


From: Gary Gwin <websec () cafesoft com>
Date: Wed, 19 Mar 2003 12:47:26 -0800

Iggeres,

Have you checked out the Top 10 Vulnerabilities document at www.owasp.org? It has very good information on SQL command injection and parameter validation.

We have a white paper on our site that discusses authentication and access control issues with respect to Tomcat:

http://www.cafesoft.com/products/cams/tomcat-security.html

You might also find a presentation we did at JavaOne to be helpful; it discusses scope issues with respect to J2EE security from an enterprise perspective. A link for this and a number of other useful J2EE security articles can be found on our site at:

http://www.cafesoft.com/support/security/links.html

I'd be very interested in working with the community to further develop information on security in J2EE environments.

Gary

Iggeres Bet wrote:

> Dear List,
>
> I am currently working on a Security Assessment on a
> J2EE project.
> The Assessment is based uniquely on the HTTP view of
> the application.
> It doesn't matter here if the software is buggy BUT
> not exploitable using the HTTP protocol.
> The project is based on all the keywords and buzzwords
> around: JSP, servlets, Apache, Tomcat, WebLogic,
> Oracle, Struts, Cocoon, XML, etc., etc.
>
> The problem we found is the lack of online information
> about concrete security problems seen in these
> environments. In this particular case the application
> is so closed (and the project development team has a
> high professional quality) that our assessment is now
> focused on:
>
> - Command Injection: in the SQL queries the
> application uses PreparedStatement and does some
> verification beforehand.
>
> - Struts things (seeing all the actions we can execute
> and pass to java objects).
>
> - Logic problems.
>
> We have successfully inserted our own HTML tags inside
> some form fields in the application because we found a
> problem in the HTML parser trusted in the project to
> check for that kind of error.
>
> So, here are the questions:
>
> - Is there any online resource with concrete
> information on security issues in this framework
> beyond the specific vulnerabilities reported?
>
> - Are J2EE and all the Monster Components behind it a
> milestone from a Security perspective?
>
>
>
> Thank You All
> Iggeres
>

--

Gary Gwin
http://www.cafesoft.com

*****************************************************************
*                                                               *
*   The Cafesoft Access Management System, Cams, is security    *
*   software that provides single sign-on authentication and    *
*   centralized access control for Apache, Tomcat, and custom   *
*   resources.                                                  *
*                                                               *
*****************************************************************
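The two concrete points raised in the quoted message (PreparedStatement with some prior verification for SQL, and a tag-stripping HTML parser that was bypassed) are illustrated below in Java, the platform the thread is about. This is an added example, not code from either poster, from Cafesoft or from OWASP. The class name, the `users` table with its `id` and `name` columns, the allow-list regex and the sample inputs are all constructed; the JDBC part needs a `Connection` supplied by the caller (so a driver and a database), while the query-building and HTML-escaping methods run as they are.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

public class SafeJ2eeInput {

    // Constructed allow-list for a username parameter. Input validation is a
    // business rule ("what is a legal username"); it is not what stops SQL
    // injection, the bound parameter below does that.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.-]{1,32}$");

    // Weak pattern: the parameter is spliced into the SQL text, so a single
    // quote in the value already changes the structure of the statement.
    static String unsafeQuery(String username) {
        return "SELECT id FROM users WHERE name = '" + username + "'";
    }

    // Hardened: the SQL text is fixed and the value travels as a bound
    // parameter, so the database never parses it as SQL. Validation runs
    // first and rejects by default; PreparedStatement would handle a value
    // such as O'Brien correctly even without it.
    static Integer findUserId(Connection conn, String username) throws SQLException {
        if (!USERNAME.matcher(username).matches()) {
            throw new IllegalArgumentException("username rejected by allow-list");
        }
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) {
                    return rs.getInt("id");
                }
                return null;
            }
        }
    }

    // For the form-field problem: rather than trusting a parser to strip
    // tags on the way in, encode on the way out so whatever the user typed
    // is rendered as text, not markup. Covers the five characters that
    // matter in HTML text and attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: a name with an apostrophe and a field with tags.
        String name = "O'Brien";
        System.out.println(unsafeQuery(name));                 // literal is cut short by the quote
        System.out.println(USERNAME.matcher(name).matches());  // false: allow-list rejects it
        System.out.println(escapeHtml("<b>hi</b> & \"quoted\""));
    }
}
```

The point to take from the thread is the division of labour: the allow-list decides what a username may look like, the bound parameter keeps data out of the SQL grammar, and output encoding makes the HTML parser's job irrelevant to safety. A check that only looks at inbound HTML, as the original poster found, is one bug in that parser away from being useless.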

