Re: Sample JAVA application

[<el () securenet de>]

In-Reply-To: <050f01c4ba39$906029e0$13bf3b0a () intranet aspectsecurity com>

Jeff,

I agree to you. Thats exactly the result of our security audits of Web Applications written in Java.
But I would add one more *except*. 
In Java applications you usually don't have systemcalls  and even if you have "systemcall injection" like "cat 
/etc/passwd" the output will not be directed to the browser like in CGI applications.

Ernst Leonhard
--------------
SecureNet GmbH, München - http://www.securenet.de

> Received: (qmail 14701 invoked from network); 26 Oct 2004 01:33:16 -0000
> Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 26 Oct 2004 01:33:16 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id 4DDD7143746; Mon, 25 Oct 2004 19:36:18 -0600 (MDT)
> Mailing-List: contact webappsec-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <webappsec.list-id.securityfocus.com>
> List-Post: <mailto:webappsec () securityfocus com>
> List-Help: <mailto:webappsec-help () securityfocus com>
> List-Unsubscribe: <mailto:webappsec-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:webappsec-subscribe () securityfocus com>
> Delivered-To: mailing list webappsec () securityfocus com
> Delivered-To: moderator for webappsec () securityfocus com
> Received: (qmail 29724 invoked from network); 24 Oct 2004 20:14:24 -0000
> Message-ID: <050f01c4ba39$906029e0$13bf3b0a () intranet aspectsecurity com>
> Reply-To: "Jeff Williams" <jeff.williams () aspectsecurity com>
> From: "Jeff Williams" <jeff.williams () aspectsecurity com>
> To: "Chris Vanden Berghe" <Chris () VandenBerghe org>,
>       <webappsec () securityfocus com>
> References: <1098437902.2419.76.camel@localhost.localdomain>
> Subject: Re: Sample JAVA application
> Date: Sun, 24 Oct 2004 22:23:06 -0400
> Organization: Aspect Security, Inc.
> MIME-Version: 1.0
> Content-Type: text/plain;
>       charset="Windows-1252"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2800.1437
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
>
> Chris,
>
> We examine many large web apps and web services. The easy way to answer your
> question is that Java apps have all the common problems *except* buffer
> overflows and related problems. The most common, in my opinion, are problems
> related to input validation, access control, and authentication.
>
> --Jeff
>
> Jeff Williams
> Aspect Security, Inc.
> http://www.aspectsecurity.com
>
> ----- Original Message ----- 
> From: "Chris Vanden Berghe" <Chris () VandenBerghe org>
> To: <webappsec () securityfocus com>
> Sent: Friday, October 22, 2004 5:38 AM
> Subject: Sample JAVA application
>
>
> > Hi all,
> >
> > I'm working on practical security of Web Applications and Web Services,
> > especially on applications written in Java.
> >
> > You find a lot of information about the typical WA vulnerabilities (SQL
> > inj, XSS, session handling errors, ...).  Information that is more
> > difficult to find is on which vulnerabilities are more likely in
> > applications written in certain programming languages (or developed
> > using a particular framework, concepts or tools).
> >
> > For my work it would be interesting to have an idea about which
> > vulnerabilities are often encountered in WA or WS written in Java (using
> > JSP, Servlets and EJB's).
> >
> > Is there anybody on this list who has seen some results of penetration
> > tests or audits of Java WA/WS?  What are the most common vulnerabilities
> > discovered?
> >
> > Kind regards and thank you in advance,
> > Chris.