Java Security

Injection and Inclusion

Injection attacks allow an attacker to supply untrusted input to a program; that input is then processed by an interpreter as part of a command or query and alters the course of execution of the program. This is a very common form of attack and a major problem in web security.

Guideline 1:

Generate valid formatting
Important Points: Many attacks involve exploiting special characters in an input string, incorrect escaping, or partial removal of special characters. Parsing and canonicalization should be done before validation.
  1. If possible, reject invalid data and any subsequent data without attempting correction.
  2. Use well tested libraries instead of ad hoc code.

Guideline 2:

Avoid dynamic SQL. Dynamically created SQL statements that use inputs from a user are another common problem.
  1. Use java.sql.PreparedStatement or java.sql.CallableStatement instead of java.sql.Statement.

Guideline 3:

XML and HTML generation requires care.
Points: Untrusted data should be properly sanitized before being included in HTML or XML output, to avoid security issues such as cross-site scripting (XSS) and XML injection vulnerabilities. Sanitization can be implemented in one of two ways.
  1. Characters that are problematic for the specific type of output can be filtered, escaped, or encoded. This approach starts from the problematic characters and assumes they are all known. Alternatively, characters that are known to be safe can be allowed, and everything else can be filtered, escaped, or encoded. This latter approach is preferable, as it does not require identifying and enumerating every character that could potentially cause problems.
  2. It is better to use a library to perform data sanitization and encoding during HTML or XML construction.

Guideline 4:

Avoid any untrusted data on the command line.
Important Points: Any data that needs to be passed to a new process should be passed in one of these ways.
  1. Pass it as encoded arguments (for example, Base64).
  2. Store it in a temporary file.
  3. Pass it through an inherited channel.

Guideline 5:

Restrict XML inclusion
Points: XML document type definitions (DTDs) allow URLs to be defined as system entities, such as local files and HTTP URLs within the local intranet or local host. An attacker could insert local files into XML data which may then be accessible to the client. To get around this problem:
  1. Reduce privileges.
  2. Use the most restrictive configuration possible for the XML parser.
  3. XML parsers can also be configured to limit functionality, such as disallowing external entities or disabling DTDs altogether.
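An added example (not code from the original page or from Oracle's guideline text) of the restrictive parser configuration this guideline describes: a DocumentBuilderFactory that refuses DOCTYPE declarations and external entities. The feature URIs are those understood by the JDK's built-in Xerces-based parser; the two XML inputs are constructed samples, and the file path in the second one is a placeholder.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class RestrictedXmlParser {

    // Build a DocumentBuilder with DTDs, external entities and XInclude disabled.
    public static DocumentBuilder newRestrictedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Most restrictive setting: reject any <!DOCTYPE ...> outright.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where DOCTYPEs must stay enabled:
        // no external general/parameter entities and no external DTD loading.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parse the document and return its root element name, or null when the
    // restricted parser rejects it (for example because it carries a DOCTYPE).
    public static String parseRootName(String xml) throws Exception {
        DocumentBuilder builder = newRestrictedBuilder();
        try (ByteArrayInputStream in =
                     new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            Document doc = builder.parse(in);
            return doc.getDocumentElement().getTagName();
        } catch (SAXException e) {
            // Rejected by the parser configuration; log e.getMessage() in real code.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document and one declaring a SYSTEM entity
        // that points at a local file (placeholder path).
        String plain = "<order><id>42</id></order>";
        String withDtd = "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///placeholder/local/file\">]>"
                + "<order><id>&ext;</id></order>";
        System.out.println("plain   -> " + parseRootName(plain));
        System.out.println("withDtd -> " + parseRootName(withDtd));
    }
}
```

With the DOCTYPE feature enabled the second document never reaches entity expansion, so the local file is never opened; the same factory settings apply to SAXParserFactory and, via setProperty on XMLInputFactory, to StAX.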

Guideline 6:

Care with BMP (bitmap) files
Important Points: BMP image files may contain references to local ICC files. Attempting to read these files may be an issue. Either avoid BMP files or reduce privileges.

Guideline 7:

Disable HTML display in Swing components.
Points: Many Swing pluggable look and feels interpret text in certain components starting with the <html> tag as HTML; you can disable this for untrusted sources. Set the html.disable client property of each component to Boolean.TRUE.

Guideline 8:

Take care interpreting untrusted code.
Points: Code can be hidden in a number of places. Some examples where you need to be diligent, first testing inputs in a sandbox environment:
  1. Scripts run through the javax.script scripting API or similar.
  2. By default, the Oracle implementation of the XSLT interpreter enables extensions that call Java code. You can disable it.
  3. Java Sound will load code through the javax.sound.midi.MidiSystem.getSoundbank methods.
  4. RMI may allow loading of remote code specified by a remote connection; the Oracle JDK disables this by default.
  5. LDAP (RFC 2713) allows loading of remote code in a server response. The Oracle JDK disables this by default.

Guideline 9:

Prevent injection of exceptional floating point values
Points: Floating point numbers require care when imported from an untrusted source. Not-a-number (NaN) or infinite values could be injected into applications.
  1. The Double and Float classes help with sanitization by providing the isNaN and isInfinite methods.
  2. Comparing Double.NaN by means of the equality operator always returns false (even against itself), so test isNaN before testing equality.