WebApp Sec mailing list archives
Security Assessment on J2EE Environments
From: Gary Gwin <websec () cafesoft com>
Date: Wed, 19 Mar 2003 12:47:26 -0800
Iggeres,

Have you checked out the Top 10 Vulnerabilities document at www.owasp.org? It has very good information on SQL command injection and parameter validation.
We have a white paper on our site that discusses authentication and access control issues with respect to Tomcat:
http://www.cafesoft.com/products/cams/tomcat-security.html

You might also find a presentation we did at JavaOne to be helpful; it discusses scope issues with respect to J2EE security from an enterprise perspective. A link for this and a number of other useful J2EE security articles is found on our site at:
http://www.cafesoft.com/support/security/links.html

I'd be very interested in working with the community to further develop information on security in J2EE environments.
Gary

Iggeres Bet wrote:
> Dear List,
>
> I am currently working on a Security Assessment on a
> J2EE project.
> The Assessment is based uniquely on the HTTP view of
> the application.
> It doesn't matter here if the software is buggy BUT
> not exploitable using the HTTP protocol.
> The project is based on all the keywords and buzzwords
> around: jsp, servlets, apache, tomcat, weblogic,
> oracle, struts, cocoon, xml, etc, etc.
>
> The problem we found is the lack of online information
> about concrete security problems seen in these
> environments. In this particular case the application
> is so closed (and the project development team has a
> high professional quality) that our assessment is now
> focalized to:
>
> - Command Injection: in the SQL queries the
> application uses PreparedStatement and does some
> verification before.
>
> - Struts things (seeing all the actions we can execute
> and pass to java objects).
>
> - Logic problems.
>
> We have successfully inserted our own html tags inside
> some form fields in the application because we found a
> problem in the html parser trusted in the project to
> check that kind of errors.
>
> So, here are the questions:
>
> - Is there some online resource about concrete
> information on security issues on this framework
> beyond the specific vulnerabilities reported?
>
> - Is J2EE and all the Monster Components behind it, a
> milestone from a Security perspective?
>
>
>
> Thank You All
> Iggeres
>
>
> ___________________________________________________
> Yahoo! Messenger - New FREE version
> Super Webcam, voice, animated smileys, and more...
> http://messenger.yahoo.es

--
Gary Gwin
http://www.cafesoft.com
*****************************************************************
*                                                               *
* The Cafesoft Access Management System, Cams, is security      *
* software that provides single sign-on authentication and      *
* centralized access control for Apache, Tomcat, and custom     *
* resources.                                                    *
*                                                               *
*****************************************************************
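The two concrete findings in the quoted assessment (PreparedStatement use for SQL, and HTML tags getting through a form-field parser) are illustrated below as an added example. This is not code from the original thread, from the assessed project, or from Cafesoft; the table `accounts(id, owner, balance)`, the class name and the method names are all hypothetical, chosen only to show the pattern. It contrasts a string-built query with a bound-parameter query, shows the case a `?` placeholder cannot cover (a user-chosen identifier in `ORDER BY`), and replaces tag detection on input with encoding on output.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.List;

// Added example (not from the original thread). Assumes a hypothetical
// table accounts(id, owner, balance); 'c' is any open JDBC Connection.
public class AccountLookup {

    // Vulnerable form: the request parameter becomes part of the SQL text.
    // owner = "x' OR '1'='1" turns the WHERE clause into a tautology.
    static ResultSet findByOwnerUnsafe(Connection c, String owner) throws SQLException {
        String sql = "SELECT id, balance FROM accounts WHERE owner = '" + owner + "'";
        return c.createStatement().executeQuery(sql);
    }

    // Hardened form: the value is bound as a parameter, so the SQL text is
    // fixed before any user data is seen and quotes in 'owner' are just data.
    static ResultSet findByOwner(Connection c, String owner) throws SQLException {
        PreparedStatement ps = c.prepareStatement(
                "SELECT id, balance FROM accounts WHERE owner = ?");
        ps.setString(1, owner);
        return ps.executeQuery();
    }

    // Caveat worth checking during an assessment: a '?' cannot stand in for
    // a table or column name. Code that sorts by a user-chosen column still
    // concatenates, and PreparedStatement alone does not save it. An
    // allow-list of the columns the page actually supports does.
    private static final List<String> SORTABLE = Arrays.asList("id", "owner", "balance");

    static ResultSet listSorted(Connection c, String sortColumn) throws SQLException {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        // Safe only because sortColumn was just matched against SORTABLE.
        PreparedStatement ps = c.prepareStatement(
                "SELECT id, owner, balance FROM accounts ORDER BY " + sortColumn);
        return ps.executeQuery();
    }

    // For the form-field tag problem: instead of trying to recognise "bad"
    // tags on input (the parser the thread describes missed some), encode
    // every reflected value on output so the browser never sees markup.
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            switch (ch) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(ch);
            }
        }
        return out.toString();
    }
}
```

When reviewing a J2EE application from the HTTP side only, the `listSorted` shape is the one to hunt for: grep for `prepareStatement(` calls whose argument is built with `+`, because those are the queries where a parameter still reaches the SQL text despite the API name. For the reflected form fields, the check is whether every `<%= request.getParameter(...) %>` or `bean:write`-style output passes through something like `htmlEscape` rather than relying on the input filter.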
Current thread:
- Security Assessment on J2EE Environments Iggeres Bet (Mar 19)
- Re: Security Assessment on J2EE Environments Jeff Williams @ Aspect (Mar 20)
- Re: Security Assessment on J2EE Environments Iggeres Bet (Mar 20)
- <Possible follow-ups>
- Re: Security Assessment on J2EE Environments bugtraq (Mar 19)
- RE: Security Assessment on J2EE Environments McLean, Michael R (Mar 19)
- Guidlines for Testing Web Applications Lecia McCalla (Mar 20)
- Re: Guidlines for Testing Web Applications dan cuthbert (Mar 20)
- Guidlines for Testing Web Applications Lecia McCalla (Mar 20)
- Security Assessment on J2EE Environments Gary Gwin (Mar 20)
- Re: Security Assessment on J2EE Environments Jeff Williams @ Aspect (Mar 20)