WebApp Sec mailing list archives
Re: Security Assessment on J2EE Environments
From: Iggeres Bet <iggeres () yahoo es>
Date: Thu, 20 Mar 2003 05:02:03 +0100 (CET)
--- "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com> wrote:
> You might start with the information in the OWASP "top ten" paper.
Yes, we are using the OWASP document too.
> Also, it sounds like you are focusing on an external penetration test.
We are doing a mix between an external penetration test and doing a security code review. Formally speaking we are seeing the code and showing the insecurities within. (The code is really big!)
> There's nothing magical about J2EE security. Most J2EE applications contain security holes.
Yes, I think there is not something magical "per se", but if the development team is good and knows where to put all the screws, the final product has better security quality than any normal enterprise product.

Thank You All,
Iggeres
> --Jeff
>
> Jeff Williams
> Aspect Security, Inc.
> http://www.aspectsecurity.com
>
> ----- Original Message -----
> From: Iggeres Bet
> To: webappsec () securityfocus com
> Sent: Wednesday, March 19, 2003 10:02 AM
> Subject: Security Assessment on J2EE Environments
>
> Dear List,
>
> I am currently working on a Security Assessment on a J2EE project. The Assessment is based uniquely on the HTTP view of the application. It doesn't matter here if the software is buggy BUT not exploitable using the HTTP protocol.
>
> The project is based on all the keywords and buzzwords around: jsp, servlets, apache, tomcat, weblogic, oracle, struts, cocoon, xml, etc, etc.
>
> The problem we found is the lack of online information about concrete security problems seen in these environments. In this particular case the application is so closed (and the project development team has a high professional quality) that our assessment is now focalized to:
>
> - Command Injection: in the SQL queries the application uses PreparedStatement and does some verification before.
> - Struts things (seeing all the actions we can execute and pass to java objects).
> - Logic problems.
>
> We have successfully inserted our own html tags inside some form fields in the application because we found a problem in the html parser trusted in the project to check that kind of errors.
>
> So, here are the questions:
>
> - Is there some online resource with concrete information on security issues on this framework beyond the specific vulnerabilities reported?
> - Is J2EE and all the Monster Components behind it a milestone from a Security perspective?
>
> Thank You All,
> Iggeres
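The code-review focus in the original message (checking that SQL queries go through PreparedStatement rather than string concatenation) can be partly automated over a large codebase. The following Python script is an added example, not code from the thread or the audited project; it flags Statement calls fed by concatenation and also prepareStatement() calls whose query text is itself concatenated, which defeats the parameterization. The sample Java lines and their identifiers are constructed for the demonstration.

```python
import re
from typing import List, Set, Tuple

# Sinks: java.sql.Statement execute* methods and Connection.prepareStatement.
STATEMENT_SINK = re.compile(r'\.(?:executeQuery|executeUpdate|execute)\s*\((.*)\)')
PREPARE_SINK = re.compile(r'\.prepareStatement\s*\((.*)\)')
ASSIGNMENT = re.compile(r'\b(?:String\s+)?(\w+)\s*(\+?=)\s*(.+);\s*$')
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')

def is_concatenated(expr: str) -> bool:
    """True if expr joins a non-literal into a string with '+'."""
    stripped = STRING_LITERAL.sub('""', expr)   # literal + literal is harmless
    return re.search(r'[\w)\]]\s*\+|\+\s*[\w(]', stripped) is not None

def review_sql_usage(java_source: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for risky SQL construction."""
    tainted: Set[str] = set()   # variables whose value was built by concatenation
    findings: List[Tuple[int, str]] = []

    def risky(expr: str) -> bool:
        return is_concatenated(expr) or any(
            re.search(rf'\b{re.escape(v)}\b', expr) for v in tainted)

    for number, line in enumerate(java_source.splitlines(), 1):
        code = line.split('//', 1)[0]          # drop trailing comments
        sink = STATEMENT_SINK.search(code)
        if sink and risky(sink.group(1)):
            findings.append((number, 'statement-concat'))
        prepared = PREPARE_SINK.search(code)
        if prepared and risky(prepared.group(1)):
            findings.append((number, 'prepare-concat'))
        assigned = ASSIGNMENT.search(code)
        if assigned and risky(assigned.group(3)):
            tainted.add(assigned.group(1))     # propagate to later uses
    return findings

# Constructed sample; identifiers are hypothetical, not from the audited project.
SAMPLE_JAVA = """\
String q1 = "SELECT * FROM users WHERE id = " + request.getParameter("id");
ResultSet r1 = stmt.executeQuery(q1);
ResultSet r2 = stmt.executeQuery("SELECT * FROM users WHERE name = '" + name + "'");
PreparedStatement p1 = conn.prepareStatement("SELECT * FROM users WHERE id = ?");
p1.setInt(1, userId);
PreparedStatement p2 = conn.prepareStatement("SELECT * FROM t WHERE col = '" + col + "'");
ResultSet r3 = stmt.executeQuery("SELECT 1 FROM dual");
"""

if __name__ == "__main__":
    for line_no, kind in review_sql_usage(SAMPLE_JAVA):
        print(f"line {line_no}: {kind}")
```

The check is line-based and heuristic: queries assembled in StringBuilder or across several lines still need a manual read, which is what the per-file findings are meant to prioritize.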