Re: Sample JAVA application

["Jeff Williams" <jeff.williams () aspectsecurity com>]

Have you looked at OWASP WebGoat?  It is littered with security holes that
are more-or-less realistic.  I'm a big advocate of doing your own intrusion
detection in your application.  It isn't that hard to detect requests that
are almost certain to be attacks and handle them appropriately.

--Jeff

----- Original Message ----- 
From: "Chris Vanden Berghe" <Chris () VandenBerghe org>
To: "Scott, Richard" <Richard.Scott () bestbuy com>
Cc: <webappsec () securityfocus com>
Sent: Wednesday, November 10, 2004 11:30 AM
Subject: Re: Sample JAVA application


> Hi Richard and other webappsec-readers,
>
> Thanks for your repies to my question on Java Web Application security.
>
> I'm looking into application-level intrusion detection for Java Web
> Applications and Web Services  Therefore it would handy to have some
> examples of real-world vulnerabilities discovered in Java WA/WS.
>
> While it is very easy to find some publicly available examples of PHP
> web applications with known vulnerabilities (e.g. bugtraq and an
> archived PHPnuke version), it turns out to be rather hard for Java web
> applications.  This is probably due to a combination of factors: PHP is
> more popular for non-business (e.g. open-source) web application
> development, PHP requires less programming skills than Java, and PHP is
> probably also more prone to some classes of vulnerabilities (e.g., no
> support for SQL prepared statements).
>
> So, I would be very interested in some real-world Java web applications
> with known vulnerabilities.  Does anyone have some pointers to such
> applications or vulnerable code snippets?  That would be a great help...
>
> Thanks,
> Chris.
>
> ---
> Scott, Richard wrote:
> > In my opinion, I look for lack of control particularly how the
> > applications implement authentication.  When dealing with, specifically,
> > Java based services; I've also kept a look out for such applications
> > being used as conduits to other services where buffer overflows be used.
> > Often web services act as a transport/portal to a non java based
> > application.  While this is in the minority of web services I have seen,
> > I have ran in to it a couple of times.
> >
> > For the large usage of web services, most clients look at leakage of
> > confidential information and/or unauthorized use of a sensitive
> > operation the web service offers.
> >
> > Cheers,
> > Richard
> > -----Original Message-----
> > From: Jeff Williams [mailto:jeff.williams () aspectsecurity com]
> > Sent: Sunday, October 24, 2004 9:23 PM
> > To: Chris Vanden Berghe; webappsec () securityfocus com
> > Subject: Re: Sample JAVA application
> >
> > Chris,
> >
> > We examine many large web apps and web services. The easy way to answer
> > your
> > question is that Java apps have all the common problems *except* buffer
> > overflows and related problems. The most common, in my opinion, are
> > problems
> > related to input validation, access control, and authentication.
> >
> > --Jeff
> >
> > Jeff Williams
> > Aspect Security, Inc.
> > http://www.aspectsecurity.com
> >
> > ----- Original Message ----- 
> > From: "Chris Vanden Berghe" <Chris () VandenBerghe org>
> > To: <webappsec () securityfocus com>
> > Sent: Friday, October 22, 2004 5:38 AM
> > Subject: Sample JAVA application
> >
> >
> >
> > > Hi all,
> > >
> > > I'm working on practical security of Web Applications and Web
> >
> > Services,
> >
> > > especially on applications written in Java.
> > >
> > > You find a lot of information about the typical WA vulnerabilities
> >
> > (SQL
> >
> > > inj, XSS, session handling errors, ...).  Information that is more
> > > difficult to find is on which vulnerabilities are more likely in
> > > applications written in certain programming languages (or developed
> > > using a particular framework, concepts or tools).
> > >
> > > For my work it would be interesting to have an idea about which
> > > vulnerabilities are often encountered in WA or WS written in Java
> >
> > (using
> >
> > > JSP, Servlets and EJB's).
> > >
> > > Is there anybody on this list who has seen some results of penetration
> > > tests or audits of Java WA/WS?  What are the most common
> >
> > vulnerabilities
> >
> > > discovered?
> > >
> > > Kind regards and thank you in advance,
> > > Chris.