Java & Web Security Training

This week I attended a 3 days training on Java and web security with Ernő Jeges from SEARCH-LAB.
It was nice to refresh my memory on the theoretical part, and I also got the chance to study and test many vulnerabilities.

Below some notes I took:
intro:
- running away of competition not of the hackers (bear story)
- SPIT = spam over voice over ip
- $1000 - sharing bootnets for spam delivery or 1 mil email addresses
- www.eegs.com
- Common Criteria - security standard

java:
- applets can only talk with the origin server
- jca/jce - core of java security
- jca: for data integrity
- jce: for confidentiality/encryption
- jaas: authentication & authorization

- use RSA for encrypting a secret key to be used for symmetric encryption because RSA is CPU expensive
- blind signature
- checkout SecureRandom

vulnerabilities:
- google: mysql injection cheat sheet
- sql injection
- xss
- upload a php/jsp page instead of a image
- hasing passwords is not enough, always use hash(password, salt) or hash(password, rand) and store the rand number also.
- SecureData example: make the class final, or disable avoid clonnable
- JVM does not support inner classes, so the compiler will create separate classes, and will generate getter/setters for the inner class
- OWASP - checkit out
- http://tomcat.apache.org/security-6.html
- rsa timer attack
- fast exponentiation

Comments

Post a Comment

Popular posts from this blog

What an architect should first think about

I'm currently reading the book Beautiful Architecture . In one of the chapters the author outlines what an architect should take into consideration when thinking of a new system. There are 9 things. Functionality What functionality does the product offer to its users? Changeability What changes may be needed in the software in the future, and what changes are unlikely and need not be especially easy to make in the future? Performance What will the performance of the product be? Capacity How many users will use the system simultaneously? How much data will the system need to store for its users? Ecosystem What interactions will the system have with other systems in the ecosystem in which it will be deployed? Modularity How is the task of writing the software organized into work assignments (modules), particularly modules that can be developed independently and that suit each other's needs precisely and easily? Buildability How can the software b...
Read more

Notes from Release It! Book

Unbounded Result Sets / Unbounded Capacity In any API or protocol, the caller should always indicate how much of a response it is prepared to accept. TCP does this in the "window" header field. Search engine APIs allow the caller to specify how many results to return and what the starting offset should be. Limit results coming out from the database. SELECT TOP 15 colspec FROM tablespec SELECT colspec FROM tablespec WHERE rownum <=15 SELECT colspec FROM tablespec LIMIT 15
Read more