devkuma – Security

Secure Coding Overview

kc@example.com (kc kim) — Sat, 26 May 2018 23:03:00 +0900

Overview

Secure coding reduces application vulnerabilities, which are often the largest source of software security defects.

Impact

A weakness is a flaw that can cause a vulnerability; a vulnerability is a weakness that can be exploited in a real incident.

Countermeasures

CWE classifies common weakness patterns, while CVE identifies publicly known vulnerabilities.

Information Exposure Through Error Messages

kc@example.com (kc kim) — Sat, 26 May 2018 23:03:00 +0900

Overview

Detailed error messages can expose stack traces, paths, SQL statements, server versions, and internal identifiers.

Impact

Return a generic user-facing message and log detailed diagnostics only in a protected server-side log.

Countermeasures

Configure framework and WAS error pages so internal exception details are not shown to clients.

Examples

try {
    ....
} catch (Exception e) {
    e.printStackTrace();
    return e.getMessage();
}

try {
    ...
} catch (Exception e) {
    System.out.println("ERROR1");
    return "ERROR1";
}

Secure Coding Guide

kc@example.com (kc kim) — Sat, 26 May 2018 23:03:00 +0900

This guide summarizes common secure coding weaknesses and practical countermeasures for application development.

SQL Injection

kc@example.com (kc kim) — Sat, 26 May 2018 23:03:00 +0900

Overview

SQL injection occurs when untrusted input is combined directly into a SQL statement.

Impact

Attackers may read, modify, or delete data and may bypass authentication.

Countermeasures

Use parameterized queries, prepared statements, ORM binding, and strict input validation instead of string concatenation.

Examples

try {
    String tableName = props.getProperty("jdbc.tableName");
    String name = props.getProperty("jdbc.name");
    String query = "SELECT * FROM " + tableName + " WHERE Name =" + name;
    stmt = con.createStatement(query);
    rs = stmt.executeQuery();
   ...
} catch (SQLException sqle) { ... } finally { ... }

<select id="selectByUserId" resultType="com.devkuma.dto.User">
    SELECT user_id,
      FROM devkuma_user
     WHERE user_id = '${userId}'
</select>

String tableName = props.getProperty("jdbc.tableName");
String name = props.getProperty("jdbc.name");
String query = "SELECT * FROM " + tableName + " WHERE Name =" + name;
stmt = con.prepareStatement(query);
rs = stmt.executeQuery();
...

String tableName = props.getProperty("jdbc.tableName");
String name = props.getProperty("jdbc.name");
String query = "SELECT * FROM ? WHERE Name = ?";
stmt = con.prepareStatement(query);
stmt.setString(1, tableName); stmt.setString(2, name);
rs = stmt.executeQuery();
...

OAuth 2.0

kc@example.com (kc kim) — Wed, 04 Oct 2017 22:41:52 +0900

Overview

OAuth 2.0 lets a resource owner grant a client limited access to protected resources without sharing the owner’s password. Common roles include the resource owner, client, authorization server, and resource server. Grant flows such as authorization code, client credentials, and refresh token are selected according to the client type and trust level.

Key Points

Keep credentials and tokens protected.
Prefer current standards and well-maintained libraries.
Validate trust boundaries and expiration rules.

Cross-Site Scripting (XSS)

kc@example.com (kc kim) — Sat, 26 May 2018 23:03:00 +0900

Overview

XSS allows attacker-controlled script to run in another user’s browser.

Impact

Reflected XSS returns injected script immediately, while stored XSS persists malicious content on the server.

Countermeasures

Encode output by context, validate input, avoid unsafe DOM APIs, and apply security headers such as Content-Security-Policy.

Examples

<tr>
  <td colspan="2">${contents}</td>
</tr>

<tr>
     <td colspan="2"><c:out value="${contents}"/></td>
</tr>

String param = request.getParameter("Param");
param = param.replaceAll("<script>", "");
param = param.replaceAll("</script>", "");

<c:out value="${param}" escapeXml="false"></c:out>

Automatic Connection to an Untrusted URL

kc@example.com (kc kim) — Sat, 26 May 2018 23:03:00 +0900

Overview

Open redirects happen when an application redirects users to a URL supplied by an attacker.

Impact

They can support phishing, token theft, and trust abuse because the redirect starts from a legitimate site.

Countermeasures

Allow only trusted destinations, map redirect IDs to server-side URLs, and reject external or malformed targets.

Examples

<html>
<head>
</head>
<body>
    URL : ${param.url}
  <%
       if (request.getParameter("url") != null)
           response.sendRedirect(request.getParameter("url"));
  %>
</body>
</html>

System Data Information Exposure

kc@example.com (kc kim) — Sat, 26 May 2018 23:03:00 +0900

Overview

System data exposure leaks internal configuration, directory paths, account information, or environment details.

Impact

Such information helps attackers understand the system and select more effective attacks.

Countermeasures

Minimize exposed diagnostics, sanitize responses, restrict management endpoints, and review deployment error handling.

Examples

...
public void foo() {
    try {
        go();
    } catch(IOException e) {
        out.println(e.getMessage());
    }
}
...

...
public void foo() {
    try {
        go();
    } catch(IOException e) {
        System.err.println("IOException Occurred");
    }
}
...

Upload of Dangerous File Types

kc@example.com (kc kim) — Sat, 26 May 2018 23:03:00 +0900

Overview

Dangerous file upload allows executable scripts or active content to be stored and later executed.

Impact

Validate extensions and MIME types, inspect file content, rename files, and store uploads outside the web root.

Countermeasures

Run malware scanning and enforce size, count, and permission limits.

Path Manipulation and Resource Injection

kc@example.com (kc kim) — Sat, 26 May 2018 23:03:00 +0900

Overview

Path manipulation occurs when user input controls file paths or resource identifiers.

Impact

Attackers may read arbitrary files, overwrite resources, or access restricted data.

Countermeasures

Normalize paths, use an allowlist of resource names, block traversal sequences, and enforce access checks after resolving the path.

Examples

public void download(HttpServletRequest request, HttpServletResponse response) throws Exception {
    String filepath = request.getParameter("filepath");

    if (filepath == null)
        return;

    filepath= PathUtil.getHome() + "/web/board_attach/" + filepath;

    DownloadUtil.download(response, filepath);
}

public void download(HttpServletRequest request, HttpServletResponse response) throws Exception {
    String filepath =request.getParameter("filepath");

    if (filepath == null)
        return;

    filepath = filepath.replaceAll("/","");
    filepath = filepath.replaceAll ("\\\\","");
    filepath = filepath.replaceAll ("\\.","");
    filepath = filepath.replaceAll ("&","");
    filepath = PathUtil.getHome() + "/web/board_attach/" + filepath;

    DownloadUtil.download(response, filepath);
}

Hard-coded Passwords

kc@example.com (kc kim) — Sat, 26 May 2018 23:03:00 +0900

Overview

Hard-coded passwords and secrets are easily leaked through source code, binaries, backups, and logs.

Impact

Once exposed, the same secret may compromise every deployed environment that uses it.

Countermeasures

Use a secret manager or protected environment configuration, rotate secrets, and keep credentials out of source control.

Examples

public Connection DBConnect(String url, String id) {
    try {
        String url = props.getProperty("url");
        String id = props.getProperty("id");
        conn = DriverManager.getConnection(url, id, "tiger");
    } catch (SQLException e) {
        System.err.println("...");
    }
    return conn;
}

public Connection DBConnect(String url, String id) {
    try {
        String url = props.getProperty("url");
        String id = props.getProperty("id");
        String pwd = props.getProperty("passwd");
    ...
    byte[] decrypted_pwd = cipher.doFinal(pwd.getBytes());
    pwd = new String(decrypted_pwd);
    conn = DriverManager.getConnection(url, id, pwd);
    } catch (SQLException e) {
        System.err.println("...");
    }
    return conn;
}

Weak Password Requirements

kc@example.com (kc kim) — Sat, 26 May 2018 23:03:00 +0900

Overview

Weak password policies allow short, common, or predictable passwords.

Impact

This increases the success rate of brute-force, credential stuffing, and dictionary attacks.

Countermeasures

Require sufficient length, block known compromised passwords, rate-limit attempts, and support multi-factor authentication.

Examples

try {
  String id = request.getParameter("id");
  String passwd = request.getParameter("passwd");
}
catch (SQLException e){ ...... }

try {
    String id = request.getParameter("id");
    String passwd = request.getParameter("passwd");
    if (passwd == null || "".equals(passwd))
        return;
    if (!passwd.matches("") && (passwd.indexOf("@!#") > 0) && (passwd.length() > 7)) {
      ...
  } catch (SQLException e) { ...... }

One-way Hash Functions Without Salt

kc@example.com (kc kim) — Sat, 26 May 2018 23:03:00 +0900

Overview

Unsalted hashes produce identical values for identical passwords and are vulnerable to precomputed attacks.

Impact

A unique salt per password prevents simple reuse of rainbow tables.

Countermeasures

Use password hashing algorithms such as bcrypt, scrypt, Argon2, or PBKDF2 with appropriate cost parameters.

Examples

import java.security.MessageDigest;

public byte[] getHash(String password) throws NoSuchAlgorithmException {
    MessageDigest digest = MessageDigest.getInstance("SHA-255");
    digest.reset();
    return digest.digest(password.getBytes("UTF-8"));
}

Use of Weak Cryptographic Algorithms

kc@example.com (kc kim) — Sat, 26 May 2018 23:03:00 +0900

Overview

Weak cryptographic algorithms such as MD5, SHA-1, DES, or RC4 no longer provide adequate protection.

Impact

Collisions, small key sizes, and known attacks can undermine integrity and confidentiality.

Countermeasures

Use current, approved algorithms and libraries, such as SHA-256 or stronger hashes, AES-GCM, and modern TLS configurations.

Examples

public String getCryptedPassword(String salt, String password) {
    return new MD5HashGenerator().getValue(password);
}

public String getSalt(String userId, String password) {
    return SHA256HashGenerator.getInstance().getValue("--" + Calendar.getInstance().getTime().toString() + "--" + userId + "--");
}

public String getCryptedPassword(String salt, String password) {
    return SHA256HashGenerator.getInstance().getValue("nest--" + salt + "--" + password + "--");
}

Missing Limits on Repeated Authentication Attempts

kc@example.com (kc kim) — Sat, 26 May 2018 23:03:00 +0900

Overview

Without limits on repeated authentication attempts, attackers can automate password guessing.

Impact

Excessive attempts may also degrade service availability.

Countermeasures

Apply rate limiting, temporary lockouts, progressive delays, IP and account monitoring, and multi-factor authentication.

Operating System Command Injection

kc@example.com (kc kim) — Sat, 26 May 2018 23:03:00 +0900

Overview

OS command injection occurs when user input is passed to shell commands.

Impact

Attackers may execute arbitrary commands with the application’s privileges.

Countermeasures

Avoid shell execution, call safe APIs directly, allowlist arguments, escape only as a last resort, and run with least privilege.

Examples

Set<String> filterSet = new HashSet<String>();
filterSet.add("del");
filterSet.add("rmdir");
String year = request.getParameter("year");
for (String filter : filterSet) {
    year = year.replace(filter, "##" + filter.trim() + "## ");
}
File exeFile = new File(...);
FileUtil.write(exeFile, file.getAbsolutePath() + " " + year);
Process process = Runtime.getRuntime().exec(exeFile.getPath(), null, file.getParentFile());

Null Pointer Dereference

kc@example.com (kc kim) — Sat, 26 May 2018 23:03:00 +0900

Overview

Null pointer dereference happens when code uses a value after it may be null.

Impact

It can cause application crashes and may lead to denial of service.

Countermeasures

Check return values, fail fast on invalid state, use Optional-style APIs where suitable, and keep null checks close to use sites.

Examples

public Object returnNull() {
    return null;
}

public void testNull() {
    String str = returnNull().toString();
}

public void getInputFromFile() {
    try {
    BufferedReader br = new BufferedReader(new FileReader("input.dat"));
    String str = br.readLine();
    str.toUpperCase();
   ...
}

public class ForwardNullEx {
    public void test() {
        String uppercased = toUpperCase(null);
    }

    public String toUpperCase(String arg) {
       arg.toUpperCase();
    }
}

public class UncheckedNullEx {
    public void test(String x) {
        String str = "";
        System.out.println(str);
        if(x != null) {
            str = x.toUpperCase();
        }
        x.toString();
    }
}

Improper Resource Release

kc@example.com (kc kim) — Sat, 26 May 2018 23:03:00 +0900

Overview

Improper resource release occurs when files, streams, sockets, database connections, or locks are not closed.

Impact

Leaked resources can exhaust memory, handles, connections, or locks and reduce availability.

Countermeasures

Use structured cleanup such as try-with-resources or finally blocks and verify cleanup on both success and failure paths.

Examples

try {
    OutputStream os = response.getOutputStream();
    FileInputStream fis = new FileInputStream(file);
    FileCopyUtils.copy(fis, os);
    fis.close();
    return true;
} catch (IOException e) {
    logger.error(e, e);
}

OutputStream os = null;
FileInputStream fis = null;
try {
    os = response.getOutputStream();
    fis = new FileInputStream(file);
    FileCopyUtils.copy(fis, os);
} catch (IOException e) {
    logger.error(e.getMessage());
} finally {
    try {
        fis.close();
        os.close();
    } catch (IOException e) {
        logger.error(e.getMessage());
    }
}

OutputStream os = null;
FileInputStream fis = null;
try {
    os = response.getOutputStream();
    fis = new FileInputStream(file);
    FileCopyUtils.copy(fis, os);
} catch (IOException e) {
    logger.error(e.getMessage());
} finally {
    try {
         if (fis =! null)
             fis.close();
    } catch (IOException e) {
        logger.error(e.getMessage());
    }
    try {
         if (os =! null)
             os.close();
    } catch (IOException e) {
        logger.error(e.getMessage());
    }    
}

Improper Authorization

kc@example.com (kc kim) — Sat, 26 May 2018 23:03:00 +0900

Overview

Improper authorization allows authenticated users to access functions or data outside their privileges.

Impact

It can expose sensitive data or allow unauthorized modification.

Countermeasures

Enforce authorization on the server for every request, check object ownership, and deny by default.

Kerberos

kc@example.com (kc kim) — Wed, 21 Dec 2022 16:27:45 +0900

Overview

Kerberos authenticates users through tickets issued by a trusted Key Distribution Center. The main components are the client, service server, Authentication Server, Ticket Granting Server, and encrypted tickets. This model supports single sign-on but depends heavily on time synchronization and the availability of the KDC.

Key Points

Keep credentials and tokens protected.
Prefer current standards and well-maintained libraries.
Validate trust boundaries and expiration rules.

Examples

$ yum install -y krb5-workstation krb5-libs

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 allow_weak_crypto = true

[realms]
  EXAMPLE.COM = {
  kdc = kdc.example.com.:88
  admin_server = kdc.example.com
  default_domain = example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

$ kinit

$ klist

SAML (Security Assertion Markup Language)

kc@example.com (kc kim) — Thu, 15 Sep 2022 11:36:00 +0900

Overview

SAML is an XML-based standard for exchanging authentication and authorization assertions between an identity provider and a service provider. It is widely used for enterprise single sign-on, especially between organizations and SaaS services.

Key Points

Keep credentials and tokens protected.
Prefer current standards and well-maintained libraries.
Validate trust boundaries and expiration rules.

Cryptography

kc@example.com (kc kim) — Tue, 05 Oct 2021 10:24:00 +0900

Overview

One-way cryptography uses hash functions to transform data so the original value cannot be practically restored. Two-way cryptography encrypts data so it can be decrypted later with the correct key. Hashing is common for integrity checks and password verification, while encryption is used when data must be recovered.

Key Points

Keep credentials and tokens protected.
Prefer current standards and well-maintained libraries.
Validate trust boundaries and expiration rules.

What is JWT?

kc@example.com (kc kim) — Fri, 07 May 2021 09:37:47 +0900

Overview

JWT consists of a header, payload, and signature separated by dots. The payload stores claims such as issuer, subject, audience, expiration, and custom application data. Because the payload is Base64URL-encoded rather than encrypted, sensitive data should not be stored there unless JWE or another encryption layer is used.

Key Points

Keep credentials and tokens protected.
Prefer current standards and well-maintained libraries.
Validate trust boundaries and expiration rules.

Examples

HEADER.PAYLOAD.SIGNATURE

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

{
  "alg": "HS256",
  "typ": "JWT"
}

{
  "http://www.devkuma.com/": true
}