Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Java Security Traps Getting Worse



 By: Lisa Vaas
2007-05-09
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Java Security Traps Getting Worse
  2. ' XSS Is a Really '

Rate This Article:
Poor Best
Java Security Traps Getting Worse
( Page 1 of 2 )

Updated: At JavaOne last year, Fortify's Brian Chess discussed how to avoid Java security holes. A year later, with even Sun's manuals containing code with cross-site scripting vulnerabilities, we're actually w

A year ago at JavaOne, Fortify Software Founder and Chief Scientist Brian Chess gave a presentation titled "12 Java Technology Security Traps and How to Avoid Them."

A year later, how far have we come in addressing those inherent vulnerabilities, which include XSS (cross-site scripting), SQL injection and native methods that allow the import of C or C++ code—along with its bugs? Not a smidge—unless you count going backwards.

Its gotten worse, Chess said in an interview with eWEEK, "and Ive got evidence to prove it."

Fortify, which markets source-code analysis technology, has access to a large database of common Java programming errors and vulnerabilities, gleaned not only from its customers but also from a year of running the Java Open Review project.

In that project, Fortify uses FindBugs, a static analysis tool that looks for bugs in Java code, to look over code in open-source projects such as Apache, Azureus and Tomcat. Fortify does an analysis on each inspected code set, publishes online how many issues it finds and then shares with project maintainers the vulnerability specifics.

What Fortify has found from running the project is that the defect density of open-source code is "astronomical," Chess said, pointing out one project in particular that Fortify has inspected over the past year: Net Trust, with an estimated 12.215 errors per 1,000 lines of code.

Resource Library:

"Thats huge for a project with trust in its name," Chess said.

Ironically enough, Net Trust is a Google project to create a security mechanism for simple single sign-on and authentication. "But they were students doing not very good code," Chess said.

Net Trust is one of many examples that demonstrate that Java security traps, although known for some time, are snaring more programmers all the time as use of the language grows.

Java expert William Pugh agrees with Chess when it comes to Java security traps getting worse. "XSS is getting to be a very big issue," he said in an interview with eWEEK. "Tools like Fortifys tool set will look for problems with XSS, but its not easy to cleanse your code of any XSS [vulnerabilities]. The statistics weve seen is that this is on its way to becoming the biggest vulnerability" in Java applications, if not in all Web attacks, he said.

Pugh is a professor in the department of Computer Science at the University of Maryland in College Park, as well as being the author of the FindBug tool that Fortify has used in the Java Open Review project.

Beyond XSS, Pugh said that the two issues people most talk about when they talk security in Java are typically untrusted malicious code and SQL injection. "In a case where youre running applets … [the question is,] what can those applets do? Can they change the behavior of the program youre running in any way?"

"People running stuff on servers, they dont run untrusted code," he said. "[But] another type of security vulnerability thats of much bigger concern is SQL injection. … Those are all continuing to be big issues."

Adding to the problem is that the teaching of secure coding remains spotty at best.

To illustrate the lack of secure coding instruction, Chess points to a recent find he made, from none less than the Java giant, Sun. Specifically, the Sun introduction to servlet programming (Suns simplest method for hooking Java up to the Web) contains cross-site scripting vulnerabilities.

One example of an XSS vulnerability are these lines from Suns instructions:

try { firstname = request.getParameter("firstname"); } catch (Exception

e) { e.printStackTrace(); }

userName = firstname;

...

pw.print("

Thanks for your feedback, " + userName + "!

");

This code allows an attacker to inject code into the application that will be executed on a victims browser, Chess said.

"The code expects that a user has entered a name like this: Bob," Chess wrote in an e-mail exchange. "But an attacker could set it up so that the data looks like this: <script>sendDataToMotherShip()</script> and then the victims browser would execute a function named sendDataToMotherShip()."

A secure version of the server-side code, Chess said, would check input to make sure that it only contains an expected set of characters and no executable scripts.

"SQL injection problems still do sit at the top of the list" of Java security traps, he said. "[Developers are] trusting input they shouldnt trust."

Next Page: XSS is a really easy mistake to make.





  Reader Comments: Java Security Traps Getting Worse
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


xv6(;^+(g٦xn)K&|,-J$!)9^%3~UxDJ٧-`U* w~ I ӞKXXcӱGMIj}ݻ@AifAU 5 Je>HwW7nSYS;^> \?g#Q;Y|}^qjN[ .hѱ LIA#T9a?xh @IR(#Ѻ8!QQXqD'H;*#'x8׽i/DeO‡^b&{Bq25;^;0k}Ba5w0vK]K<$#M-G ؓ ۭA lvy!h #gKݻHݠLo@d`jI:D:"4#2R!p `p)zDtGL: nK> P:x }3~bArxflQO*! lpi+j%yyyN ]tY֡_׽ƷHM=gadYofAvQKv TmO |l ݟQ~$OL"3Nˡ,Fp0-s|Wi #MTZ]QJrG╇i΃oⳉSqs˯ j4.W ? n8th;ʠm%k%Cq={grعx'Z;AW@o&1`ZLTQRhd" ̆N׳P? u/kQ2Z-_ 4ʍhGZIAv,f3} 3+i3* dnxp*?[:WM!MsYf0ZiCA+Wt?{sL{uڻ퓳 9|t G|D  Wh N/`6['^=:$~<=|kh`=v8LwzҐ ?N;d[/' mDO `mDm[ܹ*BRKEǛʃ3ReQ o(n>@|Ӡd 2Tc]vj\Ӭh4xka 43@_x0ND0f4M5 ,eg{05AM)61rGv!fByM)oz@U@ZR~nV(9U7$ٛ"G;z̈_"ʥgp1S{fwsY 9tmpq^oV͉:]X[u5jZnE?´;{:n:ݻeoǫg%",$ꨦժt ~JjGexQio+&r/ f[Ԗ-Pò˔A' ~ẏ>cD>O=sjysvi(|I}Ѧ>:7}<3 @ L^a ;p|g<-v1 a {>0sN}Y`IE 6]LR}j;>tHhS0<xw0ܛ[s_#]ӽ[:F?L`= 0.Z- Be^~}¢8 B7}ٜ릥L L<ģbL RP|'sZ( 7^bS2(%%E2G 4.gP)AH =[h 99~ ޑvZ)'JPl=!ԑtLZ|΍gJ9eb -d[b~Il eV&vϏxbB|#'bXr`Y \h+|i)lc dje[J,4T(/1#FEQ q +:dS7mrHמx: xtwO8fÂ[zdbMXhl:ʚ"/d<ShƏ0Y0UEXl&G[cBB1[0 =gΠ:'_ǖ0.'˗јSQrRҋsMh +gYA3'|(@]4>+WuPÃ"`"+42[m̞f; kkF3UʝWQy'gz)5WMyքc$C ֳ6_2}=ӧΜ9Esr:w'ѫU?Ŀ\?MVZd݋$/gcPoWuJ@[&9ފ9e_sf<6B񕖲HD,Pc/XKkezd(U6LF%IokwCSsbR6qcR5J Ȕe8+Վ4Q>ڹc3%P$wCJ$l%UH׋w@4-=]OL<}_lNϣ )a!w1N)>C TXfRhj]L-F ?|(+Gұ箩 ʢY]S4~5'|2t:歰C`V9aNg43aJ }z"{Owg=)V}溝AlX(%Uij"yd\s˰e0Lb2hp B@U.)L19j 2b*[PTB$漋tW\܁ĒbtXQ }:^x}Sː 0gtWed- IV/굘frhUUԎjV9 _VŅ_2:Ew: pp7poj-O@(1] e!1`<}׽~w]f#r?D)z%<4W{u!XT^wp-z_5>6 `i4~{D(}G7{5eu{^0lgAhy+ @$+ǽw)\owėtOz~J\t:R1AZ`'M}}uu4)$E}~|hqZ&IEqDcxH;~idLiWqݜvn8`LRX5c-ɅHgB fx|Fp6 9 ºUXȬe`|PH2XaHHR ~ti}N .@$BAnpkz!NU He*4Д+%IA%vNz7mx<|mr/HUɉ C^4} y*}y:}_exB+ǻBɘ{pУ3YJqvi#]c~:)}CON9Y~DҼ"7.9o l"HtSC23 &rޚS%[BcsOӖO|BXaJ;Da2u?I{uYXX$<3OђN)tJȓ$F=)jZ$jRSfj# $_2 I,v+2B:Tz{ gaM.m2jt/6Dr0@u\e0 `q0螴/‰@P V0k{R̵jПd A ̯> H-@^_ ޼=2'oQp]9Qz AC~oN~\4107yv߶rO0cݥoR:i?{޽Ҿ2CWq [:+`*9$ThH^ݍd_"2NIJa/:}L9zdM#}ӹJfz7ki^x̠tl>g[f1viéfGP/b{~sIU~(TR=/aO"J麇\%(]MT,^\RK>\k՛@" b]_ I{Oz[2YXtjQWgo ?M'|ȞF8^XDcxSyg!,da}3G0[)=)Ι2F'`'-ݺܭ)³$`GDAR7}igA j(l N XW+Oiƿ_BWc+YT>9bG^}E^iK%8q]R1">! $[Wb/CPO&NoĤ IU%-^IC)1m4Xx/G)Dzt9>$0I.uhtt l +GCh"@E#Є*di=®Z$imw ܃=#L3K|ڭ$L5ڎEk_#k_'WGp+}5mᮽp8ꆉD# ĊG(1 (FnbP.f ]mPyW[.)j簔r2rCUC||||ߪh|j^ŊD2  a9 j"t[pyCwH1]%A9cj5> 46rd>J &R 2T%c4.n3zfwljE_m3Dq#jM5^0!pNO@Ah'ﱳ9ң%`t9`"p6?΃E)վZsz>-|j"|J=hNaStM=vōi~whq㳤"gR(Y3?w}2{4(PG>k~~i//m~ZأŹe^,6K@{4I7mqg'!ZpP]}zUccjhj"j8Ǟ6;1K1w=ǘ}f][G?$ƁrQo|֊[NiΞC.tėq0}ŞΈ[AqCb$Skux'Ҏ7a3 0.$o,}{4 *S\0k\'긯 7v.FKHLKfQXܷ_EW̹xnG¤Zt'O|,D2~(^Ax8n eK{{[$6"PK.}KRG*+N+ߕtW BZcĻlWes[ɣ.j", jDc0Z`oh1]?)fFllz^C Ӎ`5`vX5Vڹq yK-y-J4s35a0Y}ο=R[TnZo@V`m 4,\ $:BπTaA4`C"iR%<j;O{TOiwCO;|7yj]SjZYq +*PVl> #F#xإ)C`z%Ed#us{敊V.ի);g=#T EL>F9e1O}TK;RI`m3_wOye`\z1ĖV]Oj$ K3%[ $0kh h_awᷭA91Y|aΝWD ]%FJ%͂4KHJ -g~1~"js{#C!ce~,MWlfmmEUk ַg%.04%XnMPwq߷~-JJ06b̦[q{Za`^",?`{O_ňVR>fDk9-CCKOckӘPt>c\TeLW<05# gզٝ$7ygF]ٿ[!g=Jl~#&-C*4;R7-΢A Jt Mx57+ Sx C7))ځUޒߙi4<~}A6ڔyiN&$Y c r/o@\Ix#k3dv*+_!߰VIm{7R[ $yґ?Z,DD$ is^m3tnaCcoMdם:/y.fK? ` (^31Faŷ~(l;b21bHc$; +D:DR7 (aWU T, !L)%n67p>9ow[X,a49`F"Sc8= 3ܕmxndn,Eǥ}-AG͚G71=` ?v^!usx\jHIcPB<_DRfndƙqwgؗYZ#AaP8Z  +z+uT'I]WP)9CȮ KDU8|.OOcyݬd/co*\iBR. ?h$@&쌆xɺxu0 }a3brtncվDz7Mn:p?^+rܹ(lkMQwqIYs}ӽZg31F;6/M&E`"eje) C9?[Ԟrm.4 "GȁW.}Q X\mę_?>bD(/& F^mÀec}zz|jŵN|vuI鲫fΧ6A{ m~nj4}V08SD~s2 Nn"(%W(5oOrʑ@NN d}r>?@nu.ZӜr_7^C9_h)埲/E|Z9s _ /}/s{ ̡%%e^^'UWcN9 S~ 90W9{s#?W0~W9׃r?=/r qu7?799~A .!>BǼrc~~sw y9{  wɹNr!(oYNoR89B8_*Uy@a uuSހ}VU<_`k9t _s ̭L_'BX\jzr+^vieq  | #r75iohg?>/ydV֫k+#B5AfПb 9?&OxVf}4;(fi3Q*5ýEyR780׀z#/)`wN>tkҹj_ ;졽7K쓥?M}̃oDV)pF ;F,R+|c ,~v)hعjzrt=på6@$ߛt1OD$w1eM+5VkZpWrDaDD1A jJUN-ժJRL3BAzG l]{ۦJ̾ZCO3CX)x}̺lk %qnq|5h_Yt[H-'g@诿N`Xkt83o6N7"f8̆I ůD|݅N,ga"<T#0?Ǻӳ׎m(bmzmWw-m~K5 D 9b[L1L%e%$2(~1'~#pIi/ 1IBm`Z(>/A^KŞfs(NZ&h[l,)1{;Kh.NH+`+594Ǟ"0ـħ%NA1W]fA_f|bOh6MxYum&d v"ѱy4q+WVX#e ^3P3Fӽ&}Z7l 2& 6LG4 (= >IϐR$xK9o̮hF<.u[#rɶz/1F#qy] YV8[T"?]zYrKY^ ҽLS̤c? `nwfں=Pŗ;wisF)f'NFptYӧ7-["@F'pG!mX=>;Oulם@ P⁜0ћKxǹ_ԕu`g#~"3V[œA>hxM(Fْ[0F=u}^nT02+1<&wEߟ2"L- Ԣ?͛sg(\*],1Ał?9g;i : Ǣ8"U]x[9ԋO0xeӵh_ɬqY?[ m-p5"`:=Vڕ+zyL1e~}=3G(q2,@P݌^5`y+@4> q-E6<:=܈x?ƃna@ZY LN 6뱊v9E=b\ Ѩ -**3ߙn﹨]e!+ 7I;s[_@U =[?܋;ɾ N|L/Xטl g)C2^#s!oYX&7ę /O ChXj=E"ҁ )Q~ fK#fE)[Rj2 19.f@9xI1%h3l䃈mAb?k2ǏxDh\N"?hTU9w, j3+[Ȁ7H>Y{D,5Rb:(/z0  [1nB< .&DW6K5Ƙb~v1yLX+0_e 92lt* X>ˣ`oٵBRKnrmmk )60M؏Ä "5poq3yezЙJpKZ8 g!0X^ZpTT/>%hw2b5#ʧ=M~q ĸ03Vt*NO  <] e!$g~V;~v?;w a% ѨT\vkOz,,}|K'}:Š#EKBݜv D>V}zڽzuK+_/0dF[Wy&FϦkMUjD;ydMn+:cQEae=i(ziKmN~늘p6JL?-۔9MR"GZk/%!zR4r0>dv=,Mӝo3a-d4džIkckj K)