These are the notes from the book - ‘Iron-Clad Java: Building Secure Web Applications’ by Jim Manico, August Detlefsen and others, published by Oracle Press.
I picked up the book from our local library on a whim and decided to give it a go. The book was published in 2015, and so hopefully it is not too out of date.
Web application security basics
As expected in a book from Oracle Press, it focuses on Java and J2EE technologies from the get-go.
Untrusted data: any data that enters your web application from an outside source, even from databases and other applications within your organization, should be treated as untrusted. Untrusted data can be any part of the HTTP request; do not trust any aspect of it. Attackers can and will modify every part of an HTTP request to exploit your web application.
Intercepting proxies are important tools for intercepting and modifying requests from users (human and machine). Attackers use these proxy tools to:
- modify user-entered input
- add/modify/delete headers, cookies, and HTTP verbs (GET, POST, DELETE)
Some well known intercepting proxies are:
- Burp Suite
- OWASP ZAP
- OWASP WebScarab
- Firefox plug-in Tamper Data
Safe handling of data means properly validating all sources of data that enter your web application, and properly encoding data when it leaves the application for a web page, database or other location.
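The validate-on-input, encode-on-output rule in practice, as an added Python example (not code from the book or from these notes): a hypothetical username allowlist, three context-specific output encoders, and the same attacker-controlled string rendered with and without them. The username rule, the page template and the payload string are constructed for the example.

```python
import html
import re
from urllib.parse import quote

# Allowlist rule for a username field. The 3-32 character limit and the
# permitted character set are assumptions of this example, not the book's rule.
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{3,32}")


def validate_username(value: str) -> bool:
    """Positive validation: accept only what the business rule explicitly permits."""
    return USERNAME_RE.fullmatch(value) is not None


def encode_html_body(value: str) -> str:
    """For data placed between tags, e.g. <p>HERE</p>: escape & < > " and '."""
    return html.escape(value, quote=True)


def encode_html_attribute(value: str) -> str:
    """For data inside a quoted attribute, e.g. value="HERE": encode every
    character outside [A-Za-z0-9] as a numeric entity, so neither the quote
    character nor anything else can terminate the attribute."""
    return "".join(
        c if (c.isascii() and c.isalnum()) else f"&#x{ord(c):X};" for c in value
    )


def encode_url_param(value: str) -> str:
    """For data placed in a query-string parameter: percent-encode everything."""
    return quote(value, safe="")


def render_profile_unsafe(display_name: str) -> str:
    """The 'before': untrusted data concatenated into three different contexts."""
    return (
        f"<h1>Hello {display_name}</h1>\n"
        f'<input name="display_name" value="{display_name}">\n'
        f'<a href="/search?q={display_name}">Search</a>'
    )


def render_profile_safe(display_name: str) -> str:
    """The 'after': the same page with the encoder chosen per output context."""
    return (
        f"<h1>Hello {encode_html_body(display_name)}</h1>\n"
        f'<input name="display_name" value="{encode_html_attribute(display_name)}">\n'
        f'<a href="/search?q={encode_url_param(display_name)}">Search</a>'
    )


# Constructed attacker input: closes the attribute, then injects a script tag.
PAYLOAD = '"><script>alert(1)</script>'

if __name__ == "__main__":
    print("valid username accepted:", validate_username("alice_01"))
    print("payload accepted as username:", validate_username(PAYLOAD))
    print(render_profile_unsafe(PAYLOAD))
    print(render_profile_safe(PAYLOAD))
```

Note that the encoder is chosen by where the data lands, not by where it came from: the same string needs three different encodings on that one page, and a single `html.escape` would have left the URL context under-encoded.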
Security is often lumped in with non-functional business requirements like performance. Security requirements have to be fluid in order to adapt to the ever-evolving threat landscape (and business requirements — ed).
Security Quality — business rules to ensure that the data is consistent with business requirements.
HTTP security considerations
HTTP is a stateless, request and response protocol that drives the vast majority of web traffic.
HTTPS allows for:
- confidentiality — protect your data from being seen
- integrity — protect your data from being changed
- authenticity — assurance that the server you are talking to really is the domain you asked for
Cipher suites are negotiated between browser and server to determine the cryptographic strength of the session transport. This means the cryptographic strength of an HTTPS connection can vary widely between different HTTPS servers.
HTTP/S GET request
Components of an HTTP request:
- HTTP verb: GET
- Resource: https://www.btbytes.com/
- Version: HTTP/1.1
- Request Headers:
  - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:2232.0)
  - Accept: text/html
  - Accept-Language: en-US, en; q=0.5
  - Connection: keep-alive
  - Host: www.btbytes.com
Questions:
- what are the valid values for these request headers?
- how much are they validated by servers?
- are they used as attack vectors?
- what are the well-known exploits around request headers?
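To make the first three questions concrete, here is an added Python example (not from the book or from these notes): a minimal parser for a request like the one shown above that keeps every component, including duplicate headers, and a check that treats each of them as untrusted. The tampered request is constructed to look like the output of an intercepting proxy: verb rewritten, a second Host header, a cookie claiming an admin role, a bare line feed smuggled into a header value, and a Content-Length that does not match the body. The allowed hosts and verbs are assumptions for the example.

```python
import re
from typing import List, NamedTuple, Tuple

TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # RFC 7230 header-name characters
CTL_RE = re.compile(r"[\x00-\x08\x0A-\x1F\x7F]")          # control characters other than HTAB


class Request(NamedTuple):
    verb: str
    target: str
    version: str
    headers: List[Tuple[str, str]]   # order and duplicates preserved on purpose
    body: bytes


def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP/1.x request into its components without trusting any of them."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name, value.strip()))   # name kept verbatim: a space in it is a finding
    return Request(parts[0], parts[1], parts[2], headers, body)


def cookies(req: Request) -> dict:
    """Cookie values arrive from the client and are as untrusted as any form field."""
    jar = {}
    for name, value in req.headers:
        if name.lower() == "cookie":
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                if key:
                    jar[key] = val
    return jar


def check_request(req: Request, allowed_hosts, allowed_verbs=("GET", "POST")) -> List[str]:
    """Return every way the request departs from what the application expects."""
    findings = []
    if req.verb not in allowed_verbs:
        findings.append(f"verb {req.verb} not allowed")
    if req.version not in ("HTTP/1.0", "HTTP/1.1"):
        findings.append(f"unexpected version {req.version}")
    hosts = [v for n, v in req.headers if n.lower() == "host"]
    if len(hosts) != 1:
        findings.append(f"expected exactly one Host header, got {len(hosts)}")
    for host in hosts:
        if host.lower() not in allowed_hosts:
            findings.append(f"Host {host!r} not in allowlist")
    for name, value in req.headers:
        if not TOKEN_RE.fullmatch(name):
            findings.append(f"invalid header name {name!r}")
        if CTL_RE.search(value):
            findings.append(f"control character in {name} value (header injection?)")
    for value in (v for n, v in req.headers if n.lower() == "content-length"):
        if not (value.isascii() and value.isdigit()):
            findings.append(f"non-numeric Content-Length {value!r}")
        elif int(value) != len(req.body):
            findings.append(f"Content-Length {value} but body is {len(req.body)} bytes")
    return findings


# Constructed: the request from the notes above, as the browser sent it.
CLEAN = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.btbytes.com\r\n"
    b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:2232.0)\r\n"
    b"Accept: text/html\r\n"
    b"Accept-Language: en-US, en; q=0.5\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# Constructed: the same session after an intercepting proxy rewrote it.
TAMPERED = (
    b"DELETE /account/42 HTTP/1.1\r\n"
    b"Host: www.btbytes.com\r\n"
    b"Host: evil.example\r\n"
    b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:2232.0)\r\n"
    b"Cookie: session=abc123; role=admin\r\n"
    b"X-Forwarded-For: 127.0.0.1\nX-Injected: yes\r\n"
    b"Content-Length: 999\r\n"
    b"\r\n"
    b"id=42"
)

if __name__ == "__main__":
    req = parse_request(TAMPERED)
    print("verb:", req.verb, "target:", req.target, "cookies:", cookies(req))
    for finding in check_request(req, {"www.btbytes.com"}):
        print("REJECT:", finding)
    print("clean request findings:", check_request(parse_request(CLEAN), {"www.btbytes.com"}))
```

Real servers and frameworks do some of this (most reject control characters and malformed Content-Length), but none of them know which verbs, hosts or cookie claims your application considers valid, which is why the `role=admin` cookie parses without complaint and has to be checked against server-side session state rather than believed.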