Security aspects specific to the Java programming language and libraries.
5 votes, 5 answers, 175 views
Is sending plain passwords over SSL as part of a password update process bad?
The Web application I'm working on is 100% SSL secured (or rather TLS as it is called today...). The application recently has been audited by a security company. I mostly agree with their results but ...
1 vote, 1 answer, 16 views
What are the risks when processing a document with Apache POI?
Apache POI is a Java library for processing office documents.
What are the risks associated with processing untrusted documents? For example, a web site that allows users to upload documents that are ...
2 votes, 2 answers, 27 views
Is there a website or other resource that lists operating systems/platforms and the included root certificates?
I need to choose a certification authority (CA) to get a certificate, but I noticed that several of these are only present in some operating systems/platforms like Windows. I need to choose one ...
1 vote, 1 answer, 27 views
How does Java connect via SSL to a server without me providing any private/public key for the communication? [duplicate]
I am talking about server side auth only.
Does Java create an internal self-signed cert for this communication?
AFAIK from TLS protocol, we both need to create a shared secret, which is based on what ...
0 votes, 0 answers, 6 views
Logging out programmatically after providing credentials using HttpClient [closed]
I'm using the Apache HttpClient 4.3.4 library in Java to programmatically provide credentials to a URL that requires authentication. This is what I have in my code:
public static void ...
0 votes, 0 answers, 16 views
How to install SSL certificate in the Trusted Root Certification Authorities Store? [migrated]
Apologies in advance, I do not have an IT background and have never done this before, yet I am being asked to figure this out and to do so as soon as possible. Our organization is trying to update ...
0 votes, 1 answer, 102 views
SQL injection is possible but selected queries not working
I'm black-box testing an application which uses the Java Spring Framework and MySQL in the back-end.
When I insert a single quote (') in a text box field, the server returns an HTTP status code 500 ...
0 votes, 0 answers, 20 views
Bad Padding Exception - RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING in pkcs11 [migrated]
My application is accessing an e-Token for decrypting the response coming from the server.
The session key from the server is encrypted using:
RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING
I am using ...
1 vote, 3 answers, 93 views
Are there commercially available hardware encryption devices over USB? [closed]
I'm designing a system where some combination of hardware and software (let's call it an appliance...) sends asynchronous secure archival to the cloud. By secure, I mean AES-256 encrypted, with AES ...
2 votes, 1 answer, 37 views
How many bits of entropy does an identifier contain?
According to https://www.owasp.org/index.php/Insufficient_Session-ID_Length:
Assuming that the session identifiers are being generated using a good source of random numbers, we will estimate the ...
1 vote, 0 answers, 26 views
Checkmarx's vulnerability scanner reports Java's HibernateTemplate.find() method to be vulnerable to SQLi attacks [migrated]
I'm developing a Java application using Hibernate and the Spring Framework. When I scan the project with Checkmarx's vulnerability scanner, it reports several SQL injection vulnerabilities in the ...
0 votes, 1 answer, 25 views
Executing external process from Java security
What are the security implications of executing external processes using Java ProcessBuilder/Process? Example:
Runtime rt = Runtime.getRuntime();
Process proc = rt.exec("processExecutable");
InputStream ...
1 vote, 1 answer, 37 views
Storing encryption passphrases in memory in Dalvik?
Given KeePassDroid, I'm considering some of the security implications of accessing KeePass databases on an Android device.
In the native applications for Windows, OSX, and Linux, whenever the ...
1 vote, 1 answer, 51 views
Why are certain languages chosen for security application development over others?
Specifically, why are the most popular attack proxies written in Java? Is there any particular security posture to the design of the Java language that makes writing tools like these simpler? Easier ...
0 votes, 3 answers, 68 views
Java AES encryption output length
I am trying to encrypt a few database columns (string values) using the Java AES algorithm. This is to protect certain sensitive data. For some users this data should be decrypted.
In Java AES encryption, if ...
0 votes, 1 answer, 34 views
Private and public key need to have same algorithm?
The private and the public key from the cert must have the same algorithm, correct?
EDIT: Yes of course pub / priv are a key pair.
So this code would be legal, to be more flexible (e.g. ECDSA or DSA):
...
3 votes, 2 answers, 91 views
Is AES (Rijndael) faster than Blowfish?
I know theoretically that Blowfish is much faster than AES. But I benchmarked several algorithms including AES and Blowfish for 1MB, 5MB, 10MB etc. files on the Java 8 platform with the Bouncy Castle library. In ...
0 votes, 0 answers, 19 views
Using JCE Ciphers as a Digest? [migrated]
Some of the BouncyCastle methods take a Digest as input. According to http://en.wikipedia.org/wiki/Cryptographic_hash_function#Hash_functions_based_on_block_ciphers and ...
0 votes, 0 answers, 99 views
Share and store RSA public key in Java server and vice versa
My requirements are:
Requirement 1: Share public key to java server.
Steps:
Generate public-private keys in iOS app.
Store the generated keys in keychain.
Send generated public key to java server.
...
75 votes, 7 answers, 8k views
Why do I hear about so many Java insecurities? Are other languages more secure?
I really like the Java programming language, but I continuously hear about how insecure it is. Googling 'java insecure' or 'java vulnerabilities' brings up multiple articles talking about why you ...
0 votes, 1 answer, 63 views
How can I get confirmation of new security problem in struts2?
I just read about this new struts2 security problem. I want to tell our developers to patch it, but I wish for some more sources first. The only source he cites is in another language. I guess I ...
1 vote, 1 answer, 175 views
Is it safe to use localstorage to store session variables and user password? [closed]
I'm trying to make a web application in Java with a login/session system using com.sun.net.httpserver and, as far as I know, it does not have an inbuilt method for this. So, I had the following idea:
1 - ...
2 votes, 2 answers, 189 views
Can you write an OS-related virus using high level languages like Python?
It is a well known fact that OS-related viruses are commonly written in low level languages like C or C++ which require direct access to the kernel of the CPU. I am just wondering if it's possible ...
3 votes, 1 answer, 278 views
Decrypt Passwords based on using a user's password
I am creating a database to store our client's information at work (a heritage center specializing in DNA based genealogy). Once the results of a test come back, we have people that use the ...
1 vote, 1 answer, 97 views
Auto deploy war file (backdoor/shell) to particular folder
I am in the midst of a pentest. I have managed to upload a war shell (backdoor) in c:\test\ which is automatically deployed in a folder, for example c:\test\tmpbrowser.war.
The application which I ...
0 votes, 2 answers, 155 views
Doesn't the same string encrypted with the same key generate the same encrypted value?
This is my page and class to encrypt the string entered and saved in database.
Each time, the Key__c is the same, as I take it from custom settings.
But when I enter abc and save two times, the ...
22 votes, 3 answers, 2k views
Why did Java (JRE) vulnerabilities peak in 2012-2013?
I've taken a graph of the amount of CVE reports concerning the JRE per Year.
Now as you can see this spiked in 2012-2013, which could have been guessed easily, if you look at the amount of news items ...
1 vote, 2 answers, 137 views
How do I Mitigate Directory Traversal when User-Supplied Input is a Mandatory Business Case?
I have an instance where we have an application that requires the ability to set up sftp commands that are specified by administrative users. They are configured through the front-end of the ...
0 votes, 1 answer, 109 views
What are the security features of JRE 8?
I was tasked with finding the security features of JRE 1.8 and comparing them to JRE 1.7 update 51. When I try to look for new security features though, it only shows ">JDK< Security Enhancements" (i.e. not ...
17 votes, 4 answers, 3k views
How secure is Java's hashCode()?
In our views in a Java web application, I am currently using hashCode as IDs for objects so that at the server end I can get the same object back.
However, I am wondering how secure Java's hashCode ...
1 vote, 0 answers, 72 views
Checklist for securing JBoss
Is there a security checklist for auditing JBoss configuration files?
CIS and DISA provide security checklists only for Tomcat and Apache server. Are there any other resources?
0 votes, 2 answers, 104 views
Anti-Virus Integration
We have found an issue with some production systems: the Anti-Virus causes the program to become slow a lot of the time and generally interferes with the activity of our software. Now as far as I ...
0 votes, 1 answer, 46 views
How to modify a certificate using getTBSCertificate() method
I want to show that if I modify one bit or byte of a given X509 certificate, the signature verification returns false (because this modification results in a different hash value for the certificate). ...
0 votes, 1 answer, 76 views
What freeware tool for Java source code review? [closed]
I need a freeware tool for source code review for my application which uses WebSphere Portal and Java as technology. Please provide me relevant information or links regarding this.
2 votes, 1 answer, 2k views
Java Applet - Need Code Signing Certificate vs SSL Certificate
I'm working on a Java Applet that used to be self-signed. Now that Java 7u51 is being used, I am working to get the jar for the Applet signed.
I used the certificate/key used for the apache2 ssl ...
1 vote, 2 answers, 54 views
How to avoid log4j output external modification
I had a request to find a solution for making a log file secure from editing by the user (not the root user) running the JBoss instance of an application (Linux environment).
First idea I had is to use ...
1 vote, 0 answers, 111 views
Can a Java servlet filter be used to pull out scripts that aren't whitelisted?
I might be asking a similar question to this: Whitelisting DOM elements to defeat XSS
But I think my proposed solution is different and I was wondering if I could get the community to comment on ...
7 votes, 3 answers, 843 views
Is Java relevant to Information Security?
I'm currently studying Computer Science, where we're taught Java programming. I want to get into the IT security field, but it seems to me that Ruby and Python are more relevant for that, so I have a ...
1 vote, 0 answers, 53 views
Need help with a web service in Axis2 with HTTPS in Java
I have written my web service with HTTPS, but as per requirement I should provide authentication, so I thought of going with HTTPS/SSL. Could anyone help me with steps like moving from HTTP to HTTPS and SSL ...
4 votes, 3 answers, 208 views
Android and FIPS
I've recently been tasked with a research project to write a "secure messaging application" using "government approved protocols" (the government being the USA). I'm taking this to mean asymmetric ...
1 vote, 2 answers, 226 views
How can I determine the Java version running on a remote server?
Short version
How can I determine the Java version a remote server is running if I only have access to the server through port 443?
Long version
I am validating a pentest run by another group. ...
1 vote, 4 answers, 152 views
How to store passphrase in this situation?
How to store a passphrase with a Java application that periodically needs access to its plaintext form? It is a strange situation, but I am wedged in it. If providing a decent security mechanism is ...
0 votes, 1 answer, 129 views
Java Drive By & Stub - Explanation [closed]
I have been trying to make some extensions for Chrome lately to block some unwanted stuff. I have also been searching for quite some time to find what a JDB does. So, the applet downloads a file, ...
1 vote, 1 answer, 429 views
How securely random is Oracle's java.security.SecureRandom?
There was a lot of news in the past year about exploitable weaknesses in cryptography which originated from weak random number generators. In some cases it was negligence on the side of the developers, in ...
0 votes, 1 answer, 218 views
Learning to script tools in Python and general Pen Testing
I want to learn Pen Testing and already know Java and have been learning Python and am fairly comfortable with Python syntax. I also have some knowledge on Linux and TCP/IP.
My questions are:
How can ...
3 votes, 1 answer, 407 views
Salt usage for Spring Security?
I use Spring Security for Java web applications and I have written an AuthenticationProvider which is working without salt, and now I want to either add salt or alternatively use the built-in ...
4 votes, 1 answer, 136 views
What are the major vulns that affect the Dalvik VM of Android?
I frequently hear about the security risks of using Android. But few people who write articles on this subject ever identify what parts of Android are at fault, nor do they identify design flaws. Can ...
0 votes, 1 answer, 178 views
Encrypting a file with an RSA key
I wrote a Java program to encrypt and decrypt files using the AES algorithm in CBC mode and a random initialization vector, but there is something fundamental I'm not understanding: first I generate a ...
0 votes, 1 answer, 749 views
Java SSL factory connection to SSL server (with just public-key and certificate)
I am trying to connect to an SSL web server. We currently have a pkcs12 file and connect with that; it is our private key and certificate. Is it possible to connect using Java code with a public key and ...
0 votes, 2 answers, 489 views
Client Authentication by certificates in Google App Engine Java
I am writing an application in Google App Engine Java which authenticates the user by their certificate. I have created a self-signed certificate using keytool on the client side. I also enabled HTTPS ...