Year Of Security for Java – Week 8 – HTTP Strict Transport Security

What is it and why should I care? HTTP Strict Transport Security (HSTS) is a new(ish) technology that allows an application to force browsers to only use SSL/TLS (HTTPS, not HTTP) when visiting their application. This occurs when the application sets an HSTS specific HTTP response header. Browsers that support HSTS recognize the response […]

Year Of Security for Java – Week 7 – Content Security Policy

What is it and why should I care? Content Security Policy (CSP) is a new(ish) technology put together by Mozilla that web apps can use as an additional layer of protection against Cross Site Scripting (XSS), which is the primary goal of the technology. A secondary goal is to protect against clickjacking. XSS is […]

Year Of Security for Java – Week 6 – CSRF Prevention in Java

What is it and why should I care? Cross Site Request Forgery (CSRF) is an attack wherein a victim is forced to execute unknown and/or undesired requests to a website at which he/she is currently authenticated. It exploits the fact that the “credentials” needed to perform a function on a website are generally loaded […]

Year Of Security for Java – Week 5 – Clickjacking Prevention

What is it and why do I care? Clickjacking is a type of “web framing” or “UI redressing” attack. What that simply means in practice is that: 1. A user (victim) is shown an innocuous, but enticing web page (think watch online video) 2. Another web page (that generally does something important – think […]

Year Of Security for Java – Week 4 – Session Cookie HttpOnly Flag

What is it and why do I care? Session cookies (or the cookie containing the JSESSIONID to Java folks) are the cookies used to perform session management for web applications. These cookies hold the reference to the session identifier for a given user, and the same identifier is maintained server-side along with any session […]

Year Of Security for Java – Introduction

Year Of Security for Java This will serve as the introduction for a new series that will have roughly 1 article per week for a year. This series will be different from my last series (OWASP Top Ten – Java) in that each article will be pretty short and focused. There are several motivations […]

Beware the HTTP path parameter

Please forgive the title, but today’s topic is something to be wary of if you write (or use) any access control / authorization type code in web-based j2ee apps: HTTP URL path parameters. Many people are unfamiliar with them (as they are uncommon), but they are something you should be aware of. A nice […]

Application Intrusion Detection with OWASP AppSensor

Introduction This article is a basic introduction to AppSensor, an OWASP project that’s been gaining a lot of traction recently. It’s a fairly simple concept, and one that I think (and hope) will be implemented in lots of applications in the near future. If you’d rather watch a video about AppSensor, here is a […]

Preventing Log Forging in Java

This article will provide a quick overview of log forging and discuss a couple simple solutions to prevent it. First, what is log forging? Logging is one of the most common things that an application does. Logging is a very generic term that can mean lots of different things, from debug style logging for […]

The OWASP Top Ten and ESAPI – Final Summary

Ok, well now we’ve been through all the issues listed in the 2007 version of the Top Ten. The new 2010 version is very similar with a couple discrepancies. I may follow up on those couple of issues at a later time. Hopefully you’ve seen through all the articles in this series that ESAPI […]