Re: Security Assessment on J2EE Environments
From: Jeff Williams (at) Aspect <(at)>
Date: Wed Mar 19 2003 - 19:38:50 EST

I haven't found any resources with exactly what you are looking for. There are lots of papers about JVM security models, applet security, and Java security class libraries. But you're looking for information about finding flaws in a custom J2EE application. I think the reason that you can't find this information is because most websites have implemented their own security -- so it's difficult to generalize about flaws. Struts, for example, is a framework that takes quite a bit of customization to work. There are just too many ways for developers to blow it.

So you'll have to rely on a more general description and tailor it for your review. You might start with the information in the OWASP "top ten" paper. The goal of your test should be to validate that the app doesn't contain any of the top ten (and the additional items listed in the conclusion). We've seen serious problems in J2EE apps with access control, session management, authentication flaws, cryptography, etc.

Also, it sounds like you are focusing on an external penetration test. If it's possible, you should consider a security code review to find the problems. Reviewers should check the code for the top ten and verify the design. Pretty soon, you'll have validated the top ten with a much higher degree of completeness than a penetration test.

There's nothing magical about J2EE security. Most J2EE applications contain security holes. Sure they're not susceptible to buffer overflows. And if they use PreparedStatements, they are less likely to have SQL injection holes. But the rest of the top ten holes are common. Check out OWASP's WebGoat if you want to practice on a J2EE web app that's full of holes.

--Jeff
Jeff Williams
Dear List,
I am currently working on a Security Assessment on a J2EE project.

The problem we found is the lack of online information about concrete security problems seen in these environments. In this particular case the application is so closed (and the project development team has a high professional quality) that our assessment is now focused on:

We have successfully inserted our own HTML tags inside some form fields in the application because we found a problem in the HTML parser trusted in the project to check that kind of error. So, here are the questions:
Thank You All
Received on Thu Mar 20 13:08:41 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT
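The two points raised in the thread (PreparedStatements reducing SQL injection, and the original poster's finding that HTML tags could be pushed through the application's input-side HTML parser) are illustrated below in an added Java example. This is not code from the thread, from Jeff Williams, or from any project mentioned; it assumes a hypothetical `users` table with `id` and `name` columns and a JDBC `Connection` supplied by the caller, and the sample inputs are constructed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

/**
 * Added illustration for the thread: the SQL and HTML handling patterns a
 * J2EE code review would look for. Not part of any real project.
 */
public class J2eeDefenses {

    // --- 1. SQL: string concatenation vs PreparedStatement ---------------

    // The injection-prone pattern: user input is spliced into the SQL text,
    // so a single quote in the input alters the statement itself.
    static String concatenatedLookupSql(String username) {
        return "SELECT id FROM users WHERE name = '" + username + "'";
    }

    // The parameterised form the reply recommends: the value travels to the
    // driver separately from the SQL text, so quotes in it stay data.
    // Assumes a hypothetical users(id, name) table.
    static Integer lookupUserId(Connection conn, String username) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("id") : null;
            }
        }
    }

    // --- 2. HTML in form fields: encode on output, accept-list on input ---

    // Stripping tags with a parser on the way in (the control the assessed
    // application relied on) is fragile. The reliable control is to encode
    // the HTML metacharacters whenever a stored value is written into a page.
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Input-side validation that accepts a known-good shape instead of trying
    // to remove bad content: a name field that does not match is rejected.
    private static final Pattern NAME = Pattern.compile("^[\\p{L} .'-]{1,64}$");

    static boolean isValidName(String s) {
        return s != null && NAME.matcher(s).matches();
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String legitName = "O'Brien";
        String taggedName = "<b>Bob</b>";

        // The apostrophe alone is enough to break the concatenated statement.
        System.out.println("concatenated: " + concatenatedLookupSql(legitName));
        System.out.println("parameterised: SELECT id FROM users WHERE name = ?  [value bound separately]");

        // Accept-list validation: the first passes, the tagged value is rejected.
        System.out.println("valid '" + legitName + "': " + isValidName(legitName));
        System.out.println("valid '" + taggedName + "': " + isValidName(taggedName));

        // Output encoding: even if a tagged value reached storage, it renders as text.
        System.out.println("encoded: " + htmlEncode(taggedName));
    }
}
```

Run with `javac J2eeDefenses.java && java J2eeDefenses`; the `lookupUserId` method compiles against the standard JDBC API but is only exercised when a real `Connection` is passed in. The design point for a reviewer is the split of responsibilities: `isValidName` decides what is allowed in, `htmlEncode` is applied at every output point regardless, and the database query never sees user input as SQL text.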