6.4.4.1 Input Validation and Output Encoding
Script injection and SQL injection attacks in a Web application rely on the lack of user input
validation and lack of output encoding in a Web application. All user input needs to be validated
by strong server-side input validation routines validating the data entered by a user against a set
of explicitly allowed inputs. Output encoding will also be adopted to ensure that malicious user
input (containing JavaScript) is encoded while being rendered as output in the Web application,
thereby nullifying the effect of the malicious script.
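The following is an added example, not code from the original text, showing the two controls described above: server-side validation against an explicit allow-list, and HTML encoding of user input when it is rendered. The class name, the search-term pattern and the sample inputs are assumptions made for illustration.

```java
import java.util.regex.Pattern;

public class InputOutputHandling {
    // Hypothetical allow-list for a product search term: letters, digits,
    // space and hyphen, 1 to 40 characters. Everything else is rejected.
    private static final Pattern SEARCH_TERM = Pattern.compile("[A-Za-z0-9 \\-]{1,40}");

    /** Server-side validation: accept only input matching the allow-list. */
    static boolean isValidSearchTerm(String input) {
        return input != null && SEARCH_TERM.matcher(input).matches();
    }

    /** Encode for an HTML element body or a quoted attribute value. */
    static String encodeForHtml(String input) {
        if (input == null) return "";
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the original text.
        String[] samples = {
            "blue-widget 42",
            "<script>alert(1)</script>",
            "widget' OR '1'='1"
        };
        for (String s : samples) {
            boolean ok = isValidSearchTerm(s);
            // Encode on output even when validation failed: the rejected
            // value is often echoed back in an error message.
            System.out.println((ok ? "ACCEPT " : "REJECT ") + encodeForHtml(s));
        }
    }
}
```

The encoder covers HTML body and quoted-attribute contexts only; values placed inside JavaScript, CSS or URLs need an encoder for that context.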
6.4.4.2 Secure Database Access
Applications using raw SQL queries to make database calls are found to be vulnerable to SQL
injection. The attacker can use crafted SQL queries to subvert the existing SQL query and extract
information from the database. Panthera's Web application will utilize parameterized SQL queries
in conjunction with strong input validation implementation to ensure that SQL injection attacks
are averted.
6.4.4.3 Error Handling
Default Web application error pages contain several bits of key information that are very useful to
the attacker. In several cases, default error pages also contain information relating to exceptions
that occur or failed SQL queries, providing invaluable information to the attacker, which may
lead to a subsequent compromise of the Web application. Panthera's e-commerce application will
implement customized error pages, which will only convey the minimum amount of information
about the Web/application server and version. These customized error pages will also be configured
not to contain messages of application exception and their details, which may aid an attacker
in compromising an application.
Section 3 of this topic will explore the Java implementations for authentication and authorization,
data protection, logging, and secure coding practices in detail.
6.5 Summary
This chapter has delved into the risk assessment phase for Panthera's e-commerce application. The
processes of system characterization, threat analysis, and risk mitigation strategy have been
exemplified, keeping in mind a typical e-commerce application. The outcome from the risk assessment
activity is the creation of the detailed security requirements for the Web application, which have
been detailed in this chapter. The security requirements are for authentication and authorization,
data protection (cryptography), logging, and secure coding practices to be followed for the security
functionality of the e-commerce Web application.