# Java/JS Secure Coding

| Language   | Insecure Function/Practice                                | Vulnerability              | Scenario                                                                                                          | Remediation/Secure Function                                                                                       |
| ---------- | --------------------------------------------------------- | -------------------------- | ----------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- |
| Java       | `ObjectInputStream.readObject`                            | Insecure Deserialization   | A web application deserializes untrusted data from user input, leading to remote code execution.                  | Use a safe deserialization library like `Gson` or `Jackson`, validate and sanitize input, use `ObjectInputFilter` |
| Java       | SQL built by string concatenation (`Statement`, or `PreparedStatement` without bind parameters) | SQL Injection              | A web application constructs SQL queries by concatenating user input instead of using parameterized queries.      | Use parameterized queries with `PreparedStatement` (`?` placeholders bound via `setString`/`setInt`, never concatenation) |
| Java       | `request.getParameter` without validation                 | Cross-Site Scripting (XSS) | A web application directly outputs user input in the HTML response.                                               | Validate and encode user input using libraries like `ESAPI` or `OWASP Java Encoder`                               |
| Java       | `HttpServletRequest.getSession` without secure attributes | Session Fixation           | A web application does not set the `HttpOnly` and `Secure` attributes on session cookies.                         | Set `HttpOnly` and `Secure` attributes on session cookies                                                         |
| Java       | Logging sensitive information                             | Information Exposure       | Sensitive information like passwords or tokens is logged.                                                         | Avoid logging sensitive information, use redaction if necessary                                                   |
| Java       | Unrestricted file upload                                  | Unrestricted File Upload   | A web application allows users to upload files without validation, leading to remote code execution.              | Validate file types, use a whitelist of allowed file types, scan for malicious content                            |
| JavaScript | Direct DOM manipulation with user input                   | Cross-Site Scripting (XSS) | A web application directly injects user input into the DOM.                                                       | Use `innerText` or `textContent` instead of `innerHTML`, validate and encode user input                           |
| JavaScript | `eval` with user input                                    | Code Injection             | A web application executes user input as code using `eval`.                                                       | Avoid using `eval`, use safer alternatives like `JSON.parse` for parsing JSON data                                |
| JavaScript | `localStorage` for sensitive data                         | Sensitive Data Exposure    | Sensitive data like tokens or passwords is stored in `localStorage`.                                              | Store sensitive data in secure, HTTP-only cookies                                                                 |
| JavaScript | `setTimeout` and `setInterval` with string arguments      | Code Injection             | A web application uses `setTimeout` or `setInterval` with user input as a string.                                 | Use function expressions instead of string arguments                                                              |
| JavaScript | Insecure object property access                           | Prototype Pollution        | A web application merges user input into objects without validation.                                              | Validate and sanitize input before merging it into objects                                                        |
| JavaScript | `innerHTML` with user input                               | Cross-Site Scripting (XSS) | A web application uses `innerHTML` to inject user input into the DOM.                                             | Use `innerText` or `textContent` instead of `innerHTML`, validate and encode user input                           |
| JavaScript | Unrestricted file upload                                  | Unrestricted File Upload   | A web application allows users to upload files without validation, leading to potential XSS or malware injection. | Validate file types, use a whitelist of allowed file types, scan for malicious content                            |
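The "Prototype Pollution" row above says to validate input before merging it into objects but does not show what that validation looks like. The following is an added example, not code from the original page: a naive recursive merge of the kind found in many utility libraries, beside a hardened merge that only walks own keys and refuses the `__proto__`, `constructor` and `prototype` keys that would reach `Object.prototype`. The runtime is assumed to be Node.js (no DOM is needed) and the JSON payload is constructed to look like an attacker-controlled request body.

```javascript
// Added example (not from the original page). Assumed runtime: Node.js.
// Demonstrates why an unvalidated object merge is a prototype-pollution sink
// and how a key allowlist/denylist plus own-key iteration closes it.

// VULNERABLE: for...in visits "__proto__" when it is an own key (JSON.parse
// creates it as one), and target["__proto__"] resolves to Object.prototype,
// so the recursion writes attacker-chosen properties onto every plain object.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: keys that can redirect the merge into the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

function safeMerge(target, source) {
  // Object.keys() yields own enumerable keys only; nothing inherited is walked.
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      // Rejecting (rather than silently skipping) makes the bad input visible
      // to logging and to the caller.
      throw new Error(`refusing to merge forbidden key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      // Recurse only into an existing *own* plain object on the target;
      // otherwise start a fresh object so we never descend into an inherited one.
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      target[key] = safeMerge(isPlainObject(existing) ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload: what a JSON request body carrying a pollution attempt looks like.
const UNTRUSTED_JSON = '{"name":"alice","__proto__":{"isAdmin":true}}';

// Returns true if the naive merge polluted Object.prototype, then cleans up
// so the rest of the process is not left in a polluted state.
function demoNaive() {
  naiveMerge({}, JSON.parse(UNTRUSTED_JSON));
  const polluted = ({}).isAdmin === true; // an unrelated object now "has" isAdmin
  delete Object.prototype.isAdmin;
  return polluted;
}

// Returns whether the hardened merge rejected the payload and whether any
// pollution occurred.
function demoSafe() {
  let rejected = false;
  try {
    safeMerge({}, JSON.parse(UNTRUSTED_JSON));
  } catch (e) {
    rejected = true;
  }
  return { rejected, polluted: ({}).isAdmin === true };
}

console.log('naive merge polluted Object.prototype:', demoNaive());
console.log('safe merge result:', demoSafe());
console.log('legitimate merge:', JSON.stringify(safeMerge({ a: { b: 1 } }, { a: { c: 2 }, d: [1, 2] })));
```

The detection signal worth logging is the thrown error: a request that carries `__proto__` or `constructor` as an object key has no legitimate reason to exist in ordinary JSON APIs. As defence in depth, lookup maps built from user-supplied keys can be created with `Object.create(null)` so they have no prototype to pollute, and `Object.freeze(Object.prototype)` at startup turns any remaining pollution attempt into a silent no-op (or a `TypeError` in strict mode) rather than a successful write.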
