PenTest Playbook
  • Welcome!
  • Web App Pentesting
    • SQL Injection
    • NoSQL Injection
    • XSS
    • CSRF
    • SSRF
    • XXE
    • IDOR
    • SSTI
    • Broken Access Control/Privilege Escalation
    • Open Redirect
    • File Inclusion
    • File Upload
    • Insecure Deserialization
      • XMLDecoder
    • LDAP Injection
    • XPath Injection
    • JWT
    • Parameter Pollution
    • Prototype Pollution
    • Race Conditions
    • CRLF Injection
    • LaTeX Injection
    • CORS Misconfiguration
    • Handy Commands & Payloads
  • Active Directory Pentest
    • Domain Enumeration
      • User Enumeration
      • Group Enumeration
      • GPO & OU Enumeration
      • ACLs
      • Trusts
      • User Hunting
    • Domain Privilege Escalation
      • Kerberoast
        • AS-REP Roast (Kerberoasting)
        • CRTP Lab 14
      • Targeted Kerberoasting
        • AS-REP Roast
        • Set SPN
      • Kerberos Delegation
        • Unconstrained Delegation
          • CRTP Lab 15
        • Constrained Delegation
          • CRTP Lab 16
        • Resource Based Constrained Delegation (RBCD)
          • CRTP Lab 17
      • Across Trusts
        • Child to Parent (Cross Domain)
          • Using Trust Tickets
            • CRTP Lab 18
          • Using KRBTGT Hash
            • CRTP Lab 19
        • Cross Forest
          • Lab 20
        • AD CS (Across Domain Trusts)
          • ESC1
            • CRTP Lab 21
        • Trust Abuse - MSSQL Servers
          • CRTP Lab 22
    • Lateral Movement
      • PowerShell Remoting
      • Extracting Creds, Hashes, Tickets
      • Over-PassTheHash
      • DCSync
    • Evasion
      • Evasion Cheetsheet
    • Persistence
      • Golden Ticket
        • CRTP Lab 8
      • Silver Ticket
        • CRTP Lab 9
      • Diamond Ticket
        • CRTP Lab 10
      • Skeleton Key
      • DSRM
        • CRTP Lab 11
      • Custom SSP
      • Using ACLs
        • AdminSDHolder
        • Rights Abuse
          • CRTP Lab 12
        • Security Descriptors
          • CRTP Lab 13
    • Tools
    • PowerShell
  • AI Security
    • LLM Security Checklist
    • GenAI Vision Security Checklist
    • Questionnaire for AI/ML/GenAI Engineering Teams
  • Network Pentesting
    • Information Gathering
    • Scanning
    • Port/Service Enumeration
      • 21 FTP
      • 22 SSH
      • 25, 465, 587 SMTP
      • 53 DNS
      • 80, 443 HTTP/s
      • 88 Kerberos
      • 135, 593 MSRPC
      • 137, 138, 139 NetBios
      • 139, 445 SMB
      • 161, 162, 10161, 10162/udp SNMP
      • 389, 636, 3268, 3269 LDAP
      • Untitled
      • Page 14
      • Page 15
      • Page 16
      • Page 17
      • Page 18
      • Page 19
      • Page 20
    • Nessus
    • Checklist
  • Mobile Pentesting
    • Android
      • Android PenTest Setup
      • Tools
    • iOS
  • DevSecOps
    • Building CI Pipeline
    • Threat Modeling
    • Secure Coding
      • Code Review Examples
        • Broken Access Control
        • Broken Authentication
        • Command Injection
        • SQLi
        • XSS
        • XXE
        • SSRF
        • SSTI
        • CSRF
        • Insecure Deserialization
        • XPath Injection
        • LDAP Injection
        • Insecure File Uploads
        • Path Traversal
        • LFI
        • RFI
        • Prototype Pollution
        • Connection String Injection
        • Sensitive Data Exposure
        • Security Misconfigurations
        • Buffer Overflow
        • Integer Overflow
        • Symlink Attack
        • Use After Free
        • Out of Bounds
      • C/C++ Secure Coding
      • Java/JS Secure Coding
      • Python Secure Coding
  • Malware Dev
    • Basics - Get detected!
    • Not so easy to stage!
    • Base64 Encode Shellcode
    • Caesar Cipher (ROT 13) Encrypt Shellcode
    • XOR Encrypt Shellcode
    • AES Encrypt Shellcode
  • Handy
    • Reverse Shells
    • Pivoting
    • File Transfers
    • Tmux
  • Wifi Pentesting
    • Monitoring
    • Cracking
  • Buffer Overflows
  • Cloud Security
    • AWS
    • GCP
    • Azure
  • Container Security
  • Todo
Powered by GitBook
On this page
  1. DevSecOps
  2. Secure Coding

Java/JS Secure Coding

Language
Insecure Function/Practice
Vulnerability
Scenario
Remediation/Secure Function

Java

ObjectInputStream.readObject

Insecure Deserialization

A web application deserializes untrusted data from user input, leading to remote code execution.

Use a safe deserialization library like Gson or Jackson, validate and sanitize input, use ObjectInputFilter

Java

PreparedStatement without parameterized queries

SQL Injection

A web application constructs SQL queries using user input without parameterized queries.

Use parameterized queries with PreparedStatement

Java

request.getParameter without validation

Cross-Site Scripting (XSS)

A web application directly outputs user input in the HTML response.

Validate and encode user input using libraries like ESAPI or OWASP Java Encoder

Java

HttpServletRequest.getSession without secure attributes

Session Fixation

A web application does not set the HttpOnly and Secure attributes on session cookies.

Set HttpOnly and Secure attributes on session cookies

Java

Logging sensitive information

Information Exposure

Sensitive information like passwords or tokens is logged.

Avoid logging sensitive information, use redaction if necessary

Java

Unrestricted file upload

Unrestricted File Upload

A web application allows users to upload files without validation, leading to remote code execution.

Validate file types, use a whitelist of allowed file types, scan for malicious content

JavaScript

Direct DOM manipulation with user input

Cross-Site Scripting (XSS)

A web application directly injects user input into the DOM.

Use innerText or textContent instead of innerHTML, validate and encode user input

JavaScript

eval with user input

Code Injection

A web application executes user input as code using eval.

Avoid using eval, use safer alternatives like JSON.parse for parsing JSON data

JavaScript

localStorage for sensitive data

Sensitive Data Exposure

Sensitive data like tokens or passwords is stored in localStorage.

Store sensitive data in secure, HTTP-only cookies

JavaScript

setTimeout and setInterval with string arguments

Code Injection

A web application uses setTimeout or setInterval with user input as a string.

Use function expressions instead of string arguments

JavaScript

Insecure object property access

Prototype Pollution

A web application merges user input into objects without validation.

Validate and sanitize input before merging it into objects

JavaScript

innerHTML with user input

Cross-Site Scripting (XSS)

A web application uses innerHTML to inject user input into the DOM.

Use innerText or textContent instead of innerHTML, validate and encode user input

JavaScript

Unrestricted file upload

Unrestricted File Upload

A web application allows users to upload files without validation, leading to potential XSS or malware injection.

Validate file types, use a whitelist of allowed file types, scan for malicious content

PreviousC/C++ Secure CodingNextPython Secure Coding

Last updated 9 months ago