Java/JS Secure Coding

Language Insecure Function/Practice Vulnerability Scenario Remediation/Secure Function

Language	Insecure Function/Practice	Vulnerability	Scenario	Remediation/Secure Function
Java	`ObjectInputStream.readObject`	Insecure Deserialization	A web application deserializes untrusted data from user input, leading to remote code execution.	Use a safe deserialization library like `Gson` or `Jackson`, validate and sanitize input, use `ObjectInputFilter`
Java	`PreparedStatement` without parameterized queries	SQL Injection	A web application constructs SQL queries using user input without parameterized queries.	Use parameterized queries with `PreparedStatement`
Java	`request.getParameter` without validation	Cross-Site Scripting (XSS)	A web application directly outputs user input in the HTML response.	Validate and encode user input using libraries like `ESAPI` or `OWASP Java Encoder`
Java	`HttpServletRequest.getSession` without secure attributes	Session Fixation	A web application does not set the `HttpOnly` and `Secure` attributes on session cookies.	Set `HttpOnly` and `Secure` attributes on session cookies
Java	Logging sensitive information	Information Exposure	Sensitive information like passwords or tokens is logged.	Avoid logging sensitive information, use redaction if necessary
Java	Unrestricted file upload	Unrestricted File Upload	A web application allows users to upload files without validation, leading to remote code execution.	Validate file types, use a whitelist of allowed file types, scan for malicious content
JavaScript	Direct DOM manipulation with user input	Cross-Site Scripting (XSS)	A web application directly injects user input into the DOM.	Use innerText or textContent instead of innerHTML, validate and encode user input
JavaScript	`eval` with user input	Code Injection	A web application executes user input as code using `eval`.	Avoid using `eval`, use safer alternatives like `JSON.parse` for parsing JSON data
JavaScript	`localStorage` for sensitive data	Sensitive Data Exposure	Sensitive data like tokens or passwords is stored in `localStorage`.	Store sensitive data in secure, HTTP-only cookies
JavaScript	`setTimeout` and `setInterval` with string arguments	Code Injection	A web application uses `setTimeout` or `setInterval` with user input as a string.	Use function expressions instead of string arguments
JavaScript	Insecure object property access	Prototype Pollution	A web application merges user input into objects without validation.	Validate and sanitize input before merging it into objects
JavaScript	`innerHTML` with user input	Cross-Site Scripting (XSS)	A web application uses `innerHTML` to inject user input into the DOM.	Use innerText or textContent instead of innerHTML, validate and encode user input
JavaScript	Unrestricted file upload	Unrestricted File Upload	A web application allows users to upload files without validation, leading to potential XSS or malware injection.	Validate file types, use a whitelist of allowed file types, scan for malicious content

Java

ObjectInputStream.readObject

Insecure Deserialization

A web application deserializes untrusted data from user input, leading to remote code execution.

Use a safe deserialization library like Gson or Jackson, validate and sanitize input, use ObjectInputFilter

Java

PreparedStatement without parameterized queries

SQL Injection

A web application constructs SQL queries using user input without parameterized queries.

Use parameterized queries with PreparedStatement

Java

request.getParameter without validation

Cross-Site Scripting (XSS)

A web application directly outputs user input in the HTML response.

Validate and encode user input using libraries like ESAPI or OWASP Java Encoder

Java

HttpServletRequest.getSession without secure attributes

Session Fixation

A web application does not set the HttpOnly and Secure attributes on session cookies.

Set HttpOnly and Secure attributes on session cookies

Java

Logging sensitive information

Information Exposure

Sensitive information like passwords or tokens is logged.

Avoid logging sensitive information, use redaction if necessary

Java

Unrestricted file upload

Unrestricted File Upload

A web application allows users to upload files without validation, leading to remote code execution.

Validate file types, use a whitelist of allowed file types, scan for malicious content

JavaScript

Direct DOM manipulation with user input

Cross-Site Scripting (XSS)

A web application directly injects user input into the DOM.

Use innerText or textContent instead of innerHTML, validate and encode user input

JavaScript

eval with user input

Code Injection

A web application executes user input as code using eval.

Avoid using eval, use safer alternatives like JSON.parse for parsing JSON data

JavaScript

localStorage for sensitive data

Sensitive Data Exposure

Sensitive data like tokens or passwords is stored in localStorage.

Store sensitive data in secure, HTTP-only cookies

JavaScript

setTimeout and setInterval with string arguments

Code Injection

A web application uses setTimeout or setInterval with user input as a string.

Use function expressions instead of string arguments

JavaScript

Insecure object property access

Prototype Pollution

A web application merges user input into objects without validation.

Validate and sanitize input before merging it into objects

JavaScript

innerHTML with user input

Cross-Site Scripting (XSS)

A web application uses innerHTML to inject user input into the DOM.

Use innerText or textContent instead of innerHTML, validate and encode user input

JavaScript

Unrestricted file upload

Unrestricted File Upload

A web application allows users to upload files without validation, leading to potential XSS or malware injection.

Validate file types, use a whitelist of allowed file types, scan for malicious content

PreviousC/C++ Secure Coding NextPython Secure Coding

Last updated 1 month ago