# Java/JS Secure Coding

| Language   | Insecure Function/Practice                                | Vulnerability              | Scenario                                                                                                          | Remediation/Secure Function                                                                                       |
| ---------- | --------------------------------------------------------- | -------------------------- | ----------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- |
| Java       | `ObjectInputStream.readObject`                            | Insecure Deserialization   | A web application deserializes untrusted data from user input, leading to remote code execution.                  | Use a safe deserialization library like `Gson` or `Jackson`, validate and sanitize input, use `ObjectInputFilter` |
| Java       | SQL built by concatenating user input instead of binding it through `PreparedStatement` parameters | SQL Injection              | A web application constructs SQL query strings by concatenating user input instead of using parameterized queries. | Use parameterized queries: bind user input to `PreparedStatement` placeholders (`?`) rather than concatenating it into the SQL string |
| Java       | `request.getParameter` without validation                 | Cross-Site Scripting (XSS) | A web application directly outputs user input in the HTML response.                                               | Validate and encode user input using libraries like `ESAPI` or `OWASP Java Encoder`                               |
| Java       | `HttpServletRequest.getSession` without secure attributes | Session Fixation           | A web application does not set the `HttpOnly` and `Secure` attributes on session cookies.                         | Set `HttpOnly` and `Secure` attributes on session cookies                                                         |
| Java       | Logging sensitive information                             | Information Exposure       | Sensitive information like passwords or tokens is logged.                                                         | Avoid logging sensitive information, use redaction if necessary                                                   |
| Java       | Unrestricted file upload                                  | Unrestricted File Upload   | A web application allows users to upload files without validation, leading to remote code execution.              | Validate file types, use a whitelist of allowed file types, scan for malicious content                            |
| JavaScript | Direct DOM manipulation with user input                   | Cross-Site Scripting (XSS) | A web application directly injects user input into the DOM.                                                       | Use `innerText` or `textContent` instead of `innerHTML`, validate and encode user input                           |
| JavaScript | `eval` with user input                                    | Code Injection             | A web application executes user input as code using `eval`.                                                       | Avoid using `eval`, use safer alternatives like `JSON.parse` for parsing JSON data                                |
| JavaScript | `localStorage` for sensitive data                         | Sensitive Data Exposure    | Sensitive data like tokens or passwords is stored in `localStorage`.                                              | Store sensitive data in cookies with the `Secure` and `HttpOnly` attributes                                       |
| JavaScript | `setTimeout` and `setInterval` with string arguments      | Code Injection             | A web application uses `setTimeout` or `setInterval` with user input as a string.                                 | Use function expressions instead of string arguments                                                              |
| JavaScript | Insecure object property access                           | Prototype Pollution        | A web application merges user input into objects without validation.                                              | Validate and sanitize input before merging it into objects                                                        |
| JavaScript | `innerHTML` with user input                               | Cross-Site Scripting (XSS) | A web application uses `innerHTML` to inject user input into the DOM.                                             | Use `innerText` or `textContent` instead of `innerHTML`, validate and encode user input                           |
| JavaScript | Unrestricted file upload                                  | Unrestricted File Upload   | A web application allows users to upload files without validation, leading to potential XSS or malware injection. | Validate file types, use a whitelist of allowed file types, scan for malicious content                            |
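The Prototype Pollution row above is easy to misread as a theoretical risk, so here is an added example (not code from the original page) that runs under Node.js: a recursive settings-merge helper in its vulnerable form beside a hardened form, fed a constructed JSON body of the kind a request handler would pass to `JSON.parse`. The function names, the `FORBIDDEN_KEYS` set and the sample body are assumptions made for the illustration.

```javascript
// Added example (not from the page): vulnerable vs hardened recursive merge (Node.js).
// Vulnerable: for-in visits every enumerable key of src, including "__proto__" as
// stored by JSON.parse; reading target["__proto__"] yields Object.prototype.
function unsafeMerge(target, src) {
  for (const key in src) {
    const val = src[key];
    if (val !== null && typeof val === "object" && !Array.isArray(val)) {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}
// Hardened: drop the keys that reach a prototype, descend only into own plain
// objects, and never follow inherited properties on the target.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // or reject the whole request
    const val = src[key];
    if (isPlainObject(val)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed attacker-controlled body (sample input, not real traffic).
const UNTRUSTED_BODY = '{"name":"guest","__proto__":{"isAdmin":true}}';
// Merge into defaults, then check whether a fresh object now "has" isAdmin; reset after.
function demo(merge) {
  const settings = merge({ name: "", theme: "light" }, JSON.parse(UNTRUSTED_BODY));
  const polluted = {}.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { name: settings.name, theme: settings.theme, polluted };
}
console.log(demo(unsafeMerge), demo(safeMerge)); // polluted: true, then false
```

The same check applies to any deep-merge, `extend` or object-path utility a web application uses on request bodies; if a library does the merging, prefer one that already rejects `__proto__`, `constructor` and `prototype` keys.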
