Java/JS Secure Coding
Language | Insecure Function/Practice | Vulnerability | Scenario | Remediation/Secure Function |
---|---|---|---|---|
Java | Deserializing untrusted input with `ObjectInputStream.readObject()` | Insecure Deserialization | A web application deserializes untrusted data from user input; gadget classes already on the classpath turn this into remote code execution. | Avoid native Java serialization for untrusted input (use a data-only format such as JSON with a strict schema); where it cannot be avoided, restrict the classes that may be deserialized with an `ObjectInputFilter` allow-list (JEP 290) |
Java | Building SQL from string concatenation and running it through `Statement` | SQL Injection | A web application constructs SQL queries using user input without parameterized queries. | Use `PreparedStatement` with bound parameters (`?` placeholders) so input is never part of the query text; the same rule applies to JPA/Hibernate query strings |
Java | Writing user input into the HTML response unencoded | Cross-Site Scripting (XSS) | A web application directly outputs user input in the HTML response. | Encode output for the context it lands in (HTML body, attribute, JavaScript, URL), for example with the OWASP Java Encoder; input validation is a complement to output encoding, not a substitute |
Java | Reusing the pre-login session ID after authentication | Session Fixation | A web application keeps the same session ID after login, so an attacker who planted a known session ID in the victim's browser inherits the authenticated session. | Issue a new session ID at login (`HttpServletRequest.changeSessionId()` in Servlet 3.1+, or `invalidate()` the old session and create a new one), and set the session cookie with the `HttpOnly` and `Secure` flags |
Java | Logging sensitive information | Information Exposure | Sensitive information such as passwords, tokens or session IDs is written to logs. | Never log secrets; redact or hash them at the logging boundary, and review debug-level logging before release |
Java | Unrestricted file upload | Unrestricted File Upload | A web application allows users to upload files without validation, leading to remote code execution (for example an uploaded JSP executed by the server). | Validate file type against an allow-list by inspecting content, not only the extension or `Content-Type` header; limit size; store uploads outside the web root under a server-generated name; scan for malicious content |
JavaScript | Direct DOM manipulation with user input | Cross-Site Scripting (XSS) | A web application inserts user input into the DOM through HTML-interpreting sinks (`innerHTML`, `outerHTML`, `insertAdjacentHTML`, `document.write`). | Use `innerText` or `textContent`, or build nodes with `createElement`/`appendChild`, for untrusted data; encode for the target context when HTML output is unavoidable |
JavaScript | `eval()` on user-controlled strings | Code Injection | A web application executes user input as code using `eval()`. | Avoid `eval()` and `new Function()`; parse data with `JSON.parse` and dispatch behaviour through an allow-list of functions |
JavaScript | Storing secrets in `localStorage`/`sessionStorage` | Sensitive Data Exposure | Sensitive data such as tokens or passwords is stored in `localStorage`, where any script running on the origin (including injected ones) can read it. | Keep session tokens in cookies with `HttpOnly`, `Secure` and `SameSite` set; keep secrets out of client-side storage |
JavaScript | `setTimeout()`/`setInterval()` with a string argument | Code Injection | A web application passes a string built from user input to `setTimeout()` or `setInterval()`, which evaluates it like `eval()`. | Pass a function (or arrow function) as the callback instead of a string |
JavaScript | Insecure object property access (recursive merge, deep clone, path-based assignment) | Prototype Pollution | A web application merges user input into objects without validation; a payload containing `__proto__` or `constructor.prototype` writes properties onto `Object.prototype`, affecting every object in the process. | Reject the keys `__proto__`, `constructor` and `prototype`, copy only own properties (`Object.hasOwn`), and use null-prototype objects for attacker-influenced data |
JavaScript | `innerHTML` assignment with user input | Cross-Site Scripting (XSS) | A web application assigns user input to `innerHTML`. | Use `innerText` or `textContent` instead of `innerHTML`; validate and encode user input |
JavaScript | Unrestricted file upload | Unrestricted File Upload | A web application allows users to upload files without validation, leading to stored XSS (for example an uploaded HTML or SVG file served from the same origin) or malware distribution. | Validate file type against an allow-list by inspecting content, limit size, serve uploads from a separate origin with a fixed `Content-Type` and `X-Content-Type-Options: nosniff`, and scan for malicious content |
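The prototype-pollution row, as an added example in Node.js (this code is not from the original page): a naive recursive merge beside a hardened one. The attacker payload is constructed for the demonstration, the function names are my own, and `Object.hasOwn` assumes Node 16.9 or later.

```javascript
// Constructed attacker payload, shaped like a JSON request body (not taken from any real incident).
const POLLUTION_PAYLOAD = '{"name":"alice","__proto__":{"isAdmin":true}}';

// Vulnerable: walks every enumerable key of the source, including the own key "__proto__"
// that JSON.parse creates, and follows target["__proto__"] (Object.prototype) when recursing.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs the attack against a throwaway object and reports whether an unrelated object
// picked up isAdmin. Cleans Object.prototype afterwards so the rest of the process is unaffected.
function demonstratePollution() {
  const unrelated = {};
  const before = unrelated.isAdmin;            // undefined: nothing polluted yet
  unsafeMerge({}, JSON.parse(POLLUTION_PAYLOAD));
  const after = unrelated.isAdmin;             // true: inherited from Object.prototype
  delete Object.prototype.isAdmin;
  return { before, after };
}

// Hardened: reject the dangerous keys outright, only ever write own properties
// (never follow an inherited target[key]), and give nested containers a null prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {          // own enumerable keys only
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected prototype-pollution key: ${key}`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.hasOwn(target, key) || !isPlainObject(target[key])) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Wraps safeMerge so a caller (or a test) can see whether the input was rejected.
function tryMerge(source) {
  try {
    return { ok: true, result: safeMerge(Object.create(null), source) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}
```

Throwing on the forbidden keys, rather than silently skipping them, is deliberate: a request carrying `__proto__` is an attack indicator worth logging, and a dropped key can still mask a second-order bug elsewhere in the merge.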
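The XSS rows (Java response output and JavaScript `innerHTML` alike), as an added example that is not from the original page: server-side rendering in Node.js with the untrusted values concatenated raw, beside the same template with each value encoded for the context it lands in. The profile object is constructed for the demonstration and the helper names are my own; the same discipline applies to a Java servlet writing to the response.

```javascript
// Entity map for HTML body text and double-quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function encodeForHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// URL context is a separate sink: entity encoding does nothing against javascript:,
// so parse the value and allow only absolute http(s) URLs. Anything else becomes "#".
function safeHref(raw) {
  let url;
  try {
    url = new URL(String(raw));            // throws on relative or malformed input
  } catch {
    return '#';
  }
  return url.protocol === 'https:' || url.protocol === 'http:' ? url.href : '#';
}

// Vulnerable: user-controlled fields are concatenated straight into the markup.
function renderProfileUnsafe(user) {
  return `<h1>${user.name}</h1><a href="${user.website}">website</a>`;
}

// Hardened: every untrusted value is encoded for its exact context, and attribute
// values are always quoted so the encoder's handling of quotes actually protects them.
function renderProfileSafe(user) {
  return `<h1>${encodeForHtml(user.name)}</h1>` +
         `<a href="${encodeForHtml(safeHref(user.website))}">website</a>`;
}

// Constructed attacker-controlled profile (not from any real submission).
const ATTACKER_PROFILE = {
  name: '<script>alert(document.cookie)</script>',
  website: 'javascript:alert(1)',
};
```

The body encoder is deliberately not reused for JavaScript or CSS contexts; each of those needs its own encoder, which is the point of the "contextual" in contextual output encoding.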
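The two code-injection rows (`eval()` and string arguments to `setTimeout()`/`setInterval()`), as an added example that is not from the original page: an action dispatcher that splices user input into evaluated source, beside one that uses the input only as a key into an allow-list. The handler table, the audit flag and the injected action string are constructed for the demonstration; `Object.hasOwn` assumes Node 16.9 or later.

```javascript
// Allow-list of behaviours a client may request.
const handlers = {
  greet: (who) => `hello ${who}`,
  farewell: (who) => `goodbye ${who}`,
};

// Records whether attacker-supplied code ran; exists only to make the injection observable.
const audit = { injected: false };

// Vulnerable: the action name becomes part of the source text that eval() runs.
// A string built the same way and handed to setTimeout()/setInterval() in a browser
// is evaluated identically.
function dispatchWithEval(action, arg) {
  return eval(`handlers.${action}(${JSON.stringify(arg)})`);
}

// Hardened: the action is only ever a property lookup, checked as an own property so
// names such as "constructor" or "__proto__" cannot reach inherited members.
function dispatchSafely(action, arg) {
  if (typeof action !== 'string' || !Object.hasOwn(handlers, action)) {
    throw new Error(`unknown action: ${String(action)}`);
  }
  return handlers[action](arg);
}

// Constructed attacker input: closes the intended call, runs its own statement,
// then re-opens a valid call so the evaluated source still parses and returns normally.
const INJECTED_ACTION = 'greet("x"); audit.injected = true; handlers.greet';

// Wraps dispatchSafely so a caller (or a test) can see whether the input was rejected.
function tryDispatch(action, arg) {
  try {
    return { ok: true, result: dispatchSafely(action, arg) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}
```

Note that the vulnerable version returns the expected `hello world` even while the injected statement runs, which is why this class of bug rarely shows up in functional testing.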