File Upload Filename Primer for Java Developers


File upload filename handling occurs when a web application performs an upload function: the filename and the file contents are sent together in a single- or multi-request handshake between the client and the server. Tainted Filename Read is a vulnerability in which that filename is passed directly into the filesystem's API. An […]

Untrusted User Input Primer for Java Developers


When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution. […]

Object Deserialization Primer for Java Developers

Serialization is the process of converting an object within a computer program into a form suitable for permanent storage, a byte stream, or transmission over the network. Deserialization is the opposite of serialization: transforming the serialized data from storage or the network back into a program object. Exploiting insecure deserialization means abusing data from […]

XML External Entity (XXE) Primer for Java Developers

XML External Entity Injection (XXE) and Expansion (XEE) are security vulnerabilities that allow an attacker to exploit weaknesses in the processing of XML documents. Applications built for XML processing usually use a standard library for converting XML text into instance objects within the application. XXE and XEE vulnerabilities arise due to the XML specification […]

Insecure Logging Primer for Java Developers


Insecure logging occurs when a developer, intentionally or unintentionally, logs sensitive information; this can lead to unintended consequences. If, for example, the application logs Personally Identifiable Information (PII), an attacker who obtains the logs could perform identity theft against users. If the logs contain credential or session information, the attacker could hijack the user's account. […]

Remote Code Execution (RCE) Primer for Java Developers


Remote Code Execution (RCE) is a general vulnerability that can be exploited in many forms based upon the language and framework of choice. At the basic level, it allows an agent to run arbitrary code operations on the target machine/device. By having the ability to run arbitrary code on the target machine, the execution can […]