Hard Code Key Primer for Java Developers

Untrusted user input

The use of hard-coded cryptographic keys within software greatly increases the chance that encrypted data can be recovered. If the code is open source, then everyone can read the keys. If the source is kept private, attackers may still gain access to the code, or to partial snippets of it, if they […]

Expression Languages (EL) Injection Primer for Java Developers

Expression language injection

Expression Language Injection (EL Injection) happens when an attacker can control, in part or in whole, the data passed into an expression language. For example, Spring provides an EL called Spring Expression Language (SpEL), which supports querying and manipulating object graphs at runtime. The JavaServer Pages (JSP) […]

Electronic Code Block (ECB) Primer for Java Developers

electronic code blocking

Electronic Code Block (ECB) mode is a block-cipher mode of operation that divides the original message into fixed-size blocks and encrypts each block independently. The problem with ECB is that it is not semantically secure. The worst part is that in ECB mode, encryption of the same block of plaintext always yields the same block of ciphertext; this […]

AWS Query Injection Primer for Java Developers

aws

AWS Query Injection can occur as a result of misusing the AmazonSimpleDBClient class of AWS's Java SDK. If the application builds select requests from user input, that input could be crafted to query information outside the scope of the user's permissions. Impact: CWE-943: Improper Neutralization of […]