Penetration Testing: Re: Pentest webapps written in JAVA ?

Re: Pentest webapps written in JAVA ?

From: Jan Muenther <jan.muenther_at_nruns.com>
Date: Tue, 01 Jul 2008 08:45:06 +0200

Hello,
> I have no experience when it comes to pentesting Java, and I've had a
> hard time finding any decent documentation when it comes to webapps in
> Java.
>
You're right. There are things such as the Java security guide, which
however focus on stand-alone apps and their security, and the basics of
the Java Security Model etc.
> Obviously XSS would work on the HTML parts of the app, and SQL
> injections on the DB parts, but anything Java specific?
>
One thing that springs to mind is XML processing - it's hardly Java
specific, but most modern Java web apps process XML at some point.
Things to look out for there are XSLT which may allow for code
execution, and the general possibility of user submitted DTDs, which may
allow for nasty little attacks such as the billion laughs recursive
resolution problem or the inclusion of arbitrary files.

One more thing: Some people do highly risky things such as accepting
serialized objects as input in their web apps.

One time, I've also seen someone loading a class from a location that
was derived from a user-controllable variable.

A lot of other things are specific to the actual web apps. Also, I don't
know Glassfish.

Cheers,
Jan

Received on Jul 01 2008
