49 votes

Poor error handling source code review

I think you are correct that those issues are more related to code quality rather than security, and none of them are exploitable in any obvious way. I would not call them "vulnerabilities". But ...
Anders
  • 65.9k
47 votes
Accepted

Am I protected from Log4j vulnerability if I run Java 8u121 or newer?

No, you really need to update log4j. Here is an excerpt from LunaSec's announcement: According to this blog post (see translation), JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not ...
Fire Quacker
  • 2,430
34 votes

Sending password from client app to server with Java

Use TLS for the connection to the server. The purpose of securely hashing a password is to make it more difficult to attack if the database is ever stolen. It is not designed to prevent sniffing the ...
forest
  • 67.8k
25 votes
Accepted

What are the differences of checking a self-signed certificate vs ignore it?

If it's an official service you are integrating with the provider should really have a valid, publicly signed certificate installed for the sake of security. Assuming that you need to continue on ...
Tim Brigham
  • 3,802
24 votes
Accepted

How are code-branch side channel attacks mitigated on Java?

While you can make some attempt towards constant-time code in general purpose JITed languages like Java, you generally run into some problems: The runtime implementation is, generally, intended to be ...
Polynomial
  • 136k
21 votes

Timing attacks in password hash comparisons

The first algorithm is sensitive to timing attacks, while the second looks better (but I don't know for sure if it's vulnerable or not). However, there is a bug with potential security implications in ...
Anders
  • 65.9k
16 votes

What are the differences of checking a self-signed certificate vs ignore it?

By importing a known good self-signed certificate where the private key is unique and not compromised, the connection is just as safe as a full global CA PKI signed certificate. Those are after all ...
John Keates
16 votes

Am I protected from Log4j vulnerability if I run Java 8u121 or newer?

https://research.kudelskisecurity.com/2021/12/10/log4shell-critical-severity-apache-log4j-remote-code-execution-being-actively-exploited-cve-2021-44228/ No, you're not safe. Currently we have to ...
jwenting
  • 337
11 votes

Why do I need to add intermediate CA certificates to JVM's cacerts file?

The Oracle JRE can automatically download the intermediate certificate: Support for the Authority Information Access (AIA) Extension Support for the caIssuers access method of the Authority ...
MarnixKlooster ReinstateMonica
11 votes

Poor error handling source code review

How are these related to security? According to my understanding it seems like the above issues are code quality issues. These are code quality issues. From the name, it looks like they are straight ...
hax
  • 3,951
11 votes

Timing attacks in password hash comparisons

You're both right, but you've both missed the point :) You are correct: this is a classic example of a timing weakness and creates a possible side channel attack. Your coder is correct: given network ...
Conor Mancone
10 votes

What is the best practice to store private key, salt and initialization vector in database?

I will answer your question in two parts since you asked it in two parts: Question 1: Is it secure to store salt and vector in database same table with private key? Currently I encode public and ...
dFrancisco
  • 2,781
9 votes
Accepted

What is the process of finding deep links from an Android application?

A deep link is similar to opening a URL with an application in other operating systems. You can run firefox https://example.com to open that URL in your browser, and applications can tell the ...
Luc
  • 33.3k
8 votes
Accepted

Does Java anti-decompiler software really work as claimed?

No, these do not work in the way claimed. They do not and cannot prevent reverse engineering and decompiling. The most they can possibly do is obfuscate Java to make it more difficult to understand, ...
forest
  • 67.8k
8 votes

Generating and securing gift card codes

To prevent fraud, you need a sufficiently low probability of the attacker guessing any valid code. For 1 million cards, a 10^16 code will be guessed on the average each 10^10 attempts. If your site is ...
Therac
  • 2,900
8 votes

Timing attacks in password hash comparisons

The second piece of code you showed is still susceptible to timing attacks. This is because how many times the if-branch is taken, and in what sequence it is taken, are dependent on the input data. ...
Nayuki
  • 259
7 votes

SSL Newbie : Does HTTPS client also need a certificate?

No. I've tried it and the client definitely does not need a certificate or predefined key. Rather, after receiving a public key (which is part of the certificate) from the server, the client makes up ...
Matt
  • 71
7 votes
Accepted

Vulnerable CRLF environment

PHP - 4.2.1 - CVE - Or see the Anders answer. TOMCAT - Before 6.0.37 / 7.0.30 - CVE Since CRLF Injection is directly related to HTTP response splitting attacks, I recommend you to read the question I ...
Baptiste
  • 1,403
6 votes

What is the best practice to store private key, salt and initialization vector in database?

Yep. It's safe to store the Salt and IV next to the encrypted entry. To understand why, you need to dig into just what the Salt and IV are intended to do. Salt is meant as a way of making it so ...
Kevin
  • 902
6 votes

Could this list of ciphersuites be improved on?

A simple grep would not provide enough context to determine if there is a problem. Even if you find actual uses for these less secure algorithms (contrary to just finding code which uses these names ...
Steffen Ullrich
6 votes

Poor error handling source code review

Bad guys start an attack by learning as much as possible about the target system. An improperly handled exception can reveal sensitive information to the calling client. In a REST API for example, a ...
Rich Moss
  • 177
6 votes

Poor error handling source code review

I have been dealing with code audits, security analysis like this one and ethical hacking runs for a decade and a half now, so let me share some of my experience. Every single boss and team lead I've ...
Script Kid
6 votes
Accepted

Is DPAPI still valid option to protect eg. encryption key?

The question of whether to use DPAPI vs. other encryption methods is not necessarily material to your actual goal, which is to prevent an attacker who compromises the system from reading sensitive ...
Polynomial
  • 136k
5 votes
Accepted

How does one determine what strength parameter to pass to BCryptEncoder (default is 10) in Spring Java?

Adding one to the parameter doubles cost for both defender and attacker. You want to maximize cost for the attacker, while keeping the cost for the defender acceptable. Benchmark it for different ...
CodesInChaos
  • 12.2k
5 votes
Accepted

Is OWASP ESAPI still the recommended way to secure JSP pages

The OWASP ESAPI is no longer considered a flagship or even an active project. Kevin Wall, the project owner for the Java implementation, himself back in 2014 conceded that the project is dying and ...
Mark Burnett
  • 2,850
5 votes
Accepted

Is supporting older version of Java dangerous

Is there a security risk involved with have the Java 1.7 JDK installed on our build machine if all it is being used for is to compile the jar file? Probably not, but there's no need to do that: javac ...
guest
  • 66
5 votes
Accepted

Firefox sending Application Data in middle of SSL handshake

You are in fact seeing TLS False Start. The client sends application data right after its own ChangeCipherSpec and Finished messages, but before receiving the ChangeCipherSpec and Finished messages ...
Lekensteyn
  • 6,168
5 votes
Accepted

Is the JDK standard EC KeyPairGenerator suitable for use with both ECDSA and ECDH algorithms?

Oracle Java documentation is a little sparse on the topic, but it does look like with the SunJCE, a key generated as EC can be used with either ECDH or ECDSA. (source): (I'm not an Elliptic curve ...
Mike Ounsworth
5 votes

Is Java's probablePrime used in production?

The important part is "The probability that a BigInteger returned by this method is composite does not exceed 2e-100" Hardware isn't perfectly reliable: https://community.hiveeyes.org/t/soft-...
Douglas Leeder
5 votes
Accepted

Semicolon's relation with reverse proxy

Java Servlet and JAX-WS have support for so-called Matrix Parameters: each component path can have a series of parameters. For example: /foo;param1=a;param2=b/bar;param3=c;param4=d In the servlet ...
ysdx
  • 2,615

Only top scored, non community-wiki answers of a minimum length are eligible