Week 7 - Secure Programming Java Flashcards
What are bugs in programming?
A bug is an error, flaw, or fault in the design, development, or operation of a program.
Why are security bugs bad?
A security bug or security defect can be exploited to gain unauthorized access or privileges on a computer system.
What is directory/path traversal?
A web/enterprise application security vulnerability that allows an attacker to read arbitrary files on the host machine without having the privileges to do so.
In a Java application, what are the two ways path traversal can manifest?
- Traversal Attempts
  - Attackers manipulate user input by including special characters such as "../" or "%2e%2e%2f" (the URL-encoded representation of "../") to navigate up the directory structure.
- Unauthorized Access
  - If the application fails to validate the input correctly, it may allow the attacker to access files or directories outside of the intended scope.
How to mitigate path traversal?
- Input Validation
  - Always validate and sanitize user input before using it in file operations. Ensure that user-supplied paths are within the intended directory structure.
- Canonicalization
  - Use built-in Java methods like File.getCanonicalPath() to canonicalize file paths, which resolves them to their absolute form and so helps eliminate directory traversal attempts.
- Security Libraries
  - Use security libraries like Apache Commons IO's FilenameUtils or the Path class in Java's java.nio.file package, which can help prevent path traversal vulnerabilities.
What is an integer overflow?
Occurs when an arithmetic operation attempts to create a numeric value that is outside of the range that can be represented with a given number of digits.
What is the main concern of integer overflow?
It may give results leading to unintended behavior, which can compromise a program's reliability and security.
List the three consequences of integer overflows.
- Wraparound
- Incorrect Calculations
- Security Risks
What is wraparound, in the context of integer overflow?
Occurs when an arithmetic operation on integers attempts to create a numeric value that is outside of the range that can be represented with a given number of digits.
In the context of integer overflows, what can happen during incorrect calculations?
The result may be incorrect, leading to erroneous program behavior.
What could happen if an integer overflow occurs in security critical code?
If integer overflow occurs in security-critical code, it can potentially be exploited by attackers to manipulate the program’s behavior or security checks.
How to mitigate integer overflow?
- Choose appropriate data types
  - Use data types that can accommodate the expected range of values in your calculations.
- Range checking
  - Implement range checks and error handling to detect and handle potential overflows gracefully.
- Use libraries
  - Libraries like Apache Commons Lang provide utilities for safe arithmetic operations that can help avoid integer overflows.
- Upcasting