Week 7 - Secure Programming Java Flashcards

1
Q

What are bugs in programming?

A

A bug is an error, flaw, or fault in the design, development, or operation in a program.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Why are security bugs bad?

A

A security bug or security defect can be exploited to gain unauthorized access or privileges on a computer system.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is directory/path traversal?

A

Is a web/enterprise application security vulnerability that allows an attacker to read arbitrary files on the host machine without having privileges.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

In a Java application, what are the two ways path traversal can manifest?

A
  1. Traversal Attempts
    - Attackers manipulate the user input by including special characters like “../” or “%2e%2e%2f” (URL encoded representation of aforementioned) to navigate up the directory structure.
  2. Unauthorized Access
    - If application fails to validate the input correctly, it may allow the attacker to access files or directories outside of the intended scope.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

How to mitigate path traversal?

A
  1. Input Validation
    - Always validate & sanitize user input before using it in file operations. Ensure that user-supplied paths are within the intended directory structure.
  2. Canonicalization
    - Use built-in Java methods like File.getCanonicalPath() to canonicalize file paths, which helps eliminate directory traversal attempts by resolving paths to their absolute forms.
  3. Security Libraries
    - Utilize security libraries like Apache Commons IO’s FilenameUtils or Path class in Java’s java.nio.file package, which can help prevent path traversal vulnerabilities.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What is an integer overflow?

A

Occurs when arithmetic operation attempts to create a numeric value that is outside of the range that can be represented with a given number of digits.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is the main concern of integer overflow?

A

May give results leading to unintended behavior. It can compromise a program’s reliability and security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

List the three consequences of integer overflows.

A
  1. Wraparound
  2. Incorrect Calculations
  3. Security Risks
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is wraparound, in the context of integer overflow?

A

Occurs when an arithmetic operation on integers attempts to create a numeric value that is outside of the range that can be represented with a given number of digits

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

In the context of integer overflows, what can happen during incorrect calculations?

A

The result may be incorrect, leading to erroneous program behavior.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What could happen if an integer overflow occurs in security critical code?

A

If integer overflow occurs in security-critical code, it can potentially be exploited by attackers to manipulate the program’s behavior or security checks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

How to mitigate integer overflow?

A
  1. Choose appropriate data types
    - Use data types that can accommodate the expected range of values in your calculations.
  2. Range checking
    - Implement range checks and error handling to detect and handle potential overflows gracefully.
  3. Use libraries
    - Libraries like Apache Commons Lang provide utilities for safe arithmetic operations that can help avoid integer overflows.
  4. Upcasting
How well did you know this?
1
Not at all
2
3
4
5
Perfectly