03 Jan, 2005
Secure Web Applications
As I see it their are 3 main weak areas in Java webs applications
- CSS weaknesses (e.g. redisplaying HTML)
- Input Validation on initial input
- Selecting an item from the list and a naugthy user changing the id to something they cannot normally see
I have been working with Anite on Turbine-Review which solves 2. It basically ensures all fields have some validation run against them. This framework has now been tested and used in anger for quite a while and does solve most of this. However far too often I am seeing examples of no or 'AllwaysTrue' validators being used.
1 has been solved by Penguin (an add-on to Turbine review) and by other frameworks e.g. Tapestry. As the author of Penguin I must say I think Tapestry's approach (assume all output should be esacaped unless told otherwise) is better - but I cannot think of a way to make velocity do that.
3 does not seem to be solved by any framework - it may be Tapestry could help as it has quite a strong table model which could potentially automatically check a selected row was on the source table.
I have been looking around frameworks this seems to be a little discussed topic - it may be that most developers don't really think about this (which would explain the vast number of insecure websites around).