Java Security - Part 14: Preventing common security vulnerabilities in Java (SQL injection, cross-site scripting)

Arr matey! Strap yourself to the mast, 'cause we're about to brave the stormy seas of common security vulnerabilities in Java. We've got two notorious scoundrels on our hands: SQL injection and cross-site scripting (XSS). These two be as infamous in the coding world as Blackbeard and Captain Kidd be in the high seas!

First up, SQL Injection, the bane of databases across the Seven Seas! This happens when you create a SQL query by concatenating user input directly into the query. Like this:

// Vulnerable: the user's text becomes part of the SQL itself
String query = "SELECT * FROM users WHERE username = '" + userInput + "'";

If someone enters ' OR '1'='1, that turns the query into SELECT * FROM users WHERE username = '' OR '1'='1', which returns all users. Yarrr, that be a disaster!

Instead, use a PreparedStatement. This be like making your parrot deliver the message instead of shouting it out for the whole crew to hear:

String query = "SELECT * FROM users WHERE username = ?";   // '?' is a bind parameter
try (PreparedStatement pstmt = connection.prepareStatement(query)) {
    pstmt.setString(1, userInput);                          // value travels separately from the SQL text
    try (ResultSet results = pstmt.executeQuery()) {
        // read rows from results here; both resources are closed automatically
    }
}

The '?' in the query is a placeholder, and we're setting its value using setString(). This way, no matter what the user input be, it can't change the structure of the query.

Now, let's set our spyglass on Cross-Site Scripting (XSS). This be when someone tricks your site into running malicious JavaScript. Let's say you have a comment section on your site and you display comments like this:

// Vulnerable: the comment is written into the page as raw HTML
out.println("<h2>" + userComment + "</h2>");

If some scurvy dog enters <script>/* bad stuff */</script> as their comment, you're in for a nasty surprise! To prevent this, escape user input before displaying it. Most modern Java web frameworks do this for you, but if you're writing your own HTML:

// escapeHtml is an HTML-escaping helper, e.g. StringEscapeUtils.escapeHtml4 from Apache Commons Text
out.println("<h2>" + escapeHtml(userComment) + "</h2>");

This will replace < with &lt;, > with &gt;, and so on. The trick is to treat all user input as untrustworthy - assume it's a mutinous crew member waiting for the right moment to pounce!
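As an added example (not code from the original post) that puts both defences from this article into one runnable class: findUsers looks users up through a PreparedStatement, and escapeHtml is a hand-written escaper for the five HTML-significant characters. The Connection handed to findUsers and the users table with its username column are assumptions; the comment string in main is constructed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class InjectionDefenses {
    // Parameterised lookup (assumes a 'users' table with a 'username' column,
    // as in the article). The bound value is sent separately from the SQL
    // text, so ' OR '1'='1 is compared literally and cannot change the query.
    static List<String> findUsers(Connection conn, String userInput) throws SQLException {
        String sql = "SELECT username FROM users WHERE username = ?";
        List<String> found = new ArrayList<>();
        try (PreparedStatement pstmt = conn.prepareStatement(sql)) {
            pstmt.setString(1, userInput);
            try (ResultSet rs = pstmt.executeQuery()) {
                while (rs.next()) {
                    found.add(rs.getString("username"));
                }
            }
        }
        return found;
    }

    // HTML escaper for text placed between tags (element content). It walks
    // the input once, so '&' is never double-escaped. Text landing in an
    // attribute or inside <script> needs that context's own escaping rules.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample comment: the article's payload plus an ampersand and quotes
        String comment = "<script>/* bad stuff */</script> & \"quotes\"";
        System.out.println("Unsafe : <h2>" + comment + "</h2>");
        System.out.println("Escaped: <h2>" + escapeHtml(comment) + "</h2>");
    }
}
```

Running main prints the raw comment once as live markup and once neutralised, so the browser shows the script text instead of executing it.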

Keep these lessons in mind, and you'll ward off the threats of SQL injection and XSS like a seasoned sea dog fending off a kraken. Yarrr!
