I’m trying to understand how exactly someone who doesn’t already have access to the source code can exploit a non-final class that has a constructor which invokes overridable functions (functions not marked final). This question comes from the fact that after scanning my source code with a Source Code Analyzer (Fortify), it showed a few findings about “Code Correctness: Constructor
Tag: security
Search in a List of X509CRLs
I have a list of X509 CRLs. I need to identify some of them somehow. Right now I do it using the issuer: But there’s gotta be a better way to do that using knowledge of the CRL file format, maybe by comparing public keys or something like that, but I don’t know much about X509CRLs. Can someone help me out?
SecurityFilterChain Bean doesn’t protect app
I am in the middle of the process of migrating my Spring Security configuration from WebSecurityConfigurerAdapter (deprecated) to a configuration with beans. My config class now looks like I understand that this configuration doesn’t make any behavior settings, but shouldn’t it return a SecurityFilterChain bean that will act like the default SecurityFilterChain (as if no configuration was specified)? When I start my
XML parsers should not be vulnerable to XXE attacks. Best way to solve with ZERO impact?
I have a few SonarQube vulnerabilities and one of them caught my eye. As you can see in my code, I have a new DocumentBuilder(); and then I parse this: The Sonar “solution” is to do one of the following things: This is legacy code and I am quite lost here. Could someone explain to me the differences between the three
Best practice for storing TOKEN/password in Java
I’m working on a Java application that interacts with a REST API. To communicate with this API, I must use a TOKEN; all these TOKENs are sensitive data and I cannot write them in my code. So I’m looking for a way, like a configuration file, to store the TOKEN and access it. Currently, I made an XML file with all my
CWE-73: External Control of File Name or Path
I am working to fix Veracode vulnerability CWE-73 (https://cwe.mitre.org/data/definitions/73.html) for my application, in which the input filename is dynamically sent by our other application. It starts with static names like abc, xyz, but the full file name is usually like abc_1234567.txt. Snippet of existing app code: call methodA(inputdirectory, inputfile, X, Y) -> Veracode is reporting for inputfile in this case. I have
About Dell server’s virtual terminal
(I don’t have the ssh password T_T) When I try to start the virtual terminal from the Dell server panel, the server gives me a file: “viewer.jnlp…”. I run this file with javaws.exe and it has some error: Unsigned applications requesting unrestricted access to the system. The following resources have been signed using the weak signature algorithm MD5withRSA and are considered unsigned. How do I solve
How to fix net::ERR_INCOMPLETE_CHUNKED_ENCODING 200 java web app?
I am working on a Java web app and I am setting the jsessionid attributes HttpOnly, Secure and SameSite in the doFilter() method of the InitSession class. I have this set as such: When navigating to the 3rd page in the app I get the error: net::ERR_INCOMPLETE_CHUNKED_ENCODING 200. This only started happening after I called setHeader with the code above. Any ideas
Log4j vulnerability – Is Log4j 1.2.17 vulnerable (was unable to find any JNDI code in source)?
With regard to the Log4j JNDI remote code execution vulnerability that has been identified CVE-2021-44228 – (also see references) – I wondered if Log4j-v1.2 is also impacted, but the closest I got from source code review is the JMS-Appender. The question is, while the posts on the Internet indicate that Log4j 1.2 is also vulnerable, I am not able to
Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
For some time I have been noticing the following error consistently when servers are trying to connect to other services using https. What action is to be taken to resolve this? Interestingly, it is happening only on a few servers. Answer: Thanks all, but I found the answer to this problem. Had an older version of the Bouncy Castle jar; after upgrading to the jar bcprov-jdk15on-1.58.jar,