Java Developer Tools

Audit - Rules - Servlets

Description
This group contains audit rules that look for the correct implementation of servlets within your code.

Rules:

Missing Catch of Exception
Request Parameters In Session
Sockets in Servlets

Details

Missing Catch of Exception

Summary
The methods doGet(), doPost(), and the other HttpServlet service methods should catch ALL Exceptions, including runtime exceptions.

Description
This audit rule flags HttpServlet service methods (doGet(), doPost(), doPut(), etc.) that do not catch all exceptions thrown from their bodies.

Security Implications
An exception that escapes a servlet is usually rendered by the container as an error page that includes the stack trace, so it ends up in front of the end user. That stack trace may reveal details of your system's architecture (package and class names, libraries in use, file paths) that are valuable to an attacker planning further attacks.

Example
The following code is flagged as a violation because it catches only IOException; any other exception thrown by calcDefaultResponse(), including runtime exceptions, escapes doGet() uncaught:

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class MissingCatchOfExceptionTest extends HttpServlet {
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            try {
                resp.getWriter().write(calcDefaultResponse());
            } catch (IOException e) {
                // Only IOException is handled; a RuntimeException from
                // calcDefaultResponse() propagates out of doGet() (the violation).
                e.printStackTrace();
            }
        }
        // Stand-in for the undefined calcDefaultResponse(); may throw a runtime exception.
        private String calcDefaultResponse() {
            return System.getProperty("default.response").trim(); // NPE if the property is unset
        }
    }
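The following is an added example, not code from the original page, showing a doGet() that satisfies the rule. Every exception raised while building the response is caught, logged server-side with a reference id, and replaced by a generic 500 response that reveals nothing about the failure. The class name, logger, reference id and the calcDefaultResponse() helper are assumptions made for the example.

```java
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class): a servlet whose doGet() catches all exceptions.
public class CatchAllExceptionsServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(CatchAllExceptionsServlet.class.getName());

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            resp.setContentType("text/plain");
            resp.getWriter().write(calcDefaultResponse(req));
        } catch (Exception e) {  // Exception covers checked and runtime exceptions alike
            // The full stack trace stays on the server, keyed by a reference id
            // that operators can correlate with the message shown to the user.
            String ref = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "doGet failed, ref=" + ref, e);
            sendGenericError(resp, ref);
        }
    }

    // Send a fixed error body; never include e.getMessage() or the trace.
    private void sendGenericError(HttpServletResponse resp, String ref) {
        if (resp.isCommitted()) {
            return; // headers already sent; nothing more can be changed, the log has the details
        }
        try {
            resp.reset();
            resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            resp.setContentType("text/plain");
            resp.getWriter().write("Internal error. Reference: " + ref);
        } catch (IOException ioe) {
            // The client connection is gone; log it and move on rather than rethrow.
            LOG.log(Level.WARNING, "could not write error response, ref=" + ref, ioe);
        }
    }

    // Hypothetical helper standing in for the page's calcDefaultResponse();
    // it throws NullPointerException when the "name" parameter is absent.
    private String calcDefaultResponse(HttpServletRequest req) {
        String name = req.getParameter("name");
        return "Hello, " + name.trim();
    }
}
```

Catching at the service method is the last line of defence, not the only one: a container's default error page for an uncaught exception may itself print the trace, so it is also worth configuring an application-level error page (the error-page element in web.xml) that shows a generic message.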

Request Parameters In Session

Summary
Request parameters and other tainted data should not be passed into Session without sanitizing.

Description
Sessions should store only trusted data, so that a developer reading an attribute from the session does not have to decide whether it still needs to be sanitized.

Security Implications
Developers usually treat data stored in a session as safe to use. If that data was never checked on the way in, it can reach the security-sensitive parts of an application and expose them to all kinds of injection attacks.

Example
The following code receives data via the HttpServletRequest#getParameter() call and stores it in the session without validating it:

    // The tainted request parameter goes straight into the session, unvalidated (the violation).
    HttpSession session = request.getSession();
    String login = request.getParameter("login");
    session.setAttribute(ATTR_LOGIN, login);
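As an added example that is not part of the original page, here is the same operation done the way the rule asks for: the parameter is validated against an allow-list before it is stored, and a value that fails validation never reaches the session. The servlet class, the ATTR_LOGIN constant's value and the login-name pattern are assumptions made for the example; the pattern should be adapted to the application's actual rules for login names.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (hypothetical class): validate request input before it enters the session.
public class LoginServlet extends HttpServlet {
    public static final String ATTR_LOGIN = "login";  // assumed attribute name

    // Allow-list for login names (assumed policy): 3 to 32 characters drawn from
    // letters, digits, dot, underscore and hyphen. Anything else is rejected.
    private static final Pattern LOGIN = Pattern.compile("^[A-Za-z0-9._-]{3,32}$");

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String login = validateLogin(request.getParameter("login"));
        if (login == null) {
            // Reject with a fixed message; do not echo the rejected value back.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid login");
            return;
        }
        // Only the validated value is stored, so readers of ATTR_LOGIN can trust it.
        HttpSession session = request.getSession(true);
        session.setAttribute(ATTR_LOGIN, login);
        response.setContentType("text/plain");
        response.getWriter().write("ok");
    }

    // Pure validation, kept separate from servlet plumbing so it can be unit-tested.
    // Returns the normalised value, or null when the input is missing or disallowed.
    static String validateLogin(String raw) {
        if (raw == null) {
            return null;
        }
        String trimmed = raw.trim();
        return LOGIN.matcher(trimmed).matches() ? trimmed : null;
    }
}
```

Validation on the way into the session establishes that the stored value has a known shape; it does not remove the need for output encoding when the value is later written into HTML, or for parameterised queries when it is used in SQL, since those protections depend on the sink rather than the source.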

Sockets in Servlets
