• Code Pattern: Look for code where the developer is attempting to use a blacklisting approach to validate user inputs

Recommendation: Use a whitelist-based validation approach to validate your inputs

Code Review for Client-side Validation Approach

  • Code Pattern: Look for code where the developer is attempting to use only client-side input validation script to validate user inputs

Recommendation: Client-side validation can be bypassed easily. Use both client and server-side validation techniques to validate user inputs

Code Review for Non-parametrized SQL Query

  • Code Pattern: Look for code where the developer is attempting to write a non-parametrized query

Recommendation: Always use parametrized queries to avoid SQL injection attacks

Code Review for XSS Vulnerability

  • Code Pattern: Look for code where the developer is attempting to render output without encoding

Recommendation: Always encode your output to avoid XSS

Code Review for Weak Password Authentication

  • Code Pattern: Look for code where the developer is attempting to authenticate users with a weak password condition

Recommendation: Always use strong password rules or conditions to authenticate users

Code Review for Hard-coded Passwords

  • Code Pattern: Look for code where the developer is attempting to use a hard-coded password

Recommendation: Never use hard-coded secrets such as passwords in code. Hard-coded passwords are an easy target for attackers

Code Review for Empty Password in Connection String

  • Code Pattern: Look for code where the developer is attempting to use an empty password to connect to a remote database server

Recommendation: Never use an empty or plaintext password in a connection string, as this facilitates dictionary and brute-force attacks

Code Review for Insecure Basic Authentication

  • Code Pattern: Look for code where the developer is attempting to use basic authentication over an HTTP connection without TLS

Recommendation: Use SSL/TLS for basic authentication so that the credentials cannot be decoded easily

Code Review for Open Redirect

  • Code Pattern: Look for code where the developer is attempting to redirect to a path that is created from user-supplied input

Recommendation: Avoid using redirects or forwards wherever possible. User input should not be used to construct the redirect path. If it is necessary to accept a parameter, check that the parameter is valid, and ensure that the user is authorized to browse the constructed URL
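The two checks above (a valid parameter, and a target the application owns) as an added example, not code from the original checklist. The key names and the `/app/` prefix are assumptions for illustration:

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Map;
import java.util.Optional;

public class RedirectTarget {
    // Preferred: the client sends a key, and the server owns the URL table
    // (hypothetical keys and paths).
    private static final Map<String, String> KNOWN = Map.of(
        "home", "/app/home",
        "profile", "/app/profile",
        "orders", "/app/orders");

    static Optional<String> fromKey(String key) {
        return Optional.ofNullable(key).map(KNOWN::get);
    }

    // Fallback when a path must be accepted: only a relative, same-site path
    // under /app/ survives; anything else yields empty and the caller should
    // redirect to a fixed landing page instead.
    static Optional<String> fromPath(String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return Optional.empty();
        }
        // "//host" is scheme-relative, backslashes are treated as slashes by
        // some browsers, and CR/LF would allow header splitting: reject all.
        if (candidate.startsWith("//") || candidate.contains("\\")
                || candidate.contains("\r") || candidate.contains("\n")) {
            return Optional.empty();
        }
        URI uri;
        try {
            uri = new URI(candidate).normalize();   // collapses "/app/../admin"
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        if (uri.isAbsolute() || uri.getRawAuthority() != null) {
            return Optional.empty();               // http://..., mailto:, //host
        }
        String path = uri.getPath();               // decoded form
        // normalize() works on the raw path, so a percent-encoded ".." would
        // survive it; check the decoded path as well.
        if (path == null || !path.startsWith("/app/") || path.contains("..")) {
            return Optional.empty();
        }
        return Optional.of(uri.toString());
    }
}
```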

Code Review for Insecure LDAP Authentication

  • Code Pattern: Look for code where the developer is attempting to use LDAP "simple" authentication, which sends credentials in cleartext that attackers can easily capture

Recommendation: Always use a secure authentication mechanism. LDAP supports SASL, which provides a security layer for authentication between client and server

Code Review for Insecure Authorization Mechanism

  • Code Pattern: Look for code where the developer is attempting to use an ad hoc authorization mechanism that makes the code complex and hard to maintain. Even a simple mistake in such code can be abused by an attacker

Recommendation: Always use a proper authorization method that is secure and easy to modify

Code Review for Weak Password Length

  • Code Pattern: Look for code where the developer is attempting to store passwords with a weak hashing algorithm

Recommendation: Store passwords with a strong hashing function like bcrypt so that they cannot be cracked easily

Code Review for Use of Weak Hashing Algorithm

  • Code Pattern: Look for code where the developer is attempting to set a weak hashing algorithm

Recommendation: Always use the strongest available hashing algorithm

Code Review for Use of Weak Random Number Generator

  • Code Pattern: Look for code where the developer is using a weak random number generation method. An 8-character string can be predicted by an attacker

Recommendation: To prevent an attacker from predicting random numbers, use a string of more than 8 characters to generate random numbers

Code Review for Use of Insecure PBE Work Factor

  • Code Pattern: Look for code where the developer is using password-based encryption (PBE) with a work factor of 5000, which is considered insecure

Recommendation: The developer should use a large iteration count, which makes the hash expensive to compute and prevents the password from being guessed

Code Review for Use of Weak Encryption Algorithm

  • Code Pattern: Look for code where the developer is attempting to set a weak encryption algorithm

Recommendation: Always use the strongest encryption algorithm

Code Review for Use of Insufficient Encryption Key Size

  • Code Pattern: Look for code where the developer is attempting to set an insufficient encryption key size

Recommendation: Always use a secure algorithm with a sufficient key size when protecting passwords

Code Review for Unsafe Decoding

  • Code Pattern: Look for code where the developer is attempting to decode a cookie value; if cookies are not safely decoded, an attacker can easily abuse the code

Recommendation: Always check the cookie value before use and confirm whether it is double-encoded

Code Review for Use of SSL

  • Code Pattern: Look for code where the developer is attempting to set a false value for the SSLEnabled attribute in the server.xml file

Recommendation: Always set the SSLEnabled attribute to true

Code Review for OS Command Injection

  • Code Pattern: Look for code where the developer is allowing OS commands to be executed from the application. Attackers can misuse this functionality to execute arbitrary commands

Recommendation: Developers should avoid executing OS commands using Runtime.exec. Instead, use Java APIs to perform any OS-related operation
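The pattern to flag beside the recommended replacement, as an added example that is not code from the checklist. The base directory and the directory-listing use case are assumptions:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;

public class DirectoryListing {
    private static final Path BASE = Paths.get("/srv/app/data");   // assumed location
    // Allowlist for the user-supplied directory name: no separators, no shell
    // metacharacters, bounded length.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // PATTERN TO FLAG: user input is spliced into a string that a shell parses,
    // so the input can carry more than a directory name.
    static Process listUnsafe(String userDir) throws IOException {
        String cmd = "ls " + BASE.resolve(userDir);
        return Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", cmd});
    }

    static String requireSafeName(String userDir) {
        if (userDir == null || !SAFE_NAME.matcher(userDir).matches()) {
            throw new IllegalArgumentException("invalid directory name");
        }
        return userDir;
    }

    // RECOMMENDED: no process at all. The Java API does the work, so there is
    // no command line for the input to influence; the allowlist still applies.
    static List<String> listSafe(String userDir) throws IOException {
        Path dir = BASE.resolve(requireSafeName(userDir));
        try (Stream<Path> entries = Files.list(dir)) {
            return entries.map(p -> p.getFileName().toString())
                          .sorted()
                          .collect(Collectors.toList());
        }
    }

    // If an external program is unavoidable, pass argv as separate elements.
    // No shell parses the string, so the value is a single argument to "ls";
    // "--" stops it from being read as an option. Allowlist it anyway.
    static Process listViaProcessBuilder(String userDir) throws IOException {
        Path dir = BASE.resolve(requireSafeName(userDir));
        return new ProcessBuilder("ls", "--", dir.toString()).start();
    }
}
```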

Code Review for LDAP Injection

  • Code Pattern: Look for code where the developer builds the LDAP search filter from user input without validation, so attackers can supply malicious characters and invoke the method. Example: EmpInfo()

Recommendation: Always use a whitelist to validate user input so that it contains only valid characters (for example, passwords restricted to alphanumeric characters)
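An added example of the whitelist-based validation recommended at the top of this checklist, applied to the LDAP filter case here. It is not the page's EmpInfo() code; the class name, the `uid` attribute and the returned attributes are assumptions:

```java
import java.util.regex.Pattern;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class EmpInfo {
    // Whitelist: only characters that can appear in a legitimate user id.
    private static final Pattern UID = Pattern.compile("[A-Za-z0-9._-]{1,32}");

    static String requireValidUid(String uid) {
        if (uid == null || !UID.matcher(uid).matches()) {
            throw new IllegalArgumentException("invalid uid");
        }
        return uid;
    }

    // PATTERN TO FLAG: filter assembled by concatenation, so filter syntax
    // characters in the input become part of the query.
    static String buildFilterUnsafe(String uid) {
        return "(uid=" + uid + ")";
    }

    // Defence in depth (RFC 4515 escaping) for the rare value that must
    // contain characters outside the whitelist.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // RECOMMENDED: whitelist first, then let JNDI bind the value. "{0}" is
    // substituted as data by the provider, never parsed as filter syntax.
    static NamingEnumeration<SearchResult> lookup(DirContext ctx, String baseDn, String uid)
            throws NamingException {
        String safeUid = requireValidUid(uid);
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"cn", "mail"});
        return ctx.search(baseDn, "(uid={0})", new Object[] {safeUid}, controls);
    }
}
```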

Code Review for XML Injection

  • Code Pattern: Look for code where the developer is attempting to write data into XML through a stream write() method that does not apply any metacharacter encoding

Recommendation: Always apply metacharacter encoding when writing data into XML

Code Review for Unsafe use of request parameter to execute SQL Query

  • Code Pattern: Look for code where the developer is attempting to execute a query received directly as a request parameter. Attackers can manipulate these request parameters and execute a malicious query

Recommendation: Never use a request parameter for executing a query
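An added example serving both the "Non-parametrized SQL Query" item earlier in this checklist and the request-parameter item here; it is not code from the checklist. It assumes a JDBC Connection and a hypothetical `employees` table with `name` and `dept` columns:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class EmployeeQueries {
    // PATTERN TO FLAG: the request parameter becomes part of the SQL text,
    // so it is parsed as query grammar rather than treated as a value.
    static List<String> findByNameUnsafe(Connection conn, String nameParam) throws SQLException {
        String sql = "SELECT name FROM employees WHERE name = '" + nameParam + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collectNames(rs);
        }
    }

    // FIXED: the SQL text is constant and the parameter is bound as data.
    static List<String> findByNameSafe(Connection conn, String nameParam) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT name FROM employees WHERE name = ?")) {
            ps.setString(1, nameParam);
            try (ResultSet rs = ps.executeQuery()) {
                return collectNames(rs);
            }
        }
    }

    // If the client may choose WHICH query runs, it sends a name from this
    // fixed table; the SQL text itself never arrives in a request parameter.
    private static final Map<String, String> NAMED_QUERIES = Map.of(
        "byName", "SELECT name FROM employees WHERE name = ?",
        "byDept", "SELECT name FROM employees WHERE dept = ?");

    static List<String> runNamedQuery(Connection conn, String queryName, String arg) throws SQLException {
        String sql = queryName == null ? null : NAMED_QUERIES.get(queryName);
        if (sql == null) {
            throw new IllegalArgumentException("unknown query");
        }
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, arg);
            try (ResultSet rs = ps.executeQuery()) {
                return collectNames(rs);
            }
        }
    }

    private static List<String> collectNames(ResultSet rs) throws SQLException {
        List<String> names = new ArrayList<>();
        while (rs.next()) {
            names.add(rs.getString("name"));
        }
        return names;
    }
}
```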

Code Review for Insecure File Upload

  • Code Pattern: Look for code where the developer is attempting to accept an uploaded file without proper validation. An attacker can upload any file and then execute commands from it

Recommendation: Always validate file extensions while uploading files

Code Review for Directory Traversal

  • Code Pattern: Look for code where the developer is attempting to read a file whenever the requested file exists. Attackers can manipulate path variables to access restricted files and directories

Recommendation: Always validate the location of a file and read the file only from that validated location
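One way to implement "validate the location, then read only from there", as an added example that is not code from the checklist. `BASE_DIR` is an assumed location for the files the application is allowed to serve:

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeFileReader {
    // Assumed directory that user-requested files must stay inside.
    private static final Path BASE_DIR = Paths.get("/srv/app/files").toAbsolutePath().normalize();

    // Resolves a user-supplied name against BASE_DIR and refuses anything
    // that escapes it: ".." segments, absolute paths, and symlinks.
    static Path resolveInsideBase(String userSuppliedName) throws IOException {
        if (userSuppliedName == null || userSuppliedName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        Path requested = Paths.get(userSuppliedName);
        if (requested.isAbsolute()) {
            throw new IllegalArgumentException("absolute paths are not allowed");
        }
        // normalize() collapses "." and ".." lexically, so "a/../../etc/passwd"
        // resolves outside BASE_DIR and fails the startsWith check. Path.startsWith
        // compares whole name elements, so "/srv/app/files2" does not pass either.
        Path candidate = BASE_DIR.resolve(requested).normalize();
        if (!candidate.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        // toRealPath() follows symlinks (and fails if the file does not exist);
        // re-check so a link planted inside BASE_DIR cannot point outside it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(BASE_DIR.toRealPath())) {
            throw new IllegalArgumentException("path escapes base directory via symlink");
        }
        return real;
    }

    // The only read path in the application: validation happens first, and
    // the bytes come from the validated location, never from the raw input.
    static byte[] readUserFile(String userSuppliedName) throws IOException {
        Path p = resolveInsideBase(userSuppliedName);
        if (!Files.isRegularFile(p)) {
            throw new IOException("not a regular file");
        }
        return Files.readAllBytes(p);
    }
}
```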

Code Review for Sensitive Information Exposure

  • Code Pattern: Look for code where the developer is attempting to store sensitive information in a cookie. A cookie can be read by attackers

Recommendation: Do not store sensitive information in cookies

Code Review for Sensitive Information Leakage

  • Code Pattern: Look for code where the developer is using printStackTrace while handling exceptions. printStackTrace gives detailed information about the exception that occurred

Recommendation: Do not print the stack trace when the exception is caught