...
Java software components provide many opportunities to output sensitive information. Several rules address the mitigation of sensitive information disclosure, including EXC06-J. Do not allow exceptions to expose sensitive information and FIO08-J. Do not log sensitive information.
In particular, security sinks are often components that accept string data specifying commands or instructions to the component. String data passed to these components may contain special characters that can trigger commands or actions, resulting in a software vulnerability.
Examples of components that can interpret commands:
- Operating system command interpreter (see guideline IDS06-J. Prevent OS Command Injection)
- A data repository with an SQL-compliant interface (see guideline IDS07-J. Prevent SQL Injection)
- XML parser (see guideline IDS08-J. Prevent XML Injection)
- XPath evaluators (see guideline IDS09-J. Prevent XPath Injection)
- A SAX (Simple API for XML) or a DOM (Document Object Model) parser (see guideline IDS10-J. Prevent XML external entity attacks)
- Lightweight Directory Access Protocol (LDAP) directory service (see guideline IDS11-J. Prevent LDAP injection)
- Script engines (see guideline IDS12-J. Prevent code injection)
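The pattern shared by every sink above is that untrusted string data reaches a component that interprets special characters. The following added example (not code from the CERT page or its rules) shows the two standard defenses for the SQL case: a whitelist check on the data before it reaches the sink, and binding the value as a parameter so the statement text is fixed. It assumes a hypothetical `users` table with a `name` column; the concatenation builder is kept only to show the contrast.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

public final class SinkSanitizer {

    // Whitelist for data that must be handed to a command-interpreting sink as a
    // string: letters, digits, underscore and hyphen only, with a bounded length.
    // Characters such as quotes, semicolons and angle brackets are rejected outright.
    private static final Pattern SAFE_TOKEN = Pattern.compile("^[A-Za-z0-9_-]{1,32}$");

    private SinkSanitizer() {}

    /** Returns true only if the input contains no characters a sink could interpret. */
    public static boolean isSafeToken(String input) {
        return input != null && SAFE_TOKEN.matcher(input).matches();
    }

    /**
     * Weak pattern, shown for contrast: concatenating the value into the statement
     * means a quote character in the name changes the structure of the query.
     */
    static String buildQueryByConcatenation(String name) {
        return "SELECT 1 FROM users WHERE name = '" + name + "'";
    }

    /**
     * Hardened pattern: the statement text is constant and the untrusted value is
     * bound as a parameter, so the JDBC driver never interprets it as SQL.
     * Assumes a hypothetical table 'users' with a column 'name'.
     */
    public static boolean userExists(Connection conn, String name) throws SQLException {
        if (!isSafeToken(name)) {
            throw new IllegalArgumentException("name contains disallowed characters");
        }
        String sql = "SELECT 1 FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign name, one with a quote character,
        // and one with a statement separator and whitespace.
        String[] samples = {"alice", "o'brien", "carol; --"};
        for (String s : samples) {
            System.out.println("input " + s.replace("\n", "\\n")
                    + " -> accepted by whitelist: " + isSafeToken(s));
            // The concatenated form shows how the rejected inputs would have altered the query.
            System.out.println("  concatenated query would be: " + buildQueryByConcatenation(s));
        }
    }
}
```

Run the `main` method to see which inputs the whitelist rejects; `userExists` is the form to call with a live `Connection`. The same two steps apply to the other sinks in the list: validate the data against what the application actually expects, and use an API that separates the command from the data (parameterized queries, XPath variable resolvers, LDAP value escaping) rather than building the instruction string by hand.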
Guidelines
...