Java has been a cornerstone of programming for nearly 30 years, and as its usage has evolved, so too have the tactics of cybercriminals targeting Java applications.
Cybersecurity professionals are in an endless cycle of eliminating and discovering new vulnerabilities, so if you’re developing with Java, you need to know the inherent vulnerabilities you’re working with and what you can do about them.
There are several ways that malevolent actors can use your Java application against you. Most of these Java security risks involve three ingredients:
In this article, we’ll examine some of the most prevalent types of attacks Java applications can fall prey to—and how software composition analysis can protect you from them:
Skip to:
One of my colleagues worked as a Starbucks barista as a teenager and once told me how baristas would play pranks on each other by “hacking” the drink ordering system.
In the late 2000s, if you ordered a drink at Starbucks, your cashier would ring up your order and then call your order to the barista making the drinks. If you listened carefully, you would notice that the way the cashier would call the drink wasn’t always word-for-word what you said; they had a system for efficiently translating your order (the user input) into commands for the barista (the calling code).
For example, if you ordered a “small iced latte with an extra shot and skim milk,” your cashier would call for an “iced, double, Tall, nonfat latte.”
If you understood this code, you could game the system to order drinks at a discount—or free altogether. One infamous example was the “no-water cup of water” trick. The menu item “cup of water” was free. Several drink parameters were also free, including:
A cup of milk would normally cost $1.00, but if it were rung up as an “iced, Tall, add milk, no-ice, no-room, no-water cup of water,” it would be free!
This was all in good fun, and the human barista would quickly realize what was going on, laugh it off, and charge the other barista the correct price.
But imagine there were no humans taking orders and making drinks—only robots. They might not catch on, and the store could be easily exploited until someone finds a way to get the robots to reject spurious orders. And if customers got really clever, they might be able to order their drinks in such a way that convinced robots that “milk” really meant $100 bills—effectively getting cups of money for free!
But what does Starbucks have to do with Java?
The point of this story is to illustrate that if someone knows how the system works, they can manipulate it.
Baristas would hack their system for harmless fun, but when hackers attack your applications, they’re after more than just a laugh.
Java security vulnerabilities can be exploited to steal your customers’ information, alter user experience, corrupt your database, or even delete your whole application.
Java developers should familiarize themselves with security vulnerabilities to protect against them when setting up user input fields on websites and apps.
Below is an overview of the ways hackers exploit vulnerabilities in Java applications. These are board-level categories, and this article is not an exhaustive list. However, understanding how vulnerabilities work is the first step to securing your application.
If you don’t already, set security processes to prevent these attacks from being executed. And if you’re curious whether or not these vulnerabilities are lurking within your code, a robust software composition analysis (SCA) tool will let you know if these kinds of vulnerabilities (and others) pose a threat to your current version.
One of the most prevalent attacks in the Java world, SQL injections, gives hackers access to your queryable information—and potentially lets them steal, destroy, or corrupt your database. This commonly occurs when malevolent actors use user input fields to upload SQL code to your application.
To use SQL injections, Hackers must make assumptions about how your user input fields translate to SQL commands within your app. If they correctly guess the way you’ve coded your application, they can enter SQL code that your application runs unbeknownst to you.
Hackers may run queries, execute commands, or even store scripts in your database that execute when queried later (i.e., a second-order SQL injection).
You can protect against these attacks by adding SQL parameters to your queries before they are executed. These function as guardrails, which prevent malicious SQL commands from being executed.
For further reading on SQL injections:
An XPath injection attack occurs when a hacker uses user inputs to construct an XPath query to access XML data. This type of attack is very dangerous, and it’s becoming more prevalent as more organizations adopt microservices architecture.
Because microservices involve many small applications accessing XML resources, organizations using this infrastructure are especially vulnerable to this sort of attack. When exploited, hackers can see how you’ve structured your XML data, access confidential information, and even hijack your authentication protocols to gain privileges.
For further reading on XPath injections:
A cross-site scripting vulnerability arises when hackers can use your website to attack your users, i.e., malevolent actors attack users across your site. This attack’s two most common varieties are reflected XSS and stored XSS.
Reflected XSS
Web applications and websites often allow users to input information—e.g., search queries, comments, etc. When a user completes the input, the site may return a results page with a URL including the user input (or some function thereof).
However, if the user input contains a malicious script, then the input can hijack the “trusted” website. This means that hackers can exploit this vulnerability by creating URLs with the malicious script already queued up. They can then trick users into clicking on a link to the malicious URL.
The user’s browser won’t stop the script from executing because it’s happening on a “trusted” website. This can give the hacker control of what the user sees on the target site, allowing them to direct the user to take harmful actions.
Stored XSS (or persistent XSS)
Stored XSS is even more dangerous and occurs when a malicious user injects a script on a target site in such a way that the site stores it and serves it up to users. In this scenario, the target site attacks users automatically, triggering the malicious script when users visit a page the script is injected into.
Sites that allow users to input information that is served to other users (like social media platforms, forums, and blogging platforms) are especially vulnerable to this sort of attack.
For further reading on Cross-site scripting (XSS):
Applications often use buffers to hold data (including user inputs) while it is being moved from one place to another. If a malicious user correctly estimates how much memory space is allotted to a given buffer, they may input more data than the buffer is meant to hold—causing your application to overwrite other code within your application. If a hacker uploads more data than your buffer can hold, it may force your application to write the rest of their input over other code you’ve written.
This can leave you vulnerable to foreign code being written over your code, leading to crashes, errors, or actions the software was never meant to perform.
For further reading on buffer overflows:
A critically dangerous type of attack, remote code execution lets an attacker execute commands on the target’s device even if the attacker is not in the same location. The hacker can use someone else’s computer from anywhere, often through malware installed on the target computer. Once a malicious actor has gained access to another computer, they can deploy several of the other kinds of attacks listed in this article.
The log4j exploit is a recent (and disastrous) example of such an attack.
For further reading on remote code execution (RCE):
Serialization is the process of transforming objects into a serial form (such as a JSON payload), making them more portable. Deserialization is the process of turning these serial elements back into the objects they represent.
If a valid serialized object falls into the wrong hands, hackers can alter it to include malevolent code. This might involve modifying the object’s attributes and data types or inserting commands to execute processes your application was never intended to do. If your application or API deserializes the compromised object, these changes can affect your software—corrupting your data, altering its structure, and potentially giving the hacker the ability to execute an RCE.
For further reading on serialization and deserialization attacks:
Command injections go straight for your operating system. If a hacker deduces that one of your features involves user inputs in system commands, they can give foreign commands to your operating system by including them in their inputs.
If your application doesn’t have privileges to execute system commands, these sorts of attacks won’t work. (The user can’t command the application to do something it isn’t authorized to do.) But if it does, it’s imperative to sanitize all user-provided data before use—otherwise, a command injection could access privileged information, delete files, or even shut down your entire application.
For further reading on command injections:
The Lightweight Directory Access Protocol (LDAP) is a popular software protocol for authenticating users and allowing them to access other entities within a network. If you don’t have parameters around your LDAP query interfaces, hackers may insert LDAP queries in user input forms, which allow them to look up otherwise private information within your database. LDAP injections may also allow attackers to change users’ permissions, status, and privileges.
For further reading on LDAP injections:
If your application names resources based on user input, hackers may find opportunities to change resource identifiers (e.g., port numbers, file names, etc.). This type of attack may give the hacker access to resources they shouldn’t have, hide resources from the application, or even turn file names into malicious scripts themselves.
For further reading on resource injections:
Connection strings define the way your application connects to data sources. Connection string injection attacks take place when hackers add extra parameters to connection strings, which can allow them to bypass proper authentication, hijack credentials, or even gain control over the database server.
For further reading on connection string injections:
Your developers should be building applications that protect against these types of attacks—but what about vulnerabilities in the components you’ve sourced from third parties?
Software composition analysis (SCA) tools can scan your components for known vulnerabilities so that you know which parts of your software are open to attack.
Finite State is an advanced SCA tool that provides more than just vulnerability reports. With Finite State, your developers can see where vulnerabilities lie within your application, how much of a risk they pose, and what available patches are compatible with your current application.
Hackers are always looking for a way in—but Finite State gives you peace of mind. If you want to see how Finite State can help keep your Java application secure, talk to us today!