Absent Member.

Need to Add Protection to Java Web Application. Where to start?

I work on a web application, written in Java and JSF, that needs to add cross-site scripting, cross-site request forgery, SQL injection protection, etc.  How do I get started here?  Are there free HP products I can integrate into our solution?

5 Replies
Absent Member.

Good morning. Don't look for HP solutions for this; instead look to OWASP and built-in Java/JavaScript functionality.

CSRF - OWASP CSRFGuard

XSS - OWASP Stinger or Java Struts for input validation and OWASP Java Encoder Project for output encoding.  (always check both directions!)

SQLi - Hibernate

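The two "check both directions" defenses from the reply above (allow-list input validation plus context-specific output encoding for XSS, and parameter binding instead of string concatenation for SQLi), as an added example that is not from the thread or from OWASP. It assumes the OWASP Java Encoder (org.owasp.encoder:encoder) and a JPA provider such as Hibernate are on the classpath; the User entity, the EntityManager wiring and the method names are hypothetical.

```java
// Added example, not code from the thread. Assumes org.owasp.encoder:encoder
// and a JPA provider (e.g. Hibernate) on the classpath. User entity, the
// EntityManager and all method names here are hypothetical.
import java.util.List;
import java.util.regex.Pattern;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.TypedQuery;
import org.owasp.encoder.Encode;

// Minimal entity so the JPQL below has something to query (hypothetical).
@Entity
class User {
    @Id
    Long id;
    String name;
}

public class InputOutputHardening {

    // --- Input validation (allow-list): accept only what the field should contain.
    // Rejecting unexpected characters early shrinks the attack surface, but it does
    // not replace output encoding: O'Brien is a legal name and still needs encoding.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.-]{1,32}$");

    public static boolean isValidUsername(String s) {
        return s != null && USERNAME.matcher(s).matches();
    }

    // --- Output encoding: encode for the context the value is written into.
    public static String renderGreeting(String displayName) {
        // HTML text context: <, >, &, ", ' become entities
        return "<p>Hello, " + Encode.forHtml(displayName) + "</p>";
    }

    public static String renderLink(String displayName, String returnUrl) {
        // Attribute context for the title, URI-component context for the query value.
        // Using forHtml() for the URL part would not stop a value like "x&y=z"
        // from smuggling a second parameter; the encoder must match the sink.
        return "<a title=\"" + Encode.forHtmlAttribute(displayName)
             + "\" href=\"/home?next=" + Encode.forUriComponent(returnUrl)
             + "\">home</a>";
    }

    // --- SQL injection: the vulnerable version splices user input into the query
    // text, so a name of  ' or '1'='1  changes the query's structure.
    public static List<User> findByNameVulnerable(EntityManager em, String name) {
        String jpql = "select u from User u where u.name = '" + name + "'"; // DO NOT DO THIS
        return em.createQuery(jpql, User.class).getResultList();
    }

    // Hardened version: bind the value as a named parameter. Hibernate/JPA passes it
    // to the driver separately from the statement text, so it can only ever be data.
    public static List<User> findByName(EntityManager em, String name) {
        TypedQuery<User> q = em.createQuery(
            "select u from User u where u.name = :name", User.class);
        q.setParameter("name", name);
        return q.getResultList();
    }
}
```

In a JSF view most output already goes through the framework's escaping: `<h:outputText value="#{bean.name}"/>` and `#{...}` expressions in Facelets template text are HTML-escaped by default, and the escape is only lost where someone writes `escape="false"`, so a code search for that attribute is a quick way to find the risky spots. The manual encoder above is for the places where the application builds markup, URLs or script itself.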
Micro Focus Expert

Hi Patrick,

HP Fortify has a number of tools for runtime, static and dynamic testing of Java applications that offer free trials you can use.

Absent Member.

He wasn't asking for free trials of testing software, he was asking for frameworks to perform the listed functions.

Micro Focus Expert

I saw "...that needs to add cross site scripting, cross site request forgery, SQL injection protection etc...." and we offer free trials of application protection at runtime using App Defender and AppView. My apologies Patrick if I misread your question about "HP products" that can integrate into your solution. We have free trials but nothing free for continual use.

Absent Member.

Thanks for the information guys!  Actually I'm looking for both; software to integrate into our solution to beef up security and testing tools to verify that we're safe.

I have Fortify SCA on my PC and use it frequently.  I wish I had WebInspect.

In regards to software to integrate in, I've got to believe that somewhere in HP someone has developed a CSRFGuard-like solution for a JSF application to prevent CSRF and has also developed a servlet filter that prevents XSS attacks.  Rather than recreate the wheel I was wondering/hoping there'd be some software we could reuse or leverage.

FYI: I've researched OWASP and have taken a close look at CSRFGuard3.  The currently available CSRFGuard3 only supports JSP (it does not support JSF).  Our application is not allowed to use JavaScript.  The good news is that CSRF prevention is available in JSF 2.2 via a "protectedViews" element.  My current project is using JSF 2.1 but we're planning to upgrade soon.

I'll have to take a look at Stinger and the Java Encoder project for XSS prevention.

ApplicationDefender sounds intriguing to me.  I've passed that information on to the solution architect.  It'd be nice if it was free.  It might be a hard sell to our customer.

Thanks again.

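The JSF 2.2 CSRF feature mentioned in the last post is configured in faces-config.xml with a `<protected-views>` element. The fragment below is an added example, not configuration from the thread or from any HP product; the view ids are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (faces-config.xml), not from the thread. View ids are hypothetical. -->
<faces-config xmlns="http://xmlns.jcp.org/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                                  http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_2.xsd"
              version="2.2">

  <!-- Views listed here can only be reached by a non-postback (GET) request that
       carries a valid per-session javax.faces.Token parameter. Links and buttons
       rendered with <h:link>/<h:button> to these outcomes get the token appended
       automatically; a forged link from another origin will not have it. -->
  <protected-views>
    <url-pattern>/admin/index.xhtml</url-pattern>
    <url-pattern>/account/delete.xhtml</url-pattern>
  </protected-views>

</faces-config>
```

This needs no JavaScript, which fits the constraint in the post. Two checks worth doing before relying on it: list every state-changing view explicitly (an entry that does not match the view id exactly protects nothing), and confirm that form POSTs are also covered, which in JSF 2.2 comes from the unguessable view state token rather than from `<protected-views>`.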