🚀 Veracode Java Findings — GitHub-Style Cheat Sheet
Top 10 typical findings • including fixes & code examples
1. SQL Injection
Problem: Unvalidated input lands directly in SQL → complete database compromise possible.
Fix: Prepared statements + parameter binding.
❌ Insecure
String sql = "SELECT * FROM users WHERE name = '" + username + "'";
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery(sql);
✅ Secure
String sql = "SELECT * FROM users WHERE name = ?";
PreparedStatement ps = conn.prepareStatement(sql);
ps.setString(1, username);
ResultSet rs = ps.executeQuery();
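Added example, not code from the gist: a small data-access class that binds every user-controlled value as a parameter and handles the one thing `?` cannot bind, a column name used for ORDER BY, by checking it against a fixed allowlist. The users(name, email, created_at) table and the 100-row cap are constructed assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added example (not from the gist). Assumes a table users(name, email, created_at).
public final class UserDao {
    // Only these identifiers may ever be concatenated into a statement.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("name", "email", "created_at");

    private final Connection conn;

    public UserDao(Connection conn) {
        this.conn = conn;
    }

    // Exact-match lookup. Input such as  ' OR '1'='1  reaches the database as a
    // literal string value and is never parsed as SQL.
    public List<String> findEmailsByName(String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            return readColumn(ps, "email");
        }
    }

    // Sorting by a user-chosen column: identifiers cannot be bound with "?", so the
    // column is validated against the allowlist before it is concatenated. The row
    // limit is a number and is bound normally.
    public List<String> listNamesSorted(String sortColumn, int limit) throws SQLException {
        if (!SORTABLE_COLUMNS.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        String sql = "SELECT name FROM users ORDER BY " + sortColumn + " LIMIT ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, Math.max(1, Math.min(limit, 100)));
            return readColumn(ps, "name");
        }
    }

    private static List<String> readColumn(PreparedStatement ps, String column) throws SQLException {
        List<String> values = new ArrayList<>();
        try (ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                values.add(rs.getString(column));
            }
        }
        return values;
    }
}
```

Try-with-resources closes the statement and result set on every path, and the allowlist check is the usual answer to the "dynamic ORDER BY" variant of this finding that parameter binding alone cannot fix.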
2. Cross-Site Scripting (XSS)
Problem: User input is written into HTML without escaping.
Fix: HTML escaping (e.g. OWASP ESAPI, OWASP Java Encoder's Encode.forHtml, Spring encoder).
❌ Insecure
out.println("Hello " + request.getParameter("name"));
✅ Secure
String safe = Encode.forHtml(request.getParameter("name"));
out.println("Hello " + safe);
3. Hardcoded Credentials
Problem: Passwords/secrets in source code lead to immediate application compromise.
Fix: Use Vault, AWS Secrets Manager or environment variables.
❌ Insecure
String password = "SuperSecret123";
✅ Secure
String password = System.getenv("DB_PASSWORD");
4. Insecure Randomness
Problem: java.util.Random is predictable → tokens/sessions at risk.
Fix: SecureRandom.
❌ Insecure
Random r = new Random();
int token = r.nextInt();
✅ Secure
SecureRandom sr = new SecureRandom();
int token = sr.nextInt();
5. Path Traversal
Problem: Attackers can read arbitrary files.
Fix: Canonical path validation.
❌ Insecure
File f = new File("/data/uploads/" + filename);
✅ Secure
File base = new File("/data/uploads/").getCanonicalFile();
File f = new File(base, filename).getCanonicalFile();
// compare including the separator so that "/data/uploads2/..." is not accepted as a prefix match of "/data/uploads"
if (!f.getPath().startsWith(base.getPath() + File.separator)) {
    throw new SecurityException("Invalid file path");
}
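Added example, not code from the gist: the same check written with java.nio.file.Path, which compares whole path segments, so a sibling directory such as /data/uploads2 cannot pass a test for /data/uploads the way a plain String.startsWith prefix test can. The class name, the temporary directory used in main and the sample file names are constructed for this example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example (not from the gist): resolve a user-supplied name inside a fixed base directory.
public final class UploadResolver {
    private final Path baseDir;

    public UploadResolver(Path baseDir) throws IOException {
        // Canonicalise the base once (follows symlinks, removes "." and "..").
        this.baseDir = baseDir.toRealPath();
    }

    public Path resolve(String requestedName) throws IOException {
        if (requestedName == null || requestedName.isEmpty()) {
            throw new SecurityException("empty file name");
        }
        if (requestedName.indexOf('\0') >= 0) {
            throw new SecurityException("NUL byte in file name");
        }
        // resolve() with an absolute argument discards the base, and normalize()
        // collapses ".." segments; both end up outside baseDir and are rejected.
        Path candidate = baseDir.resolve(requestedName).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new SecurityException("path escapes upload directory: " + requestedName);
        }
        // For an existing file, also follow any symlink inside the directory.
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(baseDir)) {
                throw new SecurityException("symlink escapes upload directory: " + requestedName);
            }
            return real;
        }
        return candidate;
    }

    // Demonstration on a temporary directory created for this run (constructed input).
    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("uploads");
        Files.writeString(tmp.resolve("report.txt"), "ok");
        UploadResolver resolver = new UploadResolver(tmp);

        System.out.println("accepted: " + resolver.resolve("report.txt"));
        for (String bad : new String[] {"../../etc/passwd", "/etc/passwd", "sub/../../x"}) {
            try {
                resolver.resolve(bad);
                System.out.println("UNEXPECTED: accepted " + bad);
            } catch (SecurityException e) {
                System.out.println("rejected: " + bad + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The two-step check (normalize first, then toRealPath for files that exist) covers both a ".." in the request and a symlink already sitting in the upload directory.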
6. Insecure Deserialization
Problem: Untrusted objects enable RCE.
Fix: ObjectInputFilter + whitelist.
💡 Safer approach
ObjectInputFilter filter =
ObjectInputFilter.Config.createFilter("com.example.MyClass;!*");
in.setObjectInputFilter(filter);
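Added example, not code from the gist: a full round trip through ObjectInputStream with an allowlist filter. Greeting is a constructed class standing in for the application's own DTO; any other class in the stream, here a java.util.ArrayList, is rejected with an InvalidClassException before any constructor or readObject method of the unexpected class can run. The resource limits in the pattern (maxdepth, maxarray, maxrefs, maxbytes) are standard ObjectInputFilter keys; their values are chosen for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the gist): deserialize with an allowlist filter.
public final class FilteredDeserialization {

    // Constructed sample type: the only application class we expect in the stream.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Allow only Greeting (and String, which its field holds); "!*" rejects all
    // other classes. The limits cap nesting depth, array sizes, reference count and
    // stream length, so even allowed classes cannot be abused to exhaust memory.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "FilteredDeserialization$Greeting;java.lang.String;!*;"
                        + "maxdepth=8;maxarray=1000;maxrefs=1000;maxbytes=65536");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Greeting ok = (Greeting) deserialize(serialize(new Greeting("hello")));
        System.out.println("allowed: " + ok.text);

        List<String> list = new ArrayList<>();
        list.add("x");
        try {
            deserialize(serialize(list));
            System.out.println("UNEXPECTED: ArrayList was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Setting the filter per stream, as here and in the gist, is the precise option; a process-wide default can additionally be set with ObjectInputFilter.Config.setSerialFilter or the jdk.serialFilter system property so that a stream someone forgets to filter is still covered.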
7. Missing Input Validation
Problem: Invalid input → XSS, SQLi, exceptions.
Fix: Regex, range checks, type checks.
💡 Safer approach
String age = request.getParameter("age");
if (age == null || !age.matches("\\d{1,3}")) // getParameter returns null when the parameter is absent
    throw new IllegalArgumentException("age must be 1 to 3 digits");
int val = Integer.parseInt(age);
8. Weak Cryptography
Problem: MD5/SHA-1 can be broken.
Fix: PBKDF2, bcrypt, scrypt, Argon2.
❌ Insecure
MessageDigest md = MessageDigest.getInstance("MD5");
✅ Secure
PBEKeySpec spec = new PBEKeySpec(password, salt, 10000, 256);
SecretKeyFactory skf =
SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
byte[] hash = skf.generateSecret(spec).getEncoded();
9. Trust Boundary Violation
Problem: External data (headers, query params) is trusted blindly.
Fix: Verify identity and roles server-side.
❌ Insecure
String role = request.getHeader("X-Role");
✅ Secure
Object roleAttr = session.getAttribute("role"); // set only by the server-side login code, never from the request
String role = roleAttr == null ? null : roleAttr.toString();
10. Information Leakage
Problem: Stack traces or internal details are sent to the user.
Fix: Generic error messages, log details internally.
💡 Safer approach
try {
...
} catch (Exception e) {
logger.error("Error processing request", e);
out.println("An unexpected error occurred.");
}