Thursday, June 30, 2011

Security concepts while developing web applications in Java

A few security concepts to keep in mind while developing web applications in Java

1) Difference between Hashing and Encryption:
 Hashing takes any amount of data (binary or text) and produces a fixed-length hash that acts as
 a checksum for the data. For example, the hash might be 16 bytes; different hashing algorithms produce
 hashes of different sizes. You cannot recreate the original data from the hash, but you can
 hash the original data again and check whether the same hash value is produced.
 Ex: Unix-based passwords work this way. The password is stored as a hash value, and to log on to a system,
 the password you type is hashed and the result is compared against the stored hash of the real password.
 If they match, you must have typed the correct password.

 Encryption: Encryption transforms the original data into an unreadable form using a key and an
 algorithm, so that it can be stored or sent over the network. The same key and algorithm are then
 used to decrypt the unreadable data and give back the original data.
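The two operations side by side, as an added example that is not part of the original post and uses only JDK classes (java.security and javax.crypto). It hashes two inputs of different length with SHA-256 to show the fixed digest size, verifies a "password" by re-hashing it, and then encrypts and decrypts the same data with AES-128 in GCM mode (GCM also detects tampering with the ciphertext). The sample strings are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example (not from the original post): hash vs. encryption with JDK classes only.
public class HashVsEncrypt {

    // Hashing: fixed-length digest; same input -> same digest; no way back to the input.
    static byte[] sha256(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Verifying against a stored hash: re-hash the candidate and compare.
    // MessageDigest.isEqual compares in constant time, so timing does not leak
    // how many leading bytes matched.
    static boolean matchesStoredHash(byte[] storedHash, byte[] candidate) throws Exception {
        return MessageDigest.isEqual(storedHash, sha256(candidate));
    }

    // Encryption: AES/GCM with a fresh random 12-byte nonce per message.
    // Output layout: nonce || ciphertext+tag, so decrypt() can recover the nonce.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Decryption: same key, nonce read back from the front of the blob.
    // doFinal throws AEADBadTagException if the blob was modified in transit.
    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, 12);
        byte[] ct = Arrays.copyOfRange(blob, 12, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        // constructed sample inputs
        byte[] secret = "correct horse battery staple".getBytes(StandardCharsets.UTF_8);
        byte[] longer = "a considerably longer input that still yields a 32-byte digest".getBytes(StandardCharsets.UTF_8);

        byte[] h1 = sha256(secret);
        byte[] h2 = sha256(longer);
        System.out.println("digest length for short input : " + h1.length + " bytes");
        System.out.println("digest length for longer input: " + h2.length + " bytes");
        System.out.println("correct password re-hashes to the stored value: " + matchesStoredHash(h1, secret));
        System.out.println("wrong password re-hashes to the stored value  : "
                + matchesStoredHash(h1, "wrong".getBytes(StandardCharsets.UTF_8)));

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] blob = encrypt(key, secret);
        System.out.println("ciphertext (base64): " + Base64.getEncoder().encodeToString(blob));
        System.out.println("decrypted with the same key: " + new String(decrypt(key, blob), StandardCharsets.UTF_8));
    }
}
```

One practical caveat for the password case: a plain fast hash such as SHA-256 is fine for integrity checks, but for stored passwords a salted, deliberately slow function (PBKDF2 is available in the JDK through SecretKeyFactory, bcrypt and scrypt through libraries) makes brute-forcing a leaked hash table far more expensive.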

2) Points to keep in mind when writing dynamic queries in an application, to prevent attacks:
 a) SQL injection example one:

 SELECT * FROM admin_auth_user WHERE Firstname='Obopay' AND FamilyName='Admin';
 //8 records returned

 SELECT * FROM admin_auth_user WHERE Firstname='Obopay' AND FamilyName='Admin' OR '1'=1;
 //ALL 26 records returned: the appended OR clause makes the WHERE condition always TRUE, so this query is equivalent to:
 SELECT * FROM admin_auth_user;


 b) SQL injection example two:
 //Your application query:
 SELECT * FROM items WHERE owner = '" +hackerName+ "' AND itemname = '" +name+"'";

 //An attacker modifies the query by supplying a crafted value in the URL, so the statement becomes the one below.
 //This deletes all records from the table on databases that execute several statements in one batch, e.g. SQL Server 2000;
 //Oracle does not support this.
 SELECT * FROM items WHERE owner = '" +hackerName+ "' AND itemname = '" +name+ "';DELETE FROM items;SELECT * FROM 
 items WHERE 'a'='a'";

 #######################################
 A safe version of the above SQL statement could be coded in Java as:

 //needs java.sql.PreparedStatement, java.sql.ResultSet, java.sql.SQLException
 String firstname = req.getParameter("firstname");
 String lastname = req.getParameter("lastname");
 //FIXME: Do your own validation to detect attacks
 //The ? placeholders are bound as parameter values, so quotes in the input are never parsed as SQL
 String query = "SELECT id, firstname, lastname FROM authors WHERE forename = ? and surname = ?";
 try (PreparedStatement pstmt = connection.prepareStatement( query )) {
    pstmt.setString( 1, firstname );
    pstmt.setString( 2, lastname );
    //execute() returns a boolean; executeQuery() returns the ResultSet of a SELECT
    try (ResultSet results = pstmt.executeQuery( )) {
       while (results.next()) {
          //process each row
       }
    }
 }
 catch(SQLException e){
    //do not swallow the failure silently; log it or propagate it
    throw new ServletException("author lookup failed", e);
 }
 ########################################

 c) Visible Content
 Given a simple page that displays the article whose ID is passed as a parameter, an attacker can
 perform a couple of simple tests to see whether the page is vulnerable to SQL injection.
 
 Example URL:
    http://newspaper.com/items.php?id=2
 Sends the following query to the database:
    SELECT title, description, body FROM items WHERE ID = 2;   //Assume: returns 1 record

 The attacker may try to inject any (even invalid) expression that makes the query return no results:
    http://newspaper.com/items.php?id=2 and 1=2
 Now the SQL query looks like this:
    SELECT title, description, body FROM items WHERE ID = 2 and 1=2;   //No records are returned, since 1=2 is false.

 Which means the query returns nothing; a page whose output changes with such input is exposing its query to injection. Again, use a PreparedStatement and bind the id as a parameter instead of splicing it into the query text.
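The three cases from this section in one runnable program, as an added example that is not part of the original post: the concatenated query from example one beside its PreparedStatement version, and the numeric id case from (c) with the value parsed to an int before it is bound. It assumes a JDBC driver on the classpath; the main() uses an in-memory H2 database (jdbc:h2:mem:) so no server is needed, and the table contents are constructed sample data.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example (not from the original post). Assumes a JDBC driver such as H2 on the classpath.
public class SqlInjectionDemo {

    // VULNERABLE: the user-supplied value is spliced into the SQL text, so a value like
    //   Admin' OR '1'='1
    // turns the WHERE clause into "... AND FamilyName='Admin' OR '1'='1'", which is always true.
    static int countVulnerable(Connection conn, String firstname, String familyName) throws SQLException {
        String sql = "SELECT COUNT(*) FROM admin_auth_user WHERE Firstname='" + firstname
                   + "' AND FamilyName='" + familyName + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // SAFE: placeholders are bound as data and never parsed as SQL, so the same
    // quote-laden input is simply compared as a literal family name and matches no row.
    static int countSafe(Connection conn, String firstname, String familyName) throws SQLException {
        String sql = "SELECT COUNT(*) FROM admin_auth_user WHERE Firstname=? AND FamilyName=?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, firstname);
            ps.setString(2, familyName);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // Numeric parameter (the items.php?id=... case): validate by parsing to int, then bind with setInt.
    // A value such as "2 and 1=2" fails to parse and is rejected before it reaches the database.
    static String findItemTitle(Connection conn, String idParam) throws SQLException {
        int id;
        try {
            id = Integer.parseInt(idParam.trim());
        } catch (NumberFormatException e) {
            return null; // not a number: refuse rather than guess
        }
        try (PreparedStatement ps = conn.prepareStatement("SELECT title FROM items WHERE ID = ?")) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            // constructed sample data
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE admin_auth_user(Firstname VARCHAR(50), FamilyName VARCHAR(50))");
                st.execute("INSERT INTO admin_auth_user VALUES ('Obopay','Admin'),('Alice','Smith'),('Bob','Jones')");
                st.execute("CREATE TABLE items(ID INT, title VARCHAR(100))");
                st.execute("INSERT INTO items VALUES (1,'First article'),(2,'Second article')");
            }
            String injected = "Admin' OR '1'='1";
            System.out.println("concatenated query, honest input  : " + countVulnerable(conn, "Obopay", "Admin"));
            System.out.println("concatenated query, injected input: " + countVulnerable(conn, "Obopay", injected));
            System.out.println("prepared statement, injected input: " + countSafe(conn, "Obopay", injected));
            System.out.println("item id=2          : " + findItemTitle(conn, "2"));
            System.out.println("item id='2 and 1=2': " + findItemTitle(conn, "2 and 1=2"));
        }
    }
}
```

Run it with the H2 jar on the classpath; the concatenated query returns every row for the injected input while the prepared statement returns none, and the non-numeric id never produces a query at all, which is the behaviour described in (a) and (c) above.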

3) Writing and injecting JavaScript to steal a user's SessionId and use it:

 It is easy to steal SessionId cookies with JavaScript planted in trusted sites by
 other users. Here we discuss the possible counter-measures for this kind of attack.

 How attackers do this:
 <script>document.cookie</script>

 Help is taken from this site (Open Web Application Security Project), which describes the HttpOnly
 cookie flag that stops script from reading the session cookie through document.cookie:
 https://www.owasp.org/index.php/HttpOnly
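The HttpOnly counter-measure applied in a Java web application, as an added example that is not part of the original post or the OWASP page. It assumes the Servlet 3.0 API (javax.servlet), which introduced Cookie.setHttpOnly and SessionCookieConfig: a context listener marks the container's JSESSIONID cookie HttpOnly and Secure, and a servlet sets the same flags on its own cookie and HTML-escapes request input before echoing it, so an injected script tag is rendered as text rather than executed. The servlet path and cookie value are constructed for the demo.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the original post). Assumes the Servlet 3.0 API.

// 1) At startup, mark the container's session cookie (JSESSIONID) HttpOnly and Secure.
//    An injected script then cannot read it via document.cookie, and the browser
//    only sends it over HTTPS.
@WebListener
class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true);
        cfg.setSecure(true);
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}

// 2) Application cookies get the same flags, and request input is escaped before output.
@WebServlet("/profile") // constructed path for the demo
class ProfileServlet extends HttpServlet {

    // Minimal HTML escaping for text placed inside an element body or attribute.
    // In a real application, prefer a maintained encoder such as the OWASP Java Encoder.
    static String htmlEscape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        req.getSession(true); // JSESSIONID is issued with the flags configured above

        Cookie prefs = new Cookie("prefs", "theme=dark"); // constructed sample cookie
        prefs.setHttpOnly(true);
        prefs.setSecure(true);
        prefs.setPath("/");
        resp.addCookie(prefs);

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // A name parameter of <script>document.cookie</script> is shown literally, not run.
        out.println("<html><body><p>Hello, " + htmlEscape(req.getParameter("name")) + "</p></body></html>");
    }
}
```

Deploy both classes in a Servlet 3.0 container and look at the Set-Cookie headers in the response: JSESSIONID and prefs both carry HttpOnly and Secure. The same session-cookie setting can be declared in web.xml instead of the listener, with http-only and secure inside the cookie-config element of session-config.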
---------------------END---------------------
