Prevent injection by using parameterized queries, query builders, and input validation; 2. Secure authentication with Spring Security or Apache Shiro, enforce strong passwords, MFA, and secure session cookies; 3. Protect sensitive data via bcrypt/PBKDF2 for passwords, AES-256-GCM encryption, HTTPS, and sanitized logs; 4. Block XXE by disabling DTDs in XML parsers or using JSON instead; 5. Enforce broken access control using backend role-based checks with Spring Security’s @PreAuthorize and test manually; 6–10. Avoid security misconfiguration with dependency scanning, prevent XSS via output encoding, block insecure deserialization, patch vulnerable components using automated tools, and ensure sufficient logging of security events—security is a development habit, not a feature, so integrate threat modeling, code reviews, and automated scans early and consistently to address the OWASP Top 10 effectively.
Securing Java applications against the OWASP Top 10 isn’t about slapping on a few libraries or running a scanner—it’s about baking security into your development lifecycle from day one. Java’s strong ecosystem gives you powerful tools, but you still need to know how and where to apply them. Here's how to tackle the most critical risks:
1. Injection (e.g., SQL, Command, LDAP)
This is still #1 for a reason—Java apps are vulnerable if you’re concatenating strings into queries.
Fix it:
- Use parameterized queries with
PreparedStatementor JPA/Hibernate named parameters. - For dynamic queries, use query builders like JOOQ or Criteria API.
- Validate and sanitize all inputs—even if they come from "trusted" sources.
Example:
?String query = "SELECT * FROM users WHERE id = " userId;
?String query = "SELECT * FROM users WHERE id = ?"; ps.setInt(1, userId);
2. Broken Authentication
Java apps often roll their own auth logic—which is risky. Even with Spring Security, misconfigurations happen.
Fix it:
- Use Spring Security or Apache Shiro—don’t write your own session/token management.
- Enforce strong password policies (length, complexity, no reuse).
- Implement multi-factor authentication (MFA) where possible.
- Set secure session cookies:
HttpOnly,Secure, andSameSite=Strict.
Pro tip:
Enable CSRF protection in Spring Security—it’s on by default but easy to accidentally disable.
3. Sensitive Data Exposure
If you’re storing passwords in plain text or using weak crypto, you’re asking for trouble.
Fix it:
- Hash passwords with bcrypt, scrypt, or PBKDF2—never MD5 or SHA-1.
- Encrypt sensitive data at rest (use JCE with AES-256-GCM).
- Use HTTPS everywhere—no exceptions. Spring Boot makes this easy with SSL config.
Don’t forget:
Log files and stack traces can leak secrets. Sanitize logs using tools like Logback filters or OWASP ESAPI.
4. XML External Entity (XXE) Processing
Common in apps that parse XML from untrusted sources—like file uploads or APIs.
Fix it:
- Disable DTDs and external entities in your XML parsers:
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - Or switch to JSON—it’s simpler and safer for most use cases.
5. Broken Access Control
Just because someone is logged in doesn’t mean they should see everything—this is where role-based checks fail silently.
Fix it:
- Enforce role-based access control (RBAC) on every request—not just the UI.
- Use Spring Security’s
@PreAuthorize("hasRole('ADMIN')")on methods. - Test access control manually—try accessing
/adminas a regular user.
Real-world issue:
A common mistake is checking permissions only on the frontend. Always re-check on the backend.
6–10 (Brief but Critical):
- Security Misconfiguration: Use tools like OWASP Dependency-Check to scan for outdated libs. Keep Tomcat, Spring, and dependencies updated.
-
Cross-Site Scripting (XSS): Escape output with OWASP Java Encoder or Thymeleaf’s
th:text(auto-escapes by default). - Insecure Deserialization: Never deserialize untrusted data. If you must, use signed objects or switch to JSON.
-
Using Components with Known Vulnerabilities: Run
mvn dependency:analyzeand integrate OWASP Dependency-Check into CI/CD. - Insufficient Logging & Monitoring: Log auth failures, input validation errors, and access denied events. Use structured logging (e.g., JSON logs) for easier analysis.
Bottom line:
Java gives you the tools—Spring Security, Hibernate, OWASP libraries—but security is a habit, not a feature. Start with threat modeling, code reviews, and automated scans (like SonarQube Dependency-Check), and you’ll cover 80% of the OWASP Top 10 without breaking a sweat.
The above is the detailed content of Securing Java Applications against OWASP Top 10. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Preventing man-in-the-middle attacks in Java
Aug 11, 2023 am 11:25 AM
Preventing man-in-the-middle attacks in Java Man-in-the-middle Attack is a common network security threat. An attacker acts as a man-in-the-middle to steal or tamper with communication data, making the communicating parties unaware of the communication between them. Being hijacked. This attack method may cause user information to be leaked or even financial transactions to be tampered with, causing huge losses to users. In Java development, we should also add corresponding defensive measures to ensure the security of communication. This article will discuss how to prevent
Prevent file upload vulnerabilities in Java
Aug 07, 2023 pm 05:25 PM
Preventing File Upload Vulnerabilities in Java File upload functionality is a must-have feature in many web applications, but unfortunately, it is also one of the common security vulnerabilities. Hackers can exploit the file upload feature to inject malicious code, execute remote code, or tamper with server files. Therefore, we need to take some measures to prevent file upload vulnerabilities in Java. Back-end verification: First, set the attribute that limits the file type in the file upload control on the front-end page, and verify the file type and
How to carry out security protection and vulnerability scanning for Java development projects
Nov 02, 2023 pm 06:55 PM
How to carry out security protection and vulnerability scanning for Java development projects. With the rapid development of the Internet, Java development projects are becoming more and more widely used. However, due to the proliferation of network attacks and vulnerabilities, ensuring the security of Java development projects has become particularly important. This article will introduce how to perform security protection and vulnerability scanning of Java development projects to improve the security of the project. 1. Understand the common types of security vulnerabilities. Before performing security protection and vulnerability scanning on Java development projects, you first need to understand the common types of security vulnerabilities. Common Ja
Preventing security misconfigurations in Java
Aug 09, 2023 pm 02:09 PM
Preventing security configuration errors in Java Introduction: In the Java development process, security configuration is an essential link. Properly configuring system security can protect the system from malicious attacks and illegal access. However, due to complex configuration parameters and imperfect security settings, it is easy for security configuration errors to occur in the code, leading to potential security risks. This article will explore several common Java security configuration errors and provide corresponding solutions and code examples. 1. Wrong password storage Password is sensitive information in the system. If
Preventing Session Fixation Attacks: Improving Java Security
Jun 30, 2023 am 08:21 AM
Java is a widely used programming language that is widely used in Internet applications and large enterprise systems. However, due to its breadth and complexity, Java systems are often targeted by hackers. Session fixation attacks are a common attack method in which hackers gain access to users by hijacking their session tokens. This article will introduce the principles and preventive measures of session fixation attacks to help Java developers enhance system security. A session fixation attack is an attack that uses session tokens to gain user privileges. In Ja
Methods to solve Java security exceptions (SecurityException)
Aug 25, 2023 pm 04:09 PM
Overview of methods to solve Java security exceptions (SecurityException): SecurityException in Java is a common exception, which is usually thrown in operations involving security management. The main purpose of security exceptions is to prevent malicious code from gaining unauthorized access to the system. In this article, we will explore some common SecurityException scenarios and provide methods and sample code to resolve these exceptions. File system access permission exception: when
Tips to Prevent Java SQL Injection Attacks
Jun 30, 2023 am 09:18 AM
Java is a programming language widely used for developing enterprise-level applications. However, as network security threats continue to emerge, protecting applications from malicious attacks has become one of the important tasks for developers. Among them, preventing SQL injection attacks is one of the most critical security issues during the development process. This article will introduce some tips to prevent SQL injection attacks to help Java developers better protect their applications. First, it is crucial to understand what a SQL injection attack is. SQL injection attack is an exploit application
How does Java security mechanism work with other security technologies?
Apr 18, 2024 pm 06:51 PM
Java's powerful security mechanisms work in conjunction with other security technologies to protect applications: java.security.Manager controls permissions, such as access to the file system; code signing verifies code authenticity; and access control restricts access to resources. In practice, sensitive files can be protected by coordinating these technologies, such as restricting application access to the file system, adding code to check access permissions, and using digital certificates to sign applications.
