We often use fortify which is a security tool to scan our secruity issue when we prepare to release a new version. This lead us have to fix our issue in a very tense situation, but more important is that some time it is difficult to make a corresponding adjustment at this time because it will affect design or the overall structure.

So I put forward the following two suggestions:

  • Every developer need konw the common security rules and abide by the rules.
  • We should use the fortify scan every time the code is submitted and should not wait until the end.


This is topic we need offen update, because security issues are constantly changing, here I summarize what we often encounter.

Issue For Exception

  • Empty catch block. The exception will be ignored. Bad case:
    catch (final JaloItemNotFoundException e)   {
        // Todo
  • We can not directly catch base exception, we should add more type of exception to handle error. Bad case:
    catch (final Exception e)   {
        // Todo
  • We should not direct print the details info of the Exception Object in catch, we shoud wrap the exception. Bad case:
    catch (final Exception e)   {


The initBinder is a check for the form submit. We can set the AllowedFields and DisallowedFields to filter the form submit. But actually, we already have the check of the form submit in the frontend. We set the DisallowedFields to be empty, to allow all the form submit fileds.

public void initBinder(WebDataBinderbinder) {



When the form labels are used, it is better to use the form label which Spring offers, do not use form labels directly. It will support csrf validation.

<%@ page trimDirectiveWhitespaces="true"%>
<%@ taglib prefix="c" uri="https://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="template" tagdir="/WEB-INF/tags/responsive/template"%>
<%@ taglib prefix="cms" uri="https://hybris.com/tld/cmstags"%>
<%@ taglib prefix="spring" uri="https://www.springframework.org/tags"%>
<%@ taglib prefix="form" uri="https://www.springframework.org/tags/form"%>
<%@ taglib prefix="formElement" tagdir="/WEB-INF/tags/responsive/formElement"%>
<%@ taglib prefix="ycommerce" uri="https://hybris.com/tld/ycommercetags"%>
<%@ taglib prefix="fn" uri="https://java.sun.com/jsp/jstl/functions"%>
class="container-lg col-md-6">
                code="text.account.notificationPreference.notificationPreferenceForm" />


class="container-lg col-md-6">
"${action}" method="post"
                    "channel" items="email,sms" delims="," varStatus="loop">
                            if test="${not empty notificationPreferenceForm.emailAddress && channel == 'email'}">
                                "${channel}NotificationChannel" path="${channel}Enabled"tabindex="${loop.index}"/>
                            if test="${not empty notificationPreferenceForm.mobileNumber && channel == 'sms'}">
                                "${channel}NotificationChannel" path="${channel}Enabled"tabindex="${loop.index}"/>

class="col-sm-6 col-sm-push-6">
                                    "notificationPreferenceSetting.submit" text="Update Password" />


class="col-sm-6 col-sm-pull-6">
                                    "notificationPreferenceSetting.cancel" text="Cancel" />






Weak Cryptographic Hash

Weak cryptographic hashes cannot guarantee data integrity and should not be used in security-critical contexts. We should use sha256 or at the same level.

This case is not safe enough:


Mass Assignment: Insecure Binder Configuration

The framework binder used for binding the HTTP request parameters to the model class has not been explicitly configured to allow, or disallow certain attributes.

@RequestMapping(method = RequestMethod.POST)
    public String updateNotificationPreference(final NotificationPreferenceForm notificationPreferenceForm,
            final BindingResult bindingResult, final Model model, final RedirectAttributes redirectModel)

Open Redirect

The file MyInterestsPageController.java passes unvalidated data to an HTTP redirect function on line 115. Allowing unvalidated input to control the URL used in a redirect can aid phishing attacks.

final String showUrl = getConfigurationService().getConfiguration().getString(urlKey) + "/" + productCode;
return "redirect:" + showUrl;

Header Manipulation

The method post() in WeChatPayHttpClient.java includes unvalidated data in an HTTP response header on line 69. This enables attacks such as cache-poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect.

post.setEntity(new StringEntity(requestBody, ContentType.create(MediaType.APPLICATION_XML.toString(), CharEncoding.UTF_8)));

Hidden field

sing the input  hidden to save variable in jsp files. The variable will be exposed.

<input type="hidden" name="${var.key}" value="${var.value}" />
<input name="${var.key}" value="${var.value}" readonly style="display: none;"/>

Java Details

  • Parse Double, use this case
  • StringUtils.EMPTY, use this case
    String temp = StringUtils.EMPTY;

New NetWeaver Information at SAP.com

Very Helpfull

User Rating: Be the first one !