Posts

Showing posts with the label JAVA

[JAVA] Invalid XML External Object Reference - Secure Coding Guide

What is XXE

XXE (XML External Entities) is a security vulnerability that arises during XML parsing: a malicious XML document declares external entities, and a parser that resolves them can be made to perform actions on the attacker's behalf. Typical outcomes are reading files from the server's file system, denial of service, and, in some environments, remote code execution. If the DTD cannot be disabled completely, external entities and external document type declarations must be disabled instead, using the setting that is specific to each parser.

Solution plan

1. When using DocumentBuilderFactory:
    .setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    .setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
2. When using SAXParser:
    .setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    .setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
3. When using SAXParserFactory:
    .setFeature("http://....", true);
4. When using TransformerFactory:
    .setAttribut...
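The hardening the post lists, written out as one complete Java program. This is an added example, not code from the post: it configures DocumentBuilderFactory, SAXParserFactory and TransformerFactory, then feeds a constructed document containing an external entity to the DOM parser to confirm it is refused. The feature URIs are the standard Xerces/JDK ones; the sample XML, the class and method names are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardening {

    // Constructed sample input: an external entity that points at a local file.
    private static final String MALICIOUS_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>\n"
      + "<data>&xxe;</data>";

    // Preferred setting: refuse any DOCTYPE. Application XML almost never needs one.
    public static DocumentBuilderFactory hardenedDomFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case an implementation ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        return dbf;
    }

    // Fallback when a DOCTYPE must be accepted: block all fetching of external DTDs and schemas.
    public static DocumentBuilderFactory dtdAllowedNoExternalAccess() {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    public static SAXParserFactory hardenedSaxFactory() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setXIncludeAware(false);
        return spf;
    }

    public static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // True when the parser refused the document or left the entity unexpanded.
    public static boolean rejects(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            // If parsing succeeded, the file content must not have ended up in the element text.
            return doc.getDocumentElement().getTextContent().isEmpty();
        } catch (SAXParseException e) {
            // Hardened JDK parsers throw here: "DOCTYPE is disallowed" or
            // "access is not allowed due to restriction set by the accessExternalDTD property".
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOCTYPE disallowed, document rejected: "
            + rejects(hardenedDomFactory(), MALICIOUS_XML));
        System.out.println("External access blocked, entity not resolved: "
            + rejects(dtdAllowedNoExternalAccess(), MALICIOUS_XML));
    }
}
```

Disabling DOCTYPE outright is the setting to reach for first; the ACCESS_EXTERNAL_* attributes are the fallback when a schema or DTD genuinely has to be accepted, and they only work on parsers that honour JAXP 1.5 (JDK 7u40 and later).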

[JAVA] Path Manipulation and Resource Insertion - Software Security Guide

A security weakness in which system resources such as files and servers are accessed or identified through unverified external input, so that manipulated input gives arbitrary access to resources the system is supposed to protect. By exploiting path manipulation and resource insertion, an attacker can cause service failure by modifying or deleting resources, leak system information, and create conflicts between system resources. In other words, through path manipulation and resource insertion an attacker can gain permissions they should not have to change or execute configuration-related files.

Wrong ex)

How to solve?

If an external input is used as the identifier of a resource (a file, a socket port, etc.), make sure it is properly validated or selected from a predefined list of allowed values. In particular, when the external input is a file name, use a filter that removes the characters that enable a directory traversal attack ("/", "\", "..", etc.).

Right e...
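Both defences the post names, as an added Java example that is not code from the post: a fixed allow-list of resource names, and, where the name must be free-form, validation of the input followed by a containment check on the normalized path. The base directory, the allow-list entries and the class name are assumptions made for this example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.Set;

public class SafeFileAccess {

    // Hypothetical directory that every user-supplied file name must resolve inside.
    private static final Path BASE_DIR = Paths.get("/var/app/reports").toAbsolutePath().normalize();

    // Option 1: the input only selects from a predefined list; nothing else is accepted.
    private static final Set<String> ALLOWED_REPORTS = Set.of("daily.csv", "monthly.csv");

    public static Path fromAllowList(String name) {
        if (!ALLOWED_REPORTS.contains(name)) {
            throw new IllegalArgumentException("unknown report: " + name);
        }
        return BASE_DIR.resolve(name);
    }

    // Option 2: validate the input, then prove the resolved path stays under BASE_DIR.
    public static Path resolveInsideBase(String userInput) {
        // A file name is one path segment: reject separators, traversal tokens and NUL outright.
        // Both separators are checked because Windows paths accept either one.
        if (userInput == null || userInput.isEmpty()
                || userInput.contains("/") || userInput.contains("\\")
                || userInput.contains("..") || userInput.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid file name: " + userInput);
        }
        // Containment check on the normalized path as a second, independent barrier.
        Path resolved = BASE_DIR.resolve(userInput).normalize();
        if (!resolved.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("path escapes base directory: " + userInput);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed inputs: the first is legitimate, the rest are traversal attempts.
        // "%2e%2e/" style encodings arrive already decoded by the servlet container,
        // so the check runs on the decoded value.
        List<String> inputs = List.of("daily.csv", "../../etc/passwd",
                                      "..\\..\\windows\\win.ini", "sub/dir.csv", "report\0.csv");
        for (String in : inputs) {
            try {
                System.out.println("accepted: " + resolveInsideBase(in));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        System.out.println("allow-list: " + fromAllowList("monthly.csv"));
    }
}
```

The allow-list is the stronger of the two and should be preferred whenever the set of resources is known in advance; the validation route exists for upload-style cases where it is not. If the file may be a symlink, `toRealPath()` on an existing file follows the link and should be checked against `BASE_DIR` as well.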

Advantages of using e-government framework(based on JAVA) in Korea

The main advantages of using the Electronic Government Framework (eGovFrame, based on JAVA and JSP) in Korea are:

Accelerating government projects and system development: eGovFrame is the standard framework used by the various ministries and agencies of the Korean government, helping public organizations start software development and system construction quickly and efficiently. This shortens the development cycle of public projects and delivers results faster.

Standardized architecture and components: eGovFrame provides a standardized architecture and components that let developers build applications in a consistent manner. This keeps the code consistent and makes maintenance easier.

Security and reliability: because government agencies handle sensitive information, eGovFrame provides features and guidelines that focus on security and reliability, so that the developed system operates safely.

Various modules and libraries: eGovFrame offers various modules and libraries to suppor...

Why is JAVA popular in Korea?

I would like to briefly explain why JAVA is popular among the many programming languages used in Korea.

1. Wide use in industry and academia: JAVA is one of the languages most widely used across industry and academia. Software written in JAVA is found in many fields, especially finance, gaming, mobile application development, large enterprise systems, and web applications.

2. Platform independence: JAVA is known for its slogan "Write Once, Run Anywhere", meaning that once a JAVA application is written it can run on a variety of operating systems and hardware platforms. This platform independence is a significant benefit for developers, making it easy to deploy and maintain applications across many devices and operating systems.

3. Strong community and support: JAVA has a large community and a diverse ecosystem of developer tools and libraries. These communities and resources help developers solve problems and share knowledge. In addition, major companies...

[JAVA] JAVA log4j Level setting

Log4j classifies log events into levels, and the level set in the configuration decides which of them are written. Ordered from most to least severe:

    FATAL > ERROR > WARN > INFO > DEBUG > TRACE

    TRACE -> more granular information than DEBUG
    DEBUG -> information for debugging the program
    INFO  -> informational messages such as state changes
    WARN  -> a problem the program can work around; a warning that may lead to a system error later
    ERROR -> a problem occurred while processing the request
    FATAL -> a serious error that may stop the program, i.e. it can no longer operate

Setting a level enables that level and everything more severe: a logger at WARN emits WARN, ERROR and FATAL and drops INFO, DEBUG and TRACE. On a project, the development guide usually requires that four levels be used and kept separate: DEBUG, INFO, WARN and ERROR.

Pattern options

    %m    : the log message
    %p    : the priority (debug, info, warn, error, fatal)
    %r    : milliseconds elapsed from application start until the event
    %c    : the logger name (package)
    %c{n} : Outputs n (numer...
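The level setting and pattern options above in a complete configuration, as an added example that is not from the post. It is a Log4j 2 `log4j2.xml`; the package name `com.example.app`, the log file paths and the appender names are assumptions for this example. It shows the one arrangement a practitioner usually wants: a verbose level only for the application's own package, and a root level that keeps library and production output at INFO or above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example configuration (not from the post). -->
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <!-- %r ms since start, %t thread, %-5p level padded to 5, %c{1} last logger-name
           component, %m message, %n newline -->
      <PatternLayout pattern="%r [%t] %-5p %c{1} - %m%n"/>
    </Console>
    <RollingFile name="AppLog" fileName="logs/app.log"
                 filePattern="logs/app-%d{yyyy-MM-dd}.log.gz">
      <PatternLayout pattern="%d{ISO8601} %-5p %c - %m%n"/>
      <Policies>
        <TimeBasedTriggeringPolicy/>
      </Policies>
    </RollingFile>
  </Appenders>
  <Loggers>
    <!-- Per-package override: DEBUG for the application's own code while developing.
         additivity="false" stops these events being written a second time by Root. -->
    <Logger name="com.example.app" level="DEBUG" additivity="false">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="AppLog"/>
    </Logger>
    <!-- Root at INFO: DEBUG and TRACE from every other logger (frameworks, drivers) are dropped.
         For production, lower the package logger above to INFO or WARN as well: DEBUG output
         routinely carries request parameters, SQL text and session data that should not be
         written to log files. -->
    <Root level="INFO">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="AppLog"/>
    </Root>
  </Loggers>
</Configuration>
```

To switch environments without editing the file, the `level` attributes can reference a system property (for example `level="${sys:app.loglevel:-INFO}"`), so the development build passes `-Dapp.loglevel=DEBUG` and production gets the INFO default.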

[JAVA] SQL Injection Preventive Code Example

Wrong ex)

    sql.append("SELECT \n");
    sql.append("  COUNT(*) CNT \n");
    sql.append("FROM TABLE WHERE 1=1 AND COL " + type + " AND COL2 = '1' \n");
    pstmt = conn.prepareStatement(sql.toString());

Right ex)

    sql.append("SELECT \n");
    sql.append("  COUNT(*) CNT \n");
    sql.append("FROM TABLE WHERE 1=1 AND COL = ? AND COL2 = '1' \n");
    pstmt = conn.prepareStatement(sql.toString());
    pstmt.setString(1, type);

Never concatenate a variable into a conditional clause. Bind it through a placeholder instead, like this -> pstmt.setString(1, type); the value is then sent to the database as data and is never parsed as SQL. Note that a placeholder can only stand in for a value, not for an operator, column or table name, so if one of those has to vary it must be chosen from a fixed list in the code rather than taken from the input. The same rule applies when we use jdbcTemplate. 😀 Thank you!!
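The post's wrong and right shapes side by side in a complete Java class, as an added example that is not code from the post. It goes one step beyond the post: the wrong example lets the caller supply the whole `COL ...` condition, so the fixed version also shows what to do when the operator itself must vary (an allow-list in the code), while the value is always bound. The table `ORDERS`, the columns `STATUS` and `REGION`, and the class name are assumptions for this example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;

public class SafeCount {

    // Operators the caller may pick, keyed by a short name. Anything else is rejected,
    // so no SQL text ever comes from the request.
    private static final Map<String, String> ALLOWED_OPS = Map.of(
        "eq", "=", "ne", "<>", "gt", ">", "lt", "<");

    // The post's wrong shape: the whole condition comes from the caller.
    public static String unsafeSql(String type) {
        return "SELECT COUNT(*) CNT FROM ORDERS WHERE 1=1 AND STATUS " + type + " AND REGION = '1'";
    }

    // Fixed shape: operator from the allow-list, value left as a placeholder.
    public static String safeSql(String opKey) {
        String op = ALLOWED_OPS.get(opKey);
        if (op == null) {
            throw new IllegalArgumentException("unsupported operator: " + opKey);
        }
        return "SELECT COUNT(*) CNT FROM ORDERS WHERE 1=1 AND STATUS " + op + " ? AND REGION = '1'";
    }

    // Runs the safe query against a real connection; the value is bound, never concatenated.
    public static long countWhere(Connection conn, String opKey, String value) throws SQLException {
        try (PreparedStatement pstmt = conn.prepareStatement(safeSql(opKey))) {
            pstmt.setString(1, value);
            try (ResultSet rs = pstmt.executeQuery()) {
                return rs.next() ? rs.getLong("CNT") : 0L;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed attacker input for the wrong shape: closes the condition, adds a
        // tautology, and comments out the REGION filter that was meant to restrict the rows.
        String attackerType = "= 'x' OR 1=1 --";
        System.out.println(unsafeSql(attackerType));
        // With the fixed shape the same string can only ever be a STATUS value.
        System.out.println(safeSql("eq") + "   [bound value: " + attackerType + "]");
        try {
            safeSql("; DROP TABLE ORDERS --");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With Spring's `JdbcTemplate` the equivalent call is `jdbcTemplate.queryForObject(safeSql("eq"), Long.class, value)`: the SQL string is still fixed in the code and the value still travels as a bound argument.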

[JAVA] Type of parameter

    request.getParameter("param")       : get one parameter value (type: String)
    request.getParameterValues("param") : get all values of a parameter (type: String[])
    request.getParameterMap()           : get all parameters (type: Map)
        - key   : parameter name (type: String)
        - value : parameter values (type: String[])
    request.getParameterNames()         : get the names of all parameters (type: Enumeration)

😀 Thank you!!

[JAVA] System.out.print Simple input

To quickly insert System.out.print in Eclipse, type sys (Sys or sys; it is case-sensitive!!), then press Ctrl + Space so that sysout appears in the proposal list on the right. Double-click it. Cool ~~ 😀 Thank you!!

[JAVA] Improper Resource Releases

This is flagged because the resources are not released in a finally block. It counts as a security weakness (improper resource release): a connection, statement or result set that is not closed on every path leaks until the pool or the database runs out, which is a denial-of-service condition.

ex)

    Connection conn = null;
    PreparedStatement pstmt = null;
    ResultSet rs = null;
    try {
        // conn, pstmt, rs code
    } catch (SQLException e) {
        // handle the error
    } finally {
        // close in reverse order of acquisition; each close() can itself throw SQLException,
        // so every call is guarded so that one failure cannot skip the remaining closes
        if (rs != null)    { try { rs.close();    } catch (SQLException ignore) { } }
        if (pstmt != null) { try { pstmt.close(); } catch (SQLException ignore) { } }
        if (conn != null)  { try { conn.close();  } catch (SQLException ignore) { } }
    }

😀 Thank you!!
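The manual finally-block pattern next to the try-with-resources form (Java 7 and later), as an added example that is not code from the post. Instead of a real JDBC driver it uses a small `AutoCloseable` stand-in that records the order in which it is closed and can be told to fail on close, so the program shows, offline, the two things a reviewer checks: that every resource is closed in reverse order even when the body throws, and that a failing `close()` neither skips the remaining closes nor hides the original exception. All names are constructed for this example.

```java
import java.util.ArrayList;
import java.util.List;

public class ResourceRelease {

    // Stand-in for Connection / PreparedStatement / ResultSet.
    static class TrackedResource implements AutoCloseable {
        private final String name;
        private final boolean failOnClose;
        private final List<String> log;

        TrackedResource(String name, boolean failOnClose, List<String> log) {
            this.name = name;
            this.failOnClose = failOnClose;
            this.log = log;
            log.add("open " + name);
        }

        @Override
        public void close() throws Exception {
            log.add("close " + name);
            if (failOnClose) throw new Exception("close failed: " + name);
        }
    }

    // The finally-block pattern. Safe only because every close() is individually guarded.
    public static List<String> manual(boolean bodyThrows) {
        List<String> log = new ArrayList<>();
        TrackedResource conn = null, stmt = null, rs = null;
        try {
            conn = new TrackedResource("conn", false, log);
            stmt = new TrackedResource("stmt", true, log);   // this one fails on close
            rs = new TrackedResource("rs", false, log);
            if (bodyThrows) throw new IllegalStateException("query failed");
        } catch (IllegalStateException e) {
            log.add("caught " + e.getMessage());
        } finally {
            for (TrackedResource r : new TrackedResource[] { rs, stmt, conn }) {
                if (r != null) {
                    try { r.close(); } catch (Exception e) { log.add("ignored " + e.getMessage()); }
                }
            }
        }
        return log;
    }

    // try-with-resources: closes in reverse declaration order automatically, and a close()
    // failure is attached to the original exception as a suppressed exception.
    public static List<String> tryWithResources(boolean bodyThrows) {
        List<String> log = new ArrayList<>();
        try (TrackedResource conn = new TrackedResource("conn", false, log);
             TrackedResource stmt = new TrackedResource("stmt", true, log);
             TrackedResource rs = new TrackedResource("rs", false, log)) {
            if (bodyThrows) throw new IllegalStateException("query failed");
        } catch (Exception e) {
            log.add("caught " + e.getMessage());
            for (Throwable s : e.getSuppressed()) log.add("suppressed " + s.getMessage());
        }
        return log;
    }

    public static void main(String[] args) {
        System.out.println(manual(true));
        // [open conn, open stmt, open rs, caught query failed, close rs, close stmt,
        //  ignored close failed: stmt, close conn]
        System.out.println(tryWithResources(true));
        // [open conn, open stmt, open rs, close rs, close stmt, close conn,
        //  caught query failed, suppressed close failed: stmt]
    }
}
```

With JDBC the same shape reads `try (Connection conn = ds.getConnection(); PreparedStatement pstmt = conn.prepareStatement(sql); ResultSet rs = pstmt.executeQuery()) { ... }`, and the three `if (x != null) x.close()` lines disappear.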

[JAVA] Error Message Information Disclosure

Error details must not be exposed on the console or on the screen; show only a short, fixed phrase where a message is necessary. Error information and system information should not be printed to the console or the browser. Record the detail in the application log instead, and give the user a simple phrase if one is needed.

Examples of system information disclosure (code to remove):

    System.out.println(e.getMessage());
    System.out.println(e);
    e.printStackTrace();
    out.println(e.getMessage());

Wrong ex)

    } catch (NullPointerException e) {
        System.out.println("Error : " + e);
    }

Right ex)

    } catch (NullPointerException e) {
        logger.error("ERROR-01 NullPointerException");
    }

OR

    } catch (NullPointerException e) {
        System.out.println("ERROR-01 NullPointerException");
    }

The error code is what the user sees; to keep the stack trace for troubleshooting, pass the exception to the logger as well (logger.error("ERROR-01 NullPointerException", e)) so that it lands in the server-side log and nowhere else. 😀 Thank you!!

[JAVA] Improper Exception Handling

Throwable, Exception and RuntimeException must not be caught broadly. Catch the specific exceptions that the code can actually raise, such as FileNotFoundException, SQLException, IOException, ClassNotFoundException, etc., and handle each one!!

Wrong ex)

    } catch (Exception e) {
        logger.error("ERROR-01 Exception");
    }

Right ex)

    } catch (SQLException e) {
        logger.error("ERROR-01 SQLException");
    }

😀 Thank you!!
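One Java method that follows both of the last two posts at once (specific catch clauses, and error details kept out of the user's view), as an added example that is not code from either post. Each failure mode is caught by its own exception type and mapped to a stable error code; the exception object goes to the server-side log, and only the code plus a fixed sentence is returned to the caller. The config-file operation, the error codes and the class name are assumptions for this example; it uses `java.util.logging` so that it runs without extra libraries (Java 16 or later, for the record type).

```java
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Paths;
import java.util.logging.Level;
import java.util.logging.Logger;

public class ErrorHandling {

    private static final Logger LOG = Logger.getLogger(ErrorHandling.class.getName());

    // What the caller, and ultimately the browser, receives: a code and a fixed message.
    public record UserFacingError(String code, String message) {}

    // Hypothetical operation: read a configuration file. Both exception types below are
    // real subclasses of IOException that this call can raise.
    public static String readConfig(String fileName) throws IOException {
        return Files.readString(Paths.get(fileName));
    }

    public static UserFacingError handle(String fileName) {
        try {
            String cfg = readConfig(fileName);
            return new UserFacingError("OK", "Configuration loaded (" + cfg.length() + " characters).");
        } catch (NoSuchFileException | FileNotFoundException e) {
            // Specific first: a missing file is expected and recoverable. The exception object
            // is passed to the logger, so the path and stack trace stay in the server log.
            LOG.log(Level.WARNING, "ERROR-01 configuration file missing", e);
            return new UserFacingError("ERROR-01", "Configuration is unavailable.");
        } catch (IOException e) {
            // Remaining I/O failures (permissions, disk errors) get their own code.
            LOG.log(Level.SEVERE, "ERROR-02 configuration read failed", e);
            return new UserFacingError("ERROR-02", "A server error occurred.");
        }
        // Deliberately no catch (Exception e): a RuntimeException such as NullPointerException
        // is a bug, and should reach the framework's generic error page (configured to show
        // no details) rather than be swallowed here.
    }

    public static void main(String[] args) {
        // Constructed input: a path that does not exist, so the ERROR-01 branch runs.
        UserFacingError result = handle("/nonexistent/app.properties");
        System.out.println(result.code() + " : " + result.message());
        // Prints only: ERROR-01 : Configuration is unavailable.
        // The NoSuchFileException with the full path appears in the server log, not here.
    }
}
```

The error code is the link between the two: support staff search the server log for `ERROR-01`, while the response carries nothing that describes the file system, the query or the class that failed.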

[JAVA] Creating a Star Pyramid

    class Star {
        public static void main(String[] args) {
            for (int a = 1; a < 10; a = a + 2) {       // 1 3 5 7 9 : stars in this row
                for (int b = 10; b > a; b = b - 2) {   // 10 8 6 4 2 : leading spaces
                    System.out.print(" ");
                }
                for (int c = 0; c < a; c = c + 1) {    // 0 1 2 3 4 5 6 7 8 : print a stars
                    System.out.print("*");
                }
                System.out.println();
            }
        }
    }

😀 Thank you!!