What are the possible attacks that can be done on a web application or web site?

Hi,
I just finished making my Spring MVC Java-based web application, although I am only running it on my local computer.
Later I discovered there is a flaw in the code, and the web app can be exploited through an XSS (cross-site scripting)
attack.
I can now take care of it.
But how do I find out what other possible attacks my web application may be susceptible to?
Is there any way to check this? Or a list of possible hacks of a website which one should follow?

Thanks
Rohit Bajaj asked:
dgrafx commented:
Here is one list of security concerns - not a list of hacks: http://www.javaworld.com/article/2076292/core-java/secure-a-web-application--java-style.html
btan (Exec Consultant) commented:
Should really be based on a minimal baseline and the OWASP vulnerability listing, and best to run app and code scanners against it to surface the flaws. You can see this as a starter.
https://www.owasp.org/index.php/OWASP_Java_Table_of_Contents
Likewise for the cheat sheets against specific vulnerabilities. https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series

The toolset listed can help in the scanning effort too. Suggest you also look at SSL Labs for the SSL check to surface weak ciphers.
https://www.owasp.org/index.php/Phoenix/Tools
btan (Exec Consultant) commented:
For Spring MVC, it has been closely linked to using HDIV to cover the OWASP risks which I shared in the earlier post. http://www.hdiv.org/
For scanner findings, you can check out what they found using the Acunetix scanner against a sample, and especially if a CVE comes up in the findings (or from any scanner), that is a key gap to close, as it is mostly due to an unpatched SDK, OS or app version. http://www.hdiv.org/blog/hdiv-protection-tested-against-acunetix-web-vulnerability-scanner/
But do note Spring has a security framework as well, Spring Security:

- Authentication and session management: covered by application servers and Spring Security.
- Output encoding: covered by web framework tags (in that case Spring MVC) to avoid XSS (escape functions). Not covered for other kinds of encoding, like encoding to avoid SQL injection.
- Cryptographic functions: covered by Spring Security (http://docs.spring.io/spring-security/site/docs/3.1.7.RELEASE/reference/crypto.html) or also ESAPI.
- Parameter-specific input validation: covered by all web frameworks (Struts, Spring MVC, etc.).
http://www.hdiv.org/blog/differences-between-hdiv-and-esapi/
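The three per-request items from the list above (output encoding for XSS, allow-list input validation, and the SQL case that HTML escaping does not cover) as an added example in plain Java. This is not code from the page, from HDIV or from Spring; it runs without a Spring project. The username policy, the attacker strings and the `users`/`username` table are constructed assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

/** Added example: contextual output encoding, allow-list validation and a bound SQL parameter. */
public final class WebAppDefenses {

    /** Output encoding for an HTML text context: neutralises the characters that open or close markup. */
    public static String encodeForHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Output encoding for a quoted HTML attribute value: every non-alphanumeric becomes a numeric entity. */
    public static String encodeForHtmlAttribute(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() * 2);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if (c < 128 && Character.isLetterOrDigit(c)) {
                out.append(c);
            } else {
                out.append("&#x").append(Integer.toHexString(c)).append(';');
            }
        }
        return out.toString();
    }

    /** Parameter-specific allow-list validation. Assumed policy: 3 to 32 characters of [A-Za-z0-9._-]. */
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9._-]{3,32}");

    public static boolean isValidUsername(String input) {
        // matches() requires the whole string to match, so no anchors are needed in the pattern.
        return input != null && USERNAME.matcher(input).matches();
    }

    /**
     * SQL injection is not stopped by HTML escaping; the value is bound instead of concatenated.
     * Assumes a table "users" with a "username" column; the connection is supplied by the caller.
     */
    public static boolean userExists(Connection db, String username) throws SQLException {
        // Vulnerable form, kept only as a comment for contrast:
        //   "SELECT 1 FROM users WHERE username = '" + username + "'"
        try (PreparedStatement ps = db.prepareStatement("SELECT 1 FROM users WHERE username = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed attacker inputs, not taken from the page.
        String bodyPayload = "<script>alert(document.cookie)</script>";
        String attrPayload = "x\" onmouseover=\"alert(1)";

        // What a view that writes the raw request parameter produces:
        System.out.println("<p>Hello " + bodyPayload + "</p>");
        // The same view with output encoding applied for each context:
        System.out.println("<p>Hello " + encodeForHtml(bodyPayload) + "</p>");
        System.out.println("<input value=\"" + encodeForHtmlAttribute(attrPayload) + "\">");

        // Allow-list validation rejects both payloads before they reach the view or the query.
        System.out.println(isValidUsername("rohit.bajaj"));
        System.out.println(isValidUsername(bodyPayload));
        System.out.println(isValidUsername("' OR '1'='1"));
    }
}
```

In a real Spring MVC view you would not hand-roll the encoder: `org.springframework.web.util.HtmlUtils.htmlEscape` and the `defaultHtmlEscape` context parameter (or JSTL's `<c:out>`) do the HTML-text case, which is the "escape functions" point in the list above. The attribute and SQL cases are shown here because they are exactly what that default does not cover.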
Loganathan Natarajan (LAMP Developer) commented:
It is very hard to predict the possible attacks from hackers. You can prevent the common security issues like SQL injection, XSS attacks, validation, etc. Take a look at this link http://www.experts-exchange.com/Programming/Languages/.NET/Q_28316569.html
btan (Exec Consultant) commented:
Kill off the low-hanging fruit, as that is totally naked to the attacker scavenging for it. The scanner is just one part of the testing regime; do not be overly obsessed with scanning tools. Eventually we are talking about secure coding and doing our best to make sure bugs and holes are removed. Manual testing by a peer will help if there is some code review expertise in your team...