Blog

OWASP Top Ten Project 2013 No 1 – Injection

To avoid SQL injection vulnerabilities, only prepared statements with parameter binding should be used:

    import java.sql.Connection;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;

    // Untrusted request input is bound as a parameter, never concatenated into the SQL text
    String custname = request.getParameter("customerName");
    String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
    PreparedStatement pstmt = connection.prepareStatement(query);
    pstmt.setString(1, custname);
    ResultSet results = pstmt.executeQuery();

Intershop
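As an added illustration that is not part of the original post, the same query is shown below in Python with sqlite3 instead of JDBC, with the string-concatenation form placed beside the parameter-bound form so the difference in behaviour is visible; the table, its rows and the input strings are constructed sample data, not Intershop's schema.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table mirroring the article's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (user_name TEXT, account_balance INTEGER)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?)",
                     [("alice", 100), ("bob", 250)])
    return conn


def balance_concat(conn, custname):
    # Vulnerable form: the request value becomes part of the SQL grammar,
    # so a quote in the input changes the meaning of the WHERE clause.
    query = ("SELECT account_balance FROM user_data WHERE user_name = '"
             + custname + "'")
    return [row[0] for row in conn.execute(query)]


def balance_bound(conn, custname):
    # Parameter binding: the value travels separately from the SQL text and is
    # never parsed as SQL, the same pattern as pstmt.setString(1, custname).
    query = "SELECT account_balance FROM user_data WHERE user_name = ?"
    return [row[0] for row in conn.execute(query, (custname,))]


if __name__ == "__main__":
    conn = make_db()
    for custname in ("alice", "x' OR '1'='1"):
        print(repr(custname),
              "concat:", balance_concat(conn, custname),
              "bound:", balance_bound(conn, custname))
```

With the benign name both functions return one balance; with the quote-bearing input the concatenated query returns every row, while the bound query returns nothing because no user has that literal name.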

OWASP Top Ten Project 2013 No 6 – Sensitive Data Exposure

Sensitive File Content

Certain files in the Intershop Commerce Management installation contain sensitive information like database passwords or an encryption pass phrase. Unfortunately, sensitive information in files cannot be completely avoided. For ICM, sensitive data is stored in:

    <eserver>/share/system/config/cluster/orm.properties
    intershop.jdbc.user=<database