2. About Me
• 20+ years of professional experience
• Software engineer, architect, head of software R&D
• Author and speaker
  • JavaOne, Devoxx, JavaZone, TheServerSide Java Symposium, Jazoon, OOPSLA, ASE, others
• Top 10 Women in Tech 2016 in Poland
• Founder and CTO of Yon Labs/Yonita
  • Consulting, trainings and code audits
  • Automated detection and refactoring of software defects
  • Security, performance, concurrency, databases
• Twitter @yonlabs
3. About Me
• 20+ years of professional experience
• Software engineer, architect, head of software R&D
• Author and speaker
  • JavaOne, Devoxx, JavaZone, TheServerSide Java Symposium, Jazoon, OOPSLA, ASE, others
• Top 10 Women in Tech 2016 in Poland
• Founder and CTO of Yon Labs and Yonita
  • Bridge the gap between the industry and the academia
  • Automated detection and refactoring of software defects
  • Trainings and code reviews
  • Security, performance, concurrency, databases
• Twitter @yonlabs
7. Simple SQL/ORM Injection
String custId = request.getParameter("cust_id");
// untrusted request parameter concatenated straight into the query text
String sqlQuery = "SELECT * FROM ACCOUNT WHERE CUST_ID=" + custId;
String jpqlQuery = "from Account where custId=" + custId;
http://www.example.com/app/accountView?cust_id=0 or 1=1
http://www.example.com/app/accountView?cust_id%3D0%20or%201%3D1%0A
SELECT * FROM ACCOUNT WHERE CUST_ID=0 or 1=1
from Account where custId=0 or 1=1
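The following is an added example, not code from the slides, written in Python against an in-memory SQLite table so it runs offline (the slides use Java/JDBC and JPQL, but the defect and the fix are the same). The `ACCOUNT` rows are constructed sample data. It shows the slide's concatenation pattern returning every account for the input `0 or 1=1`, the same input bound as a query parameter matching nothing, and an extra input check that rejects anything that is not an integer id before it reaches the database.

```python
import sqlite3

# Constructed sample data standing in for the ACCOUNT table on the slide.
SAMPLE_ACCOUNTS = [
    (1, 42, "alice", 1000),
    (2, 43, "bob", 250),
    (3, 44, "carol", 9999),
]


def build_db():
    """Create an in-memory database with the constructed ACCOUNT rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ACCOUNT (ID INTEGER PRIMARY KEY, CUST_ID INTEGER, "
        "OWNER TEXT, BALANCE INTEGER)"
    )
    conn.executemany("INSERT INTO ACCOUNT VALUES (?, ?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def vulnerable_lookup(conn, cust_id):
    """The slide's pattern: the request parameter becomes part of the SQL text,
    so 'or 1=1' is parsed as SQL and widens the WHERE clause to every row."""
    sql = "SELECT * FROM ACCOUNT WHERE CUST_ID=" + cust_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, cust_id):
    """Bind the value as a parameter; the driver sends it as data, never as SQL,
    so the text '0 or 1=1' is simply a value that matches no CUST_ID."""
    return conn.execute(
        "SELECT * FROM ACCOUNT WHERE CUST_ID=?", (cust_id,)
    ).fetchall()


def validated_lookup(conn, cust_id):
    """Defence in depth: cust_id is an identifier, so reject anything that is not
    an integer before it gets near the database, then still bind it."""
    try:
        numeric_id = int(cust_id)
    except (TypeError, ValueError):
        raise ValueError("cust_id must be an integer")
    return safe_lookup(conn, numeric_id)


if __name__ == "__main__":
    conn = build_db()
    payload = "0 or 1=1"  # the value from the slide's URL
    print("concatenated:", len(vulnerable_lookup(conn, payload)), "rows")
    print("parameterised:", len(safe_lookup(conn, payload)), "rows")
    try:
        validated_lookup(conn, payload)
    except ValueError as err:
        print("validated:", err)
```

Parameter binding is the fix that matters; the integer check is an additional layer that also makes the logged rejection a useful detection signal, since legitimate clients never send a non-numeric `cust_id`. The same two rules apply to the JPQL query on the slide: use named or positional parameters (`where custId = :id`) instead of string concatenation.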
22. Hashed Passwords
• Login
  • Hash provided password
  • Search for User in mongodb with a given username and hashed password
• Dictionary search
  • Many users => some have simple passwords
• Use salted passwords
  • e.g. bcrypt
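An added example, not from the slides, showing why the unsalted scheme on the slide is weak and what the salted alternative looks like. It is Python, and because bcrypt is not in the standard library it uses PBKDF2-HMAC-SHA256 from `hashlib` as a stand-in for the bcrypt the slide recommends; the user store is a plain dict standing in for the MongoDB collection, and the iteration count is an assumption chosen for the demo. The unsalted function makes the problem visible: two users with the same password get the same digest, so one precomputed dictionary cracks all of them at once, and the stored record also reveals who shares a password. With a random per-user salt every record differs, and the login must look the user up by username first and then verify, rather than searching by `(username, hash)` as the slide describes.

```python
import hashlib
import hmac
import os

# Assumed work factor for the demo; tune upward for production.
ITERATIONS = 100_000
SALT_BYTES = 16
SCHEME = "pbkdf2-sha256"


def unsalted_hash(password):
    """The weak scheme implied by 'hash provided password': same password, same digest,
    so a single precomputed dictionary of hashes matches every user who chose it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, iterated hash. Returns 'scheme$iterations$salt_hex$digest_hex' so the
    parameters needed for verification travel with the record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([SCHEME, str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iters, salt_hex, stored_hex = record.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), stored_hex)


# Computed once so a login for an unknown username costs the same as a real check.
DUMMY_RECORD = hash_password("not-a-real-password")


def login(users, username, password):
    """Look the user up by name only, then verify against that user's salted record.
    users: dict username -> record (constructed stand-in for the MongoDB collection)."""
    record = users.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)  # equalise timing for unknown users
        return None
    return username if verify_password(password, record) else None


if __name__ == "__main__":
    # Constructed users; two of them chose the same weak password.
    print("unsalted alice:", unsalted_hash("password123"))
    print("unsalted bob:  ", unsalted_hash("password123"))  # identical digest
    users = {"alice": hash_password("password123"), "bob": hash_password("password123")}
    print("salted alice:", users["alice"])
    print("salted bob:  ", users["bob"])  # different salt, different digest
    print("login alice:", login(users, "alice", "password123"))
    print("login bob wrong:", login(users, "bob", "letmein"))
```

Because the salt is stored next to the digest, the scheme gains nothing from secrecy; its value is that an attacker who obtains the store must repeat the full iterated computation per user and per guess, which is exactly what the dictionary search on the slide relies on avoiding.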