Java Application Security: Top 10 Vulnerabilities — Part 2



In the first part, we covered the first five critical vulnerabilities of Java applications. Today we continue and look at the remaining five threats that every developer should know. Whether you are a beginner or an experienced Java programmer, this information will help you write more secure code. In programming, security is not an option but a necessity.



6. XML External Entities (XXE)

XXE attacks occur when an application processes XML documents containing references to external entities. An attacker can read local files, perform an SSRF attack, or cause a denial of service.

Vulnerable Code

// The default factory allows DOCTYPE declarations and resolves external entities
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
DocumentBuilder builder = factory.newDocumentBuilder();
// xmlData comes from the client, so any external entity it declares is fetched and expanded
Document doc = builder.parse(new InputSource(new StringReader(xmlData)));


Protection

  • Disable external entities and DTD
  • Use secure parsers
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// Reject any document that carries a DOCTYPE; this alone blocks most XXE payloads
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// If a DTD must be accepted, at least stop resolution of general and parameter entities
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
DocumentBuilder builder = factory.newDocumentBuilder();


7. Insecure Deserialization

Deserialization of untrusted data can lead to arbitrary code execution. This is one of the most dangerous vulnerabilities in Java, as it often allows an attacker to fully compromise the server.



Attack Example

// data.ser is attacker-controlled: readObject() instantiates whatever classes the stream names
ObjectInputStream ois = new ObjectInputStream(new FileInputStream("data.ser"));
Object obj = ois.readObject(); // dangerous!


Protection Methods

  • Do not deserialize data from untrusted sources
  • Use class whitelists
  • Apply alternative formats (JSON, Protocol Buffers)
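One way to implement the class whitelist recommended above, as an added example in Java (this is not code from the original article): an ObjectInputFilter that allows only a constructed set of classes, rejects everything else, and caps graph depth and reference count. The class names, the Greeting payload and the limits are assumptions chosen for the demonstration.

```java
import java.io.*;
import java.util.Set;

// Added example (not from the article): deserialization class allowlist
// enforced with ObjectInputFilter (JDK 9+, backported to 8u121).
public final class SafeDeserializer {
    // Constructed allowlist: only these classes may appear in the stream.
    private static final Set<String> ALLOWED =
            Set.of("SafeDeserializer$Greeting", "java.lang.String");

    // Harmless serializable payload used for the demonstration.
    public static final class Greeting implements Serializable {
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Consulted for every class descriptor before any object is created;
    // REJECTED makes readObject() throw InvalidClassException.
    static final ObjectInputFilter FILTER = info -> {
        if (info.depth() > 10 || info.references() > 1000) {
            return ObjectInputFilter.Status.REJECTED;      // graph too deep or too large
        }
        Class<?> clazz = info.serialClass();
        if (clazz == null) return ObjectInputFilter.Status.UNDECIDED; // array-length / ref-count callbacks
        if (clazz.isArray()) clazz = clazz.getComponentType();        // decide on the element type
        return ALLOWED.contains(clazz.getName())
                ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
    };

    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);              // per-stream filter
            return ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(((Greeting) readFiltered(serialize(new Greeting("hello")))).text);
        try {
            readFiltered(serialize(new java.util.HashMap<String, String>())); // not allowlisted
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be installed process-wide with ObjectInputFilter.Config.setSerialFilter(), which covers streams created by libraries you do not control.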


8. SQL Injections

Although SQL injection is a classic, it still occurs in Java applications. Always use parameterized queries.



Incorrect (vulnerable)

// userName is inserted into the SQL text, so a quote in the input changes the query's structure
String query = "SELECT * FROM users WHERE name = '" + userName + "'";
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(query);


Correct (secure)

// The query text is fixed; userName is bound as a value and can never alter the statement
String query = "SELECT * FROM users WHERE name = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, userName);
ResultSet rs = pstmt.executeQuery();


For Java beginners, this rule should become an axiom: never build SQL queries by concatenating strings.



9. Authentication and Session Management Flaws

Weak authentication, vulnerable sessions, and improper password management are common problems in Java web applications.



Recommendations

  • Use modern password hashing algorithms (bcrypt, Argon2)
  • Configure proper session lifetime
  • Apply secure cookies (HttpOnly, Secure, SameSite)
  • Implement multi-factor authentication


10. Using Components with Known Vulnerabilities

The Java ecosystem is rich in libraries, but many projects use outdated versions with public CVEs. This is one of the most common security problems.



How to Protect Yourself

  • Regularly update dependencies
  • Use analysis tools (OWASP Dependency-Check, Snyk)
  • Subscribe to security notifications for the libraries you use
  • Auto
