Java Security Checklist — 8 Vulnerabilities to Check

Java is widely used in enterprise applications, banking, and government systems — making it a high-value target. This checklist covers the 8 most critical Java security vulnerabilities with real code examples and secure fixes.


What are Java security vulnerabilities?

Java's verbose type system and mature ecosystem provide some safety — but enterprise Java applications regularly appear in breach reports. JDBC string concatenation, JSP/Thymeleaf XSS, Java deserialization, and XML parsing are Java-specific attack vectors that developers frequently overlook.


1. SQL Injection via JDBC Statement

Using Statement instead of PreparedStatement is the most common Java security mistake.

❌ Statement with concatenation

String username = request.getParameter("user");
// Attacker: user=' OR '1'='1
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(
    "SELECT * FROM users WHERE user='" + username + "'");

✅ PreparedStatement always

String username = request.getParameter("user");
PreparedStatement pstmt = conn.prepareStatement(
    "SELECT * FROM users WHERE user = ?");
pstmt.setString(1, username);  // Bound as a parameter, never parsed as SQL
ResultSet rs = pstmt.executeQuery();
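
An added example (not code from the page) extending the PreparedStatement fix to two cases where binding alone is not enough: user input inside a LIKE pattern, and an ORDER BY column, which cannot be a `?` parameter and so must come from an allowlist. It assumes Java 11+ and, for the in-memory demo only, the H2 JDBC driver on the classpath; the UserRepository class and the users table are hypothetical.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class UserRepository {
    // Identifiers cannot be bound with '?', so the ORDER BY column comes from a
    // fixed allowlist, never straight from the request.
    private static final Set<String> SORTABLE = Set.of("username", "created_at");
    private final Connection conn;
    public UserRepository(Connection conn) { this.conn = conn; }

    // Escape LIKE metacharacters so a user-typed '%' or '_' matches literally.
    static String escapeLike(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    public List<String> findByPrefix(String prefix, String sortBy) throws SQLException {
        if (!SORTABLE.contains(sortBy)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortBy);
        }
        // The search value is a bound parameter; only the allowlisted identifier is concatenated.
        String sql = "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\' ORDER BY " + sortBy;
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, escapeLike(prefix) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                List<String> names = new ArrayList<>();
                while (rs.next()) names.add(rs.getString(1));
                return names;
            }
        }
    }

    // Demo against an in-memory H2 database (assumes the H2 driver is on the classpath).
    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (var st = c.createStatement()) {
                st.execute("CREATE TABLE users(username VARCHAR(64), created_at TIMESTAMP)");
                st.execute("INSERT INTO users VALUES ('alice', CURRENT_TIMESTAMP), ('al_x', CURRENT_TIMESTAMP)");
            }
            UserRepository repo = new UserRepository(c);
            System.out.println(repo.findByPrefix("' OR '1'='1", "username")); // injection text is data, not SQL
            System.out.println(repo.findByPrefix("al_", "username"));          // '_' is matched literally
        }
    }
}
```

Passing a sort column that is not in SORTABLE (for example a value lifted from a query string) is rejected before any SQL is built.
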

2. XSS in JSP / Thymeleaf

Rendering unescaped user data in templates is the classic Java XSS vector.

❌ Unescaped JSP expression

<%-- JSP — attacker sends name=<script>alert(1)</script> --%>
<p>Hello <%= request.getParameter("name") %></p>

<!-- Thymeleaf unescaped: th:utext is equally dangerous with user input -->
<p th:utext="${userInput}"></p>

✅ Escaped output

<%-- JSP — c:out escapes <, >, &, ' and " by default (escapeXml="true") --%>
<p>Hello <c:out value="${param.name}"/></p>

<!-- Thymeleaf — th:text is safe (escapes by default) -->
<p th:text="${userInput}"></p>
<!-- Only use th:utext for pre-sanitized, trusted HTML -->
3. Hardcoded Credentials

Hardcoded database passwords and API keys in Java source are recovered from git history and from compiled .class files via decompilation.

❌ Hardcoded in source

public class DatabaseConfig {
    private static final String PASSWORD = "Secr3t!123";
    private static final String API_KEY  = "Bearer abc123xyz";
    // Visible in git history AND in decompiled .class files
}

✅ Environment variables

public class DatabaseConfig {
    private static final String PASSWORD = System.getenv("DB_PASSWORD");
    private static final String API_KEY = System.getenv("API_KEY");
    // Or use Spring @Value annotation with application.properties
    // Never commit application.properties with real values
}
💡 Pro tip: For Spring Boot applications, use Spring Security's built-in CSRF protection, enable Content Security Policy headers via HttpSecurity.headers(), and prefer JPA/Hibernate parameter binding over hand-built JDBC strings; it issues PreparedStatements under the hood.


Published by LearnCodeGuide Team · Last reviewed: November 2025