2.4 Insecure Direct Object References
- Use of prepared statements (parameterized queries)
Oracle Banking Corporate Lending uses prepared statements (PreparedStatement) with bind variables to construct and execute SQL statements in Java.
- Input Validation
Oracle Banking Corporate Lending is a web-based application; request data from the browser to the server is passed in request headers and request parameters. All request fields coming from the client are validated using white-list validation to prevent cross-site scripting.
The user-defined method validateParameter() performs input validation by checking each character of the request field against a range of allowed characters.
The user-defined methods escapeJavaScript(), escapeHTML() and escapeURL() sanitize output data before it is flushed to the client browser.
escapeJavaScript() escapes all characters except immune JavaScript characters and alphanumeric characters in the ASCII character set. All other characters are encoded using the \xHH or \uHHHH notation for representing ASCII or Unicode sequences.
escapeHTML() replaces characters with the equivalent HTML entities obtained from a lookup map. The lookup map holds entities such as amp, quot, lt, gt, and so on.
escapeURL() encodes the URL using URLEncoder class.
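The white-list check and the two escapers described above, as an added example that is not Oracle's code: the allowed character range, the immune JavaScript characters and the entity map are assumptions chosen for the illustration.

```java
import java.util.Map;
// Added illustration, not Oracle's code: a character-range white-list check and the two
// escapers in the form the text describes. Allowed set and immune list are assumptions.
public class RequestSanitizer {
    // Hypothetical allowed range for a plain-text request field: ASCII letters and digits
    // plus a small set of punctuation. Anything else fails validation.
    private static boolean isAllowed(char c) {
        return (c < 128 && Character.isLetterOrDigit(c)) || " .,_-@".indexOf(c) >= 0;
    }
    // validateParameter: reject the field unless every character is in the allowed range.
    // The request is refused outright rather than "cleaned".
    public static boolean validateParameter(String value) {
        if (value == null) return false;
        for (int i = 0; i < value.length(); i++) {
            if (!isAllowed(value.charAt(i))) return false;
        }
        return true;
    }
    // Characters treated as immune (left unescaped) inside a JavaScript string; assumed set.
    private static final String JS_IMMUNE = ",._";
    // escapeJavaScript: ASCII alphanumerics and immune characters pass through; every other
    // ASCII character becomes \xHH and every non-ASCII character becomes \uHHHH.
    public static String escapeJavaScript(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 128 && (Character.isLetterOrDigit(c) || JS_IMMUNE.indexOf(c) >= 0)) {
                out.append(c);
            } else if (c < 128) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.toString();
    }
    // Lookup map of HTML entities used by escapeHTML (amp, lt, gt, quot, plus the apostrophe).
    private static final Map<Character, String> HTML_ENTITIES = Map.of(
            '&', "&amp;", '<', "&lt;", '>', "&gt;", '"', "&quot;", '\'', "&#x27;");
    // escapeHTML: replace each character found in the lookup map with its entity.
    public static String escapeHTML(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            out.append(HTML_ENTITIES.getOrDefault(s.charAt(i), String.valueOf(s.charAt(i))));
        }
        return out.toString();
    }
}
```

With these definitions, validateParameter("<script>") returns false, escapeHTML("<b>") returns "&lt;b&gt;", and escapeJavaScript("O'Brien") returns "O\x27Brien".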
White-list validation is also used to restrict image/signature/Excel uploads and to check the user's rights for every operation performed.
- Image Content validation
Signature upload checks the image type and image content using the built-in Java classes ImageIO and JarFile.
- Field validation
Field-level validations exist for all mandatory fields. The database also limits the type and length of data. Blacklisted characters are not allowed in mandatory fields. Nevertheless, Oracle Banking Corporate Lending has free-text fields, which accept whatever the user enters as a String.
- Restriction on Blacklist characters
Similar to white-list validation, black-list validation is also used to validate request fields. Oracle Banking Corporate Lending uses black-list validation to check whether the request XML contains unwanted tags (script tags, HTML tags, anchor tags, and so on) inside the XML content. It is also used in the advance summary field's validation to check whether the proper request fields are coming from the browser.
The table below lists the bad characters that are not allowed in a URL path. Oracle Banking Corporate Lending operations require many of these characters to be passed in the request, so Oracle Banking Corporate Lending encodes them before sending them through the URL and decodes them at the server, preventing an attacker from modifying the request.
Table 2-1 Unsafe Characters
Bad URL Characters (Unsafe Characters):
    &                  //
    <                  ./
    >                  /.
    ;                  /*
    "                  *.
    '                  ~
    %                  \
    )                  25%
    (                  %25u
    +                  %25U
    ,                  %00-%1f, %7f-%ff
    " " (Space)        %00-%1f and %7f-%ff
    -                  %25u and %25U
- Restriction on Script/Html tags
Oracle Banking Corporate Lending has black-list validation for unwanted tags in XML, such as script tags or HTML tags inside the XML content, particularly in the header.