
...

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class InsecureServlet extends HttpServlet {
  private UserDAO userDAO;

  // ...

  private String login(HttpServletRequest request) {
    List<String> errors = new ArrayList<String>();
    request.setAttribute("errors", errors);

    String username = request.getParameter("username");
    char[] password = request.getParameter("password").toCharArray();

    // Basic input validation. String.valueOf() is required here:
    // char[].toString() returns the array's identity ("[C@..."), not its
    // contents, so the original password check never saw the password.
    if (!username.matches("[\\w]*") || !String.valueOf(password).matches("[\\w]*")) {
      errors.add("Incorrect user name or password format.");
      return "error.jsp";
    }

    UserBean dbUser = this.userDAO.lookup(username);
    if (!dbUser.checkPassword(password)) {
      errors.add("Passwords do not match.");
      return "error.jsp";
    }

    HttpSession session = request.getSession();
    // Invalidate old session id
    session.invalidate();
    // Generate new session id
    session = request.getSession(true);
    // Set session timeout to one hour
    session.setMaxInactiveInterval(60*60);
    // Store user bean within the session
    session.setAttribute("user", dbUser.getUsername());

    // Clear password char array
    Arrays.fill(password, ' ');

    return "welcome.jsp";
  }
}
```

This solution also invalidates the current session and creates a new session to avoid session fixation attacks; see [OWASP 2009]. The solution also reduces the window in which an attacker could perform a session hijacking attack by setting the session timeout to one hour.

Risk Assessment

Violation of this rule places sensitive information within cookies, making the information vulnerable to packet sniffing or cross-site scripting attacks.
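As an added illustration of that risk (this is not code from the CERT page), the hypothetical helper below contrasts the pattern the rule forbids, a persistent cookie carrying the user's credentials, with the approach the compliant solution takes: keep the sensitive data in the server-side session, so that only the opaque session identifier reaches the client, and give any cookie the application does set the HttpOnly and Secure flags. The class and method names are assumptions; the servlet API calls (Cookie.setMaxAge, setHttpOnly, setSecure, HttpSession.setAttribute) are standard javax.servlet calls, with setHttpOnly available from Servlet 3.0.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical helper, added for illustration only.
public final class LoginState {

  // NONCOMPLIANT: the username and password travel in a persistent cookie.
  // Anyone who can read the cookie (packet sniffing on a plain HTTP
  // connection, a cross-site scripting payload, or the browser's on-disk
  // cookie store) obtains the credentials directly.
  static void rememberInCookie(HttpServletResponse response,
                               String username, char[] password) {
    Cookie cookie = new Cookie("credentials",
        username + ":" + String.valueOf(password));
    cookie.setMaxAge(60 * 60 * 24 * 365); // persists on disk for a year
    response.addCookie(cookie);
  }

  // COMPLIANT: only the container's session identifier reaches the client;
  // the sensitive state stays on the server. The session is regenerated
  // first so that an identifier present before login (session fixation)
  // is never promoted to an authenticated session.
  static HttpSession rememberInSession(HttpServletRequest request,
                                       String username) {
    HttpSession old = request.getSession(false);
    if (old != null) {
      old.invalidate();
    }
    HttpSession session = request.getSession(true);
    session.setMaxInactiveInterval(60 * 60); // one hour, as in the compliant solution
    session.setAttribute("user", username);  // the password is never stored
    return session;
  }

  // If the application must set a cookie of its own (a non-sensitive
  // preference, for example), HttpOnly keeps it out of reach of scripts and
  // Secure keeps it off plain HTTP connections. Nothing sensitive goes in it.
  static Cookie hardenedCookie(String name, String value) {
    Cookie cookie = new Cookie(name, value);
    cookie.setHttpOnly(true);
    cookie.setSecure(true);
    cookie.setMaxAge(-1); // session cookie: discarded when the browser closes
    return cookie;
  }
}
```

The first method is the shape a violation of this rule usually takes; the second is what the compliant solution above does, reduced to the session-handling steps. A packet sniffer or an injected script that captures the session cookie still gets a usable identifier, which is why the one-hour inactivity timeout in the compliant solution matters: it bounds how long a captured identifier stays valid.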

| Rule    | Severity | Likelihood | Remediation Cost | Priority | Level |
|---------|----------|------------|------------------|----------|-------|
| FIO14-J | medium   | probable   | medium           | P8       | L2    |

Related Guidelines

[MITRE 2009] CWE-539, "Information Exposure through Persistent Cookies", http://cwe.mitre.org/data/definitions/539.html

Bibliography

[OWASP 2009] Session Fixation in Java, http://www.owasp.org/index.php/Session_Fixation_in_Java

[OWASP 2010] Cross-site Scripting, http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

[Oracle 2010] javax.servlet.http Package API, http://download.oracle.com/javaee/6/api/javax/servlet/http/package-summary.html

The World Wide Web Security FAQ

...