...
| Code Block | ||
|---|---|---|
| ||
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.*;
import com.insecure.model.UserDAO;
import com.insecure.databeans.UserBean;
public class InsecureServlet extends HttpServlet {
private UserDAO userDAO;
// ...
private String login(HttpServletRequest request, HttpServletResponse response) {
List<String> errors = new ArrayList<String>();
request.setAttribute("errors", errors);
      Â
String username = request.getParameter("username");
char[] password = request.getParameter("password").toCharArray();
     Â
// Basic input validation
if(!username.matches("[\\w]*") || !password.toString().matches("[\\w]*")) {
errors.add("Incorrect user name or password format.");
return "error.jsp";
}
    Â
UserBean dbUser = this.userDAO.lookup(username);
if(!dbUser.checkPassword(password)) {
errors.add("Passwords do not match.");
return "error.jsp";
}
  Â
// Create a cookie that contains the username
Cookie userCookie = new Cookie("username", username);
// Create a cookie that contains the password
Cookie passCookie = new Cookie("password", password);
// Add the cookie information to the response that the client will receive
response.addCookie(userCookie);
response.addCookie(passCookie);
// Clear password char array
Arrays.fill(password, ' ');
return "welcome.jsp";
}
}
|
...
| Wiki Markup |
|---|
\[SD:OWASP 2009\] [Session Fixation in Java|http://www.owasp.org/index.php/Session_Fixation_in_Java] \[SD:OWASP 2010\] [Cross-site Scripting|http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29] \[SD:Oracle 2010\] [javax.servlet.http Package API|http://download.oracle.com/javaee/6/api/javax/servlet/http/package-summary.html] [The World Wide Web Security FAQ|http://www.w3.org/Security/Faq/wwwsf2.html] |
...
FIO10FIO14-J. Do not let Runtime.exec() fail or block indefinitelyUse an int to capture the return value of functions that read a character or byte 12. Input Output (FIO) 13. Input Validation and Data Sanitization (IDS)