SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 29

changes.mady.by.user Ryan Hall

Saved on

compared with

New Version 30

changes.mady.by.user Robert Seacord (Manager)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: minor edits

...

Noncompliant Code Example

In this non compliant noncompliant code example, we can see that the servlet stores the user name in the cookie to identify the user for authentication purposes.

Code Block
bgColor#FFcccc
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.*;
import com.insecure.model.UserDAO;
import com.insecure.databeans.UserBean;

public class InsecureServlet extends HttpServlet {
  private UserDAO userDAO;

  // ...

  private String login(HttpServletRequest request, HttpServletResponse response) {
    List<String> errors = new ArrayList<String>();
    request.setAttribute("errors", errors);
        
    String username = request.getParameter("username");
    String password = request.getParameter("password");
        
    // Basic input validation
    if(!username.matches("[\\w]*") || !password.matches("[\\w]*")) {
      errors.add("Incorrect user name or password format.");
      return "error.jsp";
    }
      
    UserBean dbUser = this.userDAO.lookup(username);
    if(!dbUser.checkPassword(password)) {
      errors.add("Passwords do not match.");
      return "error.jsp";
    }
        
    Cookie userCookie = new Cookie("username", username); // Create a cookie that contains the username
    Cookie passCookie = new Cookie("password", password); // Creates a cookie that contains the password
    response.addCookie(userCookie); // Send the cookie information to the client
    response.addCookie(passCookie);

    return "welcome.jsp";
  }
}

Note that the above non compliant noncompliant code example stores the user name and password within the cookie for authentication purposes. This particular code example is insecure because an attacker could possibly perform a cross-site scripting attack or sniff packets to find this information. Once the attacker finds this information, they have free reign to log in to the user's account. On the other hand, if the application only stored the user name within the cookie for authentication purposes, an attacker could still use the user name to forge their own cookie and bypass the authentication system.

Compliant Solution

The non compliant previous noncompliant example above can be resolved by using the HttpSesssion class within the javax.servlet.http package ?to store user information as opposed to cookies. Since HttpSession objects are server-side, it is impossible for an attacker to gain access to the session information directly through cross-site scripting or man-in-the-middle attacks. Instead, a session id is stored within the cookie to refer to the user's HttpSession object stored on the server. As a result, the attacker must first gain access to the session id and only then do they have a chance of gaining access to a user's account details.

Code Block
bgColor#ccccff
public class InsecureServlet extends HttpServlet {
  private UserDAO userDAO;

  // ...

  private String login(HttpServletRequest request, HttpServletResponse response) {
    List<String> errors = new ArrayList<String>();
    request.setAttribute("errors", errors);

    String username = request.getParameter("username");
    String password = request.getParameter("password");

    // Basic input validation
    if(!username.matches("[\\w]*") || !password.matches("[\\w]*")) {
      errors.add("Incorrect user name or password format.");
      return "error.jsp";
    }

    UserBean dbUser = this.userDAO.lookup(username);
    if(!dbUser.checkPassword(password)) {
      errors.add("Passwords do not match.");
      return "error.jsp";
    }

    HttpSession session = request.getSession();
    session.invalidate(); // Invalidate old session id
    session = request.getSession(true); // Generate new session id
    session.setMaxInactiveInterval(2*60*60); // Set session timeout to two hours
    session.setAttribute("user", dbUser); // Store user bean within the session

    return "welcome.jsp";
  }
}

Wiki Markup
This solution uses a session and not a cookie to store user information. Additionally, the current session is invalidated and a new session is created to avoid session fixation attacks as noted by The Open Web Application Security Project \[OWASP 2009\] .  The timeout of the session has also been set to two hours to minimize the window that an attacker has to perform any a session hijacking
In the above solution, we have switched from a cookie to a session to store user information. Additionally, the current session is invalidated and a new session is created in order to avoid session fixation attacks as noted by The Open Web Application Security Project (OWASP 2009). The timeout of the session has also been set to two hours to minimize the window that an attacker has to perform any a session hijacking 
attack.

Risk Assessment

Noncompliance may lead to sensitive information being stored within a cookie, which may be accessible via packet sniffing or cross-site scripting attacks.

...