Cookies are an essential part of any web application; they are used for many purposes, including user authentication. A cookie is a small piece of data that is set by a web server's response and is stored for a certain period of time on the client's computer. After a cookie has been set, all of the information within it is sent in all subsequent requests to the cookie's domain. Consequently, the information within a cookie is insecure; it is vulnerable to cross-site scripting (XSS) and man-in-the-middle attacks (among others). Servers must ensure that cookies lack excess or sensitive information about users. A partial list of such information includes user names, passwords, password hashes, credit card numbers, and any personally identifiable information about the user.
...
Code Block
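import java.nio.CharBuffer;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.servlet.http.*;
import com.insecure.model.UserDAO;
import com.insecure.databeans.UserBean;

/**
 * Insecure example: authenticates a user and then sends both the user name and
 * the clear-text password back to the client in cookies.
 *
 * The cookie handling is the defect this page discusses and is deliberately
 * left in place. The rest of {@link #login} has been repaired so that the
 * example compiles and validates its input as the comments claim: the original
 * passed a {@code char[]} to {@code Cookie(String, String)}, used
 * {@code Arrays} without importing it, and matched the password with
 * {@code char[].toString()} (which yields {@code "[C@..."}, never a word string).
 */
public class InsecureServlet extends HttpServlet {
    /** Characters accepted in a user name or a password (ASCII word characters). */
    private static final Pattern WORD_CHARS = Pattern.compile("[\\w]*");

    private UserDAO userDAO;

    // ...

    /**
     * Handles a login attempt.
     *
     * @param request the request carrying the {@code username} and {@code password}
     *     parameters; the reasons for a failed attempt are stored in its
     *     {@code errors} attribute
     * @param response the response the cookies are added to
     * @return {@code "error.jsp"} when a parameter is missing or malformed, the user is
     *     unknown or the password does not match; {@code "welcome.jsp"} otherwise
     */
    private String login(HttpServletRequest request, HttpServletResponse response) {
        List<String> errors = new ArrayList<String>();
        request.setAttribute("errors", errors);

        String username = request.getParameter("username");
        String passwordParam = request.getParameter("password");
        // A missing parameter is a format error, not a NullPointerException.
        if (username == null || passwordParam == null) {
            errors.add("Incorrect user name or password format.");
            return "error.jsp";
        }
        char[] password = passwordParam.toCharArray();
        try {
            // Basic input validation. The password is matched through a CharBuffer
            // view of the array so that no further String copy of it is made here.
            if (!WORD_CHARS.matcher(username).matches()
                    || !WORD_CHARS.matcher(CharBuffer.wrap(password)).matches()) {
                errors.add("Incorrect user name or password format.");
                return "error.jsp";
            }

            UserBean dbUser = this.userDAO.lookup(username);
            // An unknown user is reported exactly like a wrong password.
            if (dbUser == null || !dbUser.checkPassword(password)) {
                errors.add("Passwords do not match.");
                return "error.jsp";
            }

            // Create a cookie that contains the username
            Cookie userCookie = new Cookie("username", username);
            // Create a cookie that contains the password.
            // INSECURE: this is the defect the page discusses -- the clear-text password
            // is sent to, and stored on, the client. The String copy it requires also
            // cannot be cleared afterwards, unlike the char[].
            Cookie passCookie = new Cookie("password", new String(password));
            // Add the cookie information to the response that the client will receive
            response.addCookie(userCookie);
            response.addCookie(passCookie);
            return "welcome.jsp";
        } finally {
            // Clear the password char array on every exit path, not only on success.
            Arrays.fill(password, ' ');
        }
    }
}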
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d2266f32d2ca7cad-710f1193-4f594d0d-87f99dc0-7112bd1d7081f57033a1d4ea"><ac:plain-text-body><![CDATA[ | [java:[MITRE 2009 | AA. Bibliography#MITRE 09]] | [CWE-539 | http://cwe.mitre.org/data/definitions/539.html] "Information Exposure Through Persistent Cookies" | ]]></ac:plain-text-body></ac:structured-macro> |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8cf16af8952e31fd-24420b32-4ba54e22-9331b36a-d885a12eed477e0f67c2cc68"><ac:plain-text-body><![CDATA[ | [SD:OWASP 2009] | [Session Fixation in Java | http://www.owasp.org/index.php/Session_Fixation_in_Java] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="29fb31b27652d8d5-fc81ddd7-4b8a4e74-b2beaad3-7cea4d99432ab3f7f621f4d2"><ac:plain-text-body><![CDATA[ | [SD:OWASP 2010] | [Cross-site Scripting | http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ae96ded9145faf18-6168da6b-4bfb4ca0-9e728436-0c93153c53e8bf35f1af7056"><ac:plain-text-body><![CDATA[ | [SD:Oracle 2010] | [javax.servlet.http Package API | http://download.oracle.com/javaee/6/api/javax/servlet/http/package-summary.html] | ]]></ac:plain-text-body></ac:structured-macro> |
...