SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 46

changes.mady.by.user Tracey Tamules

Saved on

compared with

New Version 47

changes.mady.by.user Robert Seacord (Manager)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: done

Cookies are an essential part of any web application; they are used for many purposes, including user authentication. A cookie is a small piece of data that is set by a web server's response that will be is stored for a certain period of time on the client's computer. After a cookie has been set, all of the information within is sent in all subsequent requests to the cookie domain. Consequently, the information within a cookie is insecure; it is vulnerable to cross-site scripting (XSS) or man-in-the-middle attacks (among others). Servers must ensure that cookies lack excess or sensitive information about users. A partial list of such information includes user names, passwords, password hashes, credit cards, and any personally identifiable information about the user.

...

Code Block
bgColor#FFcccc
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.*;
import com.insecure.model.UserDAO;
import com.insecure.databeans.UserBean;

public class InsecureServlet extends HttpServlet {
  private UserDAO userDAO;

  // ...

  private String login(HttpServletRequest request, HttpServletResponse response) {
    List<String> errors = new ArrayList<String>();
    request.setAttribute("errors", errors);
 
    String username = request.getParameter("username");
    char[] password = request.getParameter("password").toCharArray();
  
    // Basic input validation
    if (!username.matches("[\\w]*") || !password.toString().matches("[\\w]*")) {
      errors.add("Incorrect user name or password format.");
      return "error.jsp";
    }
 
    UserBean dbUser = this.userDAO.lookup(username);
    if (!dbUser.checkPassword(password)) {
      errors.add("Passwords do not match.");
      return "error.jsp";
    }
 
    // Create a cookie that contains the username
    Cookie userCookie = new Cookie("username", username);
    // Create a cookie that contains the password
    Cookie passCookie = new Cookie("password", password);
    // Add the cookie information to the response that the client will receive
    response.addCookie(userCookie);
    response.addCookie(passCookie);

    // Clear password char array
    Arrays.fill(password, ' ');

    return "welcome.jsp";
  }
}

Note that the noncompliant code example stores the user name and password within two cookie objects, which are sent to the client to be stored in a cookie. This code example is insecure because an attacker can discover this information by performing a cross-site scripting attack or by sniffing packets. Once the attacker gains access to the username user name and password, he or she can freely log in to the user's account. Even if the application had stored only the user name within the cookie for authentication purposes, an attacker could still use the user name to forge his or her own cookie and consequently bypass the authentication system.

...

Code Block
bgColor#ccccff
public class InsecureServlet extends HttpServlet {
  private UserDAO userDAO;

  // ...

  private String login(HttpServletRequest request) {
    List<String> errors = new ArrayList<String>();
    request.setAttribute("errors", errors);

    String username = request.getParameter("username");
    char[] password = request.getParameter("password").toCharArray();

    // Basic input validation
    if (!username.matches("[\\w]*") || !password.toString().matches("[\\w]*")) {
      errors.add("Incorrect user name or password format.");
      return "error.jsp";
    }

    UserBean dbUser = this.userDAO.lookup(username);
    if (!dbUser.checkPassword(password)) {
      errors.add("Passwords do not match.");
      return "error.jsp";
    }

    HttpSession session = request.getSession();
    // Invalidate old session id
    session.invalidate();
    // Generate new session id
    session = request.getSession(true);
    // Set session timeout to one hour
    session.setMaxInactiveInterval(60*60);
    // Store user bean within the session
    session.setAttribute("user", dbUser.getUsername());

    // Clear password char array
    Arrays.fill(password, ' ');

    return "welcome.jsp";
  }
}

Wiki Markup
This solution also invalidates the current session and creates a new session  to avoid session fixation attacks; see \[SD:OWASP 2009\].  The solution also reduces the window in which an attacker could perform a session hijacking attack by setting the session timeout to one.

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="670e277ad896ee24-e957f863-42844bc5-a2319773-5d22f4c4b1bb3967258578c7"><ac:plain-text-body><![CDATA[

[SD:OWASP 2009]

[Session Fixation in Java

http://www.owasp.org/index.php/Session_Fixation_in_Java]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3f819857c234c076-9456909e-474d43d7-99048570-72d0893cec1489be71770be4"><ac:plain-text-body><![CDATA[

[SD:OWASP 2010]

[Cross-site Scripting

http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="242b42a9f46ab7e0-86b81fb8-4a224a2c-8db58505-309ec2eaa22ea8d6f54524de"><ac:plain-text-body><![CDATA[

[SD:Oracle 2010]

[javax.servlet.http Package API

http://download.oracle.com/javaee/6/api/javax/servlet/http/package-summary.html]

]]></ac:plain-text-body></ac:structured-macro>

The World Wide Web Security FAQ

...