Security Related Error in Servlet Application

 
Baseet Ahmed
Ranch Hand
Posts: 225
Season's Greetings!

Well, after a long time, I am again posting on JavaRanch, now CodeRanch, in the Servlet domain.

Recently we faced a few issues in our application that are related to security and could be useful to a hacker.
Therefore we are trying to remove them from our application.

1- Whenever any error/exception occurred, it unfortunately displays the system details with application architecture, like: ServletException: our JSP name with path, etc.

2- Injection of data during application access, i.e. when we log in through id 'abc', it should remain the same till the end of the session, but how to prevent it from injection, so that any third party should not change the login id?
Would encoding parameters help in this case? If yes, then please help with an example.

3- Facing a cross-site scripting attack, i.e. it is being reflected back to the browser (user).

Hope you might have faced such kinds of problems.

Please suggest...

-------------------
Regards
Baseet Ahmed
 
Ulf Dittmer
Rancher
Posts: 42970
1- Whenever any error/exception occurred, it unfortunately displays the system details with application architecture, like: ServletException: our JSP name with path, etc.

Sounds like you need an error-page element in your web.xml. Even better would be to catch exceptions in your servlet/application code, and thus handle them before they ever reach any JSP page.

2- Injection of data during application access, i.e. when we log in through id 'abc', it should remain the same till the end of the session, but how to prevent it from injection, so that any third party should not change the login id?

What do you mean by "injection", and who is a "third party" in this context? Once a session is created, it should not be possible to change anything as fundamental as the userID it's associated with.

3- Facing a cross-site scripting attack, i.e. it is being reflected back to the browser (user).

Any text entered by the user that is then displayed on the web page needs to be sanitized with regards to HTML and JavaScript. A first step would be to replace all < and > characters by &lt; and &gt;.
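The first point of the reply, handling exceptions in application code before they reach a JSP, as an added example (not code from the thread or from any project it mentions). It is a servlet Filter for the classic javax.servlet API used in the thread; the class name, log message and the path of the generic error page are assumptions. It logs the full stack trace on the server and sends the browser only a fixed page, so class names, JSP paths and stack traces never leave the server:

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (assumed name). Register it in web.xml with a
 * <filter>/<filter-mapping> on url-pattern "/*" so it wraps every servlet
 * and JSP. The <error-page> element from the reply still belongs in web.xml
 * as a safety net for errors raised outside this filter (e.g. 404s).
 */
public class SafeErrorFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(SafeErrorFilter.class.getName());

    // Assumed location of a static, generic error page; it must not read the exception.
    private static final String GENERIC_ERROR_PAGE = "/WEB-INF/jsp/error.jsp";

    public void init(FilterConfig config) throws ServletException {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            chain.doFilter(request, response);
        } catch (Exception e) {
            // Full details go to the server log only, where support staff can read them.
            LOG.log(Level.SEVERE, "Unhandled error while serving " + request.getRequestURI(), e);

            if (response.isCommitted()) {
                // Output already started (common when a JSP include or Tiles layout
                // has begun writing): the page cannot be replaced any more, so hand
                // the problem to the container's <error-page> mapping instead of
                // appending a half-rendered page.
                throw new ServletException("Error after the response was committed");
            }
            response.reset();
            response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            // Forward to the generic page; the exception object is deliberately not
            // placed in a request attribute, so the JSP has nothing sensitive to show.
            request.getRequestDispatcher(GENERIC_ERROR_PAGE).forward(request, response);
        }
    }

    public void destroy() {
    }
}
```

The error.jsp itself should contain only fixed text (a reference number at most); if the container's own default error page is ever reached, it will print the exception, which is exactly what the web.xml <error-page> mapping is there to replace.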
 
Baseet Ahmed
Ulf,

Thank you for your inputs.


For the 2nd issue, what I mean to say is: if we have application access with a particular user id, the application should keep an eye on that, so that the same user id is being used throughout the access period. How to achieve this?

For hackers/attackers/anybody else who is not supposed to interfere in that session, I used the term "third party".

For the 3rd issue, please let me know how to tackle a cross-site scripting attack?



-------------------
Regards
Baseet Ahmed
 
Ulf Dittmer
For the 2nd issue, what I mean to say is: if we have application access with a particular user id, the application should keep an eye on that, so that the same user id is being used throughout the access period.

I'm not quite following what you're trying to guard against. The userID is determined upon login, put into the session, and never changed after that. Why (or how) would the application use a different one? Any parameters passed in from the client are suspect, of course, and can't be trusted, but the userID is assigned by the server.

For the 3rd issue, please let me know how to tackle a cross-site scripting attack?

Are you asking how to replace certain substrings of a request parameter with certain other substrings before using/storing them? If so, check out regular expressions, especially the String.replaceAll method. Note that some of the characters involved are regexp special characters, so you need to escape them. The javadocs for the java.util.regex.Pattern class explain all about that.
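The session pattern described in the reply above (the user id is assigned by the server at login, stored in the HttpSession and never read from client parameters afterwards), as an added example that is not code from the thread. Servlet and store names are assumptions, and the in-memory credential table is a constructed sample standing in for a real user store:

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical login servlet (assumed name); map it to /login in web.xml. */
public class LoginServlet extends HttpServlet {

    /** The one session attribute that identifies the logged-in user. */
    static final String USER_ID_ATTR = "userId";

    // Constructed sample credentials; a real application checks a user store.
    private static final Map<String, String> SAMPLE_USERS = new HashMap<String, String>();
    static {
        SAMPLE_USERS.put("abc", "correct horse battery staple");
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String id = request.getParameter("id");
        String password = request.getParameter("password");

        // Login is the only moment a client-supplied id is looked at, and only to verify it.
        if (id == null || password == null || !password.equals(SAMPLE_USERS.get(id))) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Extra precaution beyond what the thread discusses: discard any session that
        // existed before login so the authenticated session starts with a fresh id.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(USER_ID_ATTR, id);   // the only place this attribute is ever set
        response.sendRedirect(request.getContextPath() + "/profile");
    }
}

/** Hypothetical protected page (assumed name); reads the user from the session only. */
class ProfileServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        String userId = (session == null) ? null : (String) session.getAttribute(LoginServlet.USER_ID_ATTR);
        if (userId == null) {
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        // The pattern to avoid, which is what the question calls "injection":
        //   String userId = request.getParameter("userId");   // client-controlled, never trusted
        // Because the value above comes from the server-side session, a third party
        // cannot change which user this request acts for by editing the request.
        request.setAttribute("currentUser", userId);
        request.getRequestDispatcher("/WEB-INF/jsp/profile.jsp").forward(request, response);
    }
}
```

Every other servlet and JSP that needs the user should follow ProfileServlet: take the id from the session attribute and ignore any "userId" the request carries. A quick code search for getParameter("userId") (or whatever the parameter is called) after the login step is the practical check that the rule holds.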
 
Baseet Ahmed
I'm not quite following what you're trying to guard against. The userID is determined upon login, put into the session, and never changed after that. Why (or how) would the application use a different one? Any parameters passed in from the client are suspect, of course, and can't be trusted, but the userID is assigned by the server.


See, what I want in my case is to prevent the login id from getting changed by anyone. Can you please explain with example code?

Are you asking how to replace certain substrings of a request parameter with certain other substrings before using/storing them? If so, check out regular expressions, especially the String.replaceAll method. Note that some of the characters involved are regexp special characters, so you need to escape them. The javadocs for the java.util.regex.Pattern class explain all about that.


I am asking that, if we are showing some custom error message with dynamic data (like user id), then it should not get affected by a cross-site scripting attack, e.g. "Following user id does not exist: <script>alert("")</script>".
How to prevent such a thing?


-------------------
Regards
Baseet Ahmed
 
Ulf Dittmer
What I want in my case is to prevent the login id from getting changed by anyone.

How would the login ID get changed? It's kept on the server, and there should be no way to change it. Can you describe an attack scenario where you think it might get changed?

I am asking that, if we are showing some custom error message with dynamic data (like user id), then it should not get affected by a cross-site scripting attack, e.g. "Following user id does not exist: <script>alert("")</script>".
How to prevent such a thing?

By making sure that in all text that is entered by a user anything that is an HTML or JavaScript tag is properly escaped before it gets displayed in a web page. It's a simple string search-and-replace.
For instance, if the user enters "Baseet <script>alert('got you!')</script> Ahmed", then that needs to get changed to "Baseet &lt;script&gt;alert('got you!')&lt;/script&gt; Ahmed" so that the script tag is not interpreted as JavaScript by the browser.
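The search-and-replace that the two replies above describe (the String.replaceAll suggestion and the worked "Baseet <script>…</script> Ahmed" example), as an added example that is not code from the thread. The class name is an assumption. It walks the string once instead of chaining replaceAll calls, which sidesteps the regex-escaping question entirely, and it escapes &, " and ' in addition to < and >, because those characters matter when the value lands inside an HTML attribute:

```java
/** Hypothetical helper (assumed name) for escaping user text before it is written into HTML. */
public final class HtmlEscaper {

    private HtmlEscaper() {
    }

    /** Returns the input with every HTML-significant character replaced by its entity. */
    public static String escape(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;   // first in spirit: a raw & would corrupt the other entities
                case '<':  out.append("&lt;");   break;   // stops <script> and any other tag from opening
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;   // needed when the value sits inside attr="..."
                case '\'': out.append("&#39;");  break;   // needed when the value sits inside attr='...'
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The custom error message from the question, built with the user-supplied id escaped. */
    public static String userNotFoundMessage(String userId) {
        return "Following user id does not exist: " + escape(userId);
    }

    // Constructed sample inputs taken from the thread, for a quick manual check.
    public static void main(String[] args) {
        System.out.println(escape("Baseet <script>alert('got you!')</script> Ahmed"));
        System.out.println(userNotFoundMessage("<script>alert(\"\")</script>"));
    }
}
```

If you prefer the replaceAll route from the earlier reply, do the "&" replacement before the others, otherwise the "&" that the later replacements introduce gets escaped a second time. Either way the escaping belongs at the point where the text is written into the page (the JSP or the code that builds the message), not at input time, so the stored value stays exactly what the user typed and is escaped correctly for whichever page shows it.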
 
Baseet Ahmed

Thank you for the answers of my queries...

One problem I found while resolving the 1st issue: while adding the exception handling mechanism (through the <error-page> technique in web.xml) to our application, we are still getting the problem (i.e. the system details with application architecture get displayed). Since we are using the Tiles feature for inserting JSP pages, I am unable to resolve it.


Please suggest how to track this, in case we get a runtime error in a JSP/Java file.


-------------------
Regards
Baseet Ahmed
 
Ulf Dittmer
Is the error JSP that you created being used? If so, you can have it display whatever you want it to display.

I'm not familiar enough with Tiles to know how it interacts with error pages. Check its documentation, or ask in the Struts forum.
 
Baseet Ahmed
Ulf,

Can you please help in moving this thread to the Struts forum?



-------------------
Regards
Baseet Ahmed
 
Ulf Dittmer
I think you should just post a new question to the Struts forum with the specific problem about Tiles and error pages. All that was discussed above really has nothing to do with Struts.
 