Hi friends, once again I am here. I am part of the development team of e-aushadhi (a complete supply chain management system). Presently, we have deployed this system for two states, Meghalaya and Manipur. Before deployment, these websites went through a security audit.
During the security audit, we found vulnerabilities and resolved them. I am listing those vulnerabilities with their solutions below.
Session ID Fingerprinting
Cookie name clashes occur when session ID values are reused across different servers. A common reason for changing the JSESSIONID cookie name is such a clash caused by an HTTP proxy server.
<Context path="/yourApp" sessionCookieName="<your-new-session-id-name>">
Every server request should be authenticated first, before it is allowed to read or write any data.
For all requests, XSSInterceptor performs the authentication validations.
Session Fixation is an attack that permits an attacker to hijack a valid user session. It becomes possible when the application does not assign a new session ID on authenticating a user, so an existing session ID can be reused.
this.session = ActionContext.getContext().getSession();
Insert the same after a successful login, in the logout method and in the session-expired method.
Session Hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system.
To avoid sharing of a session ID across browsers, I hashed the browser User-Agent and stored the hash in the session. The corresponding validation was added in XSSInterceptor, as it is called on every request.
To refuse any metacharacter, I wrote an interceptor that checks whether a parameter value contains a metacharacter.
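The three per-request checks above (authentication first, User-Agent hash bound to the session, metacharacter rejection) plus session regeneration at login, as an added Struts2 interceptor written for this post; it is not the e-aushadhi XSSInterceptor. It assumes Struts 2.x with the javax servlet API, that the login action calls bindSession after verifying credentials, that "authUser" and "uaHash" are the session keys, that "login" and "input" results are configured, and that the interceptor is registered in struts.xml for authenticated actions only.

```java
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.ServletActionContext;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionGuardInterceptor extends AbstractInterceptor {
    static final String USER_KEY = "authUser"; // assumed: set by the login action
    static final String UA_KEY = "uaHash";     // SHA-256 of the User-Agent seen at login
    private static final Pattern META = Pattern.compile("[<>\"'%;()&+]"); // assumed metacharacter set
    /** Call once after credentials are verified: drops the pre-login session (fixation) and binds the new one. */
    public static void bindSession(HttpServletRequest req, String user) {
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();        // pre-auth ID must never survive login
        HttpSession fresh = req.getSession(true); // container issues a new session ID
        fresh.setAttribute(USER_KEY, user);
        fresh.setAttribute(UA_KEY, hash(req.getHeader("User-Agent")));
    }
    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest req = ServletActionContext.getRequest();
        HttpSession session = req.getSession(false);
        // 1. Authentication first: no session, or no logged-in user, means no data access
        if (session == null || session.getAttribute(USER_KEY) == null) return "login";
        // 2. Same session ID from a different browser: treat as hijack and kill the session
        if (!hash(req.getHeader("User-Agent")).equals(session.getAttribute(UA_KEY))) {
            session.invalidate();
            return "login";
        }
        // 3. Reject the request outright if any parameter value carries a metacharacter
        for (Map.Entry<String, String[]> p : req.getParameterMap().entrySet()) {
            for (String v : p.getValue()) {
                if (v != null && META.matcher(v).find()) return "input";
            }
        }
        return invocation.invoke();
    }
    static String hash(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest((s == null ? "" : s).getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

The User-Agent check only raises the bar against a stolen session ID being replayed from another browser; a Secure, HttpOnly cookie and TLS everywhere remain the primary protection.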
In struts2, anti-CSRF can be implemented by the following steps:
Adding a token field in every form.
Adding the validation in the struts2 xml.
<result name="invalid.token">redirection page on invalid token</result>
XSSInterceptor also encodes any HTML tag passed in the form field.
Form autocomplete should be turned off.