Hi friends, once again I am here. I am part of the development team of e-aushadhi (a complete supply chain management system). Presently we have deployed this system for two states, Meghalaya and Manipur. Before deployment, these websites went through a security audit.
During the security audit, vulnerabilities were found and fixed. I am listing those vulnerabilities with their solutions below.
Session ID Fingerprinting
The default JSESSIONID cookie name tells anyone who inspects the response that the application runs on a Java servlet container such as Tomcat, which helps an attacker fingerprint the stack. Renaming the cookie removes that hint. (The Tomcat documentation gives a second, unrelated reason to rename it: cookie name clashes when several Java applications sit behind the same HTTP proxy and each sets its own JSESSIONID.) In Tomcat the name is set on the application's Context element, in conf/context.xml or the application's META-INF/context.xml:
<Context path="/yourApp" sessionCookieName="<your-new-session-id-name>">
</Context>
Containers that implement Servlet 3.0 also accept a name element inside cookie-config in web.xml, which keeps the setting inside the application instead of the container.
Authentication Bypass
Every request to the server must be authenticated before it is allowed to read or write any data; a request that reaches an action without a logged-in user must be turned away, not just given an empty page.
In our application, XSSInterceptor performs the authentication check on every request, since it runs before any action.
Session Fixation
Session fixation is an attack that lets an attacker hijack a valid user session. It works when the application does not assign a new session ID at authentication: an attacker plants a session ID he already knows in the victim's browser, the victim logs in, and the attacker's copy of that ID is now an authenticated session.
// drop the pre-authentication session and obtain a fresh one (Struts 2 SessionMap)
((SessionMap) this.session).invalidate();
this.session = ActionContext.getContext().getSession();
Call this in three places: right after a successful login (before storing the user in the new session), on logout, and in the session-expired handler. Note that invalidate() discards everything stored in the old session, so anything the application still needs must be copied over after the new session is created.
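The same fix written against the servlet API directly, as an added example and not e-aushadhi's own code. It assumes a Struts 2 login action with username/password fields, an application-specific authenticate() check (stubbed here) and result names (INPUT, SUCCESS, LOGIN) mapped in struts.xml; the point is that the session ID changes at both privilege transitions, login and logout.

```java
package example;

import com.opensymphony.xwork2.ActionSupport;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.struts2.ServletActionContext;

/**
 * Added example (not e-aushadhi's code): a Struts 2 login/logout action that
 * replaces the session ID at the two points where the privilege level changes.
 * It works on the servlet session itself rather than on Struts' SessionMap.
 */
public class LoginAction extends ActionSupport {
    /** Session attribute holding the authenticated user's identifier. */
    public static final String USER_KEY = "userId";

    private String username;
    private String password;

    /** Login: authenticate first, then swap the pre-authentication session for a new one. */
    public String execute() {
        HttpServletRequest request = ServletActionContext.getRequest();

        String userId = authenticate(username, password);
        if (userId == null) {
            addActionError("Invalid username or password");
            return INPUT;   // session left untouched: nothing was granted
        }

        // Drop whatever session existed before authentication. If an attacker had
        // planted its ID in the victim's browser, that ID is now worthless.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        // Start a fresh session (new ID, empty attributes) and only now store the
        // principal. On Servlet 3.1+ containers request.changeSessionId() issues a
        // new ID while keeping attributes; invalidate/recreate also works on older ones.
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute(USER_KEY, userId);
        return SUCCESS;
    }

    /** Logout: invalidate so the old ID can never be replayed. */
    public String logout() {
        HttpSession session = ServletActionContext.getRequest().getSession(false);
        if (session != null) {
            session.invalidate();
        }
        return LOGIN;   // assumed to be mapped to the login page in struts.xml
    }

    /**
     * Placeholder for the application's own credential check (for example a
     * salted-hash lookup in the user store). Returns the user's identifier,
     * or null when the credentials are wrong.
     */
    private String authenticate(String user, String pass) {
        return null;   // stub: replace with the real check
    }

    public void setUsername(String username) { this.username = username; }
    public void setPassword(String password) { this.password = password; }
}
```

The order matters: the credentials are verified before the old session is destroyed, so a failed login attempt does not churn session IDs, and the user identifier is written only into the session that was created after authentication.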
Session Hijacking
Session hijacking, sometimes also called cookie hijacking, is the exploitation of a valid session (its session ID, sometimes called the session key) to gain unauthorized access to information or services in a computer system. The web.xml settings below make the session cookie HttpOnly (not readable from JavaScript, so a script injection cannot steal it), Secure (sent only over HTTPS, so the site must be served over TLS or the cookie never reaches the server and login breaks) and cookie-only, so the container never rewrites the session ID into URLs where it would leak through logs and Referer headers.
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
And to prevent a session ID from being reused from a different browser, I hashed the browser's User-Agent and stored the hash in the session. The corresponding check was added to XSSInterceptor, as it is called on every request.
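An interceptor that does both of the per-request checks described above, the authentication check from the Authentication Bypass section and the User-Agent binding from this one, as an added example and not e-aushadhi's XSSInterceptor. It assumes the login action stores the user under "userId" and calls bindUserAgent() right after creating the fresh session, and that a "login" result is mapped in struts.xml. Keep in mind that the User-Agent header is chosen by the client: an attacker who has stolen the cookie can copy the header too, so this check only defeats careless or cross-browser reuse, not a determined hijacker.

```java
package example;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.struts2.ServletActionContext;

/**
 * Added example (not e-aushadhi's XSSInterceptor): rejects requests that carry
 * no authenticated session, and rejects sessions presented by a browser whose
 * User-Agent hash differs from the one recorded at login.
 */
public class AuthInterceptor extends AbstractInterceptor {
    public static final String USER_KEY = "userId";   // set by the login action
    public static final String UA_KEY = "uaHash";     // set by bindUserAgent()
    public static final String LOGIN = "login";       // result name assumed in struts.xml

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpSession session = request.getSession(false);

        // No session, or a session without a principal: nothing further may run.
        if (session == null || session.getAttribute(USER_KEY) == null) {
            return LOGIN;
        }

        // The session must come from the same browser fingerprint that logged in.
        String expected = (String) session.getAttribute(UA_KEY);
        String actual = hashUserAgent(request.getHeader("User-Agent"));
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                actual.getBytes(StandardCharsets.UTF_8))) {
            // Treat a mismatch as a hijack attempt: kill the session outright,
            // so neither the legitimate user nor the attacker can keep using it.
            session.invalidate();
            return LOGIN;
        }

        return invocation.invoke();
    }

    /** Called once by the login action, immediately after the fresh session is created. */
    public static void bindUserAgent(HttpSession session, String userAgent) {
        session.setAttribute(UA_KEY, hashUserAgent(userAgent));
    }

    /** SHA-256 of the User-Agent as lowercase hex; a missing header hashes as the empty string. */
    static String hashUserAgent(String userAgent) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(
                    (userAgent == null ? "" : userAgent).getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }
}
```

Register the class under `<interceptors>` in struts.xml and place it ahead of defaultStack in the stack used by every authenticated action; the login and logout actions themselves must use a stack without it, otherwise nobody can ever log in.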
XSS
To reject any metacharacter, I wrote an interceptor that checks whether each parameter value contains a metacharacter or not.
Anti CSRF
In Struts 2, anti-CSRF protection can be implemented with the built-in token interceptor in two steps:
Add a token field to every form that changes state.
<s:token name="token"></s:token>
Then, in struts.xml, reference the token interceptor on the action (it is not part of defaultStack, so it must be listed explicitly, before defaultStack) and map the invalid.token result that the interceptor returns when the token is missing, stale or reused.
<interceptor-ref name="token"/>
<result name="invalid.token">redirection page on invalid token</result>
HTML Injection
XSSInterceptor also HTML-encodes any HTML tags passed in form fields, so that a stored value is rendered as text rather than markup.
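One interceptor implementing the two input policies from the XSS and HTML Injection sections, as an added example and not e-aushadhi's XSSInterceptor: parameter values containing HTML metacharacters are rejected, and escapeHtml() shows the encoding applied to a field that must be allowed to carry such characters. The METACHARS set and the "invalidInput" result name are assumptions. Rejecting input is a blunt tool (a supplier name containing "&" or a password containing "<" would be refused), so the robust defence remains encoding at output time, which Struts tags such as `<s:property>` already do by default.

```java
package example;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.struts2.ServletActionContext;

/**
 * Added example (not e-aushadhi's XSSInterceptor): refuses any request whose
 * parameters contain HTML metacharacters, and provides the encoder used for
 * fields that are allowed to carry them.
 */
public class InputFilterInterceptor extends AbstractInterceptor {
    /** Result name for rejected input; assumed to be mapped to an error page in struts.xml. */
    public static final String INVALID_INPUT = "invalidInput";

    /**
     * Characters this application refuses in any parameter. The set is a policy
     * choice: it stops tag and attribute injection, but any field that legitimately
     * needs one of them must be exempted here and output-encoded instead.
     */
    private static final Pattern METACHARS = Pattern.compile("[<>\"'&]");

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        // Servlet-level view of the parameters; identical across Struts 2 versions.
        Map<String, String[]> params = ServletActionContext.getRequest().getParameterMap();
        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            for (String value : entry.getValue()) {
                if (value != null && METACHARS.matcher(value).find()) {
                    // Refuse the whole request; the action never sees the tainted value.
                    return INVALID_INPUT;
                }
            }
        }
        return invocation.invoke();
    }

    /** Encodes the five HTML-significant characters so a value renders as literal text. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
}
```

Place this interceptor before the params interceptor in the stack so a rejected value is never copied onto the action; and because the check covers every parameter, including passwords, apply it per stack rather than globally, or exempt the login action.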
Form Autocomplete
Autocomplete should be turned off on the login form and on any form that carries sensitive data, by setting the form's (or the individual field's) autocomplete attribute to off, so the browser does not store the values and refill them for the next person at the same terminal. Current browsers ignore this attribute for password fields and offer to save them anyway, so treat it as hardening rather than as a control to rely on.