- Types of Authentication
- Using Security Annotations
- Verifying User Identity Programmatically
- Common Attacks on JSP Pages
- Conclusion
Common Attacks on JSP Pages
Let's examine some security weaknesses that are exploited to crack the integrity of JSP files. The goal here is to make you aware of some of these malicious techniques and suggest a few ideas to decrease their applicability to your JSPs.
Cross-Site Scripting
Cross-site scripting (abbreviated XSS) occurs when a user submits vicious HTML or XML tags (for example, <FORM>, <EMBED>, <SCRIPT>, <OBJECT>, or <APPLET>) in client-side executable scripts (usually in JavaScript) or any other component that can be part of a dynamically generated page using JSP. The goal of cross-site scripting may be basic damage (such as ruining the page design) or causing real security problems (such as accessing protected information). You also should be careful about cross-site request forgery, which exploits the trust of a website in its users. (These attacks are more complicated than XSS attacks, and therefore more difficult to prevent.)
XSS attacks usually are aimed at other clients, rather than the server.
Example:
http://.../....jsp?css=<SCRIPT>CrossSiteScriptingCode</SCRIPT>
Address this type of attack with the following solutions:
- Server-side validation of embedded tags
- Escaping unsafe syntactic elements
- Replacing syntactic elements with trusted ones
- Canceling the use of the affected constructs
Secure Data in GET Request
This is quite simple. Because GET requests expose information as simple text, anyone can access and use that information. It's only a tiny step from there to malicious attacks.
The target of this type of attack is servers and other clients.
Example:
http://.../...jsp?creditcard=039383383&pin=33222
Address this type of attack by using the POST method instead of GET, and an SSL transport mechanism.
Secure Data in Cookies
Cookies are bits of information stored by servers on client machines, to be used later in session recovery. In this type of attack, clients explore and modify the info in a stored cookie; for example, a user may respond to the server with an arbitrarily forged cookie.
The target of this attack is servers.
To address this type of attack, never place sensitive information in cookies.
Container Vulnerabilities
Before putting your trust in a platform, you have to be aware of its vulnerabilities. For example, a well-known problem of Tomcat is that this container offers access to the JSP source by requesting the page as in the following example:
http://server/page.js%2570
where %25 is a URL encoded % and 70 is the hexadecimal value for p.
The target of this attack is both clients and servers.
To address this type of attack, be aware of container vulnerabilities, and employ vendor-specific security support that addresses the specified vulnerabilities.
SQL Injection
SQL injection is a technique of replacing existing SQL queries with malicious SQL queries. Using various special characters, an attacker can access databases without following the correct route. Obviously, no site wants to reveal database content to users who are not authorized to see that kind of information.
The attack target in this case is servers and server databases.
Suppose a JSP file contains a SQL query like this:
SELECT * FROM users WHERE username='mike' AND pass='abcde'
The query is implemented like this:
String sql = "SELECT * FROM users WHERE username='" + form_user_field + "' AND pass='" + form_pass_field + "'";
If the client inserts the following in a login form:
'' OR 1=1 -- as user (form_user_field) and anything as password (form_pass_field), then the SQL variable becomes the following:
String sql = "SELECT * FROM users WHERE username='' OR 1=1 –- AND pass='anything'";
In MySQL, this query will return all rows of the users table, because the double hyphen (--) marks the rest of the query as a comment, which will be ignored by the MySQL server.
To address this type of attack, use the following techniques:
- Don't place SQL queries in JSP files.
- Write powerful filters for data.
- Use simple quotes (apostrophes) to put data in databases.
- Use an escape function.