Common Attacks on JSP Pages
Let's examine some security weaknesses that are exploited to crack the integrity of JSP files. The goal here is to make you aware of some of these malicious techniques and suggest a few ideas to decrease their applicability to your JSPs.
XSS attacks usually are aimed at other clients, rather than the server.
Address this type of attack with the following solutions:
- Server-side validation of embedded tags
- Escaping unsafe syntactic elements
- Replacing syntactic elements with trusted ones
- Canceling the use of the affected constructs
Secure Data in GET Request
This is quite simple. Because GET requests expose information as simple text, anyone can access and use that information. It's only a tiny step from there to malicious attacks.
The target of this type of attack is servers and other clients.
Address this type of attack by using the POST method instead of GET, and an SSL transport mechanism.
Secure Data in Cookies
Cookies are bits of information stored by servers on client machines, to be used later in session recovery. In this type of attack, clients explore and modify the info in a stored cookie; for example, a user may respond to the server with an arbitrarily forged cookie.
The target of this attack is servers.
To address this type of attack, never place sensitive information in cookies.
Before putting your trust in a platform, you have to be aware of its vulnerabilities. For example, a well-known problem of Tomcat is that this container offers access to the JSP source by requesting the page as in the following example:
where %25 is a URL encoded % and 70 is the hexadecimal value for p.
The target of this attack is both clients and servers.
To address this type of attack, be aware of container vulnerabilities, and employ vendor-specific security support that addresses the specified vulnerabilities.
SQL injection is a technique of replacing existing SQL queries with malicious SQL queries. Using various special characters, an attacker can access databases without following the correct route. Obviously, no site wants to reveal database content to users who are not authorized to see that kind of information.
The attack target in this case is servers and server databases.
Suppose a JSP file contains a SQL query like this:
SELECT * FROM users WHERE username='mike' AND pass='abcde'
The query is implemented like this:
String sql = "SELECT * FROM users WHERE username='" + form_user_field + "' AND pass='" + form_pass_field + "'";
If the client inserts the following in a login form:
'' OR 1=1 -- as user (form_user_field) and anything as password (form_pass_field), then the SQL variable becomes the following:
String sql = "SELECT * FROM users WHERE username='' OR 1=1 –- AND pass='anything'";
In MySQL, this query will return all rows of the users table, because the double hyphen (--) marks the rest of the query as a comment, which will be ignored by the MySQL server.
To address this type of attack, use the following techniques:
- Don't place SQL queries in JSP files.
- Write powerful filters for data.
- Use simple quotes (apostrophes) to put data in databases.
- Use an escape function.