
CRV2 FrameworkSpecIssuesJava


Secure configurations in Web.xml

The web.xml file is the main deployment descriptor of a Java web application and holds most of its security-relevant configuration. The following section is based on the article by Frank Kim (2010), which describes the configuration necessary to protect Java web applications.

Configure Custom Error pages

All errors generated by the application (404, 500, etc.) must be handled by redirecting the user to a proper error page instead of letting the user see the raw error output of the application. Such output can serve as a starting point for an attacker to reverse engineer the application and craft a specific attack from that information.

  <!-- Serve a static page when the container returns this status code;
       add one <error-page> element per status code to be handled. -->
  <error-page>
    <error-code>505</error-code>
    <location>/error/error.html</location>
  </error-page>

Protect data in transit

In order to secure sensitive data, it is essential to protect the communication channel and the session using SSL. Configuring SSL on the server does not mean that it is automatically enforced for the web application the developer is trying to secure. For this purpose, it is essential to add the following configuration to the web.xml file (Kim, 2010):

  <security-constraint>
  ...
    <!-- Require an SSL connection for every request matched by this constraint -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

Configuring proper Authentication and Authorization to directories

Failure to configure proper authentication and authorization for directories will allow anonymous users to see unprotected files of the web application. Therefore, always set up proper access controls in the following sections. The following code, for example, makes sure that the 'accountant' role is the only one able to access the 'accounting' directory:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>accounting</web-resource-name>
      <!-- Every URL below /accounting/ is covered by this constraint -->
      <url-pattern>/accounting/*</url-pattern>
      …
    </web-resource-collection>
    <!-- Only authenticated users holding this role may access the resources -->
    <auth-constraint>
      <role-name>accountant</role-name>
    </auth-constraint>
  </security-constraint>

Configure http methods

Allow only the HTTP methods the application actually needs, typically GET and POST. Note that when <http-method> elements are listed in a security constraint, the constraint applies only to the listed methods; any method that is not explicitly listed is allowed by default, which lets an attacker bypass the web.xml configuration by using an unlisted method. Removing the <http-method> elements from the web.xml makes the constraint apply to all methods and offers the proper protection.

Use Secure Flag

Make sure that the session cookie is created with the secure flag; otherwise the session cookie is exposed to hijacking.

  <session-config>
    <cookie-config>
      <!-- The session cookie is only sent over SSL connections -->
      <secure>true</secure>
    </cookie-config>
  </session-config>

Setting a time out session

An undefined session timeout allows attackers to execute CSRF attacks and to hijack the session. Make sure that the <session-timeout> property is set to a time (in minutes).
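As an added example (not part of the original article or of Kim's), the following Python script audits a web.xml for the misconfigurations covered in the sections above: <http-method> elements listed in a security constraint, a missing CONFIDENTIAL transport guarantee, a missing secure cookie flag, a missing session timeout and no error pages. The sample descriptor is constructed for illustration and the finding messages are our own.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from any real project). It shows
# two weaknesses from the text: <http-method> listed in a constraint,
# and a cookie-config without the <secure> flag.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>accounting</web-resource-name>
      <url-pattern>/accounting/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>accountant</role-name></auth-constraint>
  </security-constraint>
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config><http-only>true</http-only></cookie-config>
  </session-config>
</web-app>
"""

def _find(parent, name):
    """Descendants with local tag `name`, ignoring the web-app namespace."""
    return [e for e in parent.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _text(elem):
    return (elem.text or "").strip()

def audit_web_xml(xml_text):
    """Return one finding string per misconfiguration described above."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in _find(root, "security-constraint"):
        names = _find(sc, "web-resource-name")
        name = _text(names[0]) if names else "<unnamed>"
        # Listing methods protects only those methods; unlisted ones bypass it.
        if _find(sc, "http-method"):
            findings.append(f"{name}: <http-method> listed, unlisted methods bypass the constraint")
        if not any(_text(e) == "CONFIDENTIAL" for e in _find(sc, "transport-guarantee")):
            findings.append(f"{name}: no CONFIDENTIAL <transport-guarantee> (SSL not enforced)")
    if not any(_text(e) == "true" for e in _find(root, "secure")):
        findings.append("session cookie: <secure>true</secure> missing")
    if not _find(root, "session-timeout"):
        findings.append("session: <session-timeout> missing")
    if not _find(root, "error-page"):
        findings.append("errors: no <error-page> configured")
    return findings
```

Running `audit_web_xml(SAMPLE_WEB_XML)` reports four findings for the sample; a descriptor that applies every section above yields an empty list.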

References

Frank Kim, 2010, "Seven Security (Mis)Configurations in Java web.xml Files", available at http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files/ accessed on 4th October 2013