This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "CRV2 FrameworkSpecIssuesJava"

(Created page with "=Proper secure configuration of Web.xml= The Web.xml file is the main configuration document responsible for secure configurations in Java Applications. The following section...")

Revision as of 13:15, 4 October 2013

Secure configuration in web.xml

The web.xml file (the deployment descriptor) is the main configuration document of a Java web application, and much of the application's security posture is set there. The following sections are based on the article by Frank Kim (2010), which describes the configuration needed to protect such applications.

Configure custom error pages

All errors generated by the application (404, 500, uncaught exceptions, etc.) must be mapped to a custom error page rather than letting the user see the container's default error output. Default error pages frequently leak stack traces, class names and the server version, which give an attacker a starting point to reverse engineer the application and craft a targeted attack. Map each error code of interest with an <error-page> element; an <error-page> with an <exception-type> of java.lang.Throwable acts as the catch-all for unexpected exceptions.

<error-page>
<error-code>500</error-code>
<location>/error/error.html</location>
</error-page>

Protect data in transit

To protect sensitive data, the communication channel and the session that rides on it must be secured with SSL/TLS. Enabling HTTPS on the server does not by itself stop the application from also being served over plain HTTP; the container has to be told that the application's URLs require a confidential transport. This is done in web.xml with a <user-data-constraint> (Kim, 2010). With <transport-guarantee>CONFIDENTIAL</transport-guarantee>, a compliant container refuses or redirects plain-HTTP requests for the URLs matched by the constraint:

<security-constraint>
...
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Configure proper authentication and authorization for directories

Failure to configure authentication and authorization for directories lets anonymous users read any file of the web application that is not explicitly protected. Always set proper access controls in the <security-constraint> section: the <web-resource-collection> names the URLs, and the <auth-constraint> names the roles allowed to reach them (a constraint with no <auth-constraint> at all places no authorization requirement on the collection). The following example ensures that only users in the "accountant" role can access the "accounting" directory; the role itself must also be declared in a <security-role> element and a <login-config> must be present for the container to authenticate users.

<security-constraint>
<web-resource-collection>
<web-resource-name>accounting</web-resource-name>
<url-pattern>/accounting/*</url-pattern>
…
</web-resource-collection>
<auth-constraint>
<role-name>accountant</role-name>
</auth-constraint>
</security-constraint>

Configure HTTP methods

Allow only the HTTP methods the application actually needs, typically GET and POST. Listing <http-method> elements inside a <web-resource-collection> has a counterintuitive effect, though: the constraint then applies only to the listed methods, and every method not listed (HEAD, PUT, DELETE, OPTIONS, TRACE, ...) is left unconstrained. An attacker can bypass the authorization rule simply by sending the same request with a different verb; HEAD is the usual choice, since HttpServlet routes it through the same code as GET. The safe configuration is to omit <http-method> elements altogether so that the constraint covers all methods. Servlet 3.1 containers additionally accept a top-level <deny-uncovered-http-methods/> element, which rejects any method not covered by a constraint.

Use the Secure flag

Make sure the session cookie is created with the Secure flag; otherwise the browser will also send it over plain HTTP, exposing it to interception and session hijacking. Since Servlet 3.0 this can be set declaratively in web.xml:

<session-config>
<cookie-config>
<secure>true</secure>
</cookie-config>
</session-config>

Set a session timeout

A session that never expires gives an attacker who obtains a session identifier (by sniffing, XSS or an unattended workstation) an unlimited window in which to use it, and it keeps users logged in for so long that CSRF attacks against them have a far larger window of opportunity. Make sure the <session-timeout> property in <session-config> is set to a short period (in minutes); in the Servlet specification a value of zero or less means the session never times out.
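As an added example (not code from the OWASP page or from Kim's article), the following Python script audits a web.xml for each of the issues described in the sections above: missing custom error pages, a transport guarantee other than CONFIDENTIAL, a collection without an <auth-constraint>, <http-method> lists that leave other verbs uncovered, a session cookie without the Secure flag, and a missing or never-expiring <session-timeout>. It goes slightly beyond the page in also checking the HttpOnly flag (<http-only>, Servlet 3.0) and honouring <deny-uncovered-http-methods/> (Servlet 3.1). Both web.xml documents embedded in it are constructed for this example, one with every weakness and one with each corrected; the finding codes and the audit_web_xml function name are this example's own.

```python
"""Audit a Java web.xml for the misconfigurations discussed above.

Added example, not part of the OWASP page or of Kim's article.
"""
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): a descriptor with every weakness above.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>accounting</web-resource-name>
      <url-pattern>/accounting/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>accountant</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <session-config>
    <cookie-config><secure>false</secure></cookie-config>
  </session-config>
</web-app>"""

# The same descriptor with each finding corrected (also constructed).
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <error-page><error-code>404</error-code><location>/error/error.html</location></error-page>
  <error-page><error-code>500</error-code><location>/error/error.html</location></error-page>
  <error-page><exception-type>java.lang.Throwable</exception-type><location>/error/error.html</location></error-page>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>accounting</web-resource-name>
      <url-pattern>/accounting/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>accountant</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <session-config>
    <session-timeout>15</session-timeout>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
  </session-config>
</web-app>"""


def _strip_namespaces(root):
    """Drop the Java EE namespace so tags can be matched by local name."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def audit_web_xml(xml_text):
    """Return a list of (code, message) findings; empty when every check passes."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    findings = []

    # Custom error pages: expect handlers for 404 and 500 plus a catch-all exception page.
    codes = {e.findtext("error-code") for e in root.findall("error-page")}
    types = {e.findtext("exception-type") for e in root.findall("error-page")}
    for code in ("404", "500"):
        if code not in codes:
            findings.append((f"ERROR_PAGE_{code}", f"no <error-page> for HTTP {code}"))
    if "java.lang.Throwable" not in types:
        findings.append(("ERROR_PAGE_THROWABLE", "no catch-all <error-page> for java.lang.Throwable"))

    deny_uncovered = root.find("deny-uncovered-http-methods") is not None
    for sc in root.findall("security-constraint"):
        wrc = sc.find("web-resource-collection")
        name = wrc.findtext("web-resource-name", default="?") if wrc is not None else "?"
        # Transport guarantee: anything but CONFIDENTIAL lets the URLs be served over plain HTTP.
        guarantee = sc.findtext("user-data-constraint/transport-guarantee")
        if guarantee != "CONFIDENTIAL":
            findings.append(("TRANSPORT", f"constraint '{name}': transport-guarantee is {guarantee or 'absent'}"))
        # Authorization: without <auth-constraint> the collection is open to anonymous users.
        if sc.find("auth-constraint") is None:
            findings.append(("NO_AUTH_CONSTRAINT", f"constraint '{name}': no <auth-constraint>"))
        # HTTP methods: listing verbs constrains ONLY those verbs; the rest stay uncovered
        # unless the Servlet 3.1 <deny-uncovered-http-methods/> element is present.
        listed = [m.text for m in wrc.findall("http-method")] if wrc is not None else []
        if listed and not deny_uncovered:
            findings.append(("HTTP_METHODS", f"constraint '{name}': only {listed} constrained, other verbs uncovered"))

    # Session cookie flags (Servlet 3.0 <cookie-config>).
    if root.findtext("session-config/cookie-config/secure") != "true":
        findings.append(("COOKIE_SECURE", "session cookie not marked Secure"))
    if root.findtext("session-config/cookie-config/http-only") != "true":
        findings.append(("COOKIE_HTTPONLY", "session cookie not marked HttpOnly"))

    # Session timeout: absent falls back to the container default; 0 or negative never expires.
    timeout = root.findtext("session-config/session-timeout")
    if timeout is None:
        findings.append(("SESSION_TIMEOUT", "no <session-timeout>; container default applies"))
    elif int(timeout) <= 0:
        findings.append(("SESSION_TIMEOUT", f"session-timeout {timeout} means sessions never expire"))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        results = audit_web_xml(doc)
        print(f"{label}: {len(results)} finding(s)")
        for code, msg in results:
            print(f"  {code}: {msg}")
```

Run it against a real descriptor by reading the file into audit_web_xml; the weak sample produces eight findings and the hardened one none. The HTTP_METHODS check is the one most often missed in review: the presence of an <http-method> list is itself the finding, because it narrows the constraint rather than restricting the application.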

References

Frank Kim, 2010, "Seven Security (Mis)Configurations in Java web.xml Files", SANS Software Security blog, available at http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files/ (accessed 4 October 2013).