SCABBA Vulnerabilities & Solution Approach

SCABBA Vulnerabilities & Solution Approach

1.    Persistent Cross-Site Scripting

2.    SQL injection

3.    Privilege Escalation - Application Design Error (One)

4.    Privilege Escalation - Application Design Error (Two)

5.    Cross site request forgery

Persistent Cross-Site Scripting

Category - Input Validation:

The input should never be trusted, so we have implemented strong and positive validation on the server side in order to ensure that the received information accomplishes what the application is expecting.

Approach followed:

Validating user input on server side we have implemented three centralized methods, which is ensure all received information from the user. In our application we have been using two kinds of input getaway.

One is Input Text Box and Text Area.

Other one is Input Html Editor.

Recommendations: In both cases you need to avoid blacklisting instead of whitelisting, because an attacker could send strings in a different encoding and reach a successful attack.

You could implement something like the code below:

String validCharacters = "ABC123";  

Pattern pattern = Pattern.compile(validCharacters);  

String Fname = request.getParameter("fname"); 

Matcher matcher = pattern.matcher(Fname);

boolean matchFound = matcher.matches();

if (matchFound){

    //Actions to perform

    }

For isNameStringValid(String name) you are not validating any possible XSS, the strings "<script>" and "</script>" are not interpreted as XSS because the browser will parse them as html entities (text) and they are not part of the html code.

isValidHtmlDesc(String htmlDesc)	This method is ensuring, all input Html Editor should not allow any script tags. Example -- <script>alert(9)</script>
isNameStringValid(String name)	Every input from user is going through this method, which is responsible to check a valid whitelisted characters. Example -- dash - , parenthesis ( )

 public static boolean isNameStringValid(String name)

    {

        boolean valid = true;

        if (!isEmpty(name))

        {

            String[] invalidCharacters = { "[", "]", "{", "}", "_", "@", "~", "\\", "|", "<", ">" };

            for (int i = 0; i < invalidCharacters.length; i++)

            {

                if (name.trim().contains(invalidCharacters[i]))

                {

                    valid = false;

                    break;

                }

            }

        }

        else

        {

            valid = false;

        }

        return valid;

    }

public static boolean isValidHtmlDesc(String htmlDesc)

    {

        boolean validDesc = true;

        if (!isEmpty(htmlDesc))

        {

            if (htmlDesc.toLowerCase().trim().contains("&lt;script&gt;")

                    && htmlDesc.toLowerCase().trim().contains("&lt;/script&gt;"))

            {

                validDesc = false;

            }

        }

        return validDesc;

    }

SQL injection

Category: Input Validation

SQL injection attack consists on the insertion of SQL statement via input data from user to the application.

Approach followed:

We have used Prepared Statement objects in order to avoid the risk of this type of attacks.

Hibernate parameter binding works like prepared statements.

Recomantations: It is OK. There are better practices to implement Hibernate, but it is useful to avoid SQL injection.

Prepared Statements

Query q = session.createQuery("from BoeTable boeTable where boeTable.name =:name"); q.setString(name, "Izi"); Iterator listOfNames = q.iterate();

public List<BoeQstn> getAllQstnSeqId(BoeJobAnlysTmplt myTemId)     {         List<BoeQstn> listOfQstnSeqId = new ArrayList<BoeQstn>();         Session session = null;         try         {             session = createHibernateSession();             Query query = session                     .createQuery("from BoeJaTmpltQstn boeJaTmpltQstn  where boeJaTmpltQstn.boeJobAnlysTmplt =:id");             query.setParameter("id", myTemId);             listOfQstnSeqId = query.list();         }         catch (Exception e)         {             e.printStackTrace();         }         finally         {             if (session != null)                 session.close();         }         return listOfQstnSeqId;     }

Privilege Escalation - Application Design Error (One)

Category: Access Control

Steps to Reproduce Exploit and Tested in Dev:

1.       UserA Login to the Application as a “Process Admin”

2.       UserB Login to the Application as another “Process Admin”

3.       UserA was login as “Process Admin ” and doing their work in the application.

4.       Just meanwhile, UserB Remove the “Process Admin” role from one of the UserA

5.       After successful remove Privilege as  “Process Admin” from Manage Role for UserA.

6.       Then UserA raise an event or Click on any Page or Tab which has only available for “Process Admin” role and UserA has now not a “Process Admin”.

7.       Next he will be redirect to Login Page automatically.

8.        After next login of UserA he will found there is no “Process Admin” Role for him.

Recommendations: I don’t have all the necessary information but if you are not  implementing a framework that supports roles, as you say you can use a session parameter that includes the user role  and read it every time a new action is done, CRUD any information. But you need to be careful if the role of a user is changed during an open session, because normally the parameters of a userBean such as role are set on login, so the role needs to be read from the database again to avoid a privilege escalation.

Approach followed:

We have been adopting above functionality for other roles, the below is the piece of code which has been implemented for other roles also.

public void redirectToJATemplatePage() throws IOException {       if (loginService.checkAdminAvail(boePrsnMstr.getPrtySeqId()))         {              .. .. ..             //A valid process admin              .. .. ..         } else         {            //invalid process admin so logout form the application             loginMB.logout();         }  }

 

Privilege Escalation - Application Design Error (Two)

Category: Access Control

Steps to Reproduce Exploit:

1.       UserA Login to the application as PEL role.

2.       Then click one Proposal PID, it will forward to proposal general.

3.      All buttons are enable for this PEL role,

4.       Now UserA copy the URL of proposal general page.

5.       Then change his role to BOE author.

6.       Pest that copied URL in the address bar and viewing that Buttons are still enable though he is not a authorized role to view enable buttons for Proposal General page, but after clicking any button it will not allow the BOE Author to make any action.

Recommendations:  The same recommendation as above.

Approach followed:

isVelidUserForThisPage(userRole)

We are going to implement a new method, which is ensure, only valid user can able to view the page and page must behave according to the users role. This method takes a “userRole” parameter which will come from session.

public boolean isVelidUserForThisPage(BoeUserRole boeUserRole)     {         boolean status = false;         if (checkVelidRole(boeUserRole))         {             status = true;         }         return status;     }

Cross site request forgery

Category: Input Validation.

Approach followed:

Using a difficult token which is travel with request in addition to session id, after first time user login to the application , collect the session id and until log out that session id and token must flow with the request and event raised by the user.

Recommendations:  It is good to use tokens in every action don by the application, with this I mean that the token has to be included on every form that is sent to the server, so if the token is not valid the action is not taken.  It is better to create a different token from every time a new form is displayed so the attacker cannot include this token in his attack.

public class Global     {         public static int myTokenSession;         public static int getMyTokenSession()         {             return myTokenSession;         }         public static void setMyTokenSession(int myTokenSession)         {             Global.myTokenSession = myTokenSession;         }     }

 

Global global = new Global(); global.setMyTokenSession(“15484154aws8654186sasd548”);

 

1.       Create a Random Method which reatrn a 16 Deisigt Number In BoeUtil.java File

2.       Then First time when user login to Application and going to set user and role in session at that time call the Random Method and Session.setAttribute(7847984849879,“tokenKey”);

3.       And send that token key to URL and append with a tokenKey means we r now in legal.jsp page wiht  tokenKey=xxx1

4.       Then i click on Approve Button.

5.       Redirect to Welcome Page Now again Random Method Call and set again to Session.setAttribute(1245874849494794,“tokenKey”);

6.       And append it with URL