Risk Name | Risk Description | Prevention |
SQL Injection | Input some sql statement in html form's text field (For example, search condition), which may cause additional harmful SQL (Eg. delete) to be executed when server executes the search sql and comprosing data safety. | Use preparedStatement with parameters instead of dire string concatiation to form a SQL statement. |
JS Injection | Input some javascript in html form's text field. On submission, the javascript will be saved, without proper escaping, the next time the field value is displayed, the script can be automatically executed | Use jstl tag <c:out ...> to display which performs proper xml escaping on displaying Also on form submission, a Filter can be implemented to scan all request parameters and leverage apache commons' StringEscapeUtils.escapeXml to to perform proper escaping |
Session hijacking | Steal customer's jsessionId cookie to simulate a logged on user. Then the attacker can gain access to user's sensitive or even modify user's data. Eg. As an example, an attacker may post a message on www.example.com with the following link: Cross-site scripting: a cookie that should be only exchanged between a server and a client is sent to another party. When another user clicks on this link, the browser executes the piece of code within the onclick attribute, thus replacing the string document.cookie with the list of cookies that are accessible from the current page. As a result, this list of cookies is sent to the attacker.com server. If the attacker's malicious posting is on an HTTPS website https://www.example.com, secure cookies will also be sent to attacker.com in plain text. | SessionFixationProtection: Eg: Spring security can use the following configuration <security:session-management session-fixation-protection="migrateSession" /> This virtually creates a new session on user login and copy all attributes to the new session. Do not use url rewritting to track session: Before tomcat 7. server.xml: <Context path="xxx" docBase="xxx" disableURLRewriting="true"> After tomcat 7: this is part of the servlet 3's standard feature. In web.xml: <session-config> |
XSS Attack | XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. | Use a XSSFilter that use regular expression pattern matching to strip potential XSS chars xss.filter.rule.script_fragments=(?i)<script>(.*?)</script> |
Replay Attack | Intercept user's request and send the same request again. Data encryption cannot prevent such attack and user's data may be comproised. Eg. Deduct from bank account twice | CSRF Token
|
Data integrity tampering | One possible form of man-in-the-middle attack. Attacker can assume the identity of the user and send some malicous information to server, or intercept the user's request and modify some key information. | Digital signature Client and server use a shared secret with private/public key pair. Before sending a request to server, client computes a hash of the critical information and encrypt it with its private key as a digital signature. Once the server received the request it will decrpt the information using the client's public key, then compute a hash of the crital information again. If the decryption is successful and the hash matches. It can be assured that the integreity and authenticity of the critial information |
Other things to notice:
Always use POST/PUT for data submission
Always force HTTPS for sensitive data communication with server:
In Spring security configuration: <security:intercept-url pattern="xxxx" requires-channel="https"></security:intercept-url> and define port mapping as <security:port-mappings><security:port-mapping http="80" https="443" /></security:http> The server will send a redirect response automatically to HTTPS
Always send cookie via HTTPS channel:
For cookies that contain sensitive information, always set the attribute "secure" as "true". In web.xml for servlet 3:
<session-config><cookie-config><secure>true</secure></cookie-config></session-config>
Prevent Javascript from manipulating cookie:
For cookies that contain sensitive information, always set the attribute "httponly" as "true". In web.xml for servlet 3:
<session-config><cookie-config
><http-only>true</http-only>
</cookie-config></session-config>
In tomcat's server.xml: <Context path="xxx" docBase="xxx" useHttpOnly="true">
转载于:https://blog.51cto.com/shadowisper/1901722