Password change without identity check
Need
Enforce identity verification for password changes
Context
- Usage of Java for building robust and scalable applications
- Usage of javax.servlet for building Java web applications with Servlet technology
- Usage of javax.servlet.http for handling HTTP requests and responses in Java Servlets
Description
Non compliant code
import javax.servlet.*;
import javax.servlet.http.*;
public class ChangePasswordServlet extends HttpServlet {
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String newPassword = request.getParameter("newPassword");
User user = (User) request.getSession().getAttribute("user");
if (newPassword != null && !newPassword.isEmpty()) {
user.setPassword(newPassword);
}
}
}
The above code is a simple servlet that handles password changes for a user. The servlet retrieves the new password from the request parameters and the user object from the session. Then, it checks if the new password is not null and not empty, and if so, it sets the new password to the user.
This servlet is vulnerable because it doesn't validate the identity of the user who is trying to change the password. It simply assumes that the user is already authenticated and authorized to change the password because the user object is stored in the session.
However, an attacker could potentially hijack the user's session and change the password without the user's knowledge. The system should enforce an additional identity verification mechanism, such as requesting the old password or a two-factor authentication, before changing the password.
Steps
- Implement a proper identity verification mechanism before allowing password change.
- Require the user to provide their current password as part of the password change process.
- Use strong password policies to ensure the new password meets certain complexity requirements.
- Consider implementing multi-factor authentication to provide an additional layer of security.
- Encrypt and securely store user passwords in the database to protect against unauthorized access.
Compliant code
import javax.servlet.*;
import javax.servlet.http.*;
public class ChangePasswordServlet extends HttpServlet {
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String currentPassword = request.getParameter("currentPassword");
String newPassword = request.getParameter("newPassword");
User user = (User) request.getSession().getAttribute("user");
if (newPassword != null && !newPassword.isEmpty() && currentPassword != null && !currentPassword.isEmpty()) {
if(user.getPassword().equals(currentPassword)) {
// Add password complexity check here
user.setPassword(newPassword);
} else {
// Handle invalid current password
}
} else {
// Handle missing parameters
}
}
}
The updated code now requires the user to provide their current password as part of the password change process. This is done by getting the current password from the request parameters and checking it against the stored password for the user. If the current password is correct, the password is updated to the new password. If the current password is incorrect or if any of the parameters are missing, appropriate error handling should be implemented.
In addition, a placeholder for password complexity check is added. This is where you can implement your own password complexity requirements, such as minimum length, requiring a mix of uppercase and lowercase letters, numbers, and special characters.
This code does not include multi-factor authentication or password encryption, which are recommended for additional security. Multi-factor authentication would require additional infrastructure and user interaction, while password encryption would require changes to how passwords are stored and verified.
Remember to never store passwords in plain text in your database. Always use a secure method of storing passwords, such as hashing and salting, to protect against unauthorized access.