
Metadata with sensitive information

Need

Protection of sensitive information in metadata files

Context

  • Usage of Java 8 for developing applications with enhanced features and performance
  • Usage of javax.servlet-api for developing Java web applications with Servlet technology

Description

Non compliant code

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Enumeration;

public class MetadataServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        Enumeration<String> headerNames = request.getHeaderNames();

        // Every request header, including credentials such as Cookie and Authorization,
        // is echoed back to the client unfiltered.
        while (headerNames.hasMoreElements()) {
            String headerName = headerNames.nextElement();
            response.getWriter().write("Header Name: " + headerName + ", Value: " + request.getHeader(headerName));
        }
    }
}

The above code is a simple example of a servlet that exposes sensitive information through public metadata files.

In this servlet, we have a doGet method that handles all GET requests. The method retrieves all the headers from the incoming HTTP request via request.getHeaderNames(). It then iterates over these headers and writes them directly to the HTTP response using response.getWriter().write().

The vulnerability lies in the fact that HTTP headers often contain sensitive information. For example, they may include cookies, authentication tokens, IP addresses, and other user-specific details. By writing all these headers directly to the HTTP response, the servlet is effectively exposing this sensitive information to anyone who can access the response.

This exposure could potentially be exploited by an attacker to gain unauthorized access to sensitive user data. For example, if the headers include a cookie with a session ID, an attacker could use this session ID to impersonate the user.

A secure alternative would be to filter out sensitive headers before writing them to the response, or not to include header information in the response at all.

Steps

  • Avoid exposing sensitive information through public metadata files.
  • Review the metadata files and remove any sensitive information.
  • Implement access controls to restrict access to sensitive metadata.
  • Use encryption or obfuscation techniques to protect sensitive metadata.
  • Regularly update and patch the system to address any known vulnerabilities.
  • Perform security testing and code reviews to identify and fix any potential vulnerabilities.
  • Follow secure coding practices and guidelines to prevent information exposure.

Compliant code

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Enumeration;

public class MetadataServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        Enumeration<String> headerNames = request.getHeaderNames();

        while (headerNames.hasMoreElements()) {
            String headerName = headerNames.nextElement();
            // Check if the header contains sensitive information
            if (!isSensitiveHeader(headerName)) {
                response.getWriter().write("Header Name: " + headerName + ", Value: " + request.getHeader(headerName));
            }
        }
    }

    // Method to check if a header is sensitive
    private boolean isSensitiveHeader(String headerName) {
        // List of sensitive headers
        String[] sensitiveHeaders = {"Authorization", "Cookie", "Set-Cookie"};

        // Header names are case-insensitive, so compare ignoring case
        for (String sensitiveHeader : sensitiveHeaders) {
            if (sensitiveHeader.equalsIgnoreCase(headerName)) {
                return true;
            }
        }

        return false;
    }
}

The original code was vulnerable because it exposed all the headers of the HTTP request, including potentially sensitive ones, to the client. This could lead to information exposure, which is a serious security risk.

The fixed code includes a method isSensitiveHeader that checks if a header is sensitive. This method contains a list of sensitive headers (like "Authorization", "Cookie", "Set-Cookie") and checks if the current header is in this list. If it is, the method returns true, indicating that the header is sensitive.

In the doGet method, before writing the header name and value to the response, we now check if the header is sensitive using the isSensitiveHeader method. If it is, we skip it and don't write it to the response.

This way, we avoid exposing sensitive information through public metadata files, addressing the vulnerability.
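The deny-list above only blocks the three headers it names. As an added example (not part of the original page or its code), the hypothetical helper below inverts the policy: it allow-lists the few headers that are safe to echo and redacts everything else, and it is a plain class that can be unit-tested without a servlet container. The header names and values in main are constructed placeholders.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/** Hypothetical helper: allow-lists the request headers a servlet may echo back. */
public final class HeaderEchoPolicy {

    // Headers that carry no credentials or client-identifying secrets.
    // Anything not listed here is treated as sensitive by default.
    private static final Set<String> SAFE_TO_ECHO = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
    static {
        SAFE_TO_ECHO.addAll(Arrays.asList("Accept", "Accept-Language", "Accept-Encoding", "User-Agent"));
    }

    private HeaderEchoPolicy() {}

    /** Returns a copy of the headers with every non-allow-listed value replaced by "[redacted]". */
    public static Map<String, String> redact(Map<String, String> headers) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : headers.entrySet()) {
            // TreeSet with CASE_INSENSITIVE_ORDER makes the lookup case-insensitive,
            // so "cookie" and "Cookie" are handled the same way.
            out.put(e.getKey(), SAFE_TO_ECHO.contains(e.getKey()) ? e.getValue() : "[redacted]");
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request headers; secret values are placeholders.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("User-Agent", "Mozilla/5.0");
        request.put("cookie", "JSESSIONID=PLACEHOLDER");   // lower-case on purpose
        request.put("Authorization", "Bearer PLACEHOLDER");
        request.put("X-Forwarded-For", "203.0.113.7");     // not in the page's deny-list, still redacted

        for (Map.Entry<String, String> e : redact(request).entrySet()) {
            System.out.println("Header Name: " + e.getKey() + ", Value: " + e.getValue());
        }
    }
}
```

In the servlet, the map passed to redact would be built from request.getHeaderNames() and request.getHeader(name) before anything is written to the response.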
