
Business information leak - Token

Need

Protection of user's sensitive information in session tokens

Context

  • Usage of Java 8 for developing applications with enhanced features and performance improvements
  • Usage of javax.servlet-api for building Java web applications with servlets

Description

Non compliant code

import javax.servlet.http.HttpSession;

public class UserController {

    // Assumed collaborator: the page does not define UserService or User
    private final UserService userService;

    public UserController(UserService userService) {
        this.userService = userService;
    }

    public void login(String email, String password, HttpSession session) {
        User user = userService.authenticate(email, password);
        if (user != null) {
            session.setAttribute("user", user);
            // The "token" is a cleartext concatenation of personal data
            session.setAttribute("token", user.getEmail() + ":" + user.getFullName());
        }
    }

    public User getUserFromSession(HttpSession session) {
        return (User) session.getAttribute("user");
    }
}

The code above is a simplified user authentication flow in a Java backend built on javax.servlet.http.HttpSession.

The login method receives an email and password and validates them with a hypothetical userService.authenticate method. When authentication succeeds, the User object is stored in the session and a "token" is built by concatenating the user's email address and full name; that token is stored in the session as well.

The getUserFromSession method returns the User object kept in the session.

The weakness is in how the token is built. It is the user's email address and full name in cleartext, so the token is itself a copy of personal data. Wherever that value leaves the server (a cookie or response body, a URL, a log line, a shared session store) it discloses the user's identity to whoever can read it, which is a business information leak. Because it is derived from user attributes rather than from randomness, it is also reproducible by anyone who knows a user's email and name. A session token should be an opaque handle that reveals nothing about its owner.

Steps

  • Do not include sensitive information (email, name, identifiers that map to a person) in the session token
  • Keep sensitive information server-side, for example in a database or in the server-side session, and never in a value handed to the client
  • Use a random, unique identifier as the session token instead of user-specific data
  • If a token must carry state, encrypt and authenticate it; never embed cleartext personal data
  • Implement proper access controls so that only the authenticated session can reach its own data

Compliant code

import javax.servlet.http.HttpSession;
import java.util.UUID;

public class UserController {

    // Assumed collaborator: the page does not define UserService or User
    private final UserService userService;

    public UserController(UserService userService) {
        this.userService = userService;
    }

    public void login(String email, String password, HttpSession session) {
        User user = userService.authenticate(email, password);
        if (user != null) {
            session.setAttribute("user", user);
            // Opaque random token: carries no information about the user
            String token = UUID.randomUUID().toString();
            session.setAttribute("token", token);
        }
    }

    public User getUserFromSession(HttpSession session) {
        return (User) session.getAttribute("user");
    }
}

The updated code generates the session token with UUID.randomUUID().toString() instead of building it from user attributes. No personal data is embedded in the token, so exposing the token no longer exposes the user.

UUID.randomUUID() returns a version 4 UUID: 122 of its 128 bits come from a cryptographically strong pseudo-random number generator (SecureRandom). The value is therefore not only practically unique but also unguessable, which is what a session token needs.

The line session.setAttribute("token", token); stores the new UUID in the session. As written, the token is only stored; any endpoint that later receives it back from the client must compare it with this stored value, and the comparison is the only link between the token and the user.

The getUserFromSession(HttpSession session) method is unchanged. The User object, which does contain email and name, stays in the server-side session store and is never serialized into the token or sent to the client.

Please note that this code assumes the existence of a userService object and a User class, which are not defined in the provided code. The User class should be designed to securely store user information, and the userService.authenticate(email, password) method should be implemented to securely authenticate users.

This code does not include encryption of the session token or implementation of access controls, as these would depend on the specific requirements and infrastructure of your application. However, these are important considerations for further enhancing the security of your application.
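As an added example that is not part of the original page, the following stand-alone Java 8 program puts the leaky token next to an opaque one and adds two checks a practitioner would want: a heuristic that flags a token value which carries an email address (as-is or after Base64 decoding), and a server-side token store that keeps only the SHA-256 of each issued token, so a dump of the store yields neither live tokens nor personal data. The User class, the in-memory store and the sample user are assumptions for the demo and are not from the page.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class OpaqueTokenDemo {

    // Assumed stand-in for the page's User class (its real shape is not shown).
    static final class User {
        final long id;
        final String email;
        final String fullName;
        User(long id, String email, String fullName) {
            this.id = id; this.email = email; this.fullName = fullName;
        }
    }

    private static final SecureRandom RNG = new SecureRandom();
    private static final Pattern EMAIL = Pattern.compile("[^\\s:@]+@[^\\s:@]+\\.[A-Za-z]{2,}");

    // Assumed server-side store: SHA-256(token) -> user id. Cleartext tokens are never kept.
    private static final Map<String, Long> TOKEN_STORE = new HashMap<>();

    // The anti-pattern from the non-compliant code: the token is a cleartext copy of personal data.
    static String leakyToken(User u) {
        return u.email + ":" + u.fullName;
    }

    // 256 bits from SecureRandom, URL-safe Base64 without padding. The value has no meaning;
    // the only link to the user is the hashed entry in the server-side store.
    static String issueOpaqueToken(User u) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        TOKEN_STORE.put(sha256Hex(token), u.id);
        return token;
    }

    // Resolve a presented token to a user id, or null if it is unknown or tampered with.
    static Long resolve(String token) {
        return TOKEN_STORE.get(sha256Hex(token));
    }

    // Review heuristic: does the token, as-is or after Base64 decoding, contain an email address?
    // Random bytes can in rare cases decode to something that matches, so treat a hit as a flag
    // to inspect, not as proof.
    static boolean revealsPersonalData(String token) {
        if (EMAIL.matcher(token).find()) {
            return true;
        }
        try {
            String decoded = new String(Base64.getUrlDecoder().decode(token), StandardCharsets.UTF_8);
            return EMAIL.matcher(decoded).find();
        } catch (IllegalArgumentException notBase64) {
            return false;
        }
    }

    private static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(d.length * 2);
            for (byte b : d) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample user, not real data.
        User alice = new User(42L, "alice@example.com", "Alice Example");

        String leaky = leakyToken(alice);
        String opaque = issueOpaqueToken(alice);

        System.out.println("leaky token  : " + leaky + "  reveals PII: " + revealsPersonalData(leaky));
        System.out.println("opaque token : " + opaque + "  reveals PII: " + revealsPersonalData(opaque));
        System.out.println("resolve(opaque)   = " + resolve(opaque));
        System.out.println("resolve(tampered) = " + resolve(opaque.substring(1)));
    }
}
```

Compile and run with javac OpaqueTokenDemo.java && java OpaqueTokenDemo. The leaky token is flagged immediately because the email address is visible in it; the opaque token is not flagged, resolves to the user id 42 through the hashed store, and any altered copy of it resolves to null.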
