Sensitive information sent via URL parameters - Session
Need
Secure transmission of sensitive information in session tokens
Context
- Usage of Java 8 for developing applications with enhanced features and performance
- Usage of javax.servlet-api for building Java web applications with servlets
Description
Non compliant code
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
public class SessionServlet extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
String token = request.getParameter("token");
// do something with the token
}
}
The above code represents a Servlet that handles GET requests. In the doGet method, it extracts a parameter named "token" from the request URL. This token is assumed to be a JWT session token.
The vulnerability lies in the line where we extract the token from the URL:
String token = request.getParameter("token");
This is a security vulnerability because it exposes sensitive information, the JWT session token, in the URL. URLs are logged in various places such as browser history, web server logs, and network equipment. If an attacker gains access to any of these logs, they can extract the token and potentially use it to impersonate a user's session.
In addition, URLs can be leaked through the Referer header when the user clicks on a link to another site from the page that contains the sensitive information. This could allow an external site to gain access to the token.
Finally, URLs are displayed in the browser address bar and can be seen or captured by shoulder surfing, further increasing the exposure of the token.
Therefore, sending sensitive information such as session tokens via URL parameters is not a secure practice and should be avoided.
Steps
- Remove the sensitive information from the URL parameters.
- Use a more secure method to transmit the session token, such as using HTTP headers or request body.
- Implement secure session management techniques, such as using secure cookies or session tokens with short expiration times.
- Encrypt the session token to protect it from being easily intercepted or tampered with.
- Implement secure coding practices to prevent other vulnerabilities that could compromise the session token, such as input validation and output encoding.
Compliant code
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
public class SessionServlet extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
String token = request.getHeader("Authorization");
// do something with the token
}
}
The above code fixes the vulnerability by changing the method of transmitting the session token from URL parameters to HTTP headers. This is done in the following way:
-
Change the HTTP method from GET to POST: The
doGetmethod is changed todoPost. This is because sensitive data should not be sent in the URL, as it can be cached in the browsing history. POST requests do not have this issue as they send data in the request body. -
Retrieve the token from the Authorization header: Instead of getting the token from the URL parameters with
request.getParameter("token"), the token is now retrieved from the Authorization header withrequest.getHeader("Authorization"). This is a more secure way of transmitting the token as it is not exposed in the URL.
Remember, this is just one part of securing the session token. Other techniques should also be implemented, such as using secure cookies or session tokens with short expiration times, encrypting the session token, and implementing secure coding practices like input validation and output encoding.