Business information leak - Corporate information

Need

Protection of sensitive corporate information from unauthorized access

Context

  • Usage of Java 1.8 for running Java applications
  • Usage of javax.servlet for building Java web applications with Servlet technology
  • Usage of java.io for input and output operations in Java
  • Usage of java.util for various utility classes and data structures in Java programming

Description

Non compliant code

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import java.util.*;

public class EmployeeServlet extends HttpServlet {

    // Minimal employee record. The original page does not show this class;
    // it is included here so the snippet compiles as written.
    private static class Employee {
        private final String name;
        private final String role;
        private final String email;

        Employee(String name, String role, String email) {
            this.name = name;
            this.role = role;
            this.email = email;
        }

        String getName() { return name; }
        String getRole() { return role; }
        String getEmail() { return email; }
    }

    private HashMap<String, Employee> employees;

    @Override
    public void init() {
        employees = new HashMap<>();
        employees.put("1", new Employee("John Doe", "Manager", "[email protected]"));
        employees.put("2", new Employee("Jane Smith", "Developer", "[email protected]"));
        //... More employees
    }

    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // No authentication or authorization check: whoever supplies an ID reaches the record.
        String id = request.getParameter("id");
        Employee employee = employees.get(id);

        // The whole record, including the email address, is written straight to the response.
        PrintWriter out = response.getWriter();
        out.println("Name: " + employee.getName());
        out.println("Role: " + employee.getRole());
        out.println("Email: " + employee.getEmail());
        //... More employee information
    }
}

This Java Servlet is designed to display information about a company's employees. It uses a HashMap to store employee data, with each employee represented as an Employee object. The Employee object contains sensitive information such as the employee's name, role, and email address.

The doGet method is where the vulnerability lies. This method retrieves an employee's ID from the request parameters and uses it to fetch the corresponding employee's information from the HashMap. It then writes this information to the response, effectively exposing it to anyone who can make a GET request to the servlet.

The problem is that there is no authentication or authorization check before the information is retrieved and sent. This means that anyone, including unauthorized users, can access this sensitive information simply by sending a GET request with a valid employee ID. This constitutes a business information leak, as it allows for unauthorized access to internal corporate information.

Steps

  • Implement access control mechanisms to restrict access to sensitive information.
  • Use authentication and authorization to ensure that only authorized users can access employee information.
  • Encrypt sensitive information, such as employee contact information, to protect it from unauthorized access.
  • Implement input validation to prevent malicious input, such as SQL injection or cross-site scripting attacks.
  • Regularly update and patch the software to fix any known vulnerabilities.
  • Implement logging and monitoring to detect and respond to any unauthorized access attempts or suspicious activities.
  • Train employees on security best practices to prevent accidental leakage of sensitive information.

Compliant code

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import java.util.*;

public class EmployeeServlet extends HttpServlet {

    // Minimal employee record. The original page does not show this class;
    // it is included here so the snippet compiles as written.
    private static class Employee {
        private final String name;
        private final String role;
        private final String email;

        Employee(String name, String role, String email) {
            this.name = name;
            this.role = role;
            this.email = email;
        }

        String getName() { return name; }
        String getRole() { return role; }
        String getEmail() { return email; }
    }

    private HashMap<String, Employee> employees;

    @Override
    public void init() {
        employees = new HashMap<>();
        employees.put("1", new Employee("John Doe", "Manager", "[email protected]"));
        employees.put("2", new Employee("Jane Smith", "Developer", "[email protected]"));
        //... More employees
    }

    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // Authentication: getSession(false) does not create a session, so an
        // anonymous caller gets null here and is sent to the login page.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("authenticatedUser") == null) {
            response.sendRedirect("login.jsp"); // Not logged in, redirect to login page.
            return;
        }

        // Input validation: reject malformed IDs before they reach the lookup.
        String id = request.getParameter("id");
        if (!isValidId(id)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid ID");
            return;
        }

        // Error handling: an unknown ID yields a controlled 404 instead of a NullPointerException.
        Employee employee = employees.get(id);
        if (employee == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND, "Employee not found");
            return;
        }

        PrintWriter out = response.getWriter();
        out.println("Name: " + employee.getName());
        out.println("Role: " + employee.getRole());
        // Email is sensitive information, do not disclose.
    }

    private boolean isValidId(String id) {
        // Accept only short, purely numeric identifiers; adapt the rule to your ID format.
        return id != null && id.length() <= 10 && id.matches("[0-9]+");
    }
}

The updated code includes several security measures to prevent unauthorized access to sensitive employee information.

  1. Authentication: The doGet method now checks if the user is logged in by checking the HTTP session. If the user is not logged in, they are redirected to the login page.

  2. Input Validation: The doGet method now validates the employee ID before trying to retrieve the employee information. This can help prevent attacks such as SQL injection.

  3. Access Control: The doGet method no longer discloses sensitive employee information such as email addresses. Only non-sensitive information like the employee's name and role is disclosed.

  4. Error Handling: The doGet method now sends an error response if the employee ID is invalid or if there is no employee with the given ID. This can help prevent information leakage through error messages.

Adapt the isValidId method so that it validates the employee ID according to your application's ID format. Also, ensure that the login mechanism sets the authenticatedUser attribute in the HTTP session after successful login.
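The compliant servlet authenticates the caller, but any signed-in user can still read any employee record by ID, and the Steps above ask for authorization and for logging of access attempts as well. The following servlet is an added example, not code from the original page: it keeps the page's session check and ID validation, adds a record-level rule (HR and managers may read any record, other employees only their own), a field-level rule (the email address goes only to HR or to the record's owner), and writes denied attempts to an audit logger. It assumes a hypothetical UserPrincipal object (username, role, own employee ID) stored by the login code under the page's authenticatedUser session attribute; the employee data and email addresses are constructed placeholders.

```java
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import java.util.*;
import java.util.logging.Logger;

public class EmployeeDirectoryServlet extends HttpServlet {

    // Audit logger for rejected and denied lookups; route it to your log pipeline as needed.
    private static final Logger AUDIT = Logger.getLogger("audit.employee-directory");

    // Hypothetical principal that the login code is assumed to store under "authenticatedUser".
    public static final class UserPrincipal {
        final String username;
        final String role;        // "HR", "MANAGER" or "EMPLOYEE" in this example
        final String employeeId;  // ID of the record that belongs to this user, or null

        public UserPrincipal(String username, String role, String employeeId) {
            this.username = username;
            this.role = role;
            this.employeeId = employeeId;
        }
    }

    // Minimal employee record, defined here so the example compiles on its own.
    private static final class Employee {
        final String name, role, email;
        Employee(String name, String role, String email) {
            this.name = name; this.role = role; this.email = email;
        }
    }

    private final Map<String, Employee> employees = new HashMap<>();

    @Override
    public void init() {
        // Constructed sample data with placeholder addresses.
        employees.put("1", new Employee("John Doe", "Manager", "john.doe@example.com"));
        employees.put("2", new Employee("Jane Smith", "Developer", "jane.smith@example.com"));
    }

    // Syntactic check: short, purely numeric IDs only.
    static boolean isValidId(String id) {
        return id != null && id.length() <= 10 && id.matches("[0-9]+");
    }

    // Record-level rule. It depends only on the caller and the requested ID, so it runs
    // before the lookup and a denial reveals nothing about whether the ID exists.
    static boolean canViewRecord(UserPrincipal user, String id) {
        return "HR".equals(user.role) || "MANAGER".equals(user.role) || id.equals(user.employeeId);
    }

    // Field-level rule: contact details are released only to HR or to the record's owner.
    static boolean canSeeEmail(UserPrincipal user, String id) {
        return "HR".equals(user.role) || id.equals(user.employeeId);
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession(false);
        UserPrincipal user = session == null ? null
                : (UserPrincipal) session.getAttribute("authenticatedUser");
        if (user == null) {
            response.sendRedirect("login.jsp"); // Authentication first, as on the page.
            return;
        }

        String id = request.getParameter("id");
        if (!isValidId(id)) {
            AUDIT.warning("rejected malformed id user=" + user.username + " ip=" + request.getRemoteAddr());
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid ID");
            return;
        }

        if (!canViewRecord(user, id)) {
            // Repeated denials for many different IDs are the signal for an enumeration attempt.
            AUDIT.warning("denied id=" + id + " user=" + user.username + " role=" + user.role
                    + " ip=" + request.getRemoteAddr());
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied");
            return;
        }

        Employee employee = employees.get(id);
        if (employee == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND, "Employee not found");
            return;
        }

        response.setContentType("text/plain; charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("Name: " + employee.name);
        out.println("Role: " + employee.role);
        if (canSeeEmail(user, id)) {
            out.println("Email: " + employee.email);
        }
    }
}
```

The order of the checks is deliberate: the ID is validated before anything else touches it, the authorization decision is made from the session principal alone so that a 403 does not confirm that the ID exists, and only then is the record looked up. Keeping the rules in small static methods (canViewRecord, canSeeEmail) makes them easy to unit-test without a servlet container.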