
Technical information leak - Credentials

Need

Protection of sensitive credentials from being exposed

Context

  • Usage of Java 8 for developing applications with enhanced features and performance
  • Usage of javax.servlet-api for building Java web applications with Servlets

Description

Non compliant code

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

public class LoginServlet extends HttpServlet {

    // Hard-coded server-side secret: it lives in source and is shipped to the client below
    private static final String SECRET_KEY = "BotChatDirectLineSecretKey";

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();

        String user = request.getParameter("user");
        String password = request.getParameter("password");

        // Validate user credentials
        // ...

        // Send secret key in response (the leak): the value is embedded in client-side script
        out.println("<script>");
        out.println("var secretKey = '" + SECRET_KEY + "';");
        out.println("</script>");
    }
}

The code above is a simple Java Servlet that handles login requests. When a POST request with user credentials reaches this servlet, it validates the credentials (the validation itself is elided) and writes an HTML response back to the client.

The vulnerability lies in how the response is constructed: SECRET_KEY, which is supposed to remain secret, is written into the response inside a script tag in plaintext. This value is the BotChat Direct Line Secret Key and must never reach the client side.

Since the script is not minified or obfuscated, anyone who intercepts the response or inspects it in the browser's developer tools can read the secret key directly; minification or obfuscation would only make this slightly more laborious, because anything delivered to the browser is readable by its user. This is a serious security flaw because it exposes sensitive information that malicious actors can exploit.

This kind of vulnerability is categorized as a Technical Information Leak, specifically leaking of credentials. It is crucial to always keep sensitive information like keys, passwords, etc., hidden and never expose them in client-side code or responses.

Steps

  • Avoid storing sensitive information, such as secret keys, directly in the code.
  • Use environment variables or configuration files to store sensitive information.
  • Ensure that the sensitive information is properly protected, such as by encrypting it.
  • Avoid including sensitive information in the response sent to the client.
  • Implement proper access controls to restrict access to sensitive information.

Compliant code

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

public class LoginServlet extends HttpServlet {

    // No hard-coded secret constant: the key is no longer present in source

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();

        String user = request.getParameter("user");
        String password = request.getParameter("password");

        // Validate user credentials
        // ...

        // Do not send secret key in response
    }
}

The original code had a major security vulnerability: it sent the BotChat Direct Line Secret Key in the response to the client. This is a serious issue because it exposes sensitive information that could be used maliciously.

The fixed code removes this vulnerability by simply not including the secret key in the response. The secret key is also no longer stored directly in the code, which is good practice for maintaining security.

Sensitive information like secret keys should be stored in a secure manner, such as in environment variables or configuration files that are not accessible to unauthorized users. This way, even if someone gains access to the code, they will not be able to obtain the secret key.

Furthermore, sensitive information should be properly protected, such as by encrypting it. This way, even if someone manages to obtain the information, they will not be able to use it without the decryption key.

Finally, proper access controls should be implemented to restrict access to sensitive information. This includes both physical access controls (like keeping servers in a secure location) and digital access controls (like requiring authentication to access certain parts of the system).
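The following is an added example, not code from the original page, showing how the two recommendations above can be enforced together in the same Servlet stack: the secret is read from an environment variable at startup (failing fast if it is absent), and a filter buffers each response body and refuses to send it if the secret value appears in it. The class name SecretLeakGuardFilter and the environment variable DIRECT_LINE_SECRET are assumptions; the filter only inspects bodies written through getWriter(), not getOutputStream().

```java
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import java.io.CharArrayWriter;
import java.io.IOException;
import java.io.PrintWriter;

// Assumed name; guards every response produced by servlets it is mapped in front of.
public class SecretLeakGuardFilter implements Filter {

    private String secret;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Loaded from the environment (assumed variable name), never from a constant in source.
        secret = System.getenv("DIRECT_LINE_SECRET");
        if (secret == null || secret.isEmpty()) {
            throw new ServletException("DIRECT_LINE_SECRET is not set; refusing to start");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpRes = (HttpServletResponse) res;
        final CharArrayWriter buffer = new CharArrayWriter();
        // Capture text written through getWriter() so it can be inspected before commit.
        HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(httpRes) {
            @Override
            public PrintWriter getWriter() { return new PrintWriter(buffer); }
        };
        chain.doFilter(req, wrapper);

        String body = buffer.toString();
        if (body.contains(secret)) {
            // Fail closed: log the event server-side and never forward the secret.
            req.getServletContext().log("Blocked response containing a server secret for "
                    + ((HttpServletRequest) req).getRequestURI());
            httpRes.reset();
            httpRes.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        httpRes.getWriter().write(body);
    }

    @Override
    public void destroy() {}
}
```

Mapped in front of LoginServlet, this filter would have turned the non-compliant response above into a logged server error instead of a credential leak, while the compliant version passes through unchanged.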
