Security Attacks
From Resin 3.0
(New page: == Cross-site scripting == <p>Cross-site scripting occurs when a web-site inadvertantly includes HTML tags or scripting code that has come from an untrusted source (such as a form submit)<...) |
|||
Line 13: | Line 13: | ||
<p>For more information on cross-site scripting, the | <p>For more information on cross-site scripting, the | ||
− | + | [http://www.cert.org/advisories/CA-2000-02.html CERT | |
− | advisory | + | advisory] on the topic is a useful resource.</p> |
=== Protecting your site from cross-site scripting === | === Protecting your site from cross-site scripting === | ||
Line 93: | Line 93: | ||
<p> | <p> | ||
For a less extreme DoS attack, you can use | For a less extreme DoS attack, you can use | ||
− | + | [http://www.caucho.com/resin/doc/filter-library.xtp#ThrottleFilter com.caucho.filters.ThrottleFilter] | |
− | + | ||
to minimize the number of concurrent | to minimize the number of concurrent | ||
requests. | requests. | ||
Line 100: | Line 99: | ||
<p> | <p> | ||
− | In configurations that use a | + | In configurations that use a [http://www.caucho.com/resin/doc/resin-load-balance.xtp load balancer], the |
ThrottleFilter should be used on the front-end server that is running the | ThrottleFilter should be used on the front-end server that is running the | ||
<code>LoadBalanceFilter</code>. If using IIS or Apache then throttling features | <code>LoadBalanceFilter</code>. If using IIS or Apache then throttling features |
Revision as of 02:02, 4 February 2008
Contents |
Cross-site scripting
Cross-site scripting occurs when a web-site inadvertantly includes HTML tags or scripting code that has come from an untrusted source (such as a form submit)
Cross-site scripting is primarily an application issue, not an app-server issue. An audit of your code will help you identify any areas that may be vulnerable to cross-site scripting issues.
The only case where it could be a Resin issue is for Resin's error messages, like 404 messages, and these have been carefully audited to prevent the possibilty of cross-site scripting.
For more information on cross-site scripting, the [http://www.cert.org/advisories/CA-2000-02.html CERT advisory] on the topic is a useful resource.
Protecting your site from cross-site scripting
The main source of vulnerability is from malicious posting of request parameters by users. The following steps are a good start to protecting your site.
- Escape incoming request parameters to remove HTML code. This is usually accomplished by changing all instances of the '<' and '>' characters in form parameters to corresponding entities like < and >. The Quercus example application that comes with Resin contains code that you can use as a basis.
- Beware of values used in database calls As you are forming SQL statements to use in JDBC, take care that a request parameter value does not end up becoming part of an SQL statement in such a way that it could change the intended function of the SQL statement.
- Allow for unexpected submission of parameters When developing the code to handle a form submission, or handle request parameters in general, do not assume that the parameters are valid. It is quite easy for a malicious user to make their own form, or their own URL, and specify whatever form parameters they want.
- Do not assume the value of hidden form fields are valid A common practice is to use hidden form fields to hold values that your application needs on subsequent requests. It is very easy for a user to change these values and make a submission.
Serving of raw JSP/php files
A potentially dangerous security problem is the inadvertant serving of .jsp files in raw form, exposing information about the underlying system.
The most significant area of concern for this with Resin is when Resin is used as a servlet runner. A raw jsp could potentially be served up by the main webserver (IIS or Apache, for example) if it does not recognize that the page should be handlecd by Resin.
Since this is a configuration issue, it should appear during your testing and not suddenly become a problem in a production environment that has not had the configuration changed.
There are also some issues regarding this with the underlying filesystem, for example a jsp name being passed in such a way that it does not match the pattern for jsp files but is recognized by the OS/filesystem as a valid filename. We have covered all of these areas that have come to our attention.
</s1>
Session stealing
Resin establishes a session with the user by assigning an id, which is then included in subsequent requests as either a cookie or as part of the URL. It is conceivable that someone could use a packet sniffer to find the session id of a user and then make a fake request to Resin thus gaining access to the session. This can be avoided by using HTTPS.
</s1>
Denial of Service (DoS) attacks
The most common method used in DoS attacks on a server is to flood the server with useless traffic, overloading the network's capacity. A real DoS attack is best handled by a firewall or operating system. Any real DoS attack is going to try to overwhelm your TCP, so you need the OS kernel to refuse to accept packets for the offending system.
For a less extreme DoS attack, you can use com.caucho.filters.ThrottleFilter to minimize the number of concurrent requests.
In configurations that use a load balancer, the
ThrottleFilter should be used on the front-end server that is running the
LoadBalanceFilter
. If using IIS or Apache then throttling features
of those servers should be used.
ThrottleFilter to manage DoS attacks
<filter filter-name="throttle"
filter-class="com.caucho.filters.ThrottleFilter">
<init max-concurrent-requests="5"/>
</filter>
<filter-mapping url-pattern="/*" filter-name="throttle"/>