Re: JSP Security - Limiting URL's

The idea of a Finite State Machine (FSM) is a good one for the example that
the author used, an exam. It would fit nicely for any application that
requires the user to follow a specific set of paths through the application
and his use of XML as a state definition language is very
elegant. However, most web applications are not developed in this
fashion. From my experience most web applications are hybrids of static
and dynamic HTML with no set defined paths for the user to follow. There
are times in the web site, especially on data entry, where the user needs
to follow a set path through the application such as wizard style entry
forms. This approach would be excellent for those cases. As for the rest
of the time, the old tried and true methods are still the best. Here are
some things I do to help protect the applications, some required a fair
level of security.
- Use a Servlet (in an MVC architecture) or Filter to authenticate/verify
all requests to HTML, JSP, XML, ... formats. Ignore images and style
sheets if performance is an issue.
- Interrogate the request parameters (recursively decoding until nothing
is encoded) and deny any requests that contain '<', '>', '|' (the pipe
symbol) or 'javascript'. I usually use regular expressions and look up the
rejection patterns from a properties file.
- Rely on the permission system built into the container for ACLs.
- When needed I will sign the Session ID and other information about the
client using the JCE and store the signature as a session cookie in the
client browser. This cookie is used to authenticate the request later
on. I do this if the Session ID is not cryptographically sound, such as
the Session IDs generated by JRun 3.0 and lower (Don't know if they
corrected the issue in 4.0).

All in all though I would classify the FSM as a security mechanism. It
will be overly complicated to implement for large applications (containing
lots of states) and require an expert programmer to maintain the
application, forget about your web designers and standard web masters. And
as we all know the more complicated the application, the harder it is to
secure (the KISS principle).

I guess what I'm trying to say is that the only security benefit that the
FSM provides is flow control. A user cannot jump from page to page at
random and must follow predefined paths. It does not help protect your
application from XSS attacks, improper implementation of permissions,
directory traversals, poor implementations of system calls or
cryptographically weak authentication schemes. But if used where it is
needed I can see a benefit (The code used in the examples looks a little
overly complex as well, the FSM code should DEFINITELY be in a Servlet
(MVC) and NOT in the JSP).

At 02:42 PM 12/9/2002 -0800, securityarchitect@hush.com wrote:
>http://www.onjava.com/pub/a/onjava/2001/06/27/java_security.html
Steven J. Posick, CISSP
CEO - Systems Architect
AdvanSol LLC.
EMail: steve.posick@advansol.com
Phone: (203) 257-0037
www.libertylost.org - America the land of the free?
Received on Tue Dec 10 10:02:46 2002
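
The signed session cookie described in the message above, as an added example that is not part of the original post. It assumes HMAC-SHA256 from the JCE as the "signature" and the User-Agent string as the client information; the class and method names are hypothetical.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/** Added example: binds a container session ID to client attributes with an HMAC cookie value. */
public class SessionCookieSigner {
    private final SecretKeySpec key;

    public SessionCookieSigner(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    /** Cookie value: Base64url(HMAC-SHA256(length-prefixed sessionId, clientInfo)). */
    public String sign(String sessionId, String clientInfo) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        // Length-prefix each field so ("ab","c") and ("a","bc") produce different tags.
        for (String field : new String[] { sessionId, clientInfo }) {
            byte[] b = field.getBytes(StandardCharsets.UTF_8);
            mac.update(ByteBuffer.allocate(4).putInt(b.length).array());
            mac.update(b);
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal());
    }

    /** Recomputes the tag for the current request and compares it in constant time. */
    public boolean verify(String sessionId, String clientInfo, String cookieValue) throws Exception {
        if (cookieValue == null) return false;
        byte[] expected = sign(sessionId, clientInfo).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, cookieValue.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // server-side key, never sent to the client
        SessionCookieSigner signer = new SessionCookieSigner(secret);
        // Constructed sample values, not taken from any real container.
        String sid = "A1B2C3D4E5", ua = "Mozilla/4.0 (constructed)";
        String cookie = signer.sign(sid, ua);
        System.out.println("same session, same client: " + signer.verify(sid, ua, cookie));
        System.out.println("neighbouring session ID:   " + signer.verify("A1B2C3D4E6", ua, cookie));
        System.out.println("different client info:     " + signer.verify(sid, "other-agent", cookie));
    }
}
```

In a Filter, `verify` would run before the request reaches any JSP, with the session ID taken from the container and the tag taken from the cookie; a guessed or predictable session ID fails the check because the guesser cannot produce the matching tag without the server-side key.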