Insecure HTTP methods enabled - Java

Insecure HTTP methods enabled - Java

Need

Secure HTTP methods configuration

Context

  • Usage of Java 8 for developing applications with enhanced features and performance
  • Usage of javax.servlet-api for building Java web applications with Servlets

Description

Non compliant code

        import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import javax.servlet.ServletException;

public class VulnerableServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // your GET logic here
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // your POST logic here
    }

    @Override
    protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // your PUT logic here
    }

    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // your DELETE logic here
    }

    @Override
    protected void doTrace(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // your TRACE logic here
    }
}
        
        

The above code is an example of a Servlet that has enabled insecure HTTP methods such as TRACE, PUT, and DELETE.

The doGet and doPost methods are commonly used HTTP methods for reading and writing data respectively. However, the doPut, doDelete, and doTrace methods can pose security risks if not properly managed.

The doPut method allows a client to place a file in a specified location on the server and can be exploited if an attacker gains access to it.

The doDelete method allows a client to delete a specified resource on the server. If this method is enabled and not properly secured, an attacker could potentially delete files on the server.

The doTrace method allows a client to see what is being returned by the HTTP request. This method is often used for debugging and diagnostic purposes. However, if left enabled in a production environment, it can be exploited for Cross-Site Tracing (XST) attacks, where an attacker can steal cookie information.

In summary, the code above is vulnerable because it enables HTTP methods that can be exploited if not properly secured.

Steps

  • Disable or restrict the use of insecure HTTP methods such as TRACE, PUT, and DELETE.
  • Review and update the logic in each HTTP method to ensure proper validation and authorization checks.
  • Implement secure alternatives for the functionality provided by the insecure HTTP methods.
  • Consider implementing a security framework or library that handles HTTP method security automatically.
  • Regularly update and patch the server and its dependencies to ensure the latest security fixes are applied.

Compliant code

        import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import javax.servlet.ServletException;

public class SecureServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // your GET logic here
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // your POST logic here
    }

    // Disabled insecure HTTP methods
    /*
    @Override
    protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // your PUT logic here
    }

    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // your DELETE logic here
    }

    @Override
    protected void doTrace(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // your TRACE logic here
    }
    */
}
        
        

The updated code disables the insecure HTTP methods PUT, DELETE, and TRACE by commenting them out. This prevents potential attackers from using these methods to include and/or delete files, or perform cross-site tracing attacks.

In addition to disabling these methods, it's important to review and update the logic in each remaining HTTP method (GET and POST in this case) to ensure proper validation and authorization checks are in place. This can help prevent other types of attacks, such as SQL injection or cross-site scripting (XSS).

For the functionality that was provided by the now-disabled HTTP methods, consider implementing secure alternatives. For example, if the PUT method was used to update resources, you could implement a POST method that includes additional validation and authorization checks.

Finally, consider implementing a security framework or library that handles HTTP method security automatically. This can help ensure that your server remains secure even as new vulnerabilities are discovered. Regularly updating and patching the server and its dependencies is also crucial for maintaining security.

References