Lack of data validation - Trust boundary violation - Java

Lack of data validation - Trust boundary violation - Java

Need

Enforce strict data validation and ensure proper trust boundaries

Context

  • Usage of Java for building cross-platform applications
  • Usage of javax.servlet for building Java web applications with servlets
  • Usage of javax.servlet.http for handling HTTP requests and responses in Java web applications

Description

Non compliant code

        import javax.servlet.*;
import javax.servlet.http.*;

public class TrustBoundaryViolation extends HttpServlet {

    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String trustedData = "This data is trusted";
        String untrustedData = request.getParameter("untrustedData");
        
        // Mixing trusted and untrusted data
        String mixedData = trustedData + untrustedData;
        
        // Use the mixed data
        response.getWriter().write(mixedData);
    }
}
        
        

The above code represents a Trust Boundary Violation vulnerability due to the lack of data validation.

In the doPost method, the servlet mixes trusted data ( trustedData) and untrusted data ( untrustedData) that comes directly from the user request without any validation or sanitization. This untrusted data is retrieved using request.getParameter("untrustedData"), which could potentially contain malicious input from the user.

This mixed data ( mixedData) is then written to the HTTP response using response.getWriter().write(mixedData).

The danger here is that the untrusted data could contain malicious input, such as scripts for Cross-site Scripting (XSS) attacks, SQL commands for SQL Injection attacks, or commands for Command Injection attacks. Since the application does not validate or sanitize the untrusted data before mixing it with the trusted data, it could potentially execute the malicious input when the mixed data is used, leading to various security issues.

Steps

  • Separate trusted and untrusted data
  • Validate and sanitize untrusted data
  • Use appropriate data structures to keep trusted and untrusted data separate
  • Apply input validation and filtering techniques
  • Implement proper data validation and sanitization methods
  • Use parameterized queries or prepared statements to prevent SQL injection
  • Implement output encoding to prevent cross-site scripting (XSS) attacks
  • Implement secure coding practices and follow security guidelines

Compliant code

        import javax.servlet.*;
import javax.servlet.http.*;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.ValidationException;

public class TrustBoundaryViolation extends HttpServlet {

    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String trustedData = "This data is trusted";
        String untrustedData = request.getParameter("untrustedData");
        
        // Create a validator instance
        Validator validator = ESAPI.validator();
        
        // Validate and sanitize untrusted data
        String safeUntrustedData = "";
        try {
            safeUntrustedData = validator.getValidInput("HTTP parameter", untrustedData, "SafeString", 200, false);
        } catch (ValidationException ve) {
            // Handle the exception
        }
        
        // Separate trusted and untrusted data
        String mixedData = trustedData + safeUntrustedData;
        
        // Use the mixed data
        response.getWriter().write(ESAPI.encoder().encodeForHTML(mixedData));
    }
}
        
        

The fixed code separates trusted and untrusted data by validating and sanitizing the untrusted data before mixing it with the trusted data.

The OWASP Enterprise Security API (ESAPI) is used to validate and sanitize the untrusted data. The getValidInput method of the Validator class is used to validate the untrusted data against a defined set of rules (in this case, "SafeString" which allows alphanumeric characters and has a maximum length of 200). If the untrusted data does not meet these rules, a ValidationException is thrown.

The validated and sanitized untrusted data is then concatenated with the trusted data to form the mixed data.

Finally, before the mixed data is written to the HTTP response, it is encoded for HTML to prevent cross-site scripting (XSS) attacks. The encodeForHTML method of the Encoder class is used to encode the mixed data. This method encodes special characters that have significance in HTML to their corresponding HTML entities, thereby preventing any malicious scripts from being executed.

References