Secure configuration of HTTP headers - X-Permitted-Cross-Domain-Policies
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class VulnerableServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The application lacks the X-Permitted-Cross-Domain-Policies header
        response.getWriter().write("Hello, World!");
    }
}
In the provided Java servlet code, the HTTP response lacks the X-Permitted-Cross-Domain-Policies header.
This header tells clients such as Adobe's Flash Player, Microsoft's Silverlight, and Acrobat whether they may honor cross-domain policy files (for example crossdomain.xml) served by this host, and therefore whether they may load its data from another origin.
Without this header, or if it is set to an insecure value, an attacker can potentially load data across domains, which can lead to various types of attacks such as Cross-Site Request Forgery (CSRF) or data theft.
In the provided code, the doGet() method writes a response to the client without setting this header. This means that any response from this servlet is potentially exposed to cross-domain data loading attacks.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SecureServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Set the X-Permitted-Cross-Domain-Policies header before writing the body;
        // headers set after the response is committed are ignored by the container
        response.setHeader("X-Permitted-Cross-Domain-Policies", "none");
        response.getWriter().write("Hello, World!");
    }
}
The above code fixes the vulnerability by setting the X-Permitted-Cross-Domain-Policies header in the HTTP response. This header is used to control the cross-domain policies of Adobe products, such as Flash Player and Acrobat.
The value none is chosen for the header, which means that no policy files are allowed anywhere on the target server, including this master policy file. This is the most secure setting, effectively blocking any cross-domain requests.
The header is set in the doGet method of the servlet, which is invoked for HTTP GET requests. This ensures that the header is present on every GET response this servlet produces; other handler methods (such as doPost) and other servlets in the application need the same treatment, which is why the header is usually applied centrally in a servlet Filter rather than in each handler.
After applying this fix, it is recommended to test the application to verify that the header is correctly set and does not introduce any issues. This can be done by inspecting the HTTP response headers in a web browser or using a tool like curl or Postman.