Security controls bypass or absence - Session Invalidation - Java

Need

Implementation of proper session invalidation mechanism

Context

  • Usage of Java for building scalable and robust applications
  • Usage of javax.servlet.http.HttpSession for managing user sessions in Java web applications

Description

Non compliant code

import javax.servlet.http.HttpSession;

public class UserMain {
    // Debug shortcut left in production: any sessionCode containing "auto"
    // skips validation entirely and reads "Main" straight from the session.
    // Nothing here ties sessionCode to the HttpSession that is passed in.
    public String getMainFromSession(String sessionCode, HttpSession session) {
        if (sessionCode.contains("auto")) {
            return (String) session.getAttribute("Main");
        } else {
            return null;
        }
    }
}

The above Java code is a helper class used by a servlet-based backend application (it is not itself a servlet; it receives the HttpSession from the servlet that calls it). The class has a method getMainFromSession which takes two parameters: a sessionCode string and an HttpSession object. The sessionCode is meant to be checked before any session data is released. If the sessionCode contains the string "auto", the method retrieves the "Main" attribute from the session and returns it; otherwise it returns null.

The vulnerability lies in the condition that checks whether sessionCode contains the string "auto". This was most likely added during development to bypass session validation so the application could be tested without providing a valid session, and it was left in the production code. Because "auto" is a fixed, guessable value, any caller who supplies a sessionCode containing it (the string "auto" itself is enough) satisfies the check and reads session data without ever proving ownership of the session. Nothing in the method compares sessionCode with anything bound to the HttpSession, so there is no validation at all, only a hard-coded shortcut.

The call session.getAttribute("Main") retrieves the value of the attribute named "Main" from the session, and the method returns it unchanged. If the "Main" attribute holds sensitive information, such as user credentials or personal data, this bypass exposes it to anyone who can reach the method.

In addition, when sessionCode does not contain "auto" the method returns null rather than rejecting the request or invalidating the session. Callers that do not check for null can hit NullPointerExceptions elsewhere in the application, and the silent failure gives no signal that an invalid session code was presented.

Steps

  • Remove the debugging shortcut (the contains("auto") check) from the getMainFromSession method.
  • Implement a proper session invalidation mechanism: invalidate the session on any failed check and on logout instead of returning null.
  • Ensure that session codes are validated against the session they belong to and that no hard-coded value can bypass the check.

Compliant code

import javax.servlet.http.HttpSession;

public class UserMain {
    public String getMainFromSession(String sessionCode, HttpSession session) {
        // Validate session code
        if (sessionCode == null || sessionCode.isEmpty()) {
            throw new IllegalArgumentException("Invalid session code");
        }

        // Get Main attribute from session
        String main = (String) session.getAttribute("Main");

        // If Main attribute is null, invalidate the session
        if (main == null) {
            session.invalidate();
            throw new IllegalStateException("Session invalidated");
        }

        return main;
    }
}

The updated code no longer contains the contains("auto") branch, so there is no magic value that bypasses the check. The session code is now validated first: if it is null or empty, an IllegalArgumentException is thrown instead of silently returning null.

The Main attribute is then retrieved from the session. If it is absent, the session is treated as not properly established: it is invalidated with session.invalidate(), which discards all server-side state associated with that session id, and an IllegalStateException is thrown. This puts an explicit session invalidation mechanism in place.

By implementing these changes, the debugging code has been removed from getMainFromSession and session codes are checked rather than matched against a hard-coded string. Note that the null/empty check only rejects malformed input; to fully satisfy the third step, the application must also compare sessionCode with a value bound to the session at login and invalidate the session on a mismatch.
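The following is an added example, not code from the original page, showing one way to carry the three steps through end to end: a random session code is generated at login and bound to the session, every request must present a code that matches the bound one (compared in constant time), and any failure, as well as logout, invalidates the session instead of returning null. The class name SessionGuard, the attribute names, and the login/logout methods are assumptions made for this example; it requires the servlet API (javax.servlet) on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Added example (not from the original page). Class and attribute names are assumptions.
public class SessionGuard {
    static final String SESSION_CODE_ATTR = "sessionCode";
    static final String USER_ATTR = "user";
    static final String MAIN_ATTR = "Main";
    static final int IDLE_TIMEOUT_SECONDS = 15 * 60;

    private static final SecureRandom RNG = new SecureRandom();

    // Called only after credentials have been verified by the caller.
    // Any pre-authentication session is discarded and a fresh one created,
    // so an id chosen by an attacker before login (session fixation) is not kept.
    public static String login(HttpServletRequest request, String username, String mainValue) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);

        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String code = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);

        // Bind the code to this session; the client must present it on later calls.
        session.setAttribute(SESSION_CODE_ATTR, code);
        session.setAttribute(USER_ATTR, username);
        session.setAttribute(MAIN_ATTR, mainValue);
        return code;
    }

    // Replacement for getMainFromSession: no magic values, the presented code
    // must equal the one bound to the session, and every failure invalidates
    // the session rather than returning null.
    public static String getMainFromSession(String sessionCode, HttpSession session) {
        if (session == null) {
            throw new IllegalStateException("No session");
        }
        if (sessionCode == null || sessionCode.isEmpty()) {
            session.invalidate();
            throw new IllegalArgumentException("Invalid session code");
        }
        Object expected = session.getAttribute(SESSION_CODE_ATTR);
        Object user = session.getAttribute(USER_ATTR);
        if (!(expected instanceof String) || user == null
                || !constantTimeEquals((String) expected, sessionCode)) {
            session.invalidate();
            throw new IllegalStateException("Session invalidated");
        }
        Object main = session.getAttribute(MAIN_ATTR);
        if (!(main instanceof String)) {
            session.invalidate();
            throw new IllegalStateException("Session invalidated");
        }
        return (String) main;
    }

    // Explicit logout: drop server-side state so the session id and code
    // cannot be replayed afterwards.
    public static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    // Constant-time comparison so response timing does not reveal how many
    // leading characters of a guessed code were correct.
    static boolean constantTimeEquals(String a, String b) {
        byte[] x = a.getBytes(StandardCharsets.UTF_8);
        byte[] y = b.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(x, y);
    }
}
```

A servlet would call SessionGuard.login(...) once the user's credentials check out, hand the returned code to the client, and then call SessionGuard.getMainFromSession(presentedCode, request.getSession(false)) on protected requests; because the code is random and compared against the value stored in the session itself, there is no fixed string such as "auto" that an attacker can supply to pass the check.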

References