WebObjects and HTML injection


  • Subject: WebObjects and HTML injection
  • From: Patrick Middleton <email@hidden>
  • Date: Thu, 22 Jul 2010 12:28:07 +0100

Hi folks!

Some of our customers are commissioning penetration testing reports, which are flagging vulnerabilities in our WebObjects applications. The problem reported is with URLs such as .../wa/MyDirectAction?wosid=XYZ"> , direct actions that preserve the session ID, where the session ID can be manipulated (at the cost of no longer being a valid session ID) to enable injecting some executable JavaScript onto a webpage. In principle this is a vulnerability for various attacks such as XSS, SQL injection and so on. In practice, I'm confident there are no exploits in the apps for which I am responsible because any useful work is done via component actions; no valid session ID equals nothing useful served, and a valid session ID means you can get at what the app is supposed to let you be able to get at.

But I'd like to tighten things up so that the penetration testing automated scanners find nothing because there's nothing to find. I myself am still (don't laugh) working with WO4.5.1. What are things like in 5.4.x? It seems to me that I ought to be subclassing (or adding to existing subclasses) to override these:

com.webobjects.appserver.WODirectAction
public String getSessionIDForRequest(WORequest aRequest)
public void takeFormValueArraysForKeyArray(NSArray aKeyArray)
public void takeFormValuesForKeyArray(NSArray aKeyArray)
public void takeValueForKey(Object value, String key)

com.webobjects.appserver.WOComponent
public void takeValuesFromRequest(WORequest aRequest, WOContext aContext)
public void takeValueForKey(Object value, String key)


in order to sanitize inputs -- mostly by removing anything containing the likes of '<script'. What do you think?

---
Regards Patrick
OneStep Solutions Plc
www.onestep.co.uk
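An added example, not code from the original post or from the WebObjects framework: instead of stripping '<script' from the wosid, the override of getSessionIDForRequest listed above treats any session ID that does not match a strict allowed-character pattern as "no session", and a separate helper encodes any value the application does echo into an HTML attribute. The WODirectAction(WORequest) constructor and the alphanumeric session ID format are assumptions; adjust the pattern to what your WebObjects version actually generates.

```java
import com.webobjects.appserver.WODirectAction;
import com.webobjects.appserver.WORequest;
import java.util.regex.Pattern;

/**
 * Direct-action base class that rejects malformed session IDs outright.
 * A session ID that fails the whitelist can never be a valid session, so
 * dropping it costs nothing and leaves nothing for the page to reflect.
 */
public class SafeDirectAction extends WODirectAction {

    // Assumed format: alphanumeric, bounded length. Verify against the IDs
    // your WO version issues before deploying.
    private static final Pattern VALID_WOSID = Pattern.compile("^[A-Za-z0-9]{1,64}$");

    public SafeDirectAction(WORequest aRequest) {
        super(aRequest); // assumed constructor signature
    }

    /** Whitelist check: true only for IDs made solely of allowed characters. */
    static boolean isValidSessionID(String sid) {
        return sid != null && VALID_WOSID.matcher(sid).matches();
    }

    @Override
    public String getSessionIDForRequest(WORequest aRequest) {
        String sid = super.getSessionIDForRequest(aRequest);
        // Reject rather than "clean": no attempt to guess what an attacker wrote.
        return isValidSessionID(sid) ? sid : null;
    }

    /**
     * Output-side complement to the input check: encode any request-derived
     * value before it is placed inside a quoted HTML attribute, so that even
     * an unexpected value cannot close the attribute or the tag.
     */
    static String escapeForAttribute(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
}
```

Because the check is a whitelist, the automated scanners' modified wosid values are discarded before any component sees them, which is what makes "nothing to find" hold regardless of which characters a given scanner tries.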



Webobjects-dev mailing list      (email@hidden)