
Security controls bypass or absence - Session Invalidation - Java


Need

Implementation of proper session invalidation mechanism


Context

  1. Usage of Java for building scalable and robust applications
  2. Usage of javax.servlet.http.HttpSession for managing user sessions in Java web applications

Description

Insecure Code Example

import javax.servlet.http.HttpSession;

public class UserMain {
    public String getMainFromSession(String sessionCode, HttpSession session) {
        // Debug shortcut left in production: any code containing "auto"
        // is accepted without validating the session at all
        if (sessionCode.contains("auto")) {
            return (String) session.getAttribute("Main");
        } else {
            // Every other code, valid or not, yields null
            return null;
        }
    }
}

The above Java code represents a helper class in the backend of a servlet-based application. Its method `getMainFromSession` takes two parameters: a `sessionCode` and an `HttpSession` object. The `sessionCode` is a string that is supposed to validate the session. If the `sessionCode` contains the string "auto", the method retrieves the "Main" attribute from the session and returns it.

The vulnerability lies in the condition that checks whether the `sessionCode` contains the string "auto". This check was probably introduced during the debugging phase to bypass the session validation mechanism and let developers test the application without providing a valid session. However, it was left in the production code, creating a security vulnerability: by providing a `sessionCode` that contains the string "auto", an attacker can bypass the session validation mechanism and gain unauthorized access to the application.

`session.getAttribute("Main")` retrieves the value of the attribute named "Main" from the session, and that value is returned by `getMainFromSession`. If the "Main" attribute contains sensitive information, such as user credentials or personal data, this vulnerability could lead to serious security breaches. In addition, the method returns `null` whenever the `sessionCode` does not contain the string "auto", which could lead to null pointer exceptions elsewhere in the application, causing system instability or further vulnerabilities.

Steps

  1. Remove the debugging code from the `getMainFromSession` function.
  2. Implement a proper session invalidation mechanism.
  3. Ensure that session codes are properly validated and do not allow bypassing security controls.

Secure Code Example

import javax.servlet.http.HttpSession;

public class UserMain {
    public String getMainFromSession(String sessionCode, HttpSession session) {
        // Validate session code
        if (sessionCode == null || sessionCode.isEmpty()) {
            throw new IllegalArgumentException("Invalid session code");
        }
        
        // Get Main attribute from session
        String main = (String) session.getAttribute("Main");
        
        // If Main attribute is null, invalidate the session
        if (main == null) {
            session.invalidate();
            throw new IllegalStateException("Session invalidated");
        }
        
        return main;
    }
}

The updated code now includes a check to validate the session code. If the session code is null or empty, an `IllegalArgumentException` is thrown, and no value of the code (such as one containing the word "auto") grants access on its own. The `Main` attribute is then retrieved from the session. If this attribute is null, the session is invalidated and an `IllegalStateException` is thrown, so that a proper session invalidation mechanism is in place. With these changes, the debugging code has been removed from `getMainFromSession`, and session codes are validated rather than used to bypass security controls.
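As an added example, not taken from the original page, the following class shows how the three steps above fit together end to end: the session code is bound to the session at login, every later lookup compares the presented code against the bound one, and any mismatch, missing code or incomplete session ends with `session.invalidate()`. The attribute names `sessionCode` and `Main`, the `SessionGuard` class and its methods, and the 15-minute idle timeout are assumptions chosen for this illustration; the servlet API calls (`getSession(false)`, `setMaxInactiveInterval`, `invalidate`) are standard `javax.servlet` methods.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Example helper (not part of the original page): validates and invalidates sessions.
public final class SessionGuard {
    // Attribute names are assumptions chosen for this example.
    static final String CODE_ATTR = "sessionCode";
    static final String MAIN_ATTR = "Main";
    // Idle timeout in seconds; an assumed policy value.
    private static final int MAX_IDLE_SECONDS = 15 * 60;

    private SessionGuard() {}

    /** Called once after successful authentication: discard any pre-login
     *  session, create a fresh one, and bind the session code and "Main" to it. */
    public static void establish(HttpServletRequest request, String sessionCode, String main) {
        if (sessionCode == null || sessionCode.isEmpty()) {
            throw new IllegalArgumentException("Session code must not be empty");
        }
        HttpSession old = request.getSession(false);
        if (old != null) {
            invalidate(old); // never reuse a session created before login
        }
        HttpSession session = request.getSession(true);
        session.setMaxInactiveInterval(MAX_IDLE_SECONDS); // container enforces idle expiry
        session.setAttribute(CODE_ATTR, sessionCode);
        session.setAttribute(MAIN_ATTR, main);
    }

    /** Returns "Main" only when the presented code matches the one bound at login.
     *  Every failure path invalidates the session; there are no magic values. */
    public static String getMainFromSession(HttpServletRequest request, String presentedCode) {
        HttpSession session = request.getSession(false); // never create a session here
        if (session == null) {
            throw new IllegalStateException("No active session");
        }
        if (presentedCode == null || presentedCode.isEmpty()) {
            invalidate(session);
            throw new IllegalArgumentException("Missing session code; session invalidated");
        }
        Object bound = session.getAttribute(CODE_ATTR);
        if (!(bound instanceof String) || !constantTimeEquals((String) bound, presentedCode)) {
            invalidate(session);
            throw new IllegalStateException("Session code mismatch; session invalidated");
        }
        Object main = session.getAttribute(MAIN_ATTR);
        if (!(main instanceof String)) {
            invalidate(session);
            throw new IllegalStateException("Session incomplete; session invalidated");
        }
        return (String) main;
    }

    /** Explicit logout: drop the server-side session so the id cannot be reused. */
    public static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            invalidate(session);
        }
    }

    private static void invalidate(HttpSession session) {
        try {
            session.invalidate();
        } catch (IllegalStateException alreadyInvalid) {
            // A concurrent request already invalidated it; nothing more to do.
        }
    }

    // Length-independent comparison so timing does not leak how many bytes matched.
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(
                a.getBytes(StandardCharsets.UTF_8),
                b.getBytes(StandardCharsets.UTF_8));
    }
}
```

The key design choice is that the session code is never interpreted on its own: it is only meaningful relative to the value stored server-side in the session, so no string pattern can stand in for authentication. Using `getSession(false)` in the lookup path also keeps unauthenticated requests from silently creating sessions.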


References

  • 345 - Security controls bypass or absence - Session Invalidation

  • Last updated: 2023/09/18