recently after scanning our project we can across with Veracode warnings on CRLF neutralization. please find my error code below.
Cookie[] c = request.getCookies();
c[i].setValue("");
c[i].setMaxAge(0);
getting the issue on below line
response.addCookie(c[i]);
Solutions Tried:
1.setValue("") tried replacing with \r or \n
2. used Encode.forJava(String)
3. Used ESAPI, but our project is running on Java 1.6. No suitable ESAPI jar was found.
Any recommendations here? am I missing anything? Am I going in the wrong direction? Can anyone help me with this?
I don't think output encoding is the right approach here. Unless you are rendering the cookie name and/or value, the issue is not XSS, but rather HTTP Response Splitting.
Strict allow-listing is the best approach, here but if find that impossible (because you are not sure what the allowed values are supposed to be, which might be the case if you were writing an HTTP library or getting values from downstream processes, etc.), then go with block-list data validation. For the block-list approach, I recommend either outright rejecting any cookie containing ':', '=', '\r', or '\n' (and log an appropriate error) and redirect the user to any appropriate error page. Alternately, if you detect anything in the block list, you could simply ignore those values by just silently stripping them out (although you many want to log them).
Related
While checking my veracode issue, i found this CWE 259 Use of Hard-coded Password in one of my class file. while checking that file, the 1st line of the file is responsible to this vulnerability, which is my package name. Can any one tell me why this is occurring or is this some flaw with veracode scan logic.
Inside this class file they are some place where word "password" is printed. as a precaution i tried by commenting those lines and scan it again. but the issue was thrown on the same line.
package com.name.ta.etc.cse;
The page for CWE 259 at MITRE specifies exactly what the vulnerability means and provides example of it, as well as suggest ideas in order to correct or mitigate the vulnerability in your application.
Code inspection tools like Veracode or SonarQube can also flag false positives (they detect the vulnerability, but it isn't there). I had a case with Sonar flagging this issue where I had a static final variable (ie: a constant) with the word PASSWORD in its name and Sonar thought it was the actual password, when in reality it was the key to find the password from the properties.
From your description, it might be the case here (extreme conditional, as you don't provide near enough code to judge). If you can refactor your code by changing the word password to any other, without changing the underlying logic, nor breaking incoming or outgoing authentication, then that's most likely the case here.
There is no flaw in veracode. Its scanning correctly. if it will find any keyword like "pass" or "paswd" or "password" it will raise it as "Flaw" so you have to mandatory remove/replace these kind for keyword to resolve it.
Remove/Replace the keyword scan your application again and check.
There is no real security concern until you are not storing password as plain text.
Using owasp.esapi for to filter incoming request parameters and headers, I'm stumbling on an issue where apparently the Referer header contains a value that is considered as using "multiple encoding".
An example:
http://123.abc.xx/xyz/input.xhtml?server=http%3A%2F%2F123.abc.xx%3A7016%2Fxyz&o=1&language=en&t=a074faf3
To me though, that URL seems to be correctly encoded, and decoding it results in a perfectly readable and correct url.
So, can anyone explain the issue here, and how to handle this?
ESAPI reports the error when running this method on the header value:
value = ESAPI.encoder().canonicalize(value);
Output:
SEVERE: [SECURITY FAILURE] INTRUSION - Mixed encoding (2x) detected
As a matter of fact yes. I fixed this bug in the upcoming release of ESAPI but it will require an API change, perhaps one that might have a bug based on your data here.
In short, prior to my fix, ESAPI just did a Regex against the URI. The problem and slew of bug reports on this, is that URI’s are not a regular language. They are a language themselves. So what would happen is that the URI in question would have parameters that contained HTML entities, only, some random data variants would align to known HTML entities such as ¶m=foo which would be interpreted as the entity ¶ which is paragraph. There were also some issues in regards to ASCII vs Unicode (non bmp encodings.).
At any rate there will be a new method to use in the release candidate for our next library, Encoder.getCanonicalizedURI();
This will be safe to regex against as it will be broken down and checked for mixed/multiple encoding. The method you’re currently using is now deprecated.
My project (built on JSP,Struts,hibernate) takes an input from user and saves it in the database. To make my application secure I have used ESAPI jar.
I am getting exception
org.owasp.esapi.errors.IntrusionException: Input validation failure
at the method ESAPI.encoder().canonicalize();
This exception is generally coming when we are copying and pasting data from skype,MS word etc.
When I copy paste the string from skype messenger it automatically adds extra styling data with div,meta,p,etc (all the HTML tags) which leads to addition of many special characters which might be causing the exception mentioned above.
But when I copy the string from notepad it doesn't give an exception.
How can I ignore this exception so that I can add the data ? is there something to be modified in ESAPI.properties or validation.properties? what are your views?
I think your weird issue has to do with additional encoding when you paste something from (say) MS Word versus from something simple like notepad. When you are in Word, it picks up some additional meta-data and the default 'paste' from 'MS Word' is really 'paste special'. This is done so that you can copy text from one Office application to another (e.g., Word to Outlook) and "retain formatting". I think it is all this additional meta-data that you are getting that is messing you up, because it probably looks to ESAPI like it is multi-encoded or it thinks that mixed-encoding is used.
That said,if you want to do validation, you really ought to be using one of the Validator.isValidInput() or Validator.getValidInput() methods. This call Encoder.canonicalize() by default (unless you use the latest ESAPI from the 'develop' branch, where you can actually disable the canonicalization--a recent bug fix).
-kevin
I have generated a Fortify report for my application. In a Fortify report it is showing Log forging issues in the below code:
holDate = ((MaintainHolidayCalenderForm) form).getCALENDER_DATE();
logger.info("This is some description" + holDate + holName );
and as per some people's suggestions I have replaced the "/n" with "" and "/r" with "" but still the issue is not resolved.
Can any one tell me how to resolve this?
Thanks in advance.
A blacklist fix, e.g. stripping out the log clearing characters (/n /r), still leaves an opportunity for an attacker to do malicious things with your application. If the holDate and holName are submitted from the browser they are UTF-8 strings, which can be very long and have any characters in the rather large UTF-8 unicode character set. If the log is usually viewed with an HTML viewer (common) an example attack might go like this: the attacker could forge a record that shows that they logged out, do their bad stuff, then write a log message that overwrites that activity using any of the unicode characters that cause backspaces or dels back to the 'friendly attacker logged out - nothing to see here' message. (Note: you should never try to predict how an attacker might affect bad things so don't try to blacklist all of the ways to get backspace characters in unicode.)
Rather than blacklisting, you should ensure that the data you're writing to the log is the type you expect, also known as whitelist validation, and of a reasonable length.
So the fix (in the code that you posted):
1. Make sure holDate is a Date object (java.util.Date) if it isn't already.
2. HolName is probably an alphanumeric string of a relatively small length. Choose a small length (like 30 characters) and make sure that only alphanumeric characters are accepted in the holName.
You can use a regex String.matches("^[a-zA-Z0-9]*$") after checking length to ensure that you're only accepting alphanumeric characters.
You should probably do this whitelist input validation in the setters for the form pojos.
I am fixing code against the code audit report. It says "PREVENT EXPOSURE OF SENSITIVE DATA" against the line having the syntax response.getWriter().write(xml.toString()). The whole code is below.
String alertId = request.getParameter("alertId") != null ? request.getParameter("alertId") : "";
String desc=AAAA.getBBBB(Long.parseLong(AAAA.getCCCC(alertId)));
StringBuffer xml = new StringBuffer();
xml.append("<?xml version=\"1.0\"?>");
xml.append("<parent>");
xml.append("<child>");
xml.append("<alertDesc>");
xml.append(desc);
xml.append("</alertDesc>");
xml.append("</child>");
xml.append("</parent>");
response.getWriter().write(xml.toString()); // ISSUE IN THIS LINE
response.setContentType("text/xml");
response.setHeader("Cache-Control", "no-cache");
I have done sufficient home work and can fix it for the XSS attack and used ESAPI for the same. But dont know how to fix this one. Please give suggestions
The report has the below message against the reported issue.
"Leakage of toString() result ("xml") via web page"
after the day long r&d i found that the sax parser can help me in this case. it is actually a memory leakage at the StringBuffer.toString() syntax, due to which sensitive data is getting exposed and lost. but i dont know how to implement that. also at some place i found the use of StringBuilder() class instead of StringBuffer() class. Can anybody help me or give their valuable suggestions.
Thanks in advance.
Also I have the same issue for another type of the code. it is below.
StringBuffer content = (StringBuffer)file.get("content");
response.setContentLength((int)content.length());
response.getWriter().write(content.toString());
Again i dont know how to fix this one. THE issue is same leakage of sensitive data been reported by the tool.
As I have told in my comment, I do not thing that the comment has something to do with the code itself but with the exposure of sensitive data. I have read the PCI-DSS document and I don't remember it says anything about how something it should be coded (regardless good practices). You can take a look to all PCI documentation available by yourself. It is a hard task, a better approach would be to try to find out what the consultant meant.
It is really difficult to fix something when you don't know where the problem is.
The content.toString() needs to be properly validated. use ESAPI to validate it strictly. writing directly to response is really vulnerable and if if the data is output from a method having request as input then its twice vulnerable. major security issue.