Adding additional security to the site

I am running a Java Spring MVC web application. It is also based on the Hybris platform.

Now the basic functions in terms of authentication and authorization are already implemented. This means that we have filters for sessions, a working user system, etc.

However, we currently do not have security measures for things like XSS and other types of possible attacks that are. XSS is probably the biggest problem as it is the most common attack method.

Now, I wonder ... what steps would be reasonable? I looked around and I saw that things like XSS-Filter exist. Implementing this would be quite simple: just copy the source code and register it in Tomcat's web.xml.

But I wonder whether such a filter is enough protection?

There are even more overblown solutions; for example, I could use Spring Security. However, reading the documentation, I feel that it is very bloated, and most of it implements what has already been implemented (for example, two A). I feel that configuring it to what I actually need will take a lot of work. Am I wrong?

and

How would you say it is recommended to solve security problems such as XSS? Do you use a specific predefined structure that meets your needs, or is your security “made by hand” along these lines: cheat sheet?

+6
3
  • Anti-XSS (: Spring Interceptor)

    Content-Security-Policy: default-src 'self'   --only allow content from your own site
    
    X-XSS-Protection: 1; mode=block   --prevent some reflective attacks in some browsers
    
    X-Content-Type-Options: nosniff   --can't trick browser into detecting and running js in other content types
    
  • HTML/JS/CSS

    Hibernate Validator ( Hibernate ORM ) @SafeHtml .

    , post Interceptor XSS.

  • OWASP Java Encoder <e:forHtml value="${attr}" />, JSTL <c:out value="${attr}"/> web.xml

    <context-param>
        <param-name>defaultHtmlEscape</param-name>
        <param-value>true</param-value>
    </context-param>
    

    , HTML node , OWASP HTML <script> .

    , http://pukkaone.imtqy.com/2011/01/03/jsp-cross-site-scripting-elresolver.html

  • cookie cookie JavaScript. web.xml:

    <session-config>
        <cookie-config>
            <!-- browser will disallow JavaScript access to session cookie -->
            <http-only>true</http-only>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
    
  • , ( ) , ​​ cookie (, , httpOnly)

+6
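The "Spring Interceptor" approach from the answer above, written out as an added example (it is not code from the answer, from Spring or from Hybris). It assumes Spring MVC with XML configuration and `HandlerInterceptorAdapter` available (Spring 3.x/4.x); the class and package names are my own:

```java
package com.example.web; // assumed package name

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * Adds the three defensive response headers listed in the answer to every
 * response handled by Spring MVC. They are set in preHandle so they are
 * present even when a controller writes the body itself.
 *
 * Registration in the Spring MVC servlet context (XML):
 *   <mvc:interceptors>
 *     <bean class="com.example.web.SecurityHeadersInterceptor"/>
 *   </mvc:interceptors>
 */
public class SecurityHeadersInterceptor extends HandlerInterceptorAdapter {

    // Only allow scripts, styles, images etc. from our own origin.
    // Inline <script> blocks in existing JSPs are blocked by this policy,
    // so roll it out as Content-Security-Policy-Report-Only first to find them.
    private String contentSecurityPolicy = "default-src 'self'";

    public void setContentSecurityPolicy(final String policy) {
        this.contentSecurityPolicy = policy;
    }

    @Override
    public boolean preHandle(final HttpServletRequest request,
                             final HttpServletResponse response,
                             final Object handler) {
        setIfAbsent(response, "Content-Security-Policy", contentSecurityPolicy);
        // Legacy reflected-XSS filter in older browsers; block rather than "repair" the page.
        setIfAbsent(response, "X-XSS-Protection", "1; mode=block");
        // Stop browsers from sniffing a non-script response into executable JS.
        setIfAbsent(response, "X-Content-Type-Options", "nosniff");
        return true; // continue to the controller
    }

    // Do not overwrite a header a controller set deliberately (e.g. a stricter CSP).
    private static void setIfAbsent(final HttpServletResponse response,
                                    final String name, final String value) {
        if (!response.containsHeader(name)) {
            response.setHeader(name, value);
        }
    }
}
```

Check the result with the browser's network tab or `curl -I` on a page: all three headers should appear on every Spring MVC response, including error pages.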

, , , :

, - . , -.

, , XSS- 60k , , , .

, .

: , - , (, JS, HTML, ...), , , , /.

, , , - , . , JS JSP , , , , .

0

, Hybris, :

hybris.

XML

XML.

Sax :

  • XML. XML, , " ".
  • .
  • DTD
  • , DOCTYPE

JSON

OWASP lib json-sanitizer. . https://www.owasp.org/index.php/OWASP_JSON_Sanitizer.

:

import java.io.IOException;
import com.fasterxml.jackson.databind.JsonNode;   // Jackson 2 packages assumed
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.json.JsonSanitizer;              // OWASP json-sanitizer

// Sanitize untrusted JSON, then re-parse it to confirm it is well formed.
// LOG is the class's logger (not shown on the page).
public String sanitizeJson(final String jsonData) {
    String wellFormedJson = JsonSanitizer.sanitize(jsonData);
    try
    {
        return new ObjectMapper().readValue(wellFormedJson, JsonNode.class).toString();
    }
    catch (final IOException ex)
    {
        LOG.error("Incorrect json data : " + wellFormedJson, ex);
    }
    return null; // assumed: callers treat null as rejected input
}

, , , .

- BaseController. logParam, - .

YSanitizer.sanitize(input).

import org.apache.commons.lang.StringEscapeUtils; // commons-lang 2.x (escapeHtml4 in 3.x)
import org.apache.commons.lang.StringUtils;

public class YSanitizer
{
    // Normalises a request parameter before it is logged or echoed into HTML
    public static String sanitize(final String input) {
        // null-safe: a missing parameter becomes ""
        String output = StringUtils.defaultString(input).trim();
        // collapse line breaks so one value cannot forge extra log lines
        output = output.replaceAll("(\\r\\n|\\r|\\n)+", " ");
        // escape <, >, &, " for safe use in an HTML text node
        output = StringEscapeUtils.escapeHtml(output);
        return output;
    }
}

StringEscapeUtils.escapeJava(valToLog) .

, String.

, .

, char[].

"0" ( ).

100%, .

(XSS)

, de.hybris.platform.servicelayer.web.XSSFilter .

( Go-Live)

  • ,
    • CMS
    • CS
    • HMC
  • MD5 SHA256
  • MD5 SHA256
  • local.properties.
  • Ensure that the user account and checkout pages are only accessible through a secure SSL connection.
  • Verify that the web application firewall is installed
  • Perform a code check to ensure that no sensitive data, such as credit card information or passwords, is logged
  • Verify that the hybris application server is not running as root
  • Secure JMX connections
0