Broken Authentication
Because authentication is validated incorrectly, an attacker can reach areas they should not be able to access. A typical cause is authentication that is validated on the client, or validated on the server using data supplied by the client.
Attack risk
Unauthorized information theft.
Possible unauthorized modification or deletion of data.
Execution of unauthorized actions.
Possible impersonation of the administrator role.
Vulnerable code 1:
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
[...]
    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String url = request.getServletPath();
        boolean isSessionValid = true;
        boolean allowedRequest = false;
        // false: never create a session for an unauthenticated caller
        HttpSession session = request.getSession(false);

        // urlList holds the public paths that need no authentication
        if (urlList.contains(url)) {
            allowedRequest = true;
        }

        if (!allowedRequest) {
            if (null == session) {
                isSessionValid = false;
                redirectToInvalidErrorPage(request, response, url);
                return;
            }
            if (isSessionValid) {
                try {
                    if (session.getAttribute("isValidUser") == null) {
                        isSessionValid = false;
                    }
                } catch (NullPointerException ne) {
                    isSessionValid = false;
                }
            }
            if (!isSessionValid) {
                redirectToInvalidErrorPage(request, response, url);
                return;
            } else {
                UserInfo user = (UserInfo) session.getAttribute("user");
                // the weak check: any path containing "admin" is let through as soon as
                // some user object exists in the session; the user's role is never examined
                if (url.contains("admin") && user == null) {
                    redirectToInvalidErrorPage(request, response, url);
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }
[...]
Solution:
Authentication and authorization must be validated on the server side: the filter has to check the role held in the server-side session against the protected path, not merely whether some user object is present.
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
[...]
    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String url = request.getServletPath();
        boolean isSessionValid = true;
        boolean allowedRequest = false;
        // false: never create a session for an unauthenticated caller
        HttpSession session = request.getSession(false);

        // urlList holds the public paths that need no authentication
        if (urlList.contains(url)) {
            allowedRequest = true;
        }

        if (!allowedRequest) {
            if (null == session) {
                isSessionValid = false;
                redirectToInvalidErrorPage(request, response, url);
                return;
            }
            if (isSessionValid) {
                try {
                    if (session.getAttribute("isValidUser") == null) {
                        isSessionValid = false;
                    }
                } catch (NullPointerException ne) {
                    isSessionValid = false;
                }
            }
            if (!isSessionValid) {
                redirectToInvalidErrorPage(request, response, url);
                return;
            } else {
                UserInfo user = (UserInfo) session.getAttribute("user");
                // solution: server-side check of the protected path prefix against the
                // role stored in the session; a missing user object is rejected instead
                // of being dereferenced
                if (user == null || !validateForSecureURL(url, "/admin", user.getRole_id())) {
                    redirectToInvalidErrorPage(request, response, url);
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }
[...]
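The page calls validateForSecureURL but never shows it. The following is an added example, not the page's own code, of one way to implement that check next to the weak test from the vulnerable filter; the role ids and the class name are assumptions made for the example.

```java
import java.net.URI;

// Added example: a server-side implementation of the
// validateForSecureURL(url, securePrefix, roleId) check used by the fixed filter.
// ROLE_USER / ROLE_ADMIN are constructed for this example; the page defines no role ids.
public class SecureUrlCheck {
    static final int ROLE_USER = 1;
    static final int ROLE_ADMIN = 2;

    // The weak test from the vulnerable filter: substring match on "admin" plus a
    // presence-only test, so any logged-in user passes whatever their role.
    static boolean weakCheck(String url, Object user) {
        return !(url.contains("admin") && user == null);
    }

    // Returns true when the request may proceed. Fails closed: an unparsable path
    // or a role other than admin on a protected path is denied, never allowed.
    static boolean validateForSecureURL(String url, String securePrefix, int roleId) {
        String path;
        try {
            path = URI.create(url).normalize().getPath(); // resolves "." and ".." segments
        } catch (IllegalArgumentException e) {
            return false;
        }
        if (path == null) {
            return false;
        }
        // Prefix match on whole path segments: "/admin" and "/admin/..." are protected,
        // "/adminhelp" is not, unlike the substring test above.
        boolean isSecure = path.equals(securePrefix) || path.startsWith(securePrefix + "/");
        if (!isSecure) {
            return true; // not a protected path; the session check has already run
        }
        return roleId == ROLE_ADMIN; // protected path: the admin role is required
    }

    public static void main(String[] args) {
        Object someUser = new Object(); // constructed stand-in for a non-admin session user
        // Ordinary user requesting an admin path: the weak test lets it through,
        // the role-aware test does not.
        System.out.println("weak   /admin/users user : " + weakCheck("/admin/users", someUser));
        System.out.println("strict /admin/users user : " + validateForSecureURL("/admin/users", "/admin", ROLE_USER));
        System.out.println("strict /admin/users admin: " + validateForSecureURL("/admin/users", "/admin", ROLE_ADMIN));
        System.out.println("strict /adminhelp   user : " + validateForSecureURL("/adminhelp", "/admin", ROLE_USER));
    }
}
```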
References:
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html