SecurityImplementation HTML Injection

Uploaded by Pavan Kumar

HTML Injection

Implementation in SmartSuite

Pavan Kumar M
Manager - Operations

HTML Injection - Issues

• Login – POST Method
• Generic messages on authentication failures
• Single user session
• Forcing HTTPS in the application
• CAPTCHA in the login module
• Session hijacking – protocol and IP verification
• JSON object containing active user details in JSP
• User data and hidden field sanitization
• Exception handling – display generic messages instead of verbose output (stack traces)
• Server configuration in weblogic.xml to secure the session cookie
• Browser compatibility

Login – POST Method

• Normal user login should always use the POST method. When the GET method is used, the user's
password is appended to the URL and is visible in the address bar.
• Submissions to the database should also use POST, to avoid the password being appended to the URL.

Generic messages on Authentication failures

• When an authentication failure occurs, do not return a scenario-specific message. A specific message
lets an attacker infer the application's behaviour and plan an attack strategy.
• Give the user a generic message for all authentication failures.
• Since we manage all messages through the DB, we can provide a common message for all
authentication failures.

Single User Session

• All our applications provide multiple concurrent user sessions.
• From a security perspective, it is advised to support only a single session at a time.
• From a usability perspective, multiple sessions allow the user to concentrate on the primary window
(the user's primary activity) and use ancillary windows to view/perform associated activities.
• Controlled through a system parameter. When set to ‘Y’, multiple user sessions are allowed. When set
to ‘N’, the application does not allow multiple sessions (only a single session is allowed).
• When a user logs into the application, all of the user's previous active sessions are logged out in the
SA_APPLICATION_LOG table for that user and application type (PMD/LDP).
• The user is allowed to access the application from the latest window only. On access from a previous
window, the application invalidates the session by verifying it against the SA_APPLICATION_LOG
table, and the user is shown the security banner.

Forcing HTTPS in application

• The application provides the following options for handling the HTTP/HTTPS protocol:
• Remain on HTTP or HTTPS
• Switch to HTTPS on authentication (and switch back to HTTP for application updates to the
server). This avoids encrypting data on normal submits, and hence improves performance, since
HTTPS requires encryption/decryption of data between browser and server (at both ends).
• The application does not force HTTPS. However, most HTML hacking (injection) is due to not
using HTTPS communication.
• The majority of HTML injection problems are mitigated when the application protocol is HTTPS.
• New web.xml parameter to force HTTPS.

Forcing HTTPS in application

• When set to ‘Y’, the application verifies the browser protocol by reading the request headers.
• When a proxy is used to access the clustered application, the proxy writes the protocol information in
the Protocol attribute or the x-proto attribute.
• When no proxy is involved, the protocol information is read from the application's hidden parameter,
protocol.
• When set to ‘Y’ and the incoming application request is over HTTP, the application shows the security
banner and invalidates the user session.
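One way to implement the checks on this slide as a servlet filter, added here as an example and not code from SmartSuite itself. The web.xml init-param names (forceHttps, protoHeader, securityBanner), the header name "x-proto" and the banner path are assumptions; only the hidden field name "protocol" comes from the slide.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: rejects plain-HTTP requests when the forceHttps flag (assumed name) is 'Y'. */
public class ForceHttpsFilter implements Filter {
    private boolean forceHttps;
    private String protoHeader;   // header the proxy writes the scheme into, e.g. "x-proto" (assumed)
    private String bannerPage;    // security banner page shown after the session is invalidated

    @Override
    public void init(FilterConfig cfg) {
        forceHttps = "Y".equalsIgnoreCase(cfg.getInitParameter("forceHttps"));   // assumed param name
        protoHeader = cfg.getInitParameter("protoHeader");                          // assumed param name
        bannerPage = cfg.getInitParameter("securityBanner");                        // e.g. "/securityBanner.jsp"
    }

    /** Scheme the browser used: proxy header first, then the hidden "protocol" field, then the container. */
    static String resolveScheme(HttpServletRequest req, String protoHeader) {
        String viaProxy = protoHeader == null ? null : req.getHeader(protoHeader);
        if (viaProxy != null && !viaProxy.trim().isEmpty()) {
            return viaProxy.trim().toLowerCase();
        }
        String hidden = req.getParameter("protocol");   // hidden form field named on the slide
        if (hidden != null && !hidden.trim().isEmpty()) {
            return hidden.trim().toLowerCase();
        }
        return req.isSecure() ? "https" : "http";        // what the container itself saw
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (forceHttps && !"https".equals(resolveScheme(req, protoHeader))) {
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.invalidate();                    // drop the session that arrived over HTTP
            }
            resp.sendRedirect(req.getContextPath() + bannerPage);
            return;                                      // never let the request through on HTTP
        }
        chain.doFilter(request, response);
    }

    @Override public void destroy() { }
}
```

Both the proxy header and the hidden field are client-supplied values, so trust the header only when the proxy strips any copy arriving from the outside, and prefer req.isSecure() whenever no proxy sits in front of the application.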

Thank You
