From c04c7223e15db9e90dcb452be58cb36d30e0e412 Mon Sep 17 00:00:00 2001
From: k-tamura
Date: Mon, 29 May 2017 00:14:14 +0900
Subject: [PATCH] Add a servlet that allows session fixation attaks
---
 .../core/filters/AuthenticationFilter.java | 4 +++-
 .../core/servlets/AdminsMainServlet.java | 9 ++++++---
 .../SessionFixationServlet.java | 20 +++++++++++++++++++
 src/main/resources/indexpage_en.properties | 2 ++
 src/main/resources/indexpage_ja.properties | 2 ++
 src/main/resources/messages_en.properties | 2 ++
 src/main/resources/messages_ja.properties | 2 ++
 src/main/webapp/index.jsp | 5 +++++
 8 files changed, 42 insertions(+), 4 deletions(-)
 create mode 100644 src/main/java/org/t246osslab/easybuggy/vulnerabilities/SessionFixationServlet.java
diff --git a/src/main/java/org/t246osslab/easybuggy/core/filters/AuthenticationFilter.java b/src/main/java/org/t246osslab/easybuggy/core/filters/AuthenticationFilter.java
index 44aea57e..b2ee4eeb 100644
--- a/src/main/java/org/t246osslab/easybuggy/core/filters/AuthenticationFilter.java
+++ b/src/main/java/org/t246osslab/easybuggy/core/filters/AuthenticationFilter.java
@@ -63,7 +63,9 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
 session = request.getSession(true);
 session.setAttribute("target", target);
 if (loginType == null) {
- response.sendRedirect("/login" + queryString);
+ response.sendRedirect(response.encodeRedirectURL("/login" + queryString));
+ } else if ("sessionfixation".equals(loginType)) {
+ response.sendRedirect(response.encodeRedirectURL("/" + loginType + "/login" + queryString));
 } else {
 response.sendRedirect("/" + loginType + "/login" + queryString);
 }
diff --git a/src/main/java/org/t246osslab/easybuggy/core/servlets/AdminsMainServlet.java b/src/main/java/org/t246osslab/easybuggy/core/servlets/AdminsMainServlet.java
index d52f80ab..255db125 100644
--- a/src/main/java/org/t246osslab/easybuggy/core/servlets/AdminsMainServlet.java
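Review bot: The `loginType == null` branch now also wraps the plain `/login` redirect in `response.encodeRedirectURL(...)`, so session-ID URL rewriting is enabled for the default login flow as well, not only for the new `/sessionfixation/login` path the commit is about, while the remaining `else` branch for other login types stays unencoded, which makes the intent hard to read. If only the session-fixation page is meant to carry the session ID in the URL, keep `response.sendRedirect("/login" + queryString);` for the default branch and restrict `encodeRedirectURL` to the `"sessionfixation"` case. Either way a one-line comment such as `// URL rewriting is deliberately enabled here so the session fixation page can be demonstrated` would record why this redirect differs from the others. `doFilter` begins and continues outside this hunk, so whether the session is renewed later in the chain cannot be checked here.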
+++ b/src/main/java/org/t246osslab/easybuggy/core/servlets/AdminsMainServlet.java
@@ -21,11 +21,14 @@ protected void doGet(HttpServletRequest req, HttpServletResponse res) throws Ser
 StringBuilder bodyHtml = new StringBuilder();
 bodyHtml.append(MessageUtils.getMsg("msg.admin.page.top", locale));
 bodyHtml.append("

"); - bodyHtml.append("" + MessageUtils.getMsg("section.server.info", locale) + ""); + bodyHtml.append("" + + MessageUtils.getMsg("section.server.info", locale) + ""); bodyHtml.append("

"); - bodyHtml.append("" + MessageUtils.getMsg("section.change.password", locale) + ""); + bodyHtml.append("" + + MessageUtils.getMsg("section.change.password", locale) + ""); bodyHtml.append("

");
- bodyHtml.append("" + MessageUtils.getMsg("section.change.mail", locale) + "");
+ bodyHtml.append("" + + MessageUtils.getMsg("section.change.mail", locale) + "");
 HTTPResponseCreator.createSimpleResponse(req, res, MessageUtils.getMsg("title.admins.main.page", locale), bodyHtml.toString());
 }
diff --git a/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SessionFixationServlet.java b/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SessionFixationServlet.java
new file mode 100644
index 00000000..86f81529
--- /dev/null
+++ b/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SessionFixationServlet.java
@@ -0,0 +1,20 @@
+package org.t246osslab.easybuggy.vulnerabilities;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.t246osslab.easybuggy.core.servlets.DefaultLoginServlet;
+
+@SuppressWarnings("serial")
+@WebServlet(urlPatterns = { "/sessionfixation/login" })
+public class SessionFixationServlet extends DefaultLoginServlet {
+
+ public void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
+ req.setAttribute("login.page.note", "msg.note.session.fixation");
+ super.doGet(req, res);
+ }
+}
diff --git a/src/main/resources/indexpage_en.properties b/src/main/resources/indexpage_en.properties
index 4f6acc52..2774a939 100644
--- a/src/main/resources/indexpage_en.properties
+++ b/src/main/resources/indexpage_en.properties
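Review bot: `doGet` overrides `DefaultLoginServlet.doGet` without `@Override`, and the new class carries no comment saying why this login endpoint is intentionally vulnerable; add `@Override` to the method and a class Javadoc such as `/** Login page used to demonstrate session fixation: AuthenticationFilter enables URL rewriting of the session ID for this path. */`. Nothing in this servlet itself touches the session, so the vulnerable property appears to come from the URL rewriting in the filter plus whatever `DefaultLoginServlet` does on login, which is outside the diff; that dependency is worth writing down rather than leaving implicit. For contrast, a hardened variant of such a page would call `req.changeSessionId()` (Servlet 3.1) or invalidate and recreate the session once the credentials are accepted. The `login.page.note` attribute value `msg.note.session.fixation` looks like a resource key the parent renders; the key itself is added in the messages_en/messages_ja hunks below.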
@@ -85,6 +85,8 @@ function.name.open.redirect=Login page that allows Open Redirect
 function.description.open.redirect=There is an open redirect vulnerability in this login page.
 function.name.brute.force=Login page that allows brute-force attacks
 function.description.brute.force=This login page is vulnerable for brute-force attack because it does not have an account lock mechanism.
+function.name.session.fixation=Login page that allows session fixation attacks
+function.description.session.fixation=This login page is vulnerable for session fixation attack.
 function.name.verbose.error.message=Verbose Authentication Error Messages
 function.description.verbose.error.message=It is easy to guess an account who can logs in because authentication error messages on this page are too detailed.
 function.name.dangerous.file.inclusion=Dangerous File Inclusion
diff --git a/src/main/resources/indexpage_ja.properties b/src/main/resources/indexpage_ja.properties
index 7226e02b..71e56d67 100644
--- a/src/main/resources/indexpage_ja.properties
+++ b/src/main/resources/indexpage_ja.properties
@@ -85,6 +85,8 @@ function.name.open.redirect=\u30aa\u30fc\u30d7\u30f3\u30ea\u30c0\u30a4\u30ec\u30
 function.description.open.redirect=\u3053\u306e\u30ed\u30b0\u30a4\u30f3\u30da\u30fc\u30b8\u306b\u306f\u30aa\u30fc\u30d7\u30f3\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u306e\u8106\u5f31\u6027\u304c\u3042\u308a\u307e\u3059\u3002
 function.name.brute.force=\u30d6\u30eb\u30fc\u30c8\u30d5\u30a9\u30fc\u30b9\u653b\u6483\u53ef\u80fd\u306a\u30ed\u30b0\u30a4\u30f3\u753b\u9762
 function.description.brute.force=\u3053\u306e\u30ed\u30b0\u30a4\u30f3\u30da\u30fc\u30b8\u306b\u306f\u30a2\u30ab\u30a6\u30f3\u30c8\u30ed\u30c3\u30af\u304c\u7121\u3044\u305f\u3081\u3001\u30d6\u30eb\u30fc\u30c8\u30d5\u30a9\u30fc\u30b9\u653b\u6483\u306b\u5bfe\u3057\u3066\u306e\u8106\u5f31\u3067\u3059\u3002
+function.name.session.fixation=\u30bb\u30c3\u30b7\u30e7\u30f3\u56fa\u5b9a\u653b\u6483\u53ef\u80fd\u306a\u30ed\u30b0\u30a4\u30f3\u753b\u9762
+function.description.session.fixation=\u3053\u306e\u30ed\u30b0\u30a4\u30f3\u30da\u30fc\u30b8\u306b\u306f\u30bb\u30c3\u30b7\u30e7\u30f3\u56fa\u5b9a\u653b\u6483\u306e\u8106\u5f31\u6027\u304c\u3042\u308a\u307e\u3059\u3002
 function.name.verbose.error.message=\u89aa\u5207\u904e\u304e\u308b\u8a8d\u8a3c\u30a8\u30e9\u30fc\u30e1\u30c3\u30bb\u30fc\u30b8
 function.description.verbose.error.message=\u3053\u306e\u30ed\u30b0\u30a4\u30f3\u30da\u30fc\u30b8\u306e\u30a8\u30e9\u30fc\u30e1\u30c3\u30bb\u30fc\u30b8\u306f\u89aa\u5207\u904e\u304e\u308b\u305f\u3081\u3001ID\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u304c\u63a8\u6e2c\u3055\u308c\u308b\u53ef\u80fd\u6027\u304c\u9ad8\u3044\u3067\u3059\u3002
 function.name.dangerous.file.inclusion=\u5371\u967a\u306a\u30d5\u30a1\u30a4\u30eb\u30a4\u30f3\u30af\u30eb\u30fc\u30c9
diff --git a/src/main/resources/messages_en.properties b/src/main/resources/messages_en.properties
index fc478883..6b79a1a5 100644
--- a/src/main/resources/messages_en.properties
+++ b/src/main/resources/messages_en.properties
@@ -125,6 +125,8 @@ msg.note.enter.decimal.value=Loss of trailing digits occurs if you enter 0.00000
 msg.note.enter.runtime.exec=If you enter @Runtime@getRuntime().exec('rm -fr /your-important-dir/') , then your important directory is removed on your server.
 msg.note.not.use.ext.db=Database connection leak occurs if using an external RDBMS such as MySQL. Please edit application.properties if using an external RDBMS.
 msg.note.positive.number=Integer overflow occurs if you enter a number greater than or equal to 63.
+msg.note.session.fixation=You can login with admin and password. \
+The URL rewriting feature works on this page in order to support clients that cannot use cookie, so the session fixation attack is possible.
 msg.note.slow.regular.expression=If you enter string to aaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u3042, parse processing will take several tens of seconds
\      If you enter string to aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u3042, then ...
 msg.note.slow.string.plus.operation=If you enter a large number then the processing will take several tens of seconds because the string is created by "+" (plus) operator.
diff --git a/src/main/resources/messages_ja.properties b/src/main/resources/messages_ja.properties
index fb1f800c..609c232a 100644
--- a/src/main/resources/messages_ja.properties
+++ b/src/main/resources/messages_ja.properties
@@ -134,6 +134,8 @@ msg.note.ldap.injection=admin \u3068 password\u3092\u5
 msg.note.mail.header.injection=\u30d6\u30e9\u30a6\u30b6\u306e\u958b\u767a\u8005\u30e2\u30fc\u30c9\u3067\u4ef6\u540d\u306einput\u30bf\u30b0\u306etype\u5c5e\u6027\u3092textarea\u306b\u5909\u66f4\u3057\u3001\u300c[\u4efb\u610f\u4ef6\u540d][\u6539\u884c]Bcc: [\u4efb\u610f\u30e1\u30fc\u30eb\u30a2\u30c9\u30ec\u30b9]\u300d\u3092\u5165\u529b\u3057\u3066\u9001\u4fe1\u3059\u308b\u3068\u3001[\u4efb\u610f\u30e1\u30fc\u30eb\u30a2\u30c9\u30ec\u30b9]\u306b\u30e1\u30fc\u30eb\u3092\u9001\u4fe1\u3067\u304d\u307e\u3059\u3002
 msg.note.mojibake=\u6587\u5b57\u5217\u306b\u65e5\u672c\u8a9e\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u6587\u5b57\u5316\u3051\u304c\u767a\u751f\u3057\u307e\u3059\u3002
 msg.note.null.byte.injection=\u30d0\u30fc\u30b8\u30e7\u30f31.7.0_40\u3088\u308a\u524d\u306eJava\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u5834\u5408\u3001\u30af\u30a8\u30ea\u30b9\u30c8\u30ea\u30f3\u30b0\u306b fileName=../WEB-INF/web.xml%00 \u3092\u4ed8\u52a0\u3059\u308b\u3068\u3001web.xml\u306e\u5185\u5bb9\u3092\u542b\u3080\u30d5\u30a1\u30a4\u30eb\u304c\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3067\u304d\u307e\u3059\u3002
+msg.note.session.fixation=admin \u3068 password\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u30ed\u30b0\u30a4\u30f3\u3067\u304d\u307e\u3059\u3002\
+\u3053\u306e\u30da\u30fc\u30b8\u3067\u306fCookie\u3092\u6271\u3048\u306a\u3044\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u3092\u30b5\u30dd\u30fc\u30c8\u3059\u308b\u76ee\u7684\u3067URL\u30ea\u30e9\u30a4\u30c8\u304c\u6a5f\u80fd\u3057\u307e\u3059\u3002\u305d\u308c\u306b\u3088\u308a\u3001\u30bb\u30c3\u30b7\u30e7\u30f3\u56fa\u5b9a\u653b\u6483\u304c\u53ef\u80fd\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002
 msg.note.slow.regular.expression=\u6587\u5b57\u5217\u306b aaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u3042 \u3092\u5165\u529b\u3059\u308b\u3068\u3001\u69cb\u6587\u89e3\u6790\u306b\u6570\u5341\u79d2\u304b\u308a\u307e\u3059\u3002
\      \u6587\u5b57\u5217\u306b aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u3042 \u3092\u5165\u529b\u3059\u308b\u3068...
 msg.note.slow.string.plus.operation=+(\u30d7\u30e9\u30b9)\u6f14\u7b97\u5b50\u3067\u6587\u5b57\u5217\u3092\u9023\u7d50\u3057\u3066\u3044\u308b\u305f\u3081\u3001\u5927\u304d\u306a\u6587\u5b57\u6570\u3092\u5165\u529b\u3059\u308b\u3068\u3001\u6587\u5b57\u5217\u751f\u6210\u306b\u6570\u5341\u79d2\u304b\u308a\u307e\u3059\u3002
diff --git a/src/main/webapp/index.jsp b/src/main/webapp/index.jsp
index cf9b6b34..0229a81b 100644
--- a/src/main/webapp/index.jsp
+++ b/src/main/webapp/index.jsp
@@ -183,6 +183,11 @@ key="function.name.brute.force" />:

+
  • + >: + +

  • :