ADVISOR TIPS

Beware JSP Session Cookie Vulnerability

Do you use JavaServer Pages on pages that involve private customer data? Hackers could access that data, and it would be your fault!

Netcraft, which provides a range of services in the areas of Internet publishing and security, warns of a vulnerability in e-commerce Web sites built with JavaServer Pages (JSPs). The problem involves session IDs and a possible exposure of private data.

The company originally reported the problem in late 2000, but in a recent survey of Internet sites, it noticed that many companies have not acted on the warning.

Netcraft recently reviewed a number of transactional sites, and many (more than a thousand, according to Netcraft) had not addressed the known problem with JSPs. A lot of these sites provide core banking, retail, ticketing, and e-commerce services, and handle large sums of money, says Netcraft.

Here's the problem. There's a vulnerability in the session IDs generated by various Java application servers based on the Java Servlet Development Kit (JSDK 2.0) -- such as Java Web Server (1.1+), IBM WebSphere, and ATG Dynamo e-Business Platform. With these systems, a user connecting to the site is issued a unique session ID that identifies subsequent requests made by that user, either encoded in the URLs or as a cookie. The server can then store data for each user session. Session IDs can also control access to sites that require a login: Instead of the user sending a name and password for every request, the site issues a session ID after the user logs on, which identifies the user for the rest of the session.

The danger is that an attacker who guesses another user's session ID can hijack that session and perform transactions as if he were that user. If he succeeds, the hijacker can view any page, take any action, and post to any form the real user could.

Netcraft says a number of transactional sites, including some high-profile ones, are still using predictable session IDs. If you're still using them, the company advises you to read the original November 2000 report on the Netcraft Web site.

In that advisory, the company recommends including random input in your session IDs if you're going to use them as the sole means of session tracking and management. In addition, any meaningful data placed in session IDs should be one-way encrypted (hashed), so the ID cannot be reversed to recover it.
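As an added example (not from the article or from Netcraft), the Python below contrasts a constructed weak generator of the kind the advisory describes with an ID built from OS random input plus a one-way hash, and includes a check a site operator can run over a sample of their own server's IDs to see how many bits actually vary. The weak generator's layout is an illustrative assumption, not the JSDK 2.0 algorithm; the check assumes hex-encoded IDs.

```python
import hashlib
import secrets
import time
from typing import Dict, List


class WeakSessionIds:
    """Constructed illustration of the weak pattern: a server start time plus
    a counter. It is NOT the JSDK 2.0 algorithm, only the same failure mode:
    once one ID is known, the neighbouring IDs are a small search away."""

    def __init__(self, start: int = 1000) -> None:
        self._epoch = int(time.time())  # fixed for the life of the server
        self._counter = start

    def new_id(self) -> str:
        self._counter += 1
        return f"{self._epoch:08x}{self._counter:08x}"


def secure_session_id(user_id: str, nbytes: int = 16) -> str:
    """The advisory's recommendation: random input from the OS CSPRNG, and any
    meaningful data (here a user ID) present only through a one-way hash."""
    random_part = secrets.token_bytes(nbytes)
    return hashlib.sha256(random_part + user_id.encode("utf-8")).hexdigest()


def analyze_session_ids(ids: List[str], min_fraction: float = 0.5) -> Dict[str, object]:
    """Defender's check over a sample of IDs (assumed hex-encoded): OR together
    the XOR of every ID against the first and count the bit positions that
    ever change. Predictable schemes vary only a handful of low bits; IDs with
    proper random input vary nearly every bit. Fixed-stride sequences are
    flagged as well, since a plain counter is the worst case."""
    if len(ids) < 2:
        raise ValueError("need at least two IDs to compare")
    values = [int(s, 16) for s in ids]
    width_bits = max(len(s) for s in ids) * 4
    mask = 0
    for v in values[1:]:
        mask |= v ^ values[0]
    varying = bin(mask).count("1")
    gaps = {b - a for a, b in zip(values, values[1:])}
    sequential = len(gaps) == 1
    return {
        "width_bits": width_bits,
        "varying_bits": varying,
        "sequential": sequential,
        "predictable": sequential or varying < min_fraction * width_bits,
    }


if __name__ == "__main__":
    weak = WeakSessionIds()
    print(analyze_session_ids([weak.new_id() for _ in range(32)]))
    print(analyze_session_ids([secure_session_id("alice") for _ in range(32)]))
```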


http://www.netcraft.com


    ARTICLE INFO

    Web Edition: 2001.12.05, Doc #09110

    Keyword Tags: ATG, ATG Dynamo e-Business Platform, Authentication, Development, E-Business, IBM, IBM Lotus, IBM WebSphere, IBM WebSphere Application Server, Java, JSP - Java Server Pages, Netcraft, Security, Software Development, Web Deployment, Web Design, Web Development

    Portions copyright ©1983-2010 Advisor Media, LLC. All Rights Reserved.