Posted to dev@struts.apache.org by Matthias Kerkhoff <ma...@BESToffers.de> on 2000/12/16 20:52:18 UTC

Re[2]: Struts and Web Application Safety

How about the following (in pseudo code)

- create a custom tag, say <protect>, that, whenever it is invoked
  does the following...
  a) outputs to the html page a
     <input type="hidden"
            name="[a meaningful name]"
            value="<%= MD5(sessionid + timeout + counter++) %>">
            
  b) adds the value timestamp to a map-valued session attribute
     with MD5(sessionid + timeout + counter++) as the key.
     (There may be multiple forms on one page and multiple pages
      in one browser).

-  modify the ActionServlet class so that whenever the parameter
   [a meaningful name] is present in a request, the following
   happens...

   a) search for the value of [a meaningful name] in the session
      attribute. If and only if it is present do b). Else do d)

   b) Remove the value from the session table (to prevent replay
      attacks and multiple form submissions). Goto c)

   c) check if the current time is earlier than the value of the
      just removed key (i.e. earlier than the timeout). If it is
      goto d) else continue with the real action.

   d) Do appropriate error handling, log the request or something
      similar, but _don't_ continue with the action. Probably a
      new action attribute should be introduced. The action servlet
      could then forward the problematic request for further processing
      to this url.

Matthias
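The one-time, expiring form token sketched in the message above, as an added example that is not part of the original post and not Struts code. FormTokenRegistry is a hypothetical class standing in for the map-valued session attribute (a real ActionServlet would fetch it from the HttpSession); "form.token" is an assumed name for the hidden parameter; the clock values in main() are constructed. One technique is swapped in: the token is drawn from SecureRandom rather than MD5(sessionid + timeout + counter), so a client who knows its own session id still cannot predict the next token. Removal happens before the timeout check, so a replayed or double-submitted token is rejected as unknown the second time regardless of its age, and a token whose deadline has passed is rejected as expired.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

/*
 * Added example (not Struts code): one-time, expiring form tokens kept per
 * session. FormTokenRegistry is a hypothetical name; in an ActionServlet it
 * would live in the HttpSession under a fixed attribute name.
 */
public class FormTokenRegistry {
    private static final SecureRandom RNG = new SecureRandom();

    /** token -> absolute expiry time (epoch millis) */
    private final Map<String, Long> pending = new HashMap<>();
    private final long ttlMillis;

    public FormTokenRegistry(long ttlMillis) {
        this.ttlMillis = ttlMillis;
    }

    /** What the <protect> tag would do: mint a random token and record its deadline. */
    public synchronized String issue(long now) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);                      // unpredictable, unlike MD5 of known inputs
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(token, now + ttlMillis);
        return token;
    }

    /** The hidden field the tag would write into the page; "form.token" is an assumed name. */
    public static String hiddenField(String token) {
        return "<input type=\"hidden\" name=\"form.token\" value=\"" + token + "\">";
    }

    public enum Outcome { OK, UNKNOWN, EXPIRED }

    /**
     * What the ActionServlet would do when the parameter is present.
     * The entry is removed before it is checked, so a replayed or
     * double-submitted token is UNKNOWN the second time, whatever its age.
     */
    public synchronized Outcome consume(String token, long now) {
        if (token == null) return Outcome.UNKNOWN;
        Long expiry = pending.remove(token);
        if (expiry == null) return Outcome.UNKNOWN;   // never issued, or already used
        if (now > expiry) return Outcome.EXPIRED;     // deadline passed: reject
        return Outcome.OK;
    }

    /**
     * Drop entries whose deadline has passed. Forms the user renders but never
     * submits would otherwise accumulate in the session until it is invalidated.
     */
    public synchronized int purgeExpired(long now) {
        int dropped = 0;
        for (Iterator<Long> it = pending.values().iterator(); it.hasNext();) {
            if (it.next() < now) {
                it.remove();
                dropped++;
            }
        }
        return dropped;
    }

    public synchronized int pendingCount() {
        return pending.size();
    }

    public static void main(String[] args) {
        FormTokenRegistry reg = new FormTokenRegistry(5 * 60 * 1000L); // 5-minute timeout
        long t0 = 1_000_000L;                                          // constructed clock value

        String a = reg.issue(t0);   // two forms on one page get two independent tokens
        String b = reg.issue(t0);
        System.out.println(hiddenField(a));

        System.out.println("first submit of a: " + reg.consume(a, t0 + 1_000));
        System.out.println("replay of a:       " + reg.consume(a, t0 + 2_000));
        System.out.println("forged token:      " + reg.consume("not-issued", t0));
        System.out.println("b after timeout:   " + reg.consume(b, t0 + 6 * 60 * 1000L));

        String c = reg.issue(t0);
        reg.purgeExpired(t0 + 10 * 60 * 1000L);
        System.out.println("c after purge:     " + reg.consume(c, t0 + 10 * 60 * 1000L));
        System.out.println("still pending:     " + reg.pendingCount());
    }
}
```

Run with `javac FormTokenRegistry.java && java FormTokenRegistry`: the first submit of `a` is OK, its replay and the forged value are UNKNOWN, `b` submitted after the five-minute window is EXPIRED, `c` is UNKNOWN once the purge has removed it, and nothing remains pending. Two points a practitioner would add to the scheme as posted: the map must be guarded against concurrent requests from the same browser (the `synchronized` methods here), and unsubmitted tokens need an eviction path such as purgeExpired, otherwise every rendered form costs session memory until logout.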