Posted to dev@struts.apache.org by Matthias Kerkhoff <ma...@BESToffers.de> on 2000/12/16 20:52:18 UTC
Re[2]: Struts and Web Application Safety
How about the following (in pseudo code)
- create a custom tag, say <protect>, that, whenever it is invoked
does the following...
a) outputs to the html page a
<input type="hidden"
name="[a meaningful name]"
value="<%= MD5(sessionid + timeout + counter++) %>">
b) adds the value timestamp to a map valued session attribute
with MD5(sessionid + timeout + counter++) as the key.
(There may be multiple forms on one page and multiple pages
in one browser).
- modify the ActionServlet class so that whenever the parameter
[a meaningful name] is present in a request, the following
happens...
a) search the value of [a meaningful name] in the session
attribute. If and only if it is present do b). Else do d)
b) Remove the value from the session table (to prevent replay
attacks and multiple form submissions). Goto c)
c) check if the current time is earlier than the value of the
just removed key (i.e. earlier than the timeout). If it is
goto d) else continue with the real action.
d) Do appropriate error handling, log the request or something
similar, but _don't_ continue with the action. Probably a
new action attribute should be introduced. The action servlet
could then forward the problematic request for further processing
to this url.
Matthias
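The scheme above, written out as a stand-alone example. This is added code, not Struts code and not the poster's own; it keeps the post's token construction MD5(sessionid + timeout + counter++) and its per-session map of token -> timeout, but the field name "formToken", the 300-second lifetime, the injectable clock and the `require` flag are assumptions for illustration. Step c) is read here as an expiry check: a token submitted after its timeout is rejected. Because the token is removed from the map before the time check, a second submission of the same form (a replay or a double click) fails at step a).

```python
"""One-time form token scheme as described in the post (added example,
not Struts code). Field name, lifetime and the clock hook are assumed."""
import hashlib
import time
from html import escape
from typing import Callable, Dict, Tuple

TOKEN_FIELD = "formToken"  # hypothetical stand-in for "[a meaningful name]"


class FormTokens:
    """The post's session attribute: a map of token -> timeout for one session."""

    def __init__(self, session_id: str, lifetime: float = 300.0,
                 clock: Callable[[], float] = time.time) -> None:
        self.session_id = session_id
        self.lifetime = lifetime          # assumed default: 5 minutes
        self.clock = clock                # injectable so expiry can be exercised
        self.counter = 0                  # the post's counter++
        self.tokens: Dict[str, float] = {}

    def issue(self) -> str:
        """<protect> tag, steps a) and b): mint a token and remember its timeout."""
        timeout = self.clock() + self.lifetime
        raw = f"{self.session_id}{timeout}{self.counter}".encode()
        self.counter += 1
        token = hashlib.md5(raw).hexdigest()   # MD5(sessionid + timeout + counter)
        self.tokens[token] = timeout
        return token

    def hidden_field(self) -> str:
        """The hidden input the tag writes into the HTML form (step a)."""
        return (f'<input type="hidden" name="{TOKEN_FIELD}" '
                f'value="{escape(self.issue())}">')

    def validate(self, params: Dict[str, str],
                 require: bool = False) -> Tuple[bool, str]:
        """ActionServlet steps a)-d). Returns (continue_with_action, reason)."""
        token = params.get(TOKEN_FIELD)
        if token is None:
            # The post only checks when the parameter is present; require=True
            # (an assumed extension) rejects requests that omit it entirely.
            return (not require), "no token in request"
        if token not in self.tokens:                 # a) not found -> d)
            return False, "unknown or already consumed token"
        timeout = self.tokens.pop(token)             # b) remove first: no replay
        if self.clock() > timeout:                   # c) past the timeout -> d)
            return False, "token expired"
        return True, "ok"

    def purge_expired(self) -> int:
        """Drop tokens whose forms were never submitted, so the map cannot grow forever."""
        now = self.clock()
        stale = [t for t, timeout in self.tokens.items() if timeout < now]
        for t in stale:
            del self.tokens[t]
        return len(stale)


def demo() -> list:
    """Constructed walk-through: first submit, replay, late submit, forged token."""
    now = [1000.0]
    store = FormTokens("sess-abc123", lifetime=60.0, clock=lambda: now[0])
    token = store.issue()
    first = store.validate({TOKEN_FIELD: token})       # (True, "ok")
    replay = store.validate({TOKEN_FIELD: token})      # rejected at step a)
    late_token = store.issue()
    now[0] += 120.0                                    # clock runs past the timeout
    late = store.validate({TOKEN_FIELD: late_token})   # rejected at step c)
    forged = store.validate({TOKEN_FIELD: "0" * 32})   # never issued
    return [first, replay, late, forged]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two practitioner notes on the scheme as described: the token is only as unguessable as the inputs to the hash, so its strength rests on the session id staying secret from the attacker; and the check fires only when the parameter is present, so an action that must be protected should treat a missing token as a failure too (the `require` flag above).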