Sunday, January 19, 2014

No sign of vulnerability on authentication module done using Servlet

Actually I was trying to discover the CSRF thing happened on the web app. I'm trying to find out this vulnerability through ZAProxy to understand the real fact happens behind the scene. To do this, I made an web app that purely done using Servlet, not involving any JSP. This Servlet program allow users to authenticate themselves before render the protected resource.

This is the Servlet configuration in Deployment Descriptor:
 <servlet>
   <servlet-name>TestServlet</servlet-name>
   <servlet-class>org.huahsin.TestServlet</servlet-class>
 </servlet>
  
 <servlet-mapping>
    <servlet-name>TestServlet</servlet-name>
    <url-pattern>/test</url-pattern>
   </servlet-mapping>
  
   <security-constraint>
    <web-resource-collection>
     <web-resource-name>Wildcard means whole apps requires authentication</web-resource-name>
     <url-pattern>/*</url-pattern>
     <http-method>GET</http-method>
     <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
     <role-name>tomcat</role-name>
    </auth-constraint>
    <user-data-constraint>
     <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
   </security-constraint>

 <login-config>
  <auth-method>BASIC</auth-method>
 </login-config>
public class TestServlet extends HttpServlet {
 protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
  response.setContentType("text/html");
  PrintWriter out = response.getWriter();
  out.println("This is a Test Servlet.");
  
  Enumeration headerNames = request.getHeaderNames();
  while( headerNames.hasMoreElements() ) {
   String headerName = (String) headerNames.nextElement();
   out.println("Header Name: < i >" + headerName);
   String headerValue = request.getHeader(headerName);
   out.println("< /i >, Header Value: < i >" + headerValue);
   out.println("< /i >");
  }
  
  out.println("< hr / >");
  
  String authHeader = request.getHeader("authorization");
  String encodeValue = authHeader.split(" ")[1];
  out.println("Base64-encoded Authorization Value: < i >" + encodeValue);
  String decodeValue = Base64.base64Decode(encodeValue);
  out.println("< /i >Base64-encoded Authorization Value: < i >" + decodeValue + "< /i >");
 }
}
The users are define in Tomcat server, when the page launch, a prompt to user to enter a valid login credential in order to view the content. Unfortunately ZAProxy not able to do any test on it as it doesn't contain any JSP page. Since ZAProxy couldn't run any test on it, I move on to plan B. This time I create a JSP page, this JSP will replace the server authentication:
 <form action="login" method="POST" name="loginForm">
Username:<input name="txtUserName" type="text" value="" />
  Password:<input name="txtPassword" type="password" value="" />
  <input type="submit" value="login" />
  <input type="reset" value="clear" />
 </form>
Next thing is to remove the <security-constraint> from Deployment Descriptor to get rid of server authentication and allow user to authenticate through a web page. That's all about the change. When I run the test again on ZAProxy, there is no sign of vulnerability found on this example, I think I need to move on to bigger challenge to realize CSRF thing.

No comments: