Skip to content
Permalink
Browse files Browse the repository at this point in the history
Added html escaping to help with XSS. Added frame busting to help wit…
…h XFS. Added a method override filter so that only GETs and POSTs are accepted. Disabled autocomplete for password fields. Added ability for customer to set their HPKP headers.
  • Loading branch information
tannermitchell committed Feb 1, 2018
1 parent f0700bb commit f64b10d
Show file tree
Hide file tree
Showing 15 changed files with 167 additions and 12 deletions.
44 changes: 44 additions & 0 deletions src/main/java/com/unboundid/webapp/ssam/HTTPHeaderFilter.java
@@ -0,0 +1,44 @@
/*
* Copyright 2014-2017 Ping Identity Corporation
* All Rights Reserved.
*/

package com.unboundid.webapp.ssam;

import org.springframework.stereotype.Component;
import javax.servlet.FilterConfig;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletResponse;

@Component
public class HTTPHeaderFilter implements javax.servlet.Filter {
public FilterConfig filterConfig;

public void doFilter(final ServletRequest request,
final ServletResponse response, FilterChain chain)
throws java.io.IOException, javax.servlet.ServletException {

HttpServletResponse res = (HttpServletResponse) response;

// Set this variable to the sha256 pin of your public key
// This value can be generated using the "openssl" command line tool
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
String pinSha256 = "";

if(pinSha256.length() > 0)
{
res.setHeader("Public-Key-Pins", "max-age=518400; " +
"pin-sha256=\"" + pinSha256 + "\"; " +
"includeSubDomains");
}

chain.doFilter(request, response);
}

public void init(final FilterConfig filterConfig) { this.filterConfig = filterConfig; }

public void destroy() {}

}
@@ -0,0 +1,35 @@
/*
* Copyright 2014-2017 Ping Identity Corporation
* All Rights Reserved.
*/

package com.unboundid.webapp.ssam;

import org.springframework.stereotype.Component;
import javax.servlet.FilterConfig;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;

@Component
public class HTTPRequestParameterFilter implements javax.servlet.Filter {
public FilterConfig filterConfig;

public void doFilter(final ServletRequest request,
final ServletResponse response, FilterChain chain)
throws java.io.IOException, javax.servlet.ServletException {

String curMethod = ((HttpServletRequest) request).getMethod();
//only allow for GET and POST requests.
if (curMethod.equalsIgnoreCase("get") || curMethod.equalsIgnoreCase("post"))
{
chain.doFilter(request, response);
}
}

public void init(final FilterConfig filterConfig) {
this.filterConfig = filterConfig;
}
public void destroy() {}
}
5 changes: 3 additions & 2 deletions src/main/java/com/unboundid/webapp/ssam/SSAMController.java
Expand Up @@ -44,6 +44,7 @@
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.HtmlUtils;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
Expand Down Expand Up @@ -971,7 +972,7 @@ private void populateUserModel(String username, Entry entry, Model model)
model.addAttribute("username", username);
for(Attribute attribute : entry.getAttributes())
{
model.addAttribute(attribute.getName(), attribute.getValue());
model.addAttribute(attribute.getName(), HtmlUtils.htmlEscape(attribute.getValue()));
}
model.addAttribute("entry", entry);
}
Expand All @@ -989,7 +990,7 @@ private void populateRegistrationModel(Map<String, String> parameters,
String value = parameter.getValue().trim();
if(!value.isEmpty())
{
model.addAttribute(name, value);
model.addAttribute(name, HtmlUtils.htmlEscape(value));
}
}
}
Expand Down
9 changes: 9 additions & 0 deletions src/main/resources/static/css/ssam.css
@@ -1,3 +1,12 @@
/*
* None style added to help with Frame Busting
* intended for older browsers without 'X-Frame-Options' header support.
* This method comes from an OWASP write up by Gustav Rydstedt.
*/
html {
display: none;
}

.navbar-static-top {
margin-bottom: 19px;
}
Expand Down
26 changes: 26 additions & 0 deletions src/main/resources/static/js/ssam-security-patch.js
@@ -0,0 +1,26 @@
// frame busting
function buster(document_in, top_in) {
if (self === top_in) {
document_in.documentElement.style.display = "block";
} else {
top_in.location = self.location;
}
}

// html escaping for potentially unsafe jQuery methods such as ".append()"
var entityMap = {
'&': '&amp;',
'<': '&lt;',
'>': '&gt;',
'"': '&quot;',
"'": '&#x27;',
'/': '&#x2F;',
'`': '&#x60;',
'=': '&#x3D;'
};

function escapeHtml (string) {
return String(string).replace(/[&<>"'`=\/]/g, function (s) {
return entityMap[s];
});
}
6 changes: 5 additions & 1 deletion src/main/resources/templates/deletion-success.vm
Expand Up @@ -25,7 +25,11 @@
</div>
</div>
</div>


<script src="js/ssam-security-patch.js"></script>
<script type="text/javascript">
buster(document, top);
</script>
<script src="js/jquery-2.1.4.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<script src="js/ssam.js"></script>
Expand Down
4 changes: 4 additions & 0 deletions src/main/resources/templates/error.vm
Expand Up @@ -13,5 +13,9 @@
<div class="container">
Something went wrong: $!status $error
</div>
<script src="js/ssam-security-patch.js"></script>
<script type="text/javascript">
buster(document, top);
</script>
</body>
</html>
6 changes: 5 additions & 1 deletion src/main/resources/templates/login.vm
Expand Up @@ -22,7 +22,7 @@
<label for="inputUsername" class="sr-only">Email/Username</label>
<input type="text" id="inputUsername" name="username" class="form-control" placeholder="Email/Username" required autofocus>
<label for="inputPassword" class="sr-only">Password</label>
<input type="password" id="inputPassword" name="password" class="form-control" placeholder="Password" required>
<input type="password" id="inputPassword" name="password" class="form-control" placeholder="Password" autocomplete="off" required>
<button class="btn btn-lg btn-primary btn-block" type="submit">Sign in</button>
<div style="margin-top: 5px;">
<a href="recoverPassword">Forgot password?</a>
Expand All @@ -31,6 +31,10 @@
</div>
</form>
</div>
<script src="js/ssam-security-patch.js"></script>
<script type="text/javascript">
buster(document, top);
</script>
<script src="js/jquery-2.1.4.min.js"></script>
<script src="js/bootstrap.min.js"></script>
</body>
Expand Down
6 changes: 5 additions & 1 deletion src/main/resources/templates/recover-password-success.vm
Expand Up @@ -25,7 +25,11 @@
</div>
</div>
</div>


<script src="js/ssam-security-patch.js"></script>
<script type="text/javascript">
buster(document, top);
</script>
<script src="js/jquery-2.1.4.min.js"></script>
<script type="text/javascript">
$(document).ready(function() {
Expand Down
4 changes: 4 additions & 0 deletions src/main/resources/templates/recover-password-verify.vm
Expand Up @@ -90,6 +90,10 @@
</div>
</div>

<script src="js/ssam-security-patch.js"></script>
<script type="text/javascript">
buster(document, top);
</script>
<script src="js/jquery-2.1.4.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<script src="js/ssam.js"></script>
Expand Down
4 changes: 4 additions & 0 deletions src/main/resources/templates/recover-password.vm
Expand Up @@ -51,6 +51,10 @@
</div>
</div>

<script src="js/ssam-security-patch.js"></script>
<script type="text/javascript">
buster(document, top);
</script>
<script src="js/jquery-2.1.4.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<script src="js/ssam.js"></script>
Expand Down
4 changes: 4 additions & 0 deletions src/main/resources/templates/register.vm
Expand Up @@ -93,6 +93,10 @@
</div>
</div>

<script src="js/ssam-security-patch.js"></script>
<script type="text/javascript">
buster(document, top);
</script>
<script src="js/jquery-2.1.4.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<script src="js/ssam.js"></script>
Expand Down
6 changes: 5 additions & 1 deletion src/main/resources/templates/registration-success.vm
Expand Up @@ -25,7 +25,11 @@
</div>
</div>
</div>


<script src="js/ssam-security-patch.js"></script>
<script type="text/javascript">
buster(document, top);
</script>
<script src="js/jquery-2.1.4.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<script src="js/ssam.js"></script>
Expand Down
6 changes: 5 additions & 1 deletion src/main/resources/templates/registration-verify.vm
Expand Up @@ -56,7 +56,11 @@
</div>
</div>
</div>


<script src="js/ssam-security-patch.js"></script>
<script type="text/javascript">
buster(document, top);
</script>
<script src="js/jquery-2.1.4.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<script src="js/ssam.js"></script>
Expand Down
14 changes: 9 additions & 5 deletions src/main/resources/templates/user.vm
Expand Up @@ -113,20 +113,20 @@
<div class="form-group">
<label class="col-sm-4 control-label">Current Password </label>
<div class="col-sm-8">
<input id="currentPassword" type="password" class="form-control" placeholder="Enter Current Password">
<input id="currentPassword" type="password" class="form-control" placeholder="Enter Current Password" autocomplete="off">
</div>
</div>
<div class="form-group">
<label class="col-sm-4 control-label">Password </label>
<div class="col-sm-8">
<input id="password" type="password" class="form-control" placeholder="Enter New Password">
<input id="password" type="password" class="form-control" placeholder="Enter New Password" autocomplete="off">
#parse("_password-requirements.vm")
</div>
</div>
<div class="form-group">
<label class="col-sm-4 control-label">Confirm&nbsp;Password </label>
<div class="col-sm-8">
<input id="confirmPassword" type="password" class="form-control" placeholder="Re-Enter New Password">
<input id="confirmPassword" type="password" class="form-control" placeholder="Re-Enter New Password" autocomplete="off">
</div>
</div>
</form>
Expand Down Expand Up @@ -161,6 +161,10 @@
</div>
</div>
#end
<script src="js/ssam-security-patch.js"></script>
<script type="text/javascript">
buster(document, top);
</script>
<script src="js/jquery-2.1.4.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<script src="js/ssam.js"></script>
Expand Down Expand Up @@ -277,8 +281,8 @@
cn = first + " " + last;
}
var address = cn + '$' + $('input[name="street"]').val().trim() + '$' + $('input[name="l"]').val().trim() + ', ' + $('input[name="st"]').val().trim() + ' ' + $('input[name="postalCode"]').val().trim();
userForm.append('<input type="hidden" name="cn" value="' + cn + '">');
userForm.append('<input type="hidden" name="postalAddress" value="' + address + '">');
userForm.append('<input type="hidden" name="cn" value="' + escapeHtml(cn) + '">');
userForm.append('<input type="hidden" name="postalAddress" value="' + escapeHtml(address) + '">');
userForm.submit();
});
});
Expand Down

0 comments on commit f64b10d

Please sign in to comment.