Common Hybris Security Issue On Daily Work

By admin On Jan 14, 2021

Purpose

We often use fortify which is a security tool to scan our secruity issue when we prepare to release a new version. This lead us have to fix our issue in a very tense situation, but more important is that some time it is difficult to make a corresponding adjustment at this time because it will affect design or the overall structure.

So I put forward the following two suggestions:

Every developer need konw the common security rules and abide by the rules.
We should use the fortify scan every time the code is submitted and should not wait until the end.

Overview

This is topic we need offen update, because security issues are constantly changing, here I summarize what we often encounter.

Issue For Exception

Empty catch block. The exception will be ignored. Bad case:

catch (final JaloItemNotFoundException e) {

// Todo

}
We can not directly catch base exception, we should add more type of exception to handle error. Bad case:

catch (final Exception e) {

// Todo

}
We should not direct print the details info of the Exception Object in catch, we shoud wrap the exception. Bad case:

catch (final Exception e) {

log.error(e);

}

InitBinder

The initBinder is a check for the form submit. We can set the AllowedFields and DisallowedFields to filter the form submit. But actually, we already have the check of the form submit in the frontend. We set the DisallowedFields to be empty, to allow all the form submit fileds.

@InitBinder

public void initBinder(WebDataBinderbinder) {

binder.setDisallowedFields(DISALLOWED_FIELDS);

}

CSRF

When the form labels are used, it is better to use the form label which Spring offers, do not use form labels directly. It will support csrf validation.

<%@ page trimDirectiveWhitespaces="true"%>

<%@ taglib prefix="c" uri="https://java.sun.com/jsp/jstl/core"%>

<%@ taglib prefix="template" tagdir="/WEB-INF/tags/responsive/template"%>

<%@ taglib prefix="cms" uri="https://hybris.com/tld/cmstags"%>

<%@ taglib prefix="spring" uri="https://www.springframework.org/tags"%>

<%@ taglib prefix="form" uri="https://www.springframework.org/tags/form"%>

<%@ taglib prefix="formElement" tagdir="/WEB-INF/tags/responsive/formElement"%>

<%@ taglib prefix="ycommerce" uri="https://hybris.com/tld/ycommercetags"%>

<%@ taglib prefix="fn" uri="https://java.sun.com/jsp/jstl/functions"%>

 class="account-section-header"> 
      class="row"> 
          class="container-lg col-md-6"> 
              
                 code="text.account.notificationPreference.notificationPreferenceForm" />

 class="row"> 
      class="container-lg col-md-6"> 
          class="account-section-content"> 
              class="account-section-form"> 
                 "${action}" method="post" 
                     commandName="notificationPreferenceForm"> 
                     "channel" items="email,sms" delims="," varStatus="loop"> 
                      class="checkbox"> 
                          class="control-label notification_preference_channel"> 
                             if test="${not empty notificationPreferenceForm.emailAddress && channel == 'email'}"> 
                                 "${channel}NotificationChannel" path="${channel}Enabled"tabindex="${loop.index}"/> 
                                 "notification.channel.${channel}"arguments="${notificationPreferenceForm.emailAddress}"/>                                
                             if> 
                             if test="${not empty notificationPreferenceForm.mobileNumber && channel == 'sms'}"> 
                                 "${channel}NotificationChannel" path="${channel}Enabled"tabindex="${loop.index}"/> 
                                 "notification.channel.${channel}"arguments="${notificationPreferenceForm.mobileNumber}"/> 
                             if> 
                          
                     
 
                      
                      class="row"> 
                          class="col-sm-6 col-sm-push-6"> 
                              class="accountActions"> 
                                 
                                     "notificationPreferenceSetting.submit" text="Update Password" /> 
                                  
                             
 
                         
 
                          class="col-sm-6 col-sm-pull-6"> 
                              class="accountActions"> 
                                 
                                     "notificationPreferenceSetting.cancel" text="Cancel" />

Weak Cryptographic Hash

Weak cryptographic hashes cannot guarantee data integrity and should not be used in security-critical contexts. We should use sha256 or at the same level.

This case is not safe enough:

DigestUtils.md5Hex(preStr);

Mass Assignment: Insecure Binder Configuration

The framework binder used for binding the HTTP request parameters to the model class has not been explicitly configured to allow, or disallow certain attributes.

@RequestMapping(method = RequestMethod.POST)

@RequireHardLogIn

public String updateNotificationPreference(final NotificationPreferenceForm notificationPreferenceForm,

final BindingResult bindingResult, final Model model, final RedirectAttributes redirectModel)

Open Redirect

The file MyInterestsPageController.java passes unvalidated data to an HTTP redirect function on line 115. Allowing unvalidated input to control the URL used in a redirect can aid phishing attacks.

final String showUrl = getConfigurationService().getConfiguration().getString(urlKey) + "/" + productCode;

return "redirect:" + showUrl;

Header Manipulation

The method post() in WeChatPayHttpClient.java includes unvalidated data in an HTTP response header on line 69. This enables attacks such as cache-poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect.

WeChatPayHttpClient

post.setEntity(new StringEntity(requestBody, ContentType.create(MediaType.APPLICATION_XML.toString(), CharEncoding.UTF_8)));

Hidden field

sing the input hidden to save variable in jsp files. The variable will be exposed.

<input type="hidden" name="${var.key}" value="${var.value}" />

<input name="${var.key}" value="${var.value}" readonly style="display: none;"/>

Java Details

Parse Double, use this case

Double.valueOf(xxx);
StringUtils.EMPTY, use this case

String temp = StringUtils.EMPTY;

Would you like to get Full SAP Tutorials Access?

If you are already a member in this website, Please Click here to login
If you are not yet a member, Please Click here to Sign up

if you have any questions don't hesitate to contact us from the Button bellow

New NetWeaver Information at SAP.com

Very Helpfull

User Rating: Be the first one !