CRV2 RevCodeStoredAntiPatternJava

From OWASP
Revision as of 11:23, 3 October 2013 by Johanna Curiel


Bad Session Stores

As described in the research paper by V. Benjamin Livshits (2005), a bad session store occurs when an object stored as an attribute of javax.servlet.http.HttpSession does not implement java.io.Serializable.

As Livshits further explains, this is a problem because HttpSession objects may be written out to disk, at which point every object stored as a session attribute must be serialized; if an attribute cannot be serialized, the result is exceptions or data corruption.

What to look for in the code

  • The value parameter passed to HttpSession.setAttribute
  • Check whether the class of each object stored in the javax.servlet.http.HttpSession implements java.io.Serializable
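The following is an added example, not code from the OWASP page or from Livshits' paper. It shows the anti-pattern beside its corrected form and a guard that performs the check above at the setAttribute call site; a java.util.Map stands in for the HttpSession attribute table so it runs without the servlet API, and passivate() imitates what a container does when it writes a session to disk.

```java
import java.io.*;
import java.util.*;

public class BadSessionStoreDemo {

    // Anti-pattern: stored in the session but does not implement Serializable.
    static class ShoppingCartBad {
        final List<String> items = new ArrayList<>();
    }

    // Corrected form: marked Serializable so the container can persist it.
    static class ShoppingCartGood implements Serializable {
        private static final long serialVersionUID = 1L;
        final List<String> items = new ArrayList<>();
    }

    // Guard for the point where code calls session.setAttribute(name, value):
    // rejects any value the container could not write to disk. (Hypothetical helper.)
    static void checkedSetAttribute(Map<String, Object> session, String name, Object value) {
        if (value != null && !(value instanceof Serializable)) {
            throw new IllegalArgumentException("session attribute '" + name + "' of type "
                + value.getClass().getName() + " does not implement java.io.Serializable");
        }
        session.put(name, value);
    }

    // Imitates session passivation: every attribute goes through ObjectOutputStream.
    static byte[] passivate(Map<String, Object> session) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new HashMap<>(session));
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Map<String, Object> session = new HashMap<>(); // stands in for HttpSession attributes
        session.put("cart", new ShoppingCartBad());   // what the anti-pattern does
        try {
            passivate(session);
        } catch (NotSerializableException e) {
            System.out.println("passivation failed: " + e.getMessage());
        }
        session.clear();
        checkedSetAttribute(session, "cart", new ShoppingCartGood()); // passes the guard
        System.out.println("passivated " + passivate(session).length + " bytes");
    }
}
```

The first passivate() call fails with NotSerializableException naming ShoppingCartBad, which is the exception the text describes; the guarded store of ShoppingCartGood succeeds.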

References

V. Benjamin Livshits, "Finding Security Errors in Java Applications Using Lightweight Static Analysis", 2005. Available at http://research.microsoft.com/en-us/um/people/livshits/papers/pdf/acsac04v.pdf (last viewed 3 October 2013).