| ||||||||||
Resin 3.1 Documentation Examples Changes Overview Installation Configuration Quercus SOA/IoC JSP Servlets and Filters Admin (JMX) EJB Amber Security Performance Hessian XML and XSLT Third-party Troubleshooting/FAQ Authentication Digest Passwords Authorization SSL Security Manager Malicious Attacks FAQ Scrapbook |
Resin is a very mature product, and has not had any security reports in a long time. Here we discuss some common methods used to attack web servers, and how they are handled by Resin and how they apply to your applications. Cross-site scriptingCross-site scripting occurs when a web-site inadvertantly includes HTML tags or scripting code that has come from an untrusted source (such as a form submit) Cross-site scripting is primarily an application issue, not an app-server issue. An audit of your code will help you identify any areas that may be vulnerable to cross-site scripting issues. The only case where it could be a Resin issue is for Resin's error messages, like 404 messages, and these have been carefully audited to prevent the possibilty of cross-site scripting. For more information on cross-site scripting, the CERT advisory on the topic is a useful resource. Protecting your site from cross-site scriptingThe main source of vulnerability is from malicious posting of request parameters by users. The following steps are a good start to protecting your site.
Serving of raw JSP filesA potentially dangerous security problem is the inadvertant serving of .jsp files in raw form, exposing information about the underlying system. The most significant area of concern for this with Resin is when Resin is used as a servlet runner. A raw jsp could potentially be served up by the main webserver (IIS or Apache, for example) if it does not recognize that the page should be handlecd by Resin. Since this is a configuration issue, it should appear during your testing and not suddenly become a problem in a production environment that has not had the configuration changed. There are also some issues regarding this with the underlying filesystem, for example a jsp name being passed in such a way that it does not match the pattern for jsp files but is recognized by the OS/filesystem as a valid filename. We have covered all of these areas that have come to our attention. Session stealingResin establishes a session with the user by assigning an id, which is then included in subsequent requests as either a cookie or as part of the URL. It is conceivable that someone could use a packet sniffer to find the session id of a user and then make a fake request to Resin thus gaining access to the session. This can be avoided by using HTTPS. Denial of Service (DoS) attacksThe most common method used in DoS attacks on a server is to flood the server with useless traffic, overloading the network's capacity. A real DoS attack is best handled by a firewall or operating system. Any real DoS attack is going to try to overwhelm your TCP, so you need the OS kernel to refuse to accept packets for the offending system. For a less extreme DoS attack, you can use com.caucho.filters.ThrottleFilter to minimize the number of concurrent requests.
In configurations that use a cluster, the
ThrottleFilter should be used on the front-end server that is running the
<filter filter-name="throttle" filter-class="com.caucho.filters.ThrottleFilter"> <init max-concurrent-requests="5"/> </filter> <filter-mapping url-pattern="/*" filter-name="throttle"/>
|