Re: [servlet-dev] Question on Security Implications of GET Requests on J_SECURITY_CHECK in Jakarta Servlet Specification

On 12/11/2024 04:23, Harsha Vardhan Sai T via servlet-dev wrote:
Dear Team,

I hope this message finds you well. I am reaching out with a question regarding the Servlet Specification’s form-based authentication mechanism, specifically in relation to the behavior of GET requests on the |J_SECURITY_CHECK| endpoint.

Reference links: https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet-4_0_FINAL.pdf


      Question and Concern

Our understanding is that, under the current specification, there is no explicit restriction on HTTP methods for the |J_SECURITY_CHECK| endpoint, which allows some implementations to respond to GET requests with a *200 OK* status code. We are concerned that this behavior could pose security risks in production environments where form-based authentication is implemented.
      Potential Security Implications

Allowing GET requests on |J_SECURITY_CHECK| raises several security concerns:

 1. *Information Disclosure*: A 200 OK response on a GET request may
    reveal details about the endpoint, potentially aiding in
    reconnaissance activities.
 2. *Expanded Attack Surface*: Permitting GET requests could expose the
    endpoint to brute-force attacks or enumeration if not properly
    monitored.
 3. *Security Standards and Best Practices*: To adhere to security best
    practices, many authentication mechanisms restrict endpoints to
    specific HTTP methods to mitigate unintended access or exposure.

Please explain, with examples including details of each HTTP request and response, each of the above risks.

I currently don't see any of the above risks in the container for a specification compliant FORM auth implementation. Application risks are a different matter (and a concern for application developers not the Servlet specification).

Mark


      Suggested Revision

To mitigate these concerns, we would like to ask if it would be feasible to update the specification to:

  * Explicitly state that |J_SECURITY_CHECK| should *only accept POST
    requests*.
  * Recommend returning *405 Method Not Allowed* for any unsupported
    HTTP methods, such as GET.

This change could enhance the security posture of applications implementing form-based authentication as per the Jakarta Servlet Specification, while aligning with secure development practices.

Thank you for considering our question, and please let us know if we can provide any further clarification.


--

Best regards,

Harsha


_______________________________________________
servlet-dev mailing list
servlet-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/servlet-dev
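The "Suggested Revision" above asks for POST-only handling of j_security_check with a 405 for other methods. As an added illustration (not code from the thread, the Servlet specification, or any container), this is how an application could enforce that rule itself in a Jakarta Servlet 5+ filter, without waiting for a specification change. Assumptions: the jakarta.servlet namespace, the filter mapped to /* by annotation, and that the container routes the j_security_check request through the application's filter chain at all. That last assumption does not hold everywhere: in Apache Tomcat, for example, form authentication is performed by an authenticator valve that consumes the j_security_check request before the filter chain runs, so this filter would never see it and the method restriction would have to be applied at a reverse proxy instead.

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (hypothetical, not part of any container): rejects every
 * request to j_security_check that is not a POST with 405 Method Not Allowed.
 * Only effective if the container lets the filter chain see that request.
 */
@WebFilter(urlPatterns = "/*")
public class SecurityCheckMethodFilter extends HttpFilter {

    // Action name defined by the Servlet specification for FORM authentication.
    private static final String J_SECURITY_CHECK = "/j_security_check";

    @Override
    protected void doFilter(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Build the context-relative path (servlet path plus any path info).
        String pathInfo = req.getPathInfo();
        String path = req.getServletPath() + (pathInfo == null ? "" : pathInfo);

        if (path.endsWith(J_SECURITY_CHECK) && !"POST".equals(req.getMethod())) {
            // RFC 9110 requires an Allow header on a 405 response.
            res.setHeader("Allow", "POST");
            res.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Before relying on a filter like this, verify with a plain GET against /j_security_check on the deployed application that the response is 405 and not the container's usual redirect or 200; if it is not, the request is being handled ahead of the filter chain and the restriction needs to live in front of the container.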


