Java Exception Handling Mechanism (Exception): in Java, the Throwable class has two subclasses, Error and Exception. Catching Error is not recommended (see the difference between Error and Exception in the Java Exception Handling Mechanism). Among the subclasses of Exception, RuntimeException and its subclasses need not be caught, while exceptions of the other subclasses must be caught; in either case an exception carries exception information. When an exception occurs, it is thrown to the upper-level function that called the current one, and so on up the call chain, until a level that handles the exception (catch) is reached. This is very convenient for developers debugging a program: they can quickly locate the problem by viewing the exception information.

In the stack trace of this example (a Spring DataIntegrityViolationException wrapping a Hibernate exception raised while executing an SQL query), the exception can be seen passing from the application's own DAO code, through the framework layer (Spring, Hibernate and the Struts2 interceptor chain), up to the web container layer.

Scenario in which sensitive information is exposed: if the developer does not handle this exception, the web container exposes it to the user by default, and the exception information includes the names of the components the application uses. For an attacker this is a large amount of useful information, so the result is sensitive information leakage.
Wooyun case: http://www.wooyun.org/bugs/wooyun-2010-011311

XSS arises in two circumstances:
1. The developer handles the exception but still outputs its information to the user (in actual development this is still common; we also build a user-experience page that lets users report such exception information to the administrator, and of course the developer's intention is good!).
2. The output contains user input (the attacker's malicious code) that was written out without XSS protection.
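As an added example (not code from the original post or from the application in the trace), a servlet Filter placed first in the chain that addresses both problems above: the full trace with its component names stays in the server log under a random incident id instead of reaching the container's default error page, and the page shown to the user reflects only HTML-escaped text rather than e.getMessage(). The class name, logger and response markup are assumptions.

```java
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Added example (assumed class name): outermost filter, so nothing propagates to the container.
public class SafeErrorFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SafeErrorFilter.class.getName());

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, res);
        } catch (Exception e) {              // Errors are deliberately not caught
            String incidentId = UUID.randomUUID().toString();
            // Class names, SQL and any echoed user input stay in the server log only.
            LOG.log(Level.SEVERE, "Unhandled exception, incident " + incidentId, e);
            HttpServletResponse resp = (HttpServletResponse) res;
            resp.reset();                    // drop any partial body already buffered
            resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            resp.setContentType("text/html;charset=UTF-8");
            // Unsafe pattern from the post: out.println("Error: " + e.getMessage()); the
            // message may carry attacker-controlled input and is written unencoded.
            resp.getWriter().println("<html><body><h1>Request failed</h1><p>Reference: "
                    + escapeHtml(incidentId) + "</p></body></html>");
        }
    }

    /** HTML-escape text for element content; apply to anything reflected, including e.getMessage() if it must be shown. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Register the filter first in web.xml (or with @WebFilter) so it wraps the Struts2 dispatcher and every other filter in the chain.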
Of course, this problem does not occur if the container handles the output by default,