3.2 Insecure Direct Object References

This topic explains insecure direct object references.

  1. Use of prepared statements (parameterized queries)

    FLEXCUBE uses PreparedStatement with bind variables to construct and execute SQL statements in Java.
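    The contrast between string-built SQL and a bound PreparedStatement, as an added illustration (not FLEXCUBE code). The ACCOUNTS table, its columns and the open JDBC Connection are assumptions; the second query also binds the authenticated customer's id so that an account number supplied by the client cannot be used to read another customer's record, which is the direct object reference concern this section is named for.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/*
 * Added example, not part of FLEXCUBE. Assumes a table
 * ACCOUNTS(ACC_NO, CUST_ID, BALANCE) and an open Connection.
 */
public class AccountDao {

    // Unsafe: the client value becomes part of the SQL text, so a quote
    // inside it changes the statement the database executes.
    public static ResultSet findAccountUnsafe(Connection con, String accNo)
            throws SQLException {
        Statement st = con.createStatement();
        return st.executeQuery(
            "SELECT ACC_NO, BALANCE FROM ACCOUNTS WHERE ACC_NO = '" + accNo + "'");
    }

    // Safe: the SQL text is fixed when the statement is prepared; both
    // values travel as bind variables and are never parsed as SQL. The
    // CUST_ID predicate comes from the server-side session, not the request,
    // so the lookup is scoped to the logged-in customer.
    public static ResultSet findAccount(Connection con, String accNo, String sessionCustId)
            throws SQLException {
        PreparedStatement ps = con.prepareStatement(
            "SELECT ACC_NO, BALANCE FROM ACCOUNTS WHERE ACC_NO = ? AND CUST_ID = ?");
        ps.setString(1, accNo);
        ps.setString(2, sessionCustId);
        return ps.executeQuery();
    }
}
```

    Binding alone stops SQL injection; it does not stop a user from asking for someone else's account number, which is why the second predicate is taken from the session rather than from the request.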

  2. Input Validation

    FLEXCUBE is a web-based application. Request data travels from the browser to the server in request headers and request parameters. All request fields coming from the client are validated using whitelist validation to prevent cross-site scripting.

    The user-defined method validateParameter() performs input validation by checking each character of the request field against a range of allowed characters. The user-defined methods escapeJavaScript(), escapeHTML() and escapeURL() sanitize output data before it is flushed to the client browser.

    escapeJavaScript() escapes all characters except immune JavaScript characters and alphanumeric characters in the ASCII character set. All other characters are encoded using the \xHH or \uHHHH notation for ASCII or Unicode sequences respectively.

    escapeHTML() replaces characters with the equivalent HTML entities obtained from a lookup map. The lookup map holds entities such as amp, quot, lt, gt, etc.

    escapeURL() encodes the URL using the URLEncoder class.

    Whitelist validation is also used to restrict image/signature/Excel uploads and to check rights for every operation performed by the user.
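    One way to write the four helpers named above, as an added example rather than FLEXCUBE's own implementation. The method names follow the text; the allowed-character set, the immune JavaScript characters and the entity lookup map are assumptions chosen for illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.HashMap;
import java.util.Map;

/* Added example, not FLEXCUBE code. Character sets below are assumptions. */
public final class RequestSanitizer {

    // Whitelist: characters permitted in an ordinary request field. A field
    // containing anything else is rejected, not "cleaned".
    private static final String ALLOWED =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 _-.@";

    public static boolean validateParameter(String value, int maxLen) {
        if (value == null || value.length() > maxLen) return false;
        for (int i = 0; i < value.length(); i++) {
            if (ALLOWED.indexOf(value.charAt(i)) < 0) return false;
        }
        return true;
    }

    // Lookup map of characters that are replaced by HTML entities on output.
    private static final Map<Character, String> HTML_ENTITIES = new HashMap<>();
    static {
        HTML_ENTITIES.put('&', "&amp;");
        HTML_ENTITIES.put('<', "&lt;");
        HTML_ENTITIES.put('>', "&gt;");
        HTML_ENTITIES.put('"', "&quot;");
        HTML_ENTITIES.put('\'', "&#x27;");
    }

    public static String escapeHTML(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            String entity = HTML_ENTITIES.get(c);
            if (entity != null) sb.append(entity); else sb.append(c);
        }
        return sb.toString();
    }

    // Immune characters that may appear unescaped inside a JS string literal
    // (assumed set). ASCII alphanumerics pass through; everything else becomes
    // \xHH for ASCII or \uHHHH for other Unicode code units.
    private static final String JS_IMMUNE = ",._";

    public static String escapeJavaScript(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (char c : s.toCharArray()) {
            boolean asciiAlnum = c < 128 && Character.isLetterOrDigit(c);
            if (asciiAlnum || JS_IMMUNE.indexOf(c) >= 0) {
                sb.append(c);
            } else if (c < 128) {
                sb.append(String.format("\\x%02X", (int) c));
            } else {
                sb.append(String.format("\\u%04X", (int) c));
            }
        }
        return sb.toString();
    }

    // Percent-encodes a value for use inside a URL query parameter.
    public static String escapeURL(String s) throws UnsupportedEncodingException {
        return URLEncoder.encode(s, "UTF-8");
    }
}
```

    The point of keeping separate escapers is that each output context has its own metacharacters: escapeHTML("<b>") yields "&lt;b&gt;", whereas escapeJavaScript("<b>") yields "\x3Cb\x3E", and using the wrong one for a context leaves the injection open.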

  3. Image Content validation

    The signature upload checks the image type and image content using the built-in Java classes ImageIO and JarFile.
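    A content check of the kind described, using ImageIO, as an added example that is not FLEXCUBE's code. The permitted formats and the maximum dimensions are assumptions. The check ignores the file name and the browser-supplied content type entirely and decides only from what the bytes decode to; bounding the dimensions also rejects images that decode to far more pixels than a signature needs.

```java
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;

/* Added example, not FLEXCUBE code. Limits below are assumptions. */
public final class SignatureUploadCheck {

    private static final List<String> ALLOWED_FORMATS = Arrays.asList("png", "jpeg", "gif");
    private static final int MAX_WIDTH = 800;
    private static final int MAX_HEIGHT = 400;

    // Returns true only if the bytes are recognised by a decoder for an
    // allowed format, decode successfully, and stay within size limits.
    public static boolean isValidSignature(byte[] data) throws IOException {
        try (ImageInputStream iis = ImageIO.createImageInputStream(new ByteArrayInputStream(data))) {
            if (iis == null) return false;
            Iterator<ImageReader> readers = ImageIO.getImageReaders(iis);
            if (!readers.hasNext()) return false;          // no decoder recognises the header
            ImageReader reader = readers.next();
            try {
                String format = reader.getFormatName().toLowerCase();
                if (!ALLOWED_FORMATS.contains(format)) return false;
                reader.setInput(iis);
                // Check declared dimensions before decoding the pixel data.
                if (reader.getWidth(0) > MAX_WIDTH || reader.getHeight(0) > MAX_HEIGHT) return false;
                BufferedImage img = reader.read(0);          // decode the actual content
                return img != null;
            } finally {
                reader.dispose();
            }
        }
    }
}
```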

  4. Field validation

    Field-level validations exist for all mandatory fields. The database also enforces limits on the type and length of data. Blacklisted characters are not allowed in the mandatory fields. Nevertheless, FLEXCUBE has free-text fields, which accept all data entered by the user as a String.

  5. Restriction on Blacklist characters

    Similar to whitelist validation, blacklist validation is also used for validating the request fields. FLEXCUBE uses blacklist validation to check whether the request XML contains unwanted tags such as script tags, HTML tags, anchor tags, etc., inside the XML content. It is also used for the advance summary field's validation, to check whether proper request fields are coming from the browser.

    The table below lists bad characters that should not be allowed in the URL path. However, FLEXCUBE operations require many of these characters to be passed in the request, so FLEXCUBE encodes them before sending them through the URL and decodes them at the server, which prevents an attacker from modifying the request.

    Table 3-1 Bad URL Characters

    Bad URL Characters (Unsafe Characters)
    -------------------------------------------
    &                     //
    <                     ./
    >                     /.
    ;                     /*
    "                     *.
    '                     ~
    %                     \
    )                     25%
    (                     %25u
    +                     %25U
    ,                     %00-%1f, %7f-%ff
    " " (space)           %00-%1f and %7f-%ff
    -                     %25u and %25U

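    The two halves of the arrangement just described, as an added example (not FLEXCUBE code): a server-side check that the raw URL path contains none of the Table 3-1 characters and sequences, and the client-side encode / server-side decode of parameter values that legitimately contain them. The exact sequence list is taken from the table; the decision to decode exactly once is an assumption, and it matters because the %25u and %25U entries in the table are precisely what a second decoding pass would turn into a live %u escape.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.List;

/* Added example, not FLEXCUBE code. Lists are transcribed from Table 3-1. */
public final class UrlCharacterGuard {

    // Single characters from Table 3-1 that must not appear literally in the path.
    private static final String BAD_CHARS = "&<>;\"'%)(+, -~\\";

    // Multi-character sequences from Table 3-1.
    private static final List<String> BAD_SEQUENCES =
        Arrays.asList("//", "./", "/.", "/*", "*.", "25%", "%25u", "%25U");

    // True if the raw (undecoded) path carries none of the unsafe characters.
    public static boolean isSafeUrlPath(String path) {
        if (path == null) return false;
        for (int i = 0; i < path.length(); i++) {
            char c = path.charAt(i);
            if (c <= 0x1f || (c >= 0x7f && c <= 0xff)) return false; // %00-%1f, %7f-%ff
            if (BAD_CHARS.indexOf(c) >= 0) return false;
        }
        for (String seq : BAD_SEQUENCES) {
            if (path.contains(seq)) return false;
        }
        return true;
    }

    // Client side: a value that needs '&', '+', '/' and so on is encoded once
    // before it is placed in the query string.
    public static String encodeParam(String value) throws UnsupportedEncodingException {
        return URLEncoder.encode(value, "UTF-8");
    }

    // Server side: decode exactly once, then validate the decoded value with the
    // field's whitelist. Decoding a second time would reintroduce the %25u case.
    public static String decodeParam(String encoded) throws UnsupportedEncodingException {
        return URLDecoder.decode(encoded, "UTF-8");
    }
}
```

    With this split, isSafeUrlPath("/app/home") is true while isSafeUrlPath("/app/../home") and isSafeUrlPath("/app/%25u0041") are false, and a parameter such as "A&B+C" survives the round trip encodeParam/decodeParam unchanged without ever appearing raw in the URL.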
  6. Restriction on Script/HTML Tags

    FLEXCUBE has blacklist validation for unwanted tags in XML, such as script tags or HTML tags inside the XML content, particularly in the header.
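    A tag blacklist for request XML of the kind items 5 and 6 describe, as an added example and not FLEXCUBE's implementation. The forbidden tag list and attribute patterns are assumptions. The check runs twice on purpose: once over the raw string, and once over the text and attribute values after XML parsing, because a tag written as "&lt;script&gt;" is invisible to the raw check yet becomes "<script>" once entities are resolved. The parser is configured with DOCTYPE declarations disallowed so that the validation step cannot itself be used for entity expansion.

```java
import java.io.StringReader;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/* Added example, not FLEXCUBE code. Tag and attribute lists are assumptions. */
public final class XmlTagBlacklist {

    // Opening or closing tags for scripting/HTML elements, inline event handler
    // attributes, and javascript: URIs. Case-insensitive, whitespace tolerant.
    private static final Pattern FORBIDDEN_MARKUP = Pattern.compile(
        "<\\s*/?\\s*(script|iframe|object|embed|img|a|html|body|style|link|meta|svg)\\b"
        + "|\\bon[a-z]+\\s*=|javascript\\s*:",
        Pattern.CASE_INSENSITIVE);

    public static boolean containsForbiddenMarkup(String text) {
        return text != null && FORBIDDEN_MARKUP.matcher(text).find();
    }

    // True only if neither the raw XML nor any text/attribute value inside it
    // (after entity resolution) carries forbidden markup.
    public static boolean requestXmlIsClean(String xml) throws Exception {
        if (containsForbiddenMarkup(xml)) return false;

        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return !subtreeHasForbiddenMarkup(doc.getDocumentElement());
    }

    private static boolean subtreeHasForbiddenMarkup(Node node) {
        short type = node.getNodeType();
        if (type == Node.TEXT_NODE || type == Node.CDATA_SECTION_NODE) {
            if (containsForbiddenMarkup(node.getNodeValue())) return true;
        }
        NamedNodeMap attrs = node.getAttributes();
        if (attrs != null) {
            for (int i = 0; i < attrs.getLength(); i++) {
                if (containsForbiddenMarkup(attrs.item(i).getNodeValue())) return true;
            }
        }
        NodeList children = node.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            if (subtreeHasForbiddenMarkup(children.item(i))) return true;
        }
        return false;
    }
}
```

    A blacklist like this is a second line of defence behind the whitelist validation of item 2: it catches the obvious tags but must be tuned to the request schema (an element legitimately named with one of the listed words would be rejected), and it cannot enumerate every way markup can be written.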