1. Development Security Guide
  2. Insecure Direct Object References

2.4 Insecure Direct Object References

  1. Use of prepared statements (parameterized queries)

    Oracle Banking Trade Finance uses PreparedStatement with bind variables to construct and execute SQL statements in JAVA.

  2. Input Validation

    Oracle Banking Trade Finance is a web based application, the request data from browser to server will be passed using request headers and request parameters. All the request fields coming from the client are validated using white list validation to prevent cross site scripting.

    User defined method validateParameter() is used for input validation which checks each character of the request field with a range of allowed characters.

    User defined methods escapeJavaScript(), escapeHTML() and escapeURL() will sanitize the output data before flushing it into client browser.

    escapeJavaScript() will escape all characters except immune JavaScript characters and alphanumeric characters in the ASCII character set. All other characters are encoded using the \\xHH or \\uHHHH notation for representing ASCII or Unicode sequences.

    escapeHTML() will escape the characters with equivalent HTML entities obtained from the lookup map. Lookup map will have entities such as amp, quot, lt, gt etc.

    escapeURL() will encode the URL using URLEncoder class.

    White list validation is also used to restrict Image/signature/excel upload and to check rights for every operation performed by user.

  3. Image Content validation

    Signature upload will check for image type and image content using the inbuilt classes (ImageIO and JarFile) available in java.

  4. Field validation

    Field level validations exist for all mandatory fields. Database too had limits on the type and the length of data. Blacklisted characters are not allowed in the mandatory fields. Nevertheless, Oracle Banking Trade Finance has free-text fields, which takes all data, entered by the user, as a String.

  5. Restriction on Blacklist characters

    Similar to white list validation black list validation is also used for validating the request fields. Oracle Banking Trade Finance uses blacklist validation to check whether the request xml contains unwanted tags like scripting tag, html tag, anchor tag etc inside the xml content. It is also used for the advance summary field’s validation to check whether proper request fields are coming from the browser.

    Below table shows the list of bad characters which should not be allowed in URL path but the Oracle Banking Trade Finance operations requires many of the below characters to be passed in the request. So Oracle Banking Trade Finance will encode the below bad characters before sending them through the URL and same will be decoded at the server to prevent the hacker from modifying the request.

    Bad URL Characters( Unsafe Characters )
    & //
    < ./
    > /.
    ; /*
    \" *.
    \' ~
    % \
    ) 25%
    ( %25u
    + %25U
    , %00-%1f, %7f-%ff
    " " (space) %00-%1f and %7f-%ff
    - %25u and %25U
  6. Restriction on Script/Html tags

    Oracle Banking Trade Finance has blacklist validation for unwanted tag in xml like scripting tag or html tag inside xml content particularly in the header