2.6 Sensitive Data Exposure

  1. Secure Transmission of Data (SSL)

    The Oracle Banking Trade Finance Installer allows a deployer to configure Oracle Banking Trade Finance such that all HTTP connections to the Oracle Banking Trade Finance application are over SSL/TLS. In other words, all HTTP traffic in the clear will be prohibited; only HTTPS traffic will be allowed. It is mandatory to enable this option in a production environment, especially when WebLogic Server acts as the SSL terminator.

    A two-way SSL is used when the server needs to authenticate the client. In a two-way SSL connection the client verifies the identity of the server and then passes its identity certificate to the server. The server then validates the identity certificate of the client before completing the SSL handshake.

    In order to establish a two-way SSL connection, two certificates are needed: one for the server and the other for the client. This is required for a de-centralized setup of the application.

    For Oracle Banking Trade Finance, a single connector needs to be configured. This connector is related to SSL/TLS communication between the host or browser and the branch, which uses two-way authentication.

    If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic.

    The following configuration has to be ensured in weblogic.xml within the deployed application EAR:
    • Cookies are set with HttpOnly as true
    • Cookie secure flag set to true
    • Cookie path refers to the deployed application

      <wls:session-descriptor>
        <wls:cookie-http-only>true</wls:cookie-http-only>
      </wls:session-descriptor>

      <wls:session-descriptor>
        <wls:cookie-secure>true</wls:cookie-secure>
        <wls:url-rewriting-enabled>false</wls:url-rewriting-enabled>
      </wls:session-descriptor>

      <session-descriptor>
        <cookie-name>JSESSIONID</cookie-name>
        <cookie-path>/<DeployedApplicationPath></cookie-path>
        <cookie-http-only>true</cookie-http-only>
        <cookie-secure>true</cookie-secure>
        <url-rewriting-enabled>false</url-rewriting-enabled>
      </session-descriptor>

    Always make sure cookies are set with the Auth flag enabled by default for WebLogic Server.

  2. Sign-On Messages

    The table below shows the general sign-on messages displayed to the user when authentication fails.

    Message                                                           | Explanation
    ------------------------------------------------------------------|------------------------------------------------------------------
    User Already Logged In                                            | The user has already logged into the system and is attempting a login through a different terminal.
    User Authentication Failed                                        | An incorrect user ID or password was entered.
    User Status is Disabled. Please contact your System Administrator | The user profile has been disabled because the number of dormancy days for the user has exceeded the dormancy days configured in the system.
    User Status is Locked. Please contact your System Administrator   | The user profile has been locked due to an excessive number of login attempts using an incorrect user ID or password. The number of attempts could have matched either the successive or the cumulative number of login failures configured for the system.

  3. Cache Control in Servlet and JSP

    There are three basic HTTP response headers that prevent a page from being cached to disk. Different browsers handle them in slightly different ways, so they need to be used in combination to ensure that no browser caches the specific page. These headers are "Expires", "Pragma" and "Cache-Control". In addition, these headers can either be sent directly by the server or placed in the HTML code as HTTP-EQUIV META tags within the HEAD section. The "Expires" header gives a date at which point the page should expire and no longer be cached. Internet Explorer supports a date of "0" for immediately and any negative number for already expired. The "Pragma: no-cache" header indicates that the page should not be cached.

  4. Clickjacking/Frame-bursting

    Oracle Banking Trade Finance uses the X-Frame-Options HTTP response header to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. This is used to avoid Clickjacking attacks, by ensuring that the content is not embedded into other sites.
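    As an added illustration (not code from the Oracle Banking Trade Finance product), a servlet filter that stamps every response with the three anti-caching headers from section 3 and the X-Frame-Options header from section 4; the class name and the choice of SAMEORIGIN are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not part of the product): sets the headers before the
// servlet or JSP writes the body, so they are present when the response commits.
public class NoCacheAndFrameOptionsFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Browsers differ in which header they honour, so send all three.
            http.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
            http.setHeader("Pragma", "no-cache");
            // Epoch date = already expired; IE additionally accepts the literal "0".
            http.setDateHeader("Expires", 0L);
            // Refuse rendering inside a <frame>/<iframe> on any other origin.
            http.setHeader("X-Frame-Options", "SAMEORIGIN");
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

    Map the filter in web.xml with a url-pattern of /* so that JSP pages as well as servlets receive the headers.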