2.6 Sensitive Data Exposure
- Secure Transformation of Data (SSL)
The Installer allows a deployer to configure the application such that all HTTP connections to the application are over SSL/TLS. In other words, all HTTP traffic in the clear is prohibited; only HTTPS traffic is allowed. It is mandatory to enable this option in a production environment, especially when WebLogic Server acts as the SSL terminator.
Two-way SSL is used when the server also needs to authenticate the client. In a two-way SSL connection the client verifies the identity of the server and then passes its own identity certificate to the server. The server then validates the client's identity certificate before completing the SSL handshake. To establish a two-way SSL connection, two certificates are needed: one for the server and the other for the client. This is required for a decentralized setup of the application.
For Oracle Banking Corporate Lending Solutions, a single connector needs to be configured. This connector handles the SSL/TLS communication between the host or browser and the branch, using two-way authentication.
If the secure flag is set on a cookie, browsers should not submit the cookie in any request that uses an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic.
The following configuration has to be ensured in weblogic.xml within the deployed application EAR:
- Cookies are set with HttpOnly as true
- Cookie secure flag set to true
- Cookie path refers to the deployed application
<wls:session-descriptor>
  <wls:cookie-http-only>true</wls:cookie-http-only>
  <wls:cookie-secure>true</wls:cookie-secure>
  <wls:url-rewriting-enabled>false</wls:url-rewriting-enabled>
</wls:session-descriptor>
Always make sure cookies are set with the Auth flag enabled by default for WebLogic Server:
<session-descriptor>
  <cookie-name>JSESSIONID</cookie-name>
  <cookie-path>/<DeployedApplicationPath></cookie-path>
  <cookie-http-only>true</cookie-http-only>
  <cookie-secure>true</cookie-secure>
  <url-rewriting-enabled>false</url-rewriting-enabled>
</session-descriptor>
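A deployer can confirm that the session-descriptor above actually took effect by inspecting the Set-Cookie header the server returns. The following Python check is an added example and is not part of the Oracle documentation or product; it parses Set-Cookie header values and reports a JSESSIONID cookie that lacks HttpOnly, lacks Secure, or carries a path other than the deployed application path. The two header lines and the application path "/ExampleApp" are constructed sample values.

```python
"""Audit Set-Cookie headers for the session-cookie attributes that the
weblogic.xml session-descriptor is meant to enforce (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CookieAudit:
    name: str
    attrs: Dict[str, str] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split a Set-Cookie value into the cookie name and its attributes.
    Attribute names are case-insensitive, so they are stored lower-cased;
    flag attributes such as HttpOnly and Secure carry an empty value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = ""
    return CookieAudit(name=name, attrs=attrs)


def audit_session_cookie(header_value: str, expected_path: str,
                         session_cookie: str = "JSESSIONID") -> CookieAudit:
    """Return the parsed cookie with a list of deviations from the expected
    flags. Cookies other than the session cookie are parsed but not judged."""
    cookie = parse_set_cookie(header_value)
    if cookie.name != session_cookie:
        return cookie
    if "httponly" not in cookie.attrs:
        cookie.findings.append("missing HttpOnly")
    if "secure" not in cookie.attrs:
        cookie.findings.append("missing Secure")
    path = cookie.attrs.get("path")
    if path is None:
        cookie.findings.append("missing Path")
    elif path != expected_path:
        cookie.findings.append(f"Path is {path!r}, expected {expected_path!r}")
    return cookie


def audit_response_cookies(set_cookie_headers: List[str],
                           expected_path: str) -> Dict[str, List[str]]:
    """Map each cookie name in a response to its findings."""
    return {c.name: c.findings
            for c in (audit_session_cookie(h, expected_path)
                      for h in set_cookie_headers)}


# Constructed sample headers: one compliant, one missing every flag.
GOOD_HEADER = "JSESSIONID=abc123; Path=/ExampleApp; HttpOnly; Secure"
BAD_HEADER = "JSESSIONID=abc123; Path=/"
EXPECTED_PATH = "/ExampleApp"  # stands in for the real deployed application path

if __name__ == "__main__":
    for name, findings in audit_response_cookies([GOOD_HEADER, BAD_HEADER],
                                                 EXPECTED_PATH).items():
        print(name, "OK" if not findings else findings)
```

Run it against the Set-Cookie lines captured from a real login response (for example from the browser's developer tools); an empty findings list for JSESSIONID means the HttpOnly, Secure and path settings are in force.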
- Sign-On messages
The table below shows the general Sign-On messages which are displayed to the user on invalid authentication.
Table 2-2 Sign-On messages
Message: User Already Logged In
Explanation: The user has already logged into the system and is attempting a login through a different terminal.
Message: Invalid User ID/Login.
Explanation: An incorrect user ID or password was entered.
Message: User Status is Disabled. Please contact your System Administrator.
Explanation: The user profile has been disabled because the number of dormancy days for the user has exceeded the dormancy days configured in the system.
Message: User Status is Locked. Please contact your System Administrator.
Explanation: The user profile has been locked due to an excessive number of attempts to login using an incorrect user ID or password. The number of attempts could have matched either the successive or the cumulative number of login failures (configured for the system).
- CACHE Control in Servlet and JSP
There are three basic HTTP response headers that prevent a page from being cached to disk. Different browsers handle them in slightly different ways, so they need to be used in combination to ensure that no browser caches the specific page. These headers are Expires, Pragma and Cache-Control. In addition, these headers can either be sent directly by the server or placed in the HTML code as HTTP-EQUIV META tags within the HEAD section. The Expires header gives a date at which point the page should expire and no longer be cached. Internet Explorer supports a date of 0 for immediately and any negative number for already expired. The Pragma: no-cache header indicates that the page should not be cached.
- Clickjacking/Frame-bursting
The application uses the X-Frame-Options HTTP response header to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. This is used to avoid Clickjacking attacks, by ensuring that the content is not embedded into other sites.
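Because the three anti-caching headers only work in combination, a response audit should report each one that is missing or set to a cacheable value, and the same audit can confirm the X-Frame-Options header described above. The following Python check is an added example and is not part of the Oracle documentation or product; it accepts the Expires values the text mentions (0, a negative number, or an already-past date), requires Pragma: no-cache and a Cache-Control containing both no-cache and no-store, and accepts only DENY or SAMEORIGIN for X-Frame-Options. The two header sets are constructed samples.

```python
"""Audit response headers for the Expires/Pragma/Cache-Control combination
and for X-Frame-Options (added example)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    # Header names are case-insensitive; normalise for lookup.
    return {k.lower(): v for k, v in headers.items()}


def expires_is_immediate(value: str, now: Optional[datetime] = None) -> bool:
    """True when Expires says 'do not cache': 0, a negative number, or an
    HTTP-date that is not in the future. Anything unparsable counts as bad."""
    text = value.strip()
    try:
        return int(text) <= 0
    except ValueError:
        pass
    try:
        when = parsedate_to_datetime(text)
    except (TypeError, ValueError):
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return when <= now


def check_no_cache(headers: Dict[str, str]) -> List[str]:
    """Report every anti-caching header that is absent or permits caching."""
    h = _lower_keys(headers)
    findings: List[str] = []
    if "expires" not in h:
        findings.append("Expires missing")
    elif not expires_is_immediate(h["expires"]):
        findings.append("Expires is in the future")
    if h.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing")
    directives = {d.strip().lower()
                  for d in h.get("cache-control", "").split(",") if d.strip()}
    if not {"no-cache", "no-store"} <= directives:
        findings.append("Cache-Control must include no-cache and no-store")
    return findings


def check_frame_options(headers: Dict[str, str]) -> List[str]:
    """Report an X-Frame-Options header that would allow framing by other sites."""
    value = _lower_keys(headers).get("x-frame-options", "").strip().upper()
    if value not in ("DENY", "SAMEORIGIN"):
        return ["X-Frame-Options missing or not DENY/SAMEORIGIN"]
    return []


def audit_sensitive_page(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Combine both checks for a page that must not be cached or framed."""
    return {"cache": check_no_cache(headers),
            "framing": check_frame_options(headers)}


# Constructed sample responses: one hardened, one that allows caching and framing.
GOOD_HEADERS = {
    "Expires": "0",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "X-Frame-Options": "SAMEORIGIN",
}
BAD_HEADERS = {
    "Cache-Control": "max-age=3600",
    "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        print(label, audit_sensitive_page(hdrs))
```

Feed it the headers of a page that renders account or customer data; a finding in either list means a browser or proxy may retain the page on disk, or another site may embed it in a frame.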