Hello ,
I am using AEM 6.5 on fortify scan found the below. Any inputs on how to resolve this will be helpfull.
1> Error logging
It shows Sink:org.slf4j.Logger.error()
I am doing
try{...}
catch(cryptoexception e){
log.error("there was an error {}",e.getMessage());
}
It is throwing the sink error.
2>I have an hidden field like below in the .html and need it
<input type="hidden" otherparameters>
How to resolve above issues so that it does not show up in Fortify scan. Any sample code will help
Thanks,
Srinivas
<input
Solved! Go to Solution.
Views
Replies
Total Likes
HI @Srinivas_Opti ,
If you have already implemented the suggested solution for the hidden field issue and are still seeing it flagged in Fortify reports, there may be other factors contributing to the issue. Here are some additional steps you can take to further investigate and resolve the issue:
1. Check the Fortify report for more details: The Fortify report should provide more information about the specific issue and the reason it was flagged. Review the report to see if there are any additional details that can help you identify the root cause of the issue.
2. Verify that the validation is working correctly: Double-check that the server-side validation is working as expected. You can add debug logging or use a debugger to step through the code and verify that the validation logic is being executed correctly.
3. Consider other sources of input: Hidden fields are not the only source of input that can be manipulated by attackers. Check if there are other input fields in your form that could be manipulated and ensure that they are validated on the server-side.
4. Review your code for other security issues: Fortify scans can flag multiple security issues in your code. Review your code for other security issues and address them as necessary.
5. Seek expert assistance: If you are still unable to resolve the issue, consider seeking assistance from a security expert or a Fortify consultant who can help you identify and address the root cause of the issue.
By following these steps, you should be able to identify and resolve the hidden field issue flagged by Fortify in your AEM 6.5 environment.
Hi @Srinivas_Opti ,
To address the Fortify scan issues you're encountering in AEM 6.5, let's break down the solutions for each of the issues:
Fortify is flagging the logging as a potential security issue because logging sensitive information can lead to information leakage. Here are some best practices to follow for secure logging:
Instead of logging the exception message directly, you could log a generic error message and the exception's stack trace separately, ensuring you do not expose sensitive details.
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class YourClass {
private static final Logger log = LoggerFactory.getLogger(YourClass.class);
public void yourMethod() {
try {
// Your code here
} catch (CryptoException e) {
log.error("An error occurred while processing the request: {}", e.getMessage()); // Avoid this pattern
log.debug("Detailed error: ", e); // Use debug or trace level to log the stack trace
}
}
}
In this approach:
Fortify is flagging the hidden input field because hidden fields can be manipulated by attackers. Hidden fields should not contain sensitive data. To resolve this, ensure that hidden fields are used securely and consider server-side validation.
For instance, if you need to include a hidden field in your form, ensure that it does not contain sensitive information and always validate it on the server-side:
<form action="/submit-form" method="post">
<!-- Non-sensitive hidden field -->
<input type="hidden" name="nonSensitiveParameter" value="12345" />
<!-- Other form fields -->
<input type="submit" value="Submit" />
</form>
On the server-side, validate the hidden field value:
protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response) throws ServletException, IOException {
String hiddenFieldValue = request.getParameter("nonSensitiveParameter");
// Validate the hidden field value
if (hiddenFieldValue != null && hiddenFieldValue.matches("\\d+")) {
// Process the form
} else {
// Handle invalid input
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid input");
}
}
By ensuring hidden fields are used appropriately and validating them on the server-side, you can mitigate the security risks flagged by Fortify.
Error Logging:
Hidden Field:
Implementing these best practices should help resolve the issues flagged by Fortify in your AEM 6.5 environment.
Thanks @HrishikeshKa .
For the inputs. I will make the changes validate and update you again on this.
Regards,
Srinivas
Hi @HrishikeshKa ,
Issue 1 is resolved.
Issue2: still present
HI @Srinivas_Opti ,
If you have already implemented the suggested solution for the hidden field issue and are still seeing it flagged in Fortify reports, there may be other factors contributing to the issue. Here are some additional steps you can take to further investigate and resolve the issue:
1. Check the Fortify report for more details: The Fortify report should provide more information about the specific issue and the reason it was flagged. Review the report to see if there are any additional details that can help you identify the root cause of the issue.
2. Verify that the validation is working correctly: Double-check that the server-side validation is working as expected. You can add debug logging or use a debugger to step through the code and verify that the validation logic is being executed correctly.
3. Consider other sources of input: Hidden fields are not the only source of input that can be manipulated by attackers. Check if there are other input fields in your form that could be manipulated and ensure that they are validated on the server-side.
4. Review your code for other security issues: Fortify scans can flag multiple security issues in your code. Review your code for other security issues and address them as necessary.
5. Seek expert assistance: If you are still unable to resolve the issue, consider seeking assistance from a security expert or a Fortify consultant who can help you identify and address the root cause of the issue.
By following these steps, you should be able to identify and resolve the hidden field issue flagged by Fortify in your AEM 6.5 environment.
Views
Like
Replies