Fortify sink issue for error logging and hidden field issue for input hidden field using aem6.5

Question

Hello ,

I am using AEM 6.5 on fortify scan found the below. Any inputs on how to resolve this will be helpfull.

1> Error logging

It shows Sink:org.slf4j.Logger.error()

I am doing

try{...}

catch(cryptoexception e){

log.error("there was an error {}",e.getMessage());

}

It is throwing the sink error.

2>I have an hidden field like below in the .html and need it

How to resolve above issues so that it does not show up in Fortify scan. Any sample code will help

Thanks,

Srinivas

<input

HrishikeshKagne · Accepted Answer

HI @srinivas_opti ,If you have already implemented the suggested solution for the hidden field issue and are still seeing it flagged in Fortify reports, there may be other factors contributing to the issue. Here are some additional steps you can take to further investigate and resolve the issue:1. Check the Fortify report for more details: The Fortify report should provide more information about the specific issue and the reason it was flagged. Review the report to see if there are any additional details that can help you identify the root cause of the issue.2. Verify that the validation is working correctly: Double-check that the server-side validation is working as expected. You can add debug logging or use a debugger to step through the code and verify that the validation logic is being executed correctly.3. Consider other sources of input: Hidden fields are not the only source of input that can be manipulated by attackers. Check if there are other input fields in your form that could be manipulated and ensure that they are validated on the server-side.4. Review your code for other security issues: Fortify scans can flag multiple security issues in your code. Review your code for other security issues and address them as necessary.5. Seek expert assistance: If you are still unable to resolve the issue, consider seeking assistance from a security expert or a Fortify consultant who can help you identify and address the root cause of the issue.By following these steps, you should be able to identify and resolve the hidden field issue flagged by Fortify in your AEM 6.5 environment.

HrishikeshKagne · Answer

Hi @srinivas_opti ,To address the Fortify scan issues you're encountering in AEM 6.5, let's break down the solutions for each of the issues:1. Error Logging (Sink: org.slf4j.Logger.error())Fortify is flagging the logging as a potential security issue because logging sensitive information can lead to information leakage. Here are some best practices to follow for secure logging:Avoid logging sensitive information: Ensure you are not logging sensitive data such as passwords, personal information, or detailed error messages that could be useful to an attacker.Log Exceptions Securely: When logging exceptions, avoid logging the full stack trace directly. Instead, log a unique error identifier and handle the detailed logging securely.Example SolutionInstead of logging the exception message directly, you could log a generic error message and the exception's stack trace separately, ensuring you do not expose sensitive details. import org.slf4j.Logger;import org.slf4j.LoggerFactory;public class YourClass { private static final Logger log = LoggerFactory.getLogger(YourClass.class); public void yourMethod() { try { // Your code here } catch (CryptoException e) { log.error("An error occurred while processing the request: {}", e.getMessage()); // Avoid this pattern log.debug("Detailed error: ", e); // Use debug or trace level to log the stack trace } }} In this approach:The log.error statement provides a generic message, avoiding exposure of sensitive details.The log.debug statement logs the detailed exception stack trace at a lower log level (debug), which can be disabled in production environments.2. Hidden Field Issue in HTMLFortify is flagging the hidden input field because hidden fields can be manipulated by attackers. Hidden fields should not contain sensitive data. To resolve this, ensure that hidden fields are used securely and consider server-side validation.Example SolutionAvoid storing sensitive data in hidden fields.Validate all input, including hidden fields, on the server-side to ensure they haven't been tampered with.For instance, if you need to include a hidden field in your form, ensure that it does not contain sensitive information and always validate it on the server-side: On the server-side, validate the hidden field value: protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response) throws ServletException, IOException { String hiddenFieldValue = request.getParameter("nonSensitiveParameter"); // Validate the hidden field value if (hiddenFieldValue != null && hiddenFieldValue.matches("\d+")) { // Process the form } else { // Handle invalid input response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid input"); }} By ensuring hidden fields are used appropriately and validating them on the server-side, you can mitigate the security risks flagged by Fortify.Error Logging:Avoid logging sensitive information.Log exceptions with a generic message and use debug level for detailed stack traces.Hidden Field:Do not store sensitive data in hidden fields.Validate hidden field values on the server-side to ensure they haven't been tampered with.Implementing these best practices should help resolve the issues flagged by Fortify in your AEM 6.5 environment.

1. Error Logging (Sink: org.slf4j.Logger.error())

Example Solution

2. Hidden Field Issue in HTML

Example Solution

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded