diff --git a/WebContent/high_yield_investments.htm b/WebContent/high_yield_investments.htm
index 715a931..3b3fea4 100644
--- a/WebContent/high_yield_investments.htm
+++ b/WebContent/high_yield_investments.htm
@@ -124,7 +124,8 @@

High Yield Investments

if any, to third party products and/or websites are purely coincidental. This site is provided "as is" without warranty of any kind, either express or implied. Watchfire does not assume any risk in relation to your use of this website. For additional Terms of Use, - please go to http://www.watchfire.com/statements/terms.aspx.

+ please go to https://www.watchfire.com/statements/terms.aspx.

+ Copyright © 2006, Watchfire Corporation, All rights reserved.
diff --git a/WebContent/static/inside_community.htm b/WebContent/static/inside_community.htm
index a10d665..d3bfaa4 100644
--- a/WebContent/static/inside_community.htm
+++ b/WebContent/static/inside_community.htm
@@ -12,6 +12,6 @@

Summer 2006

The 2006 community efforts of Altoro Mutual and our employees is quite impressive including charitable contributions, volunteerism, diversity initiatives, and other support. View the summary report (PDF, 800KB).

Adobe Reader
-Download free Adobe Reader.

+Download free Adobe Reader.

- 
\ No newline at end of file
+ 
diff --git a/WebContent/static/security.htm b/WebContent/static/security.htm
index 42646c0..cf12bbe 100644
--- a/WebContent/static/security.htm
+++ b/WebContent/static/security.htm
@@ -56,7 +56,8 @@

Keep Your System Up to Date

Backups

It is a good practice to back up important files and folders on your computer. To back up files, you can make copies onto media that you can safely store elsewhere, such as CDs or floppy discs.

-

For more information on home computer security, visit http://www.cert.org/.

+

For more information on home computer security, visit https://www.cert.org/.

+

Back to Top 
\ No newline at end of file
diff --git a/WebContent/swagger/lib/marked.js b/WebContent/swagger/lib/marked.js
index c2a678d..9c9ba96 100644
--- a/WebContent/swagger/lib/marked.js
+++ b/WebContent/swagger/lib/marked.js
@@ -308,7 +308,8 @@ Lexer.prototype.token = function(src, top, bq) { if (~item.indexOf('\n ')) { space -= item.length; item = !this.options.pedantic - ? item.replace(new RegExp('^ {1,' + space + '}', 'gm'), '') + ? item.replace(/^ {1, + space + }/gm, '') + : item.replace(/^ {1,4}/gm, ''); }
diff --git a/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java b/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java
index bcc1c94..ef8b8c9 100644
--- a/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java
+++ b/src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java
@@ -24,6 +24,8 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.owasp.esapi.ESAPI; + import com.ibm.security.appscan.altoromutual.util.DBUtil; /**
@@ -41,8 +43,8 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response) //add account if (request.getRequestURL().toString().endsWith("addAccount")){ - String username = request.getParameter("username"); - String acctType = request.getParameter("accttypes"); + String username = ESAPI.encoder().canonicalize(request.getParameter("username")); + String acctType = ESAPI.encoder().canonicalize(request.getParameter("accttypes")); if (username == null || acctType == null || username.trim().length() == 0 || acctType.trim().length() == 0) message = "An error has occurred. Please try again later."; else { 
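Review bot: The new `+ ? item.replace(/^ {1, + space + }/gm, '')` line in the non-pedantic branch no longer uses the value of `space`: inside a regex literal the characters `+ space +` are literal text, so the pattern can only match a line that starts with ` {1, + space + }` and never strips the indentation that the removed `new RegExp('^ {1,' + space + '}', 'gm')` stripped, which silently breaks nested-list parsing. `space` appears to be a number (the context line does `space -= item.length`), not user input, so the dynamic RegExp was not an injection risk; restore it, `? item.replace(new RegExp('^ {1,' + space + '}', 'gm'), '')`, or strip the indentation without a regex. Since this is a vendored library under swagger/lib, a version bump or an upstream patch is preferable to a hand edit here. The enclosing `Lexer.prototype.token` function starts and ends outside the hunk.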
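Review bot: `ESAPI.encoder().canonicalize(...)` is applied not only to `username`/`acctType` here but also to `password1`/`password2` in the addUser (@@ -54) and changePassword (@@ -87) hunks, which changes what gets stored: a password containing a sequence that looks like percent- or entity-encoding is decoded before it reaches DBUtil, and unless the login path decodes it the same way (LoginServlet's parameter handling is outside this diff) the user can no longer authenticate with the password they typed. Canonicalization is an input-normalization step, not the injection defense — the prepared statements added in DBUtil are — so limit it to fields that are rendered or looked up and pass passwords through unchanged, e.g. `String password1 = request.getParameter("password1");`. `ESAPI.encoder()` also needs an ESAPI configuration on the classpath at runtime, and `canonicalize` can throw an unchecked `IntrusionException` on mixed or multiple encodings, which the null/blank check below does not cover; a comment at the first call site stating both would help the next maintainer. doPost starts and ends outside the hunk.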
@@ -54,11 +56,11 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response) //add user else if (request.getRequestURL().toString().endsWith("addUser")){ - String firstname = request.getParameter("firstname"); - String lastname = request.getParameter("lastname"); - String username = request.getParameter("username"); - String password1 = request.getParameter("password1"); - String password2 = request.getParameter("password2"); + String firstname = ESAPI.encoder().canonicalize(request.getParameter("firstname")); + String lastname = ESAPI.encoder().canonicalize(request.getParameter("lastname")); + String username = ESAPI.encoder().canonicalize(request.getParameter("username")); + String password1 = ESAPI.encoder().canonicalize(request.getParameter("password1")); + String password2 = ESAPI.encoder().canonicalize(request.getParameter("password2")); if (username == null || username.trim().length() == 0 || password1 == null || password1.trim().length() == 0 || password2 == null || password2.trim().length() == 0) @@ -87,9 +89,9 @@ else if (request.getRequestURL().toString().endsWith("addUser")){ //change password else if (request.getRequestURL().toString().endsWith("changePassword")){ - String username = request.getParameter("username"); - String password1 = request.getParameter("password1"); - String password2 = request.getParameter("password2"); + String username = ESAPI.encoder().canonicalize(request.getParameter("username")); + String password1 = ESAPI.encoder().canonicalize(request.getParameter("password1")); + String password2 = ESAPI.encoder().canonicalize(request.getParameter("password2")); if (username == null || username.trim().length() == 0 || password1 == null || password1.trim().length() == 0 || password2 == null || password2.trim().length() == 0) @@ -121,3 +123,4 @@ else if (request.getRequestURL().toString().endsWith("changePassword")){ } } + 
diff --git a/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java b/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java
index 55303c3..631b417 100644
--- a/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java
+++ b/src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java
@@ -92,6 +92,8 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response) //Handle the cookie using ServletUtil.establishSession(String) try{ Cookie accountCookie = ServletUtil.establishSession(username,session); + accountCookie.setHttpOnly(true); + accountCookie.setSecure(true); response.addCookie(accountCookie); response.sendRedirect(request.getContextPath()+"/bank/main.jsp"); }
@@ -105,3 +107,4 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response) } } +
diff --git a/src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java b/src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java
index 40b8984..7f5c03f 100644
--- a/src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java
+++ b/src/com/ibm/security/appscan/altoromutual/servlet/SurveyServlet.java
@@ -95,10 +95,14 @@ else if (step.equals("done")){ content = "
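Review bot: The added `accountCookie.setHttpOnly(true)` / `accountCookie.setSecure(true)` pair duplicates the same two calls this commit adds inside `ServletUtil.establishSession` (last hunk of the diff), which already returns the cookie with both flags set; keep them where the cookie is created and drop these two lines here. `Cookie.setHttpOnly` only exists from Servlet API 3.0, so the project's servlet-api dependency has to be at least that for this to compile. With `Secure` set the browser will not send the cookie over plain http, so a deployment that is not behind TLS silently loses the account cookie right after login — worth a comment at the call site if that is the intended deployment constraint. doPost starts and ends outside the hunk.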

Request Out of Order

"+ "

It appears that you attempted to skip or repeat some areas of this survey. Please return to the start page to begin again.

"; } else { - request.getSession().setAttribute("surveyStep", step); + String safeStep = StringEscapeUtils.escapeHtml4(step); + request.getSession().setAttribute("surveyStep", safeStep); + } response.setContentType("text/html"); - response.getWriter().write(content); + import org.apache.commons.text.StringEscapeUtils; + response.getWriter().write(StringEscapeUtils.escapeHtml4(content)); + response.getWriter().flush(); } diff --git a/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java b/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java index 3031aa8..594c0c0 100644 --- a/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java +++ b/src/com/ibm/security/appscan/altoromutual/util/DBUtil.java @@ -214,9 +214,10 @@ public static boolean isValidUser(String user, String password) throws SQLExcept return false; Connection connection = getConnection(); - Statement statement = connection.createStatement(); - - ResultSet resultSet =statement.executeQuery("SELECT COUNT(*)FROM PEOPLE WHERE USER_ID = '"+ user +"' AND PASSWORD='" + password + "'"); /* BAD - user input should always be sanitized */ + PreparedStatement preparedStatement = connection.prepareStatement("SELECT COUNT(*)FROM PEOPLE WHERE USER_ID = ? AND PASSWORD= ?"); + preparedStatement.setString(1, user); + preparedStatement.setString(2, password); + ResultSet resultSet =preparedStatement.executeQuery(); if (resultSet.next()){ 
@@ -272,8 +273,9 @@ public static Account[] getAccounts(String username) throws SQLException{ return null; Connection connection = getConnection(); - Statement statement = connection.createStatement(); - ResultSet resultSet =statement.executeQuery("SELECT ACCOUNT_ID, ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE USERID = '"+ username +"' "); /* BAD - user input should always be sanitized */ + PreparedStatement preparedStatement = connection.prepareStatement("SELECT ACCOUNT_ID, ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE USERID = ?"); + preparedStatement.setString(1, username); + ResultSet resultSet = preparedStatement.executeQuery(); ArrayList accounts = new ArrayList(3); while (resultSet.next()){
@@ -302,8 +304,7 @@ public static String transferFunds(String username, long creditActId, long debit User user = getUserInfo(username); Connection connection = getConnection(); - Statement statement = connection.createStatement(); - + Account debitAccount = Account.getAccount(debitActId); Account creditAccount = Account.getAccount(creditActId); 
@@ -332,8 +333,16 @@ public static String transferFunds(String username, long creditActId, long debit debitAmount = -debitAmount; //create transaction record - statement.execute("INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES ("+debitAccount.getAccountId()+",'"+date+"',"+((debitAccount.getAccountId() == userCC)?"'Cash Advance'":"'Withdrawal'")+","+debitAmount+")," + - "("+creditAccount.getAccountId()+",'"+date+"',"+((creditAccount.getAccountId() == userCC)?"'Payment'":"'Deposit'")+","+creditAmount+")"); + PreparedStatement prep = connection.prepareStatement("INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES (?, ?, ?, ?), (?, ?, ?, ?)"); + prep.setLong(1, debitAccount.getAccountId()); + prep.setTimestamp(2, date); + prep.setString(3, (debitAccount.getAccountId() == userCC) ? "Cash Advance" : "Withdrawal"); + prep.setDouble(4, debitAmount); + prep.setLong(5, creditAccount.getAccountId()); + prep.setTimestamp(6, date); + prep.setString(7, (creditAccount.getAccountId() == userCC) ? "Payment" : "Deposit"); + prep.setDouble(8, creditAmount); + prep.execute(); Log4AltoroJ.getInstance().logTransaction(debitAccount.getAccountId()+" - "+ debitAccount.getAccountName(), creditAccount.getAccountId()+" - "+ creditAccount.getAccountName(), amount); 
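Review bot: `prep.setTimestamp(2, date)` (and `feeStmt.setTimestamp(2, date)` in the next hunk) only compiles if `date` is a `java.sql.Timestamp`; its declaration is above the hunk, and the removed line concatenated it as a quoted string `'"+date+"'`, so if it is a `String` or `java.util.Date` this needs `setString` or `new Timestamp(date.getTime())` instead. The same check applies to `setDouble(4, debitAmount)` and `setDouble(8, creditAmount)` against the declared type of the amounts, which are also outside the hunk. getTransactions later in this diff binds its DATE comparisons with `setString`, so the two paths should agree on how the DATE column is typed. transferFunds starts and ends outside the hunk.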
@@ -342,14 +351,26 @@ public static String transferFunds(String username, long creditActId, long debit //add cash advance fee since the money transfer was made from the credit card if (debitAccount.getAccountId() == userCC){ - statement.execute("INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES ("+debitAccount.getAccountId()+",'"+date+"','Cash Advance Fee',"+CASH_ADVANCE_FEE+")"); + PreparedStatement feeStmt = connection.prepareStatement("INSERT INTO TRANSACTIONS (ACCOUNTID, DATE, TYPE, AMOUNT) VALUES (?, ?, ?, ?)"); + feeStmt.setLong(1, debitAccount.getAccountId()); + feeStmt.setTimestamp(2, date); + feeStmt.setString(3, "Cash Advance Fee"); + feeStmt.setDouble(4, CASH_ADVANCE_FEE); + feeStmt.execute(); debitAmount += CASH_ADVANCE_FEE; Log4AltoroJ.getInstance().logTransaction(String.valueOf(userCC), "N/A", CASH_ADVANCE_FEE); } //update account balances - statement.execute("UPDATE ACCOUNTS SET BALANCE = " + (debitAccount.getBalance()+debitAmount) + " WHERE ACCOUNT_ID = " + debitAccount.getAccountId()); - statement.execute("UPDATE ACCOUNTS SET BALANCE = " + (creditAccount.getBalance()+creditAmount) + " WHERE ACCOUNT_ID = " + creditAccount.getAccountId()); + PreparedStatement updateDebit = connection.prepareStatement("UPDATE ACCOUNTS SET BALANCE = ? WHERE ACCOUNT_ID = ?"); + updateDebit.setDouble(1, debitAccount.getBalance() + debitAmount); + updateDebit.setLong(2, debitAccount.getAccountId()); + updateDebit.execute(); + + PreparedStatement updateCredit = connection.prepareStatement("UPDATE ACCOUNTS SET BALANCE = ? WHERE ACCOUNT_ID = ?"); + updateCredit.setDouble(1, creditAccount.getBalance() + creditAmount); + updateCredit.setLong(2, creditAccount.getAccountId()); + updateCredit.execute(); return null;
@@ -359,6 +380,7 @@ public static String transferFunds(String username, long creditActId, long debit } + /** * Get transaction information for the specified accounts in the date range (non-inclusive of the dates) * @param startDate 
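Review bot: `updateDebit.execute()` and `updateCredit.execute()` (plus the transaction-record inserts before them) run as separate auto-committed statements, so a failure between them leaves one balance adjusted and the other not; the commit preserves that non-atomic shape from the removed `statement.execute` calls. The new balance is also computed in Java from `debitAccount.getBalance()`, which was read earlier in the method, so two concurrent transfers touching the same account overwrite each other's update. Bracketing the inserts and updates with `connection.setAutoCommit(false)` … `connection.commit()` (rollback in the catch) and updating relatively, `UPDATE ACCOUNTS SET BALANCE = BALANCE + ? WHERE ACCOUNT_ID = ?` with the delta bound, addresses both. transferFunds starts and ends outside the hunk.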
@@ -375,32 +397,45 @@ public static Transaction[] getTransactions(String startDate, String endDate, Ac Connection connection = getConnection(); - Statement statement = connection.createStatement(); - if (rowCount > 0) - statement.setMaxRows(rowCount); - + StringBuffer acctIds = new StringBuffer(); - acctIds.append("ACCOUNTID = " + accounts[0].getAccountId()); + acctIds.append("ACCOUNTID = ?"); for (int i=1; i0 && endDate != null && endDate.length()>0){ - dateString = "DATE BETWEEN '" + startDate + " 00:00:00' AND '" + endDate + " 23:59:59'"; + dateString = "DATE BETWEEN ? AND ?"; } else if (startDate != null && startDate.length()>0){ - dateString = "DATE > '" + startDate +" 00:00:00'"; + dateString = "DATE > ?"; } else if (endDate != null && endDate.length()>0){ - dateString = "DATE < '" + endDate + " 23:59:59'"; + dateString = "DATE < ?"; } String query = "SELECT * FROM TRANSACTIONS WHERE (" + acctIds.toString() + ") " + ((dateString==null)?"": "AND (" + dateString + ") ") + "ORDER BY DATE DESC" ; + PreparedStatement preparedStatement = connection.prepareStatement(query); + int parameterIndex = 1; + for (Account account : accounts) { + preparedStatement.setLong(parameterIndex++, account.getAccountId()); + } + if (startDate != null && startDate.length() > 0 && endDate != null && endDate.length() > 0) { + preparedStatement.setString(parameterIndex++, startDate + " 00:00:00"); + preparedStatement.setString(parameterIndex++, endDate + " 23:59:59"); + } else if (startDate != null && startDate.length() > 0) { + preparedStatement.setString(parameterIndex++, startDate + " 00:00:00"); + } else if (endDate != null && endDate.length() > 0) { + preparedStatement.setString(parameterIndex++, endDate + " 23:59:59"); + } + if (rowCount > 0) + preparedStatement.setMaxRows(rowCount); + ResultSet resultSet = null; try { - resultSet = statement.executeQuery(query); + resultSet = preparedStatement.executeQuery(); } catch (SQLException e){ int errorCode = e.getErrorCode(); if 
(errorCode == 30000)
@@ -421,6 +456,7 @@ public static Transaction[] getTransactions(String startDate, String endDate, Ac return transactions.toArray(new Transaction[transactions.size()]); } + public static String[] getBankUsernames() { try {
@@ -447,8 +483,9 @@ public static String[] getBankUsernames() { public static Account getAccount(long accountNo) throws SQLException { Connection connection = getConnection(); - Statement statement = connection.createStatement(); - ResultSet resultSet =statement.executeQuery("SELECT ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE ACCOUNT_ID = "+ accountNo +" "); /* BAD - user input should always be sanitized */ + PreparedStatement preparedStatement = connection.prepareStatement("SELECT ACCOUNT_NAME, BALANCE FROM ACCOUNTS WHERE ACCOUNT_ID = ? "); + preparedStatement.setLong(1, accountNo); + ResultSet resultSet = preparedStatement.executeQuery(); ArrayList accounts = new ArrayList(3); while (resultSet.next()){
@@ -467,8 +504,10 @@ public static Account getAccount(long accountNo) throws SQLException { public static String addAccount(String username, String acctType) { try { Connection connection = getConnection(); - Statement statement = connection.createStatement(); - statement.execute("INSERT INTO ACCOUNTS (USERID,ACCOUNT_NAME,BALANCE) VALUES ('"+username+"','"+acctType+"', 0)"); + PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO ACCOUNTS (USERID,ACCOUNT_NAME,BALANCE) VALUES (?, ?, 0)"); + preparedStatement.setString(1, username); + preparedStatement.setString(2, acctType); + preparedStatement.execute(); return null; } catch (SQLException e){ return e.toString(); 
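Review bot: The date parameters are bound as strings, `preparedStatement.setString(parameterIndex++, startDate + " 00:00:00")`, while transferFunds in this same diff writes the DATE column with `setTimestamp`; comparing a string against a timestamp column depends on the driver's implicit conversion and on the caller's date format, so parse `startDate`/`endDate` once and bind with `setTimestamp`. The binding `if/else if` chain at the bottom repeats the chain that built `dateString` above it and the two must be kept in sync by hand; collecting the values in a `List` at the moment `dateString` is chosen, then binding from that list, removes the duplication. The loop that appends the per-account `ACCOUNTID = ?` clauses is garbled in this rendering (`for (int i=1; i0 && ...`), so I cannot confirm the number of placeholders matches the `for (Account account : accounts)` loop that binds them. getTransactions starts and ends outside the hunk.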
@@ -478,20 +517,31 @@ public static String addAccount(String username, String acctType) { public static String addSpecialUser(String username, String password, String firstname, String lastname) { try { Connection connection = getConnection(); - Statement statement = connection.createStatement(); - statement.execute("INSERT INTO SPECIAL_CUSTOMERS (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES ('"+username+"','"+password+"', '"+firstname+"', '"+lastname+"','user')"); + PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO SPECIAL_CUSTOMERS (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES (?,?,?,?,?)"); + preparedStatement.setString(1, username); + preparedStatement.setString(2, password); + preparedStatement.setString(3, firstname); + preparedStatement.setString(4, lastname); + preparedStatement.setString(5, "user"); + preparedStatement.execute(); return null; } catch (SQLException e){ return e.toString(); } } + public static String addUser(String username, String password, String firstname, String lastname) { try { Connection connection = getConnection(); - Statement statement = connection.createStatement(); - statement.execute("INSERT INTO PEOPLE (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES ('"+username+"','"+password+"', '"+firstname+"', '"+lastname+"','user')"); + PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO PEOPLE (USER_ID,PASSWORD,FIRST_NAME,LAST_NAME,ROLE) VALUES (?,?,?,?,?)"); + preparedStatement.setString(1, username); + preparedStatement.setString(2, password); + preparedStatement.setString(3, firstname); + preparedStatement.setString(4, lastname); + preparedStatement.setString(5, "user"); + preparedStatement.execute(); return null; } catch (SQLException e){ return e.toString(); 
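Review bot: `preparedStatement.setString(2, password)` in both addSpecialUser and addUser (and `setString(1, password)` in changePassword in the next hunk) stores the password exactly as submitted; binding the parameter closes the injection, but the PASSWORD column still holds clear text that isValidUser compares directly. Hashing before binding — PBKDF2 through `javax.crypto.SecretKeyFactory` with a per-user salt, or bcrypt/scrypt/argon2 if a library is already on the classpath — with the matching verification in isValidUser is the remaining fix; until then a `// NOTE: stored in clear text, see isValidUser` at the binding site keeps the next reader from assuming otherwise. Both methods also never close the statement; a try-with-resources around `prepareStatement` handles that.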
@@ -502,8 +552,10 @@ public static String changePassword(String username, String password) { try { Connection connection = getConnection(); - Statement statement = connection.createStatement(); - statement.execute("UPDATE PEOPLE SET PASSWORD = '"+ password +"' WHERE USER_ID = '"+username+"'"); + PreparedStatement preparedStatement = connection.prepareStatement("UPDATE PEOPLE SET PASSWORD = ? WHERE USER_ID = ?"); + preparedStatement.setString(1, password); + preparedStatement.setString(2, username); + preparedStatement.execute(); return null; } catch (SQLException e){ return e.toString();
@@ -515,9 +567,13 @@ public static String changePassword(String username, String password) { public static long storeFeedback(String name, String email, String subject, String comments) { try{ Connection connection = getConnection(); - Statement statement = connection.createStatement(); - statement.execute("INSERT INTO FEEDBACK (NAME,EMAIL,SUBJECT,COMMENTS) VALUES ('"+name+"', '"+email+"', '"+subject+"', '"+comments+"')", Statement.RETURN_GENERATED_KEYS); - ResultSet rs= statement.getGeneratedKeys(); + PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO FEEDBACK (NAME,EMAIL,SUBJECT,COMMENTS) VALUES (?, ?, ?, ?)", Statement.RETURN_GENERATED_KEYS); + preparedStatement.setString(1, name); + preparedStatement.setString(2, email); + preparedStatement.setString(3, subject); + preparedStatement.setString(4, comments); + preparedStatement.execute(); + ResultSet rs= preparedStatement.getGeneratedKeys(); long id = -1; if (rs.next()){ id = rs.getLong(1);
@@ -528,4 +584,5 @@ public static long storeFeedback(String name, String email, String subject, Stri return -1; } } + }
\ No newline at end of file
diff --git a/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java b/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java
index 5629335..f1883c8 100644
--- a/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java
+++ b/src/com/ibm/security/appscan/altoromutual/util/OperationsUtil.java
@@ -13,6 +13,19 @@ import com.ibm.security.appscan.altoromutual.model.Account; import com.ibm.security.appscan.altoromutual.model.User; +import java.nio.charset.Charset; +import java.security.SecureRandom; +import java.sql.SQLException; +import java.text.SimpleDateFormat; +import java.util.Date; +import java.util.StringTokenizer; + +import javax.servlet.http.Cookie; +import javax.servlet.http.HttpServletRequest; + +import org.apache.commons.codec.binary.Base64; +import org.apache.commons.lang.StringEscapeUtils; + public class OperationsUtil { public static String doApiTransfer(HttpServletRequest request, long creditActId, long debitActId,
@@ -145,10 +158,11 @@ public static User getUser(HttpServletRequest request) throws SQLException{ public static String makeRandomString() { byte[] array = new byte[7]; // length is bounded by 7 - new Random().nextBytes(array); + new SecureRandom().nextBytes(array); String generatedString = new String(array, Charset.forName("UTF-8")); return generatedString; } } +
diff --git a/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java b/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java
index 6524e35..8bed6d4 100644
--- a/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java
+++ b/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java
@@ -343,6 +343,8 @@ public static Cookie establishSession(String username, HttpSession session){ Account[] accounts = user.getAccounts(); String accountStringList = Account.toBase64List(accounts); Cookie accountCookie = new Cookie(ServletUtil.ALTORO_COOKIE, accountStringList); + accountCookie.setHttpOnly(true); + accountCookie.setSecure(true); session.setAttribute(ServletUtil.SESSION_ATTR_USER, user); return accountCookie; }
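Review bot: Moving to `new SecureRandom().nextBytes(array)` is right, but the unchanged next line `new String(array, Charset.forName("UTF-8"))` still decodes 7 random bytes as UTF-8, which replaces every invalid sequence with U+FFFD, so the result carries less entropy than the bytes and can contain control and replacement characters; encode the bytes instead of decoding them, e.g. `String generatedString = Base64.encodeBase64URLSafeString(array);` using the commons-codec `Base64` the import hunk adds (the string gets longer, so check what callers do with its length). A single `private static final SecureRandom` instance is preferable to constructing one per call. In the @@ -13 import hunk, `HttpServletRequest` and `SQLException` already appear in the context lines (`doApiTransfer(HttpServletRequest request, ...)`, `getUser(...) throws SQLException`), so some of the added imports are probably duplicates of existing ones, and if `java.util.Random` was imported for the removed call that import is now unused; worth a pass with the compiler's unused-import warnings on. makeRandomString is shown in full; the other methods are only context.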
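Review bot: The `setHttpOnly(true)` / `setSecure(true)` calls on `accountCookie` here are repeated by the caller in LoginServlet in this same diff; this is the right place, since the cookie is created on the previous line, so keep them here and remove the copy in the servlet. HttpOnly and Secure protect the cookie from script access and from plaintext transport, not its contents: the value is `Account.toBase64List(accounts)`, a client-held list of the user's accounts, and neither flag prevents the holder from editing it before sending it back. If the reading side (outside this diff) treats that list as authoritative for which accounts the user may act on, derive it server-side from the `user` stored in the session on the next line instead, or add an integrity check (e.g. an HMAC over the value) — a comment on the `new Cookie(...)` line stating which it is would prevent the next reader from assuming the flags make the value trustworthy. establishSession starts outside the hunk.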