JSP authentication bypass
Description
This vulnerability allows unauthorized access to JSP files that are protected by HTTP Basic Authentication. By appending a semicolon and a benign-looking file extension to the URL (for example, requesting /admin/secret.jsp;.css instead of /admin/secret.jsp), an attacker can bypass the authentication control. The root cause is a parsing mismatch between two layers: the component that enforces authentication (typically a web server or reverse proxy in front of the servlet container, using a rule that matches on the file extension of the raw URL) sees a path ending in .css and treats the request as an unprotected static resource, while the servlet container treats everything after the semicolon as a path parameter (as Apache Tomcat does), strips it, maps the request to secret.jsp and executes the protected page.
Remediation
To remediate this vulnerability, implement the following measures:
1. Update authentication rules to normalize URLs before applying access controls. Strip path parameters (the semicolon and everything after it in each path segment) so that the path the authentication check evaluates is the same path the container will map to a resource, and only then apply the rule. A rule that matches on the extension of the raw URL is exactly what the attacker exploits.
2. Configure the component in front of the servlet container (web server or reverse proxy) to reject or normalize requests whose path contains a semicolon before any extension-based rule is evaluated, and keep the container itself on a current, supported release so that its path parameter handling matches its documented behaviour. Be aware that a servlet container uses one path parameter legitimately, ;jsessionid=..., for cookieless session tracking; if your application relies on URL-rewritten sessions, strip the parameter rather than rejecting the request outright.
3. Implement a servlet filter that validates incoming requests and rejects any whose raw request URI contains a path parameter. Note that getRequestURI() returns the raw URI, so the semicolon is still visible inside the filter, whereas getServletPath() would already have it removed. Map the filter to /* so it runs before every servlet and JSP. Example Java servlet filter:
```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Rejects any request whose raw URI carries a ";..." path parameter,
// the vector used to disguise a protected JSP as a static file.
public class PathParameterFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        // getRequestURI() returns the raw URI, so ";.css" is still present here
        String uri = httpRequest.getRequestURI();
        // Reject requests with semicolons in the path
        if (uri.contains(";")) {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}
}
```
This filter breaks URL-rewritten sessions (;jsessionid=...). If the application depends on them, strip the path parameter from each segment and compare the stripped path against the protected set instead of rejecting every semicolon.
4. Apply defense in depth by declaring the protection in the application itself as a security-constraint in web.xml, in addition to any front-end rule. A servlet container such as Tomcat evaluates these constraints against the same normalized path it uses for servlet mapping, with path parameters already removed, so /admin/secret.jsp;.css is matched as /admin/secret.jsp. Prefer a path-prefix url-pattern that covers the whole protected area (such as /admin/*) over an extension pattern alone (such as *.jsp), so that the protection does not depend on the request's apparent file extension.
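As an added example (not part of the original finding or of any product's code), the following Python models the two-layer mismatch the description explains and the normalization that remediation step 1 asks for, and adds a detection check over constructed access-log lines. The path /admin/secret.jsp, the log lines and the function names are assumptions for illustration; the stripping behaviour mirrors how a servlet container handles path parameters, and the log check treats ;jsessionid= as the one legitimate path parameter.

```python
import re
from urllib.parse import urlsplit


def strip_path_parameters(path):
    """Drop the ';...' path parameter from every segment, which is what a servlet
    container such as Tomcat does before mapping the request to a JSP or servlet."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def path_parameters(path):
    """Return the raw path parameters of every segment, e.g. ['.css']."""
    params = []
    for segment in path.split("/"):
        params.extend(segment.split(";")[1:])
    return params


def extension_rule_requires_auth(raw_path):
    """Vulnerable rule: an extension match evaluated on the raw URL, as a
    front-end web server or reverse proxy would do it."""
    return raw_path.endswith(".jsp")


def normalized_rule_requires_auth(raw_path):
    """Fixed rule: normalize exactly as the container will, then match."""
    return strip_path_parameters(raw_path).endswith(".jsp")


def simulate(raw_path, requires_auth, authenticated=False):
    """Model the two layers: the auth layer decides on the raw path, the
    container serves the path-parameter-stripped resource.
    Returns (status, resource served or None)."""
    if requires_auth(raw_path) and not authenticated:
        return 401, None
    return 200, strip_path_parameters(raw_path)


# Constructed sample access-log lines (not real traffic) for the detection check.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /admin/secret.jsp HTTP/1.1" 401 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /admin/secret.jsp;.css HTTP/1.1" 200 4123',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /app/list.jsp;jsessionid=ABC123 HTTP/1.1" 200 812',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /static/site.css HTTP/1.1" 200 300',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def find_bypass_attempts(log_lines):
    """Flag requests whose path parameter disguises a JSP: the stripped path ends
    in .jsp and the parameter is something other than ';jsessionid=...', the one
    path parameter a servlet container uses legitimately."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # urlsplit keeps ';' inside .path, so the raw path parameter survives here
        raw_path = urlsplit(match.group("target")).path
        disguising = [p for p in path_parameters(raw_path) if not p.startswith("jsessionid=")]
        if disguising and strip_path_parameters(raw_path).endswith(".jsp"):
            hits.append((match.group("ip"), raw_path, int(match.group("status"))))
    return hits


if __name__ == "__main__":
    for rule in (extension_rule_requires_auth, normalized_rule_requires_auth):
        print(rule.__name__, simulate("/admin/secret.jsp;.css", rule))
    print(find_bypass_attempts(SAMPLE_LOG))
```

Running the script shows the extension rule letting /admin/secret.jsp;.css through to secret.jsp with a 200 while the normalized rule answers 401, and the log check flags only the disguised request, not the jsessionid one. The same stripping function is the normalization step to put in front of any extension-based rule.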