
Commit c76117b

Demo Improper Inventory Management
1 parent 0267207 commit c76117b


2 files changed

+72
-0
lines changed

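--- /dev/null
+++ b/ProblemDebugInfoServlet.java
@@ -0,0 +1,27 @@
+package com.itbulls.learnit.onlinestore.web.owasp.iim.problem;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.PrintWriter;
+
+//Deprecated endpoint for debugging purposes
+@WebServlet("/api/debug-info")
+public class ProblemDebugInfoServlet extends HttpServlet {
+
+@Override
+protected void doGet(HttpServletRequest request, HttpServletResponse response)
+throws ServletException, IOException {
+// Exposes sensitive server and application info
+String serverInfo = "Server Info: [OS: Linux, Java Version: 11, JVM Args: ...]";
+String appLogs = "Recent Logs: [INFO: Startup complete, ERROR: Null pointer exception ...]";
+
+response.setContentType("text/plain");
+PrintWriter out = response.getWriter();
+out.println(serverInfo);
+out.println(appLogs);
+}
+}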
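Review bot: The `//Deprecated endpoint for debugging purposes` comment is the only signal that this servlet is retired, while `@WebServlet("/api/debug-info")` still registers it at deploy time with no authentication or role check in `doGet`, so a reader skimming the package could take it for live code. Since this class is the intentionally vulnerable half of the demo (the `...iim.problem` package), a header comment should say so explicitly, e.g. `// INTENTIONALLY VULNERABLE demo (OWASP API Security Top 10, Improper Inventory Management): a forgotten debug endpoint that is still mapped and unauthenticated. Never ship to a real environment.`. It is also worth noting inside `doGet` that `serverInfo` and `appLogs` are hard-coded placeholder strings, so nothing real leaks in the demo; what it illustrates is the pattern of dumping OS, JVM and log details to any caller.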
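--- /dev/null
+++ b/SolutionSecureDebugInfoServlet.java
@@ -0,0 +1,45 @@
+package com.itbulls.learnit.onlinestore.web.owasp.iim.solution;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.annotation.WebServlet;
+import jakarta.servlet.http.HttpServlet;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpSession;
+import java.io.IOException;
+import java.io.PrintWriter;
+
+//Updated and secured endpoint
+@WebServlet("/api/admin/debug-info")
+public class SolutionSecureDebugInfoServlet extends HttpServlet {
+
+@Override
+protected void doGet(HttpServletRequest request, HttpServletResponse response)
+throws ServletException, IOException {
+HttpSession session = request.getSession(false);
+
+// Ensure the user is authenticated
+if (session == null || session.getAttribute("user") == null) {
+response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+response.getWriter().println("Unauthorized access");
+return;
+}
+
+// Ensure the user has admin privileges
+String userRole = (String) session.getAttribute("role");
+if (!"ROLE_ADMIN".equals(userRole)) {
+response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+response.getWriter().println("Forbidden access");
+return;
+}
+
+// Access to debugging information should be restricted and controlled
+String serverInfo = "Server Info: [OS: Linux, Java Version: 11]";
+String appLogs = "Debugging Logs: [Access restricted]";
+
+response.setContentType("text/plain");
+PrintWriter out = response.getWriter();
+out.println(serverInfo);
+out.println(appLogs);
+}
+}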
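Review bot: Moving the endpoint to `/api/admin/debug-info` and adding the session checks does not retire the old one: the `problem` package's servlet in this same commit is still annotated `@WebServlet("/api/debug-info")`, so if both classes end up in the same WAR the unauthenticated endpoint is deployed alongside this one and the inventory problem the commit is meant to fix persists (possibly intended for the demo, but then the solution should say so, e.g. `// A secured copy does not retire the old path: the legacy /api/debug-info mapping must be removed from the deployment.`). The authorization is also hand-rolled per servlet from the `"user"` and `"role"` session attributes, whose names and types the rest of the application has to match and which a sibling endpoint can silently forget; a container-level `@ServletSecurity(@HttpConstraint(rolesAllowed = "ROLE_ADMIN"))` or a filter on `/api/admin/*` with `request.isUserInRole("ROLE_ADMIN")` applies the check uniformly, and the unchecked `(String)` cast of `"role"` would turn a non-String attribute into a 500. Minor: both error branches write a body before any content type is set, and `SC_UNAUTHORIZED` is normally paired with a `WWW-Authenticate` header, so `SC_FORBIDDEN` (or a redirect to login) may be the more accurate status for the no-session case.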
