Hunchentoot Webserver and Application Security

I had the opportunity to have the security of the Hunchentoot Lisp web server set-up from the previous post, and a web application using Hunchentoot, reviewed by a reputable firm. In short, this is what they had to say:

“it would appear that the server administrators should be commended for their network-level hardening of the target system”

It's not a hundred percent clean bill of health, because only automated testing was used, with some manual intervention to validate the automated results.

Here are some of the issues that were picked up:


1. Nginx Version Disclosure

  Issue Summary:
  The Nginx version was detected by viewing the HTTP response headers received from the remote server.
  This information gives potential attackers additional information about the system they are attacking. Versions should be omitted where possible.
  Disable the Nginx server tokens.

General web application issues:

Note: These issues are most likely caused by how I use Hunchentoot and not a problem with Hunchentoot or the rest of the set-up itself. Obviously not all of these issues are pertinent to all web applications, but it's still good to know about them.

1. POST Parameters Accepted as GET Parameters (Rated Low)

  Issue Summary:
  Some web frameworks collapse the POST and GET parameters into a single collection. This is a flawed design pattern from a security standpoint.

  If a page accepts POST parameters as GET parameters, an attacker would be able to effect change on websites through Cross-Site Request Forgery, or leverage this design flaw with other vulnerabilities to attack the system hosting the web application.

  POST variables and GET variables should be distinct, and no attempt to collapse the two collections should occur.

2. Form Autocomplete Active (Rated Low)

  Issue Summary:
  Most recent browsers have features that will save form field content entered by users and then automatically complete the form entry the next time the fields are encountered.
  This feature is enabled by default and could leak sensitive information, since it is stored on the hard drive of the user.
  The risk of this issue is greatly increased if users are accessing the application from a shared

  Set autocomplete to "off" on all your forms.

3. Missing HttpOnly Flag on Cookie (Rated Low)
  Issue Summary:
  The session-identifying cookies did not have the HttpOnly flag set. This flag was introduced to safeguard session details.
  Once enabled, browsers (that recognise the flag) will disallow all scripts from accessing and/or manipulating the cookie information.

  Set the flag on all session-identifying cookies.

4. Missing Secure Flag on Cookie (Rated Low)

  Issue Summary:
  The session-identifying cookies did not have the Secure flag set. This flag instructs compliant browsers to avoid transmitting session details over unencrypted channels.
  Set the flag on all session-identifying cookies.

I hope these notes will help you build safer and better web applications in lisp.

I would appreciate any feedback from the Hunchentoot community on how to avoid these issues in Hunchentoot.


2 Responses to “Hunchentoot Webserver and Application Security”

  1. sabrac Says:

    I remember trying to figure out how to change the cookie flags and was not successful. Hopefully someone brighter than I am can chime in.

  2. sabrac Says:

    With respect to the post parameter item, when you are defining your handler, you can insert several limitations into the parameter list, including limiting the request types. For example, this parameter set tells the handler that you are accepting two parameters (name, id) only from a post request, and the name is expected to be a string and the id must be an integer.

    ((name :parameter-type 'string :request-type :post)
     (id :parameter-type 'integer :request-type :post))

    To set a cookie secure flag, put something like this line into your handler:

    (hunchentoot:set-cookie "testpage-george" :secure t)

    You should be able to add the http-only flag the same way.
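Putting the post's findings 1, 3 and 4 and sabrac's suggestions together, here is an added example (not code from the post or from sabrac's comment). It assumes Hunchentoot is loaded and runs behind the TLS-terminating nginx from the previous post, and that `set-cookie` replaces a cookie of the same name already queued in the reply; the package, handler and URI names are made up.

```lisp
;; Added example, not code from the post or from sabrac's comment.
;; Assumes (ql:quickload :hunchentoot) has been run and that nginx in
;; front of this server terminates TLS. Package, handler and URI names
;; are invented for the example.
(defpackage :hardened-example (:use :cl))
(in-package :hardened-example)

;; Findings 3 and 4: START-SESSION queues Hunchentoot's own session
;; cookie. Re-issuing a cookie with the same name replaces the queued
;; one, so the browser receives it with HttpOnly and Secure set.
(defun start-hardened-session ()
  (let ((session (hunchentoot:start-session)))
    (hunchentoot:set-cookie
     (hunchentoot:session-cookie-name hunchentoot:*acceptor*)
     :value (hunchentoot:session-cookie-value session)
     :path "/"
     :secure t       ; never sent over plain HTTP
     :http-only t)   ; not readable from document.cookie
    session))

;; Finding 1: :request-type :post reads NAME and ID only from the POST
;; body; ?name=...&id=... in the query string is ignored, and any other
;; method gets a 405 instead of running the body with NIL parameters.
(hunchentoot:define-easy-handler (update-profile :uri "/profile")
    ((name :parameter-type 'string  :request-type :post)
     (id   :parameter-type 'integer :request-type :post))
  (setf (hunchentoot:content-type*) "text/plain")
  (unless (eq (hunchentoot:request-method*) :post)
    (setf (hunchentoot:return-code*) hunchentoot:+http-method-not-allowed+)
    (return-from update-profile "POST only"))
  (start-hardened-session)
  (cond ((and name id)
         (format nil "profile ~D renamed to ~A~%" id name))
        (t
         (setf (hunchentoot:return-code*) hunchentoot:+http-bad-request+)
         "name and id are required POST parameters")))

;; Listen on localhost only; nginx proxies to it and is where
;; server_tokens off (the Nginx version disclosure finding) belongs.
(defvar *server*
  (hunchentoot:start
   (make-instance 'hunchentoot:easy-acceptor
                  :address "127.0.0.1" :port 8080)))
```

Check the result with a GET and a POST to /profile: the GET must come back 405 and the POST's Set-Cookie header must carry both HttpOnly and Secure.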
