Valid 312-96 Dumps shared by ExamDiscuss.com for Helping Passing 312-96 Exam! ExamDiscuss.com now offer the newest 312-96 exam dumps, the ExamDiscuss.com 312-96 exam questions have been updated and answers have been corrected get the newest ExamDiscuss.com 312-96 dumps with Test Engine here:
Alice works as a Java developer in Fygo software Services Ltd. He is given the responsibility to design a bookstore website for one of their clients. This website is supposed to store articles in .pdf format. Alice is advised by his superior to design ArticlesList.jsp page in such a way that it should display a list of all the articles in one page and should send a selected filename as a query string to redirect users to articledetails.jsp page. Alice wrote the following code on page load to read the file name. String myfilename = request.getParameter("filename"); String txtFileNameVariable = myfilename; String locationVariable = request.getServletContext().getRealPath("/"); String PathVariable = ""; PathVariable = locationVariable + txtFileNameVariable; BufferedInputStream bufferedInputStream = null; Path filepath = Paths.get(PathVariable); After reviewing this code, his superior pointed out the security mistake in the code and instructed him not repeat the same in future. Can you point the type of vulnerability that may exist in the above code?
Correct Answer: D
The code snippet provided is vulnerable to a Directory Traversal attack. This type of attack occurs when an attacker exploits insufficient security validation/sanitization of user-supplied file names and paths, allowing them to access files or directories that are stored outside the intended folder. Here's why the code is vulnerable: * String myfilename = request.getParameter("filename"); This line retrieves the file name from the request's query string without any validation. * String PathVariable = locationVariable + txtFileNameVariable; This line directly concatenates the user input with the server's file path, which can be manipulated to traverse directories. An attacker could manipulate the filename parameter to include sequences like ../ (dot-dot-slash), potentially gaining unauthorized access to files outside the web application's directory. To mitigate this vulnerability, Alice should: * Validate the input filename against a whitelist of allowed files. * Use a method to normalize the path, like File.getCanonicalPath(), to resolve any relative path elements and ensure the path is within the intended directory. * Implement proper error handling to avoid revealing sensitive information through error messages. References:For more detailed information on preventing Directory Traversal vulnerabilities, refer to resources such as the OWASP Foundation1 and other security best practices for Java web applications234.
