Comprehensive Web Application Protection

Multi-layered security mechanisms provided by the EFW framework to protect web applications from various attacks


EFW Framework Security Overview

EFW (Escco-Framework) is a server-side JavaScript Ajax framework designed and developed by Escco Japan Co., Ltd. using a goal-oriented approach, providing multi-layered security protection mechanisms.

EFW framework ensures application security from three dimensions: file security, parameter security, and injection attack protection.

Multi-layered Security Protection - Comprehensive Defense from File Management to Injection Attacks


1. File Leakage Protection Measures

What is File Leakage?

File leakage refers to a category of security issues where files on a web server can be read at will by attackers over the internet. It is one of the most basic vulnerabilities in web applications, and a website with no file leakage protection measures belongs to the lowest security level.

1-1. EFW Folder Location Strategy

Traditional Problem

Application files and resources are typically stored in web-accessible areas, making them vulnerable to direct access by attackers.

EFW Solution

EFW framework defaults to storing application programs and various resources (excluding jsp, css, etc.) in the WEB-INF folder, which is in the web non-public area.

  • event: Folder for storing event js files
  • i18n: Folder for storing multilingual message definitions
  • mail: Folder for storing email templates
  • sql: Folder for storing external SQL
  • storage: Folder for storing application operation files

1-2. Enhanced File Management Tool Elfinder

Original Elfinder Issues

In the original elfinder, home path, read-only flag, etc. can be modified in client-side JavaScript, posing security risks.

EFW Enhancement

EFW's elfinder tag has a protected attribute that makes the home path and read-only flag unchangeable, significantly enhancing security.

1-3. Secure Download Mechanism

Traditional Download Issues

Direct file path downloads may lead to unauthorized access and file leakage.

EFW Secure Download Mechanism

Downloads must start from an event dispatch. Between event execution and download initiation, the download target is stored in the session.

This prevents downloads from being executed solely through client-side JavaScript tampering.

// In event JS, use attach function to set download file name or path name
return (new Result())
    .attach("myfile.txt");

2. Parameter Information Leakage Protection

What is Parameter Information Leakage?

Parameter information leakage refers to vulnerabilities where parameters passed during page transitions cause issues such as unauthorized access to personal information. Although named "information leakage," this category also includes tampering issues such as manipulating parameters for improper low-price shopping on e-commerce sites.

2-1. Event Parameter Check Mechanism

EFW provides a parameter definition check mechanism that verifies whether event parameters obtained from the client match the expected types, preventing server failures caused by client tampering.

var myEvent = {};
// Each entry maps a parameter key to semicolon-separated rules:
// format, required, min, max, maxlength and display-name (used in messages)
myEvent.paramsFormat = {
    "#txt_date": "format:yyyy/MM/dd;required;display-name:Date Field",
    "#txt_number": "format:###,##0;min:0;max:1,000;display-name:Number Field",
    "#txt_string": "maxlength:100;display-name:String Field"
};
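A validator for the paramsFormat rule syntax shown above, as an added example that is not EFW's own checker: it parses the rules, rejects impossible dates and malformed grouped numbers, and reports every failing field by its display name.

```javascript
// Added example, not EFW's own checker: validates the paramsFormat rules
// (required, format:yyyy/MM/dd, format:###,##0, min, max, maxlength, display-name).
function parseRules(spec) {
  var rules = {};
  spec.split(";").forEach(function (part) {
    var i = part.indexOf(":");   // flag rules such as "required" carry no value
    rules[(i < 0 ? part : part.slice(0, i)).trim()] = i < 0 ? true : part.slice(i + 1).trim();
  });
  return rules;
}
// ###,##0 values: digits with optional thousands grouping, e.g. "1,000"
function toNumber(s) {
  return /^-?(\d{1,3}(,\d{3})*|\d+)$/.test(s) ? Number(s.replace(/,/g, "")) : NaN;
}
// yyyy/MM/dd values must be real calendar dates (rejects 2023/02/29)
function isValidDate(s) {
  var m = /^(\d{4})\/(\d{2})\/(\d{2})$/.exec(s);
  if (!m) return false;
  var d = new Date(Date.UTC(+m[1], +m[2] - 1, +m[3]));
  return d.getUTCMonth() === +m[2] - 1 && d.getUTCDate() === +m[3];
}
// Returns error messages; an empty array means the parameters may be used
function checkParams(paramsFormat, params) {
  var errors = [];
  Object.keys(paramsFormat).forEach(function (key) {
    var r = parseRules(paramsFormat[key]);
    var name = r["display-name"] || key;
    var v = params[key];
    if (v === undefined || v === null || v === "") {
      if (r.required) errors.push(name + " is required");
      return;                                   // optional field left empty
    }
    if (typeof v !== "string") { errors.push(name + " must be a string"); return; }
    if (r.format === "yyyy/MM/dd" && !isValidDate(v)) errors.push(name + " is not a valid date");
    if (r.format === "###,##0") {
      var n = toNumber(v);
      if (isNaN(n)) errors.push(name + " is not a number");
      else if (r.min !== undefined && n < toNumber(r.min)) errors.push(name + " is below " + r.min);
      else if (r.max !== undefined && n > toNumber(r.max)) errors.push(name + " is above " + r.max);
    }
    if (r.maxlength !== undefined && v.length > Number(r.maxlength)) errors.push(name + " is too long");
  });
  return errors;
}
// Constructed sample: the paramsFormat definition from the page
var sampleFormat = {
  "#txt_date": "format:yyyy/MM/dd;required;display-name:Date Field",
  "#txt_number": "format:###,##0;min:0;max:1,000;display-name:Number Field",
  "#txt_string": "maxlength:100;display-name:String Field"
};
```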

2-2. Login Check Mechanism

Through property file settings, automatic login checks are performed on pages that require authentication and events that require login, preventing information leakage caused by directly entering addresses without logging in.

# Login check flag
efw.login.check = true
# Session key for login
efw.login.key = USER_ID
# Login URL
efw.login.url = login.jsp
# URL patterns exempt from login check
efw.outoflogin.url.pattern = [/](LG01|LG02|LG03|error).jsp

2-3. Role Check Mechanism

Through property file settings, automatic role checks are performed on pages viewable only by administrators and events operable only by administrators, preventing information leakage caused by regular users directly entering administrator-only page addresses.

# Authorization check flag
efw.auth.check = true
# All authorization check cases
efw.auth.cases = admin,user
# Define cases one by one
admin.auth.pattern = ^admin.*$
admin.url.pattern = [/]*.jsp
admin.eventid.pattern = .*
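An access filter that applies the login settings from 2-2 and the role settings from 2-3 to a request, as an added example that is not EFW's own filter. Assumptions: the session stores the login key (USER_ID) and the user's authority under AUTH; a request whose URL or event id matches a case's url/eventid pattern is allowed only if AUTH matches that case's auth pattern; patterns are searched like Java's Matcher.find(); login-exempt URLs skip both checks.

```javascript
// Added example, not EFW's own filter: applies the property settings shown
// above to a request. Assumptions: session[USER_ID] marks a login, session.AUTH
// holds the authority tested against <case>.auth.pattern, a request matching a
// case's url/eventid pattern is restricted to that case, patterns are searched
// (not full-matched), and login-exempt URLs skip both checks.
var props = {
  "efw.login.check": "true",
  "efw.login.key": "USER_ID",
  "efw.login.url": "login.jsp",
  "efw.outoflogin.url.pattern": "[/](LG01|LG02|LG03|error).jsp",
  "efw.auth.check": "true",
  "efw.auth.cases": "admin,user",
  "admin.auth.pattern": "^admin.*$",
  "admin.url.pattern": "[/]*.jsp",
  "admin.eventid.pattern": ".*"
};

function matches(pattern, text) {
  return pattern !== undefined && text !== undefined && new RegExp(pattern).test(text);
}

// request: { url: "/menu.jsp" } for a page, or { eventId: "..." } for an event.
// Returns { allow: true }, { allow: false, redirect: ... } or { allow: false, status: 403 }.
function checkAccess(props, session, request) {
  var loginOn = props["efw.login.check"] === "true";
  if (loginOn && matches(props["efw.outoflogin.url.pattern"], request.url)) return { allow: true };
  if (loginOn && !session[props["efw.login.key"]]) {
    return { allow: false, redirect: props["efw.login.url"] };   // not logged in
  }
  if (props["efw.auth.check"] === "true") {
    var cases = props["efw.auth.cases"].split(",");
    for (var i = 0; i < cases.length; i++) {
      var c = cases[i].trim();
      var covered = matches(props[c + ".url.pattern"], request.url) ||
                    matches(props[c + ".eventid.pattern"], request.eventId);
      // A case without patterns (like "user" on the page) restricts nothing
      if (covered && !matches(props[c + ".auth.pattern"], session.AUTH)) {
        return { allow: false, status: 403 };   // fail closed: authority missing or wrong
      }
    }
  }
  return { allow: true };
}
```

With the page's admin patterns every jsp and every event is covered, so a logged-in user whose authority does not start with "admin" is refused.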

3. Injection Attack Protection Measures

What is Injection Attack?

Injection, in the literal sense, means inserting something into the inside of a system. Injection attacks are techniques that smuggle security-compromising commands into the input data a program normally receives, so that those commands are executed inside the computer.

3-1. JavaScript Injection Prevention in JSON Communication

Risk of Using eval()

If eval() is used to parse JSON data, malicious code may be executed.

EFW Solution

EFW uses JSON.parse() to parse strings sent from the client, preventing JavaScript injection in JSON communication.

// Safe - using JSON.parse
var data = JSON.parse(requestData);

3-2. HTML Injection Prevention in Automatic Result Display

Risk of Using html()

If jQuery's html() method is used to directly display data, HTML injection attacks may occur.

EFW Solution

EFW utilizes jQuery's val() and text() methods to display return values, preventing HTML injection.

// Safe - withdata values are written with val() and text(), so any markup
// contained in params is rendered as plain text rather than as HTML
return (new Result())
    .runat("body")
    .withdata({
        "#span_value": params["#input1"]
    });

3-3. SQL Injection Prevention with Prepared Statements

Risk of String Concatenation

Using string concatenation to build SQL statements may lead to SQL injection attacks.

EFW Solution

EFW converts parameters of external SQL into prepared statement-style parameters, preventing SQL injection.

<!-- Safe - using prepared statements -->
<sql id="select_user_by_uid">
    SELECT uid, unm, pwd
    FROM tb_user
    WHERE uid = :txt_uid
</sql>
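How the conversion to prepared-statement parameters works, as an added example that is not EFW's own converter: it reads the external SQL above by id and turns its :name placeholders into "?" markers plus an ordered value list, so a parameter value never becomes part of the SQL text. The XML wrapper and the plain parameter name (txt_uid) are assumptions for illustration.

```javascript
// Added example, not EFW's own converter: external SQL with :name placeholders
// becomes a prepared statement ("?" markers plus an ordered value list).
// The XML shape and the plain parameter name txt_uid are assumptions.
function getSql(xml, id) {
  var safeId = id.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");   // id is used inside a regex
  var m = new RegExp('<sql\\s+id="' + safeId + '"[^>]*>([\\s\\S]*?)</sql>').exec(xml);
  if (!m) throw new Error("no sql with id " + id);
  return m[1].trim();
}

function toPrepared(sql, params) {
  var values = [], missing = [];
  // Single-quoted literals are copied verbatim; "::" casts are not placeholders.
  var re = /'(?:[^']|'')*'|(?<!:):([A-Za-z_][A-Za-z0-9_]*)/g;
  var text = sql.replace(re, function (m, name) {
    if (name === undefined) return m;                    // string literal
    if (!Object.prototype.hasOwnProperty.call(params, name)) { missing.push(name); return m; }
    values.push(params[name]);                           // value travels out of band
    return "?";
  });
  // Fail closed: an unbound placeholder is a programming error, not NULL
  if (missing.length) throw new Error("unbound parameters: " + missing.join(", "));
  return { text: text, values: values };
}

// Constructed sample: the external SQL from the page
var sqlXml =
  '<sqls>\n' +
  '<sql id="select_user_by_uid">\n' +
  '    SELECT uid, unm, pwd\n' +
  '    FROM tb_user\n' +
  '    WHERE uid = :txt_uid\n' +
  '</sql>\n' +
  '</sqls>';

function selectUser(uid) {
  return toPrepared(getSql(sqlXml, "select_user_by_uid"), { txt_uid: uid });
}
```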

Comprehensive Security Assurance

EFW framework provides comprehensive protection for web applications from file management to injection attacks through multi-layered security mechanisms.

File Security

Comprehensive prevention of file leakage through storage outside the web-public area, a secure download mechanism, and an enhanced file management tool.

Parameter Security

Prevention of parameter tampering and unauthorized access through parameter checks, login checks, and role checks.

Injection Protection

Comprehensive prevention of various injection attacks through secure JSON parsing, secure HTML display, and SQL prepared statements.

EFW Framework - Providing Comprehensive Security for Your Web Applications
