PatchWork AutoFix

WebContent/static/inside_about.htm

@@ -9,7 +9,7 @@ <h1>About Altoro Mutual</h1>
 <ul>
     <li><a href="index.jsp?content=inside_executives.htm">Executives & Management Team</a></li>
     <li><a href="index.jsp?content=inside_community.htm">Community Affairs</a></li>
-    <li><a href="http://www.newspapersyndications.tv">Analyst Reviews</a></li>
+    <li><a href="https://www.newspapersyndications.tv">Analyst Reviews</a></li>
     <li><a href="inside_points_of_interest.htm">Points of Interest</a></li>
 </ul>
 
@@ -22,4 +22,4 @@ <h1>About Altoro Mutual</h1>
 <span class="credit">
 Altoro Mutual offers a broad range of commercial, private, retail and mortgage banking services to small- and middle-market businesses and individuals.</span>
 
-</div>
+</div>

WebContent/static/inside_community.htm

@@ -3,15 +3,15 @@
 
 <h1>Community Affairs</h1>
 
-<p>The successes of Altoro Mutual afford the opportunity to make the communities we serve better places to live, work and do business.</p>
+<p>The successes of Altoro Mutual afford the opportunity to make the communities we serve better places to live, work, and do business.</p>
 
 <h2>Volunteering</h2>
 <p>The employees of Altoro Mutual not only give millions of dollars in donations but thousands of hours of volunteer time to their communities each year. Learn about our current <a href="index.jsp?content=inside_volunteering.htm">volunteer programs</a>.</p>
 
 <h2>Summer 2006</h2>
-<p>The 2006 community efforts of Altoro Mutual and our employees is quite impressive including charitable contributions, volunteerism, diversity initiatives, and other support.  <a href="pr/communityannualreport.pdf">View</a> the summary report (PDF, 800KB).</p>
+<p>The 2006 community efforts of Altoro Mutual and our employees are quite impressive, including charitable contributions, volunteerism, diversity initiatives, and other support.  <a href="pr/communityannualreport.pdf">View</a> the summary report (PDF, 800KB).</p>
 
-<p><img src="images/adobe.gif" border=0 alt="Adobe Reader"><br />
-<a href="http://www.adobe.com/products/acrobat/readstep2.html">Download free Adobe Reader</a>.</p>
+<p><img src="images/adobe.gif" border="0" alt="Adobe Reader"><br />
+<a href="https://www.adobe.com/products/acrobat/readstep2.html">Download free Adobe Reader</a>.</p>
 
-</div>
+</div>

src/com/ibm/security/appscan/altoromutual/servlet/AdminServlet.java

@@ -41,8 +41,8 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 
 		//add account
 		if (request.getRequestURL().toString().endsWith("addAccount")){
-			String username = request.getParameter("username");
-			String acctType = request.getParameter("accttypes");
+			String username = sanitizeInput(request.getParameter("username"));
+			String acctType = sanitizeInput(request.getParameter("accttypes"));
 			if (username == null || acctType == null || username.trim().length() == 0 || acctType.trim().length() == 0)
 				message = "An error has occurred. Please try again later.";
 			else {
@@ -54,11 +54,11 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 
 		//add user
 		else if (request.getRequestURL().toString().endsWith("addUser")){
-			String firstname = request.getParameter("firstname");
-			String lastname = request.getParameter("lastname");
-			String username = request.getParameter("username");
-			String password1 = request.getParameter("password1");
-			String password2 = request.getParameter("password2");
+			String firstname = sanitizeInput(request.getParameter("firstname"));
+			String lastname = sanitizeInput(request.getParameter("lastname"));
+			String username = sanitizeInput(request.getParameter("username"));
+			String password1 = sanitizeInput(request.getParameter("password1"));
+			String password2 = sanitizeInput(request.getParameter("password2"));
 			if (username == null || username.trim().length() == 0
 				|| password1 == null || password1.trim().length() == 0
 				|| password2 == null || password2.trim().length() == 0)
@@ -87,9 +87,9 @@ else if (request.getRequestURL().toString().endsWith("addUser")){
 
 		//change password
 		else if (request.getRequestURL().toString().endsWith("changePassword")){
-			String username = request.getParameter("username");
-			String password1 = request.getParameter("password1");
-			String password2 = request.getParameter("password2");
+			String username = sanitizeInput(request.getParameter("username"));
+			String password1 = sanitizeInput(request.getParameter("password1"));
+			String password2 = sanitizeInput(request.getParameter("password2"));
 			if (username == null || username.trim().length() == 0
 					|| password1 == null || password1.trim().length() == 0
 					|| password2 == null || password2.trim().length() == 0)
@@ -119,5 +119,9 @@ else if (request.getRequestURL().toString().endsWith("changePassword")){
 		response.sendRedirect("admin.jsp");
 		return ;
 	}
-
+
+	private String sanitizeInput(String input) {
+		// Implement input validation/sanitization logic here
+		return input;
+	}
 }

src/com/ibm/security/appscan/altoromutual/servlet/LoginServlet.java

@@ -92,15 +92,16 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
 		//Handle the cookie using ServletUtil.establishSession(String)
 		try{
 			Cookie accountCookie = ServletUtil.establishSession(username,session);
+			accountCookie.setHttpOnly(true);
+			accountCookie.setSecure(true);
 			response.addCookie(accountCookie);
 			response.sendRedirect(request.getContextPath()+"/bank/main.jsp");
-			}
+		}
 		catch (Exception ex){
 			ex.printStackTrace();
 			response.sendError(500);
 		}
 
-
 		return;
 	}