Backend Spring Boot Security
01. SQL injection
Injection flaws, such as SQL injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
How we protect the applications
We follow the JSON API standard, so the risk of SQL injection through GET query strings is lowered.
JSON parsers reject a payload that does not adhere to the JSON standard (this does not help when the SQL is inside a valid JSON value), so the risk of SQL injection is lowered again.
We use ORM frameworks instead of JDBC prepared statements or native queries.
What we should do more
Follow strict rules on using native queries, or don't use native queries at all.
Update the ORM frameworks to new versions (if we can somehow avoid the library conflicts).
02. Broken Authentication and Session Management
This is mostly related to session ID / cookie hijacking.
How should we protect the applications
We should disable session management in Spring Boot (stateless, token-based requests):
http.sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
If session management needs to be enabled, enable it with the configurations below:
1. Fixation protection
http.sessionManagement()
    // issue a new session ID on login, carrying the old attributes over
    .sessionFixation().migrateSession()
2. Prevent using URL parameters for session tracking
http.sessionManagement()
    // never append ;jsessionid=... to URLs, so the session ID travels only in the cookie
    .enableSessionUrlRewriting(false)
What we should do more
- Timeout the access token quicker
- Protection against brute force login: Enforce account disabling after an established number of invalid login attempts
03. Cross-Site Scripting XSS
How should we protect the applications
- Sanitise the incoming data using a filter, both request params and POST/PUT/PATCH bodies
- Client frameworks should have built-in XSS protection
What we should do more
Use external libraries for extra protection (https://github.com/hdiv/hdiv)
04. XML External Entities
How should we protect the applications
- Secure XML parsing using the standard libraries:
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// limits entity expansion and other resource-exhausting constructs
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Spring Security (the SAML module) has already addressed these issues to a controllable level (https://github.com/spring-projects/spring-security-saml/commit/925c8925fa0d0645d7b177b6e65cfb920fc6782f)
05. Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data.
How we protect the applications
- Require authentication for secured URLs
- Secure the login credentials (either by using a third-party service or by hashing the details in the database)
What we should do more
- Apply role-based method execution
- Apply role-based checks at class level and at method level
- Be strict about classes and methods that lack a role-based annotation
- Run security vulnerability check tools against the source code (https://find-sec-bugs.github.io)
06. Security Misconfiguration
This could happen if security is configured without prior knowledge or without testing, or as a result of insecure default configurations, incomplete or ad hoc configurations, misconfigured HTTP headers, or verbose error messages that expose sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must also be patched and upgraded in a timely fashion.
How should we protect the applications
- Test the security configurations
What we should do more
- Study Spring Security
- Update the framework versions, operating systems and tools
- Review security configurations with team members
- Penetration testing
07. Sensitive Data Exposure
How should we protect the applications
- Test, test and test again
- Code review
Related article
https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot#2-check-your-dependencies-with-snyk