Broken Authentication in Java

Spring

Vulnerable example

The following Spring controller does not explicitly enforce any authentication:

import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping(path = "/admin")
public class AdminApi {
    // No @PreAuthorize/@Secured annotation and no check of the caller: whether this
    // endpoint requires authentication depends entirely on the global security configuration.
    @PostMapping(path = "action")
    public ResponseEntity<Void> doAction() {
        // ... privileged operation
        return ResponseEntity.ok().build();
    }
}

In these cases, authentication is enforced by other mechanisms, typically the global Spring Security configuration. In the following example, some endpoints are explicitly marked as public and one is explicitly protected:

import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/", "/index.html", "/css/**", "/js/**").permitAll()
                .antMatchers(HttpMethod.GET, "/admin/other-action").authenticated();
                // no rule for any other request: everything not listed here is left unprotected

        // ...
    }
}

Because no rule covers "any other request", every unlisted endpoint is public as well, including the /admin/action endpoint defined by the controller above.

Prevention

It is fundamental to implement an exhaustive, deny-by-default authentication policy: the endpoints that are meant to be public are listed explicitly, and every other request is required to be authenticated. This keeps the application resilient to change, since a newly added endpoint is protected even if nobody remembers to list it:

http
    .authorizeRequests()
        .antMatchers(HttpMethod.GET, "/", "/index.html", "/css/**", "/js/**").permitAll()
        .anyRequest().authenticated();

Apply the recommended authentication and authorization controls depending on the web framework of choice.
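As an added check, not part of the original page, the following Spring Boot MockMvc test verifies that the deny-by-default configuration above really protects unlisted endpoints. It assumes a Spring Boot application with spring-security-test on the test classpath and a security configuration that enables httpBasic(), so an unauthenticated request to a protected endpoint receives 401; the /admin/new-action path is a hypothetical endpoint that does not exist yet.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class DenyByDefaultAuthenticationTest {

    @Autowired
    private MockMvc mockMvc;

    // The endpoint from the vulnerable controller: it is not listed in the security
    // configuration, so only the anyRequest().authenticated() rule protects it.
    // With the allow-by-default configuration this test fails with a 200 response.
    @Test
    void unlistedAdminEndpointRejectsAnonymousCaller() throws Exception {
        mockMvc.perform(post("/admin/action").with(csrf()))
               .andExpect(status().isUnauthorized());
    }

    // Hypothetical endpoint that has not been written yet (assumption for this test).
    // Deny-by-default rejects the request in the security filter chain before any
    // controller is consulted, so the answer is 401 rather than 404.
    @Test
    void notYetExistingAdminEndpointIsAlsoProtected() throws Exception {
        mockMvc.perform(post("/admin/new-action").with(csrf()))
               .andExpect(status().isUnauthorized());
    }

    // Sanity check that the rule does not break legitimate, authenticated access.
    @Test
    @WithMockUser
    void authenticatedCallerCanReachAdminAction() throws Exception {
        mockMvc.perform(post("/admin/action").with(csrf()))
               .andExpect(status().isOk());
    }
}
```

The csrf() post-processor is needed because Spring Security's CSRF filter runs before authorization and would otherwise turn every POST into a 403, masking the authentication result being tested.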

References

CWE - CWE-287: Improper Authentication

OWASP - A07:2021 - Identification and Authentication Failures

OWASP - Authentication Cheat Sheet