Broken Authorization in Java
Vulnerable Examples
As an example, the application passes unverified request data straight into a downstream method call that retrieves account information, introducing a horizontal authorization bypass. The query itself is parameterized, so this is not SQL injection; the missing piece is any check that the requested account belongs to the caller:

http://vulnerableapp.com/user/account?accountId=7865000321

PreparedStatement statement = connection.prepareStatement("SELECT * FROM accounts WHERE id = ?");
statement.setString(1, request.getParameter("accountId")); // nothing ties accountId to the logged-in user

An attacker can modify the accountId parameter in the HTTP request to retrieve the information from any other user's account, because the server never compares the identifier with the authenticated principal.
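The following is an added example, not code from the original page: it puts the vulnerable lookup next to a hardened one in plain JDBC and a servlet. The accounts table and its columns, the Account record, the javax.servlet API, the AccountServlet class and the DataSource stored under the servlet-context attribute "dataSource" are all assumptions made for the illustration.

```java
import java.io.IOException;
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical value object for one row of the (assumed) accounts table.
record Account(String id, String owner, long balanceCents) {}

class AccountRepository {
    private final Connection connection;

    AccountRepository(Connection connection) {
        this.connection = connection;
    }

    // Vulnerable shape: parameterized (no SQL injection), but nothing ties the id to the
    // caller, so any authenticated user can read any account by supplying its id.
    Optional<Account> findById(String accountId) throws SQLException {
        String sql = "SELECT id, owner, balance_cents FROM accounts WHERE id = ?";
        try (PreparedStatement ps = connection.prepareStatement(sql)) {
            ps.setString(1, accountId);
            return mapSingle(ps);
        }
    }

    // Hardened shape: the owner is part of the predicate and comes from the authenticated
    // principal, never from the request. A foreign id simply yields an empty result.
    Optional<Account> findByIdForOwner(String accountId, String owner) throws SQLException {
        String sql = "SELECT id, owner, balance_cents FROM accounts WHERE id = ? AND owner = ?";
        try (PreparedStatement ps = connection.prepareStatement(sql)) {
            ps.setString(1, accountId);
            ps.setString(2, owner);
            return mapSingle(ps);
        }
    }

    private static Optional<Account> mapSingle(PreparedStatement ps) throws SQLException {
        try (ResultSet rs = ps.executeQuery()) {
            if (!rs.next()) {
                return Optional.empty();
            }
            return Optional.of(new Account(rs.getString("id"), rs.getString("owner"), rs.getLong("balance_cents")));
        }
    }
}

// Hypothetical servlet behind /user/account.
public class AccountServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String accountId = request.getParameter("accountId");
        if (accountId == null || !accountId.matches("\\d{1,20}")) { // assumed id format: up to 20 digits
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try (Connection connection = connectionFor(request)) {
            AccountRepository repo = new AccountRepository(connection);
            Optional<Account> account = repo.findByIdForOwner(accountId, principal.getName());
            if (account.isEmpty()) {
                // Same status for "does not exist" and "not yours", so the id space cannot be probed.
                response.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            response.setContentType("application/json");
            response.getWriter().printf("{\"id\":\"%s\",\"balanceCents\":%d}%n",
                    account.get().id(), account.get().balanceCents());
        } catch (SQLException e) {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }

    // Assumption: the application registered a javax.sql.DataSource in the servlet context.
    private Connection connectionFor(HttpServletRequest request) throws SQLException {
        javax.sql.DataSource ds = (javax.sql.DataSource) getServletContext().getAttribute("dataSource");
        return ds.getConnection();
    }
}
```

The design point is that the owner value is taken from the container-authenticated principal and folded into the query, so the ownership check cannot be forgotten by a caller of the repository; returning 404 for both a missing and a foreign account avoids turning the endpoint into an oracle for valid account ids.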
Prevention
Spring
Spring Security supports authorization at both the web (URL) level and the method level. At the web level it is possible to restrict which roles may reach a URL pattern, which is a straightforward way to enforce vertical authorization controls. Note that hasRole() prepends the ROLE_ prefix itself, so the role is written without it: passing "ROLE_ADMIN" makes Spring Security throw an IllegalArgumentException at startup. WebSecurityConfigurerAdapter, used below, is deprecated since Spring Security 5.7 and removed in 6.0 in favour of a SecurityFilterChain bean; the matcher semantics are the same.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // hasRole() adds the ROLE_ prefix itself; hasRole("ROLE_ADMIN") throws IllegalArgumentException
                .antMatchers("/admin/**").hasRole("ADMIN")
                // Every other URL still requires a logged-in user; without this line, unmatched URLs are open to anyone.
                .anyRequest().authenticated();
    }
    ...
}
Security expressions can also be used to secure business functionality at the method level by means of annotations. @PreAuthorize (evaluated before the method runs) and @PostAuthorize (evaluated after it, with the return value available as returnObject) support Spring Expression Language (SpEL) and provide expression-based access control. Method security must be switched on explicitly (@EnableGlobalMethodSecurity(prePostEnabled = true), or @EnableMethodSecurity from Spring Security 5.6 onwards); otherwise the annotations are silently ignored. @PostAuthorize is also the natural place for horizontal checks, because it can compare the loaded object's owner with the authenticated user, which a URL-level role check cannot do.

import java.util.List;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

@Service
public class AdminService {
    // SpEL hasRole() adds the ROLE_ prefix as well; 'ADMIN' matches the authority ROLE_ADMIN.
    @PreAuthorize("hasRole('ADMIN')")
    public List<Organization> findAllOrganizations() { ... }
    ...
}
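The following is an added example, not code from the original page, serving both the web-level and the method-level passages above. It restates the URL rules in the Spring Security 6 style (SecurityFilterChain bean, requestMatchers, deny by default), enables method security, and then shows the vertical role check next to two forms of horizontal ownership check, one on the returned object and one folded into the query. Account, AccountRepository, AccountService and the /user/** path are hypothetical; in a real project each type would live in its own file.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

// Hypothetical domain types for the illustration.
record Account(String id, String owner, long balanceCents) {}

interface AccountRepository {
    List<Account> findAll();
    Account findById(String id);                       // null when no such account exists
    Account findByIdAndOwner(String id, String owner); // null when missing or not owned by 'owner'
}

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // switches on @PreAuthorize/@PostAuthorize (Spring Security 5.6+)
class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // hasRole() prepends ROLE_ itself; hasRole("ROLE_ADMIN") throws IllegalArgumentException.
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/user/**").authenticated()
                // Deny by default: an endpoint nobody mapped is never reachable by accident.
                .anyRequest().denyAll())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

@Service
public class AccountService {

    private final AccountRepository repository;

    public AccountService(AccountRepository repository) {
        this.repository = repository;
    }

    // Vertical control: only ADMIN may list every account.
    @PreAuthorize("hasRole('ADMIN')")
    public List<Account> findAllAccounts() {
        return repository.findAll();
    }

    // Horizontal control on the loaded object: the row's owner is compared with the
    // authenticated user. A mismatch raises AccessDeniedException; null (no such row) passes through.
    @PostAuthorize("returnObject == null or returnObject.owner == authentication.name or hasRole('ADMIN')")
    public Account findAccount(String accountId) {
        return repository.findById(accountId);
    }

    // Horizontal control in the query: the owner is read from the security context, not the
    // request, so a foreign id and a nonexistent id both yield null and the caller learns nothing.
    @PreAuthorize("isAuthenticated()")
    public Account findOwnAccount(String accountId) {
        String caller = SecurityContextHolder.getContext().getAuthentication().getName();
        return repository.findByIdAndOwner(accountId, caller);
    }
}
```

The @PostAuthorize form is the general-purpose guard when the object has to be loaded before ownership is known, but note that it distinguishes "not yours" (AccessDeniedException, normally a 403) from "does not exist" (null, normally a 404), which lets an attacker enumerate valid ids; either map both outcomes to the same response at the controller or prefer the scoped query in findOwnAccount, which never loads a row the caller is not entitled to see.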
References
MITRE - CWE-285: Improper Authorization
OWASP Top 10:2021 - A01 Broken Access Control