Collaborate Disseminate
I have a spring MVC web application and am running ZAP Active scan on it.
I noticed that ZAP will modify URL , and add additional parameter named query and value query+AND+1%3D1+–+ to test SQL Injection. And in my case, it raise HIGH ME… Continue reading False positive SQL Injection by ZAP with adding new parameter query
I have a REST service A, which communicates with REST service B (both are internally hosted within the company network). REST service B is accessed via a service ID & plain password.
How do I store service B’s password s… Continue reading Rest service Password securing
Developers of the popular Spring framework for developing Java web applications patched three vulnerabilities this past week, including a critical one that could be exploited for remote code execution. The most serious flaw is located in the spring-me… Continue reading Serious Flaws Endanger Apps Built with Spring Framework
Security researchers have discovered three vulnerabilities in the Spring Development Framework, one of which is a critical remote code execution flaw that could allow remote attackers to execute arbitrary code against applications built with it.
Sprin… Continue reading Remote Execution Flaw Threatens Apps Built Using Spring Framework — Patch Now
I want to introduce pagination in one of my server endpoints.
The endpoint will have an option to include in the parameter the last index of the previous page, and if included, the “page” returned will start from the first index bigger th… Continue reading Server pagination with key in response to fetch next page
We’re developing a Spring appication with Spring Security. After doing some pen testing, one of the test results was a vulnerability:
Cross-Site Request Forgery Token is not bound to user context.
We started to play aro… Continue reading CSRF token not bound to session in Spring application
While working on a Java project using Spring-boot, Spring-security and JWT token, I need to provide access via API key and secret. After searching on Google for a while about key/secret generation, here is what I found:
For… Continue reading Need advices on API key & secret generation?
I am going to start a new project where I will expose a SOAP Web Service to our external partners. The main objective is to ensure the security of exchanged messages from end-to-end. Our main security requirements:
Authenti… Continue reading What are the advantages of using WS-Security? [on hold]
I have a single page application (client side) that interacts with a set of backend rest APIs – micro services architecture, to achieve SSO, I used the Oauth2 protocol (Spring implementation).
Now, to avoid the risks associat… Continue reading Ouath2 SSO with SPA using proxy
In my Spring application, I was planning to remove passwords from the authentication process by sending a “magic sign-in link” to a user’s email address. However, in this question Rob Winch (lead of Spring Security) says the following: