Misconfigurations in Spring Data Projects Could Leave Web Applications Open to Abuse

Jessica Haworth, January 13, 2021 12:20 UTC

Updated: July 2, 2021 1:23 PM UTC

The flaw allowed the attacker to view, modify and delete data

A security researcher has detailed how a “critical” bug in the Spring Data Project could be used to expose and modify web application user data.

The problem lies with Spring’s Application Level Profile Semantics (ALPS) feature. ALPS is defined as “a data format for defining simple descriptions of application-level semantics”, similar to an API definition.

ALPS is used in a number of applications, including Spring Data, an umbrella project of the Spring programming framework that includes several data access modules.

One of the key features of Spring Data is the ability to expose a discoverable REST API. The feature uses ALPS to describe RESTful application semantics.


“Understanding these semantics can allow a malicious actor to determine how to communicate with exposed APIs, as well as identify common misconfigurations such as unauthenticated access or accidentally exposed methods,” Niemand wrote in a blog post.

Having identified such API configuration errors, an attacker could then abuse them.

Niemand described how he was able to use ALPS in Spring Data to view, modify, and delete data in a web application.

Unauthenticated exploit

The security consultant was able to find, view, and disclose all user information, as well as add new items (such as admin users) and delete objects, as noted in the blog post.

The ALPS definition itself is not malicious, Niemand explained. “However, it helps attackers gain REST API insights and easily validate misconfiguration issues on them,” he told The Daily Swig.

“Endpoints that are not protected by security and Spring features will allow attackers to have full REST API access depending on the vulnerable endpoints.


“Some common cases are [the ability to] list all object instances for the entire repository, modifying existing entries, creating new ones, and even deleting data stored on the application.”

Niemand added, “In my case, the app was exposing two profiles to unauthenticated users: users and companies.

“I was able to access a complete and detailed list of all accounts and companies that were part of the application, as well as create, modify or delete any information belonging to both profiles.”

No rest for the wicked

To protect against such misconfigurations, Niemand pointed to Spring Security’s `@PreAuthorize` pattern, which is documented as a way of protecting Spring Data repositories method by method.

Spring Security annotations also let developers attach Spring Security SpEL expressions to repository methods, enforcing authentication and authorization checks on the endpoints they expose, he said.
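The following is an added illustration, not code from the article or from Niemand’s post: a Spring Data REST repository exported with no access rules, as in the misconfiguration described above, beside the same repository protected with `@PreAuthorize` and SpEL expressions. It assumes a Spring Boot application with spring-boot-starter-data-rest and spring-boot-starter-security on the classpath; the `User` entity, its `username` field and the `ADMIN` role are hypothetical.

```java
// Added example (not from the article or Niemand's post). Assumes a Spring Boot
// app with Spring Data REST and Spring Security; the User entity, its
// "username" field and the ADMIN role are hypothetical.
package example;

import org.springframework.context.annotation.Configuration;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.repository.query.Param;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

// BEFORE: exported as-is. Spring Data REST publishes /users and an ALPS
// descriptor at /profile/users that lists every operation the repository
// supports, so an unauthenticated client can discover and call findAll,
// save and delete. This is the shape of the misconfiguration in the article.
@RepositoryRestResource(path = "users")
interface ExposedUserRepository extends CrudRepository<User, Long> {}

// AFTER: each exported operation carries an authorization rule.
// Class level: any call requires an authenticated caller.
// Method level: listing and deleting require the ADMIN role; saving requires
// that the caller owns the record or is an admin. The SpEL expression reads
// the method argument via #user, which @Param makes available by name.
@PreAuthorize("isAuthenticated()")
@RepositoryRestResource(path = "users")
interface SecuredUserRepository extends CrudRepository<User, Long> {

  @Override
  @PreAuthorize("hasRole('ADMIN')")
  Iterable<User> findAll();

  @Override
  @PreAuthorize("hasRole('ADMIN') or #user.username == authentication.name")
  <S extends User> S save(@Param("user") S user);

  @Override
  @PreAuthorize("hasRole('ADMIN')")
  void deleteById(Long id);
}

// @PreAuthorize is only enforced when method security is switched on.
// (On Spring Security releases before 5.6 the equivalent is
// @EnableGlobalMethodSecurity(prePostEnabled = true).)
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {}
```

With method security enabled, requests that fail a rule are rejected by Spring Security rather than reaching the repository; the ALPS descriptor at `/profile/users` still advertises the operations, so it is the authorization rules, not the descriptor, that close the hole.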

