Kingdom: Security Features
Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Spring Security Misconfiguration: Overly Permissive Firewall Policy
Abstract
Spring Security HTTP firewall is configured with a lax policy.
Explanation
Spring Security includes an HTTP firewall that helps protect the application by sanitizing requests that contain potentially malicious characters. Spring achieves this by including the HttpFirewall in its FilterChainProxy, which processes the requests before they are sent through the filter chain. Spring Security uses the StrictHttpFirewall implementation by default.
Example 1: The following code relaxes the firewall policy to allow %2F and ; characters:
<beans:bean id="httpFirewall" class="org.springframework.security.web.firewall.StrictHttpFirewall" p:allowSemicolon="true" p:allowUrlEncodedSlash="true"/>
Allowing potentially malicious characters can lead to vulnerabilities if these characters are incorrectly or inconsistently processed. For example, allowing semicolons enables path parameters (as defined in RFC 2396), which are not consistently processed by frontend web servers such as nginx and application servers such as Apache Tomcat. These inconsistencies may be used for path traversal attacks or access control bypasses.
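The following is an added example, not part of the Fortify description or Spring's own code: it expresses the relaxed policy from Example 1 as Java configuration next to the default (strict) policy and runs both against constructed request URIs using Spring's StrictHttpFirewall, so that a unit test can confirm that the default rejects a ";" path parameter and an encoded slash while the relaxed policy admits them. It assumes spring-security-web and spring-test (for MockHttpServletRequest) on the classpath.

```java
// Added example (not from the original page): exercising StrictHttpFirewall policies
// directly, the way a test in the application's own suite might.
// Assumes spring-security-web and spring-test (MockHttpServletRequest) on the classpath.
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

public class FirewallPolicyCheck {

    /** The relaxed policy from Example 1, expressed as Java configuration. */
    static StrictHttpFirewall relaxedFirewall() {
        StrictHttpFirewall fw = new StrictHttpFirewall();
        fw.setAllowSemicolon(true);       // lets RFC 2396 path parameters (";") through
        fw.setAllowUrlEncodedSlash(true); // lets "%2F" through
        return fw;
    }

    /** The hardened policy: StrictHttpFirewall with its defaults left in place. */
    static StrictHttpFirewall strictFirewall() {
        return new StrictHttpFirewall();
    }

    /** True if the firewall lets a GET for the given request URI into the filter chain. */
    static boolean accepts(StrictHttpFirewall fw, String requestUri) {
        MockHttpServletRequest req = new MockHttpServletRequest("GET", requestUri);
        try {
            fw.getFirewalledRequest(req); // throws when the URI hits the blocklist
            return true;
        } catch (RequestRejectedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample URIs: a path parameter, an encoded slash, and a plain path.
        String[] samples = { "/admin;x=y", "/files/a%2Fb", "/admin" };
        for (String uri : samples) {
            System.out.printf("%-14s strict=%-5b relaxed=%b%n",
                    uri, accepts(strictFirewall(), uri), accepts(relaxedFirewall(), uri));
        }
    }
}
```

Keeping the firewall at its defaults means the first two URIs never reach the filter chain, so any disagreement between nginx and Tomcat about how to interpret them no longer matters to the application.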