Kingdom: Security Features
Software security is not security software. The topics covered here include authentication, access control, confidentiality, cryptography, and privilege management.
Spring Security Misconfiguration: Overly Permissive Firewall Policy
Abstract
The Spring Security HTTP firewall is configured with a lax policy.
Explanation
Spring Security includes an HTTP firewall that protects the application by sanitizing requests that may contain malicious characters. Spring implements this functionality through the HttpFirewall contained in its FilterChainProxy, which passes the pre-processed request down the filter chain. By default, Spring Security uses the StrictHttpFirewall implementation.
Example 1: The following code relaxes the firewall policy to allow the %2F and ; characters:
<beans:bean id="httpFirewall" class="org.springframework.security.web.firewall.StrictHttpFirewall" p:allowSemicolon="true" p:allowUrlEncodedSlash="true"/>
If these characters are not handled consistently and correctly, allowing potentially malicious characters can lead to vulnerabilities. For example, allowing semicolons enables path parameters (as defined in RFC 2396), which are not handled consistently by front-end web servers such as nginx and application servers such as Apache Tomcat. These inconsistencies can be exploited in Path Traversal attacks or used to bypass Access Control.
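The XML bean from Example 1 written as Java configuration, with the remediated bean beside it and a small check that the default StrictHttpFirewall rejects a request URI containing a semicolon while the relaxed one lets it through. This is an added example, not code from this page or from Spring itself; it assumes Spring Security 6 (jakarta servlet API) and spring-test on the classpath, and the sample URI is constructed.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
public class FirewallConfig {

    // Java equivalent of the XML bean in Example 1: allows ';' and '%2F'.
    // This is the misconfiguration the finding describes.
    public static HttpFirewall laxFirewall() {
        StrictHttpFirewall fw = new StrictHttpFirewall();
        fw.setAllowSemicolon(true);
        fw.setAllowUrlEncodedSlash(true);
        return fw;
    }

    // Remediated bean: keep the StrictHttpFirewall defaults, which reject
    // ';', '%2F' and other characters that intermediaries normalize differently.
    @Bean
    public HttpFirewall httpFirewall() {
        return new StrictHttpFirewall();
    }

    // Returns true when the firewall rejects a GET request for the given URI.
    static boolean rejects(HttpFirewall fw, String uri) {
        HttpServletRequest req = new MockHttpServletRequest("GET", uri);
        try {
            fw.getFirewalledRequest(req);
            return false;
        } catch (RequestRejectedException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a path parameter (RFC 2396) inside the URI.
        String uri = "/admin;jsessionid=abc/users";
        System.out.println("strict rejects: " + rejects(new StrictHttpFirewall(), uri)); // true
        System.out.println("lax rejects:    " + rejects(laxFirewall(), uri));            // false
    }
}
```

The rejects() helper doubles as a regression check: run it against every firewall bean in the application to confirm that semicolons and encoded slashes are still refused after configuration changes.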