Skip to main content

Spring Security Advisory

Many people consider this is not new. But there is a security advisory out for spring users.

http://www.springsource.com/securityadvisory

Quote:
For applications that bind request data to presentation-layer "form models", this is unlikely to be a problem since there is a one-to-one correspondence between a form backing object and a set of allowed request parameters. This issue is only relevant for applications that bind directly to a domain model which exposes properties that should not be updated by the client.

To understand it more clearly, look at an Example:
http://www.celerity.nl/blog/2008/04/security-implications-of-the-spring-databinder/

This is however an advanced usecase. If you are directly binding model to form objects you have a major design issue.

If you observe carefully, There is another case that we dont often remember. Most Web apps have CRUD jsps and the Update jsp will generally include the id of the model that is being edited. Most times, The only security is that edit url is protected. But still, if a malicious user logged in, he can manually edit the attributes to update the model, EVEN IF it DOESNOT belong to him. say a CreditCard / Address Object in db.

So What is the solution? When you have user secure model. keep the user info (acct # or user id) at the time of *login* in session. And use that for each call that you update The CreditCard or Address.

Bottom line is, if a sensitive data is being Cruded, not only does the user needs to be authed, each request needs to be re-validated for ownership in some way.

Popular posts from this blog

Javascript: Convert Strings to Binary (and representing in a nerdy way!)

I follow those GoogleDevelopers Videos . Sometime back, in one of the presentations on GoogleIO, there was this interesting string of dots at the bottom of each page of the presentation . They looked like random big and small dots. A similar bunch of dots were also on the T-shirt of a presenter was wearing in another presentation . While it seemed something in the pattern, I could not find what it was. Finally, another presenter cleared the matter that those dots are just binary representation of "GOOGLEIO" (So much for advertizing Google IO, Impressive!). So I wanna do it. Takes me back to days of those DSP classes at school. Nerdy me had to churn some old brain cells. I remember those first programming language classes in Pascal and C when you were asked to do fibonacci series and converting a binary string to ascii codes. That *experience* came handy here: Check it out! Text to Binarize: For those who came to copy the javascript code to convert string to binary,

MySql Copying Table Structures.

Some times you need to copy only table structures across databases. This article describes two ways of doing it. If the whole database schema need to be exported, mysqldump is very effective. A --nodata flag will dump all tables' schema. Like this. mysqldump --nodata -p -u username databaseName But if you want to copy a specific table, individually, you could use "create table like" feature. You could create it even from a different database. However it must be on the same mysqld instance. Like this. create table newtable like oldtable; --Or from a table in other database create table mytable like otherdatabase.tablename;

Add jquery in Chrome console

Many a time, a page you are debugging doesnot have jquery. This simple js will add(or prompt you to overwrite) jquery to any page from chrome console. javascript:if(!window.jQuery||confirm('Overwrite\x20current\x20version?\x20v'+jQuery.fn.jquery))(function(d,s){s=d.createElement('script');s.src='https://ajax.googleapis.com/ajax/libs/jquery/1.8/jquery.js';(d.head||d.documentElement).appendChild(s)})(document);