Skip to main content

Spring Security Advisory

Many people consider this is not new. But there is a security advisory out for spring users.

http://www.springsource.com/securityadvisory

Quote:
For applications that bind request data to presentation-layer "form models", this is unlikely to be a problem since there is a one-to-one correspondence between a form backing object and a set of allowed request parameters. This issue is only relevant for applications that bind directly to a domain model which exposes properties that should not be updated by the client.

To understand it more clearly, look at an Example:
http://www.celerity.nl/blog/2008/04/security-implications-of-the-spring-databinder/

This is however an advanced usecase. If you are directly binding model to form objects you have a major design issue.

If you observe carefully, There is another case that we dont often remember. Most Web apps have CRUD jsps and the Update jsp will generally include the id of the model that is being edited. Most times, The only security is that edit url is protected. But still, if a malicious user logged in, he can manually edit the attributes to update the model, EVEN IF it DOESNOT belong to him. say a CreditCard / Address Object in db.

So What is the solution? When you have user secure model. keep the user info (acct # or user id) at the time of *login* in session. And use that for each call that you update The CreditCard or Address.

Bottom line is, if a sensitive data is being Cruded, not only does the user needs to be authed, each request needs to be re-validated for ownership in some way.

Popular posts from this blog

Powered By

As it goes, We ought to give thanks to people who power us. This page will be updated, like the version page , to show all the tools, and people this site is Powered By! Ubuntu GIMP Firebug Blogger Google [AppEngine, Ajax and other Apis] AddtoAny Project Fondue jQuery

Decorator for Memcache Get/Set in python

I have suggested some time back that you could modularize and stitch together fragments of js and css to spit out in one HTTP connection. That makes the page load faster. I also indicated that there ways to tune them by adding cache-control headers. On the server-side however, you could have a memcache layer on the stitching operation. This saves a lot of Resources (CPU) on your server. I will demonstrate this using a python script I use currently on my site to generate the combined js and css fragments. So My stitching method is like this @memize(region="jscss") def joinAndPut(files, ext): res = files.split("/") o = StringIO.StringIO() for f in res: writeFileTo(o, ext + "/" + f + "." + ext) #writes file out ret = o.getvalue() o.close() return ret; The method joinAndPut is * decorated * by memize. What this means is, all calls to joinAndPut are now wrapped (at runtime) with the logic in memize. All you wa...

Faster webpages with fewer CSS and JS

Its easy, have lesser images, css and js files. I will cover reducing number of images in another post. But If you are like me, You always write js and css in a modular fashion. Grouping functions and classes into smaller files (and Following the DRY rule, Strictly!). But what happens is, when you start writing a page to have these css and js files, you are putting them in muliple link rel=style-sheet or script tags. Your server is being hit by (same) number of HTTP Requests for each page call. At this point, its not the size of files but the number server roundtrips on a page that slows your page down. Yslow shows how many server roundtrips happen for css and js. If you have more than one css call and one js call, You are not using your server well. How do you achieve this? By concatinating them and spitting out the content as one stream. So Lets say I have util.js, blog.js and so.js. If I have a blog template that depends on these three, I would call them in three script tags. Wh...