A comprehensive step-by-step tutorial and guide to fixing the OWASP Top 10 vulnerabilities in Spring Boot, MVC, Data, and Security
In this tutorial, we will show you step by step how to find and fix each of the OWASP Top 10 vulnerabilities in a Java web application built with Spring Boot, MVC, Data, and Security. We will start by building and deploying the web application, then run a penetration scan against it, and finally fix the issues the scan reports, following the OWASP Top 10.
The following tools, frameworks, libraries, and modules are required for this tutorial:
Let’s get started with the main steps!
We will use the existing Spring Boot, MVC, Data, and Security web application that we created in a previous tutorial. Clone it from GitHub:
git clone https://github.com/didinj/spring-boot-security-user-role-login-eclipse.git mynotes
Build the Spring Boot application by typing these commands inside the application folder.
cd mynotes
./gradlew build
The Gradle build command creates a .war file in the build/libs/ folder.
We will use Tomcat 9 with Nginx as a reverse proxy in front of it. Make sure you have installed both. We are installing both the HTTP server and the servlet container on an Ubuntu VPS; we already have a tutorial for installing Nginx and Tomcat on an Ubuntu VPS. The Tomcat version there is different, but the configuration remains the same.
Next, transfer the .war file to your Ubuntu VPS.
scp NetBeansProjects/mynotes/build/libs/mynotes-0.0.1-SNAPSHOT.war ubuntu@192.168.0.100:~/
Connect to the VPS using SSH.
ssh ubuntu@192.168.0.100
Enter the password of the server user. Then copy the transferred .war file to the Tomcat webapps folder.
sudo cp mynotes-0.0.1-SNAPSHOT.war /opt/tomcat/webapps/
Open the Tomcat 9 server.xml in a text editor.
sudo nano /opt/tomcat/conf/server.xml
Then replace the following tags (the pattern attribute in the stock server.xml escapes the quotes around %r as &quot;, which is required for the XML to stay valid):
<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true">
  <!-- SingleSignOn valve, share authentication between web applications
       Documentation at: /docs/config/valve.html -->
  <!--
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
  -->
  <!-- Access log processes all example.
       Documentation at: /docs/config/valve.html
       Note: The pattern used is equivalent to using pattern="common" -->
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         prefix="localhost_access_log" suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
with these tags, which deploy the new web application as the root context (path "") of the host:
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
  <Context path="" docBase="/opt/tomcat/webapps/mynotes-0.0.1-SNAPSHOT" reloadable="true" />
  <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
         prefix="virtual_log." suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
Note that the attribute is spelled unpackWARs. The old Tomcat 4 Logger element and the debug attribute on Context are no longer understood by Tomcat 9 and are left out; the AccessLogValve provides the request log. Two caveats for a real server: Tomcat documents that a Context whose docBase lies inside the Host's appBase can be deployed twice while autoDeploy is on, so the simpler alternative is to copy the .war into webapps/ as ROOT.war and leave server.xml alone; and reloadable="true" makes Tomcat watch WEB-INF/classes and WEB-INF/lib for changes, which is a development convenience that should be set to false in production.
Next, open the Nginx site configuration in a text editor.
sudo nano /etc/nginx/sites-enabled/default
Then make the default server block forward requests to Tomcat. Do not point the root directive at the exploded .war directory: root only tells Nginx where to serve static files from, so it would not proxy anything to Tomcat, and it would let Nginx hand out the application's WEB-INF/ directory (compiled classes, application.properties) as plain files. A reverse proxy uses proxy_pass in the location block instead (Tomcat listens on port 8080 by default; adjust it if your installation differs):
server {
...
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Check the syntax with sudo nginx -t before restarting.
Restart Tomcat and Nginx server.
sudo systemctl restart tomcat
sudo service nginx restart
Now the web application should be accessible from other computers at http://ip_address. For example, we are using IP address 192.168.0.100, so in the browser go to http://192.168.0.100; here is what the web application looks like.
We will scan this basic Spring Boot, MVC, Data, and Security web application to find vulnerabilities. For that, download the OWASP ZAP application (at the time of writing it did not run on macOS Catalina) and install it on your computer. Start OWASP ZAP; it looks like this.
Before running an attack on the website, set OWASP ZAP to its most aggressive scan policy by opening the Analyse menu -> Scan Policy Manager.
Click Modify, set the policy as in this screenshot, then click the OK button.
Choose the Automated Scan button on the main panel. Then fill the "URL to attack" field with "http://192.168.0.100" (the address of the VPS from the previous step) and leave the other options at their defaults. The active scan sends real attack payloads, so only point it at a server you own or are authorised to test, such as this VPS.
Click the Attack button to start scanning. When the scan completes, the alerts appear in the bottom panel.
You can click the Attack button again to check whether a second pass finds more vulnerabilities. To see the full scan results, open the Report menu and generate an HTML report. Save the HTML file where you like and open it in a browser.
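Reading the HTML report by hand works once, but for repeated scans it helps to generate ZAP's XML report (Report menu -> Generate XML Report) and triage it with a script. The following is an added example written for this tutorial, not code from ZAP or from the mynotes project. It counts alerts per risk level and picks out the findings that should block a deployment: risk above Low with at least Medium confidence, so ZAP's Low-confidence and False-Positive guesses go to manual review instead of failing the build. The embedded report is constructed for the example: its element layout mirrors ZAP's XML report and the plugin IDs and names are ZAP's own rule names, but the target host and the affected URLs are made up.

```python
"""Triage an OWASP ZAP XML report: count alerts per risk level and list the
findings that should block a release.

Added example for this tutorial; not part of ZAP or the mynotes project.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# ZAP encodes risk and confidence as small integers in the XML report.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
CONFIDENCE_NAMES = {0: "False Positive", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample report (assumption: layout mirrors Report -> Generate XML
# Report). Plugin IDs/names are ZAP rule names; host and URLs are made up.
SAMPLE_REPORT = """<OWASPZAPReport>
  <site name="http://192.168.0.100" host="192.168.0.100" port="80" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <cweid>79</cweid>
        <instances>
          <instance>
            <uri>http://192.168.0.100/notes?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E</uri>
            <method>GET</method>
            <param>q</param>
          </instance>
        </instances>
      </alertitem>
      <alertitem>
        <pluginid>10038</pluginid>
        <alert>Content Security Policy (CSP) Header Not Set</alert>
        <riskcode>2</riskcode>
        <confidence>3</confidence>
        <cweid>693</cweid>
        <instances>
          <instance><uri>http://192.168.0.100/</uri><method>GET</method><param></param></instance>
          <instance><uri>http://192.168.0.100/login</uri><method>GET</method><param></param></instance>
        </instances>
      </alertitem>
      <alertitem>
        <pluginid>90022</pluginid>
        <alert>Application Error Disclosure</alert>
        <riskcode>2</riskcode>
        <confidence>1</confidence>
        <cweid>200</cweid>
        <instances>
          <instance><uri>http://192.168.0.100/error</uri><method>GET</method><param></param></instance>
        </instances>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <confidence>2</confidence>
        <cweid>693</cweid>
        <instances>
          <instance><uri>http://192.168.0.100/css/main.css</uri><method>GET</method><param></param></instance>
        </instances>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def parse_alerts(xml_text):
    """Flatten every <alertitem> into a dict: one entry per rule per site."""
    root = ET.fromstring(xml_text)
    alerts = []
    for site in root.findall("site"):
        for item in site.findall("./alerts/alertitem"):
            alerts.append({
                "site": site.get("name"),
                "pluginid": item.findtext("pluginid", "").strip(),
                "name": item.findtext("alert", "").strip(),
                "risk": int(item.findtext("riskcode", "0")),
                "confidence": int(item.findtext("confidence", "0")),
                "cweid": item.findtext("cweid", "").strip(),
                # (method, uri, param) for each affected request
                "instances": [
                    (i.findtext("method", ""), i.findtext("uri", ""), i.findtext("param", ""))
                    for i in item.findall("./instances/instance")
                ],
            })
    return alerts


def summarize(alerts):
    """Number of alerts at each risk level, always listing all four levels."""
    counts = Counter(a["risk"] for a in alerts)
    return {RISK_NAMES[code]: counts.get(code, 0) for code in sorted(RISK_NAMES)}


def blocking_alerts(alerts, max_allowed_risk=1, min_confidence=2):
    """Findings that should stop a release: risk above max_allowed_risk and
    confidence at least min_confidence, highest risk first."""
    return sorted(
        (a for a in alerts
         if a["risk"] > max_allowed_risk and a["confidence"] >= min_confidence),
        key=lambda a: (-a["risk"], -a["confidence"], a["pluginid"]),
    )


def report(xml_text):
    """Return the triage as text so it can be logged or checked, not just printed."""
    alerts = parse_alerts(xml_text)
    lines = [f"{level}: {n}" for level, n in summarize(alerts).items()]
    for a in blocking_alerts(alerts):
        lines.append(f"BLOCK {a['pluginid']} {a['name']} (CWE-{a['cweid']}, "
                     f"{RISK_NAMES[a['risk']]}/{CONFIDENCE_NAMES[a['confidence']]}) "
                     f"at {len(a['instances'])} URL(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_REPORT))
```

To use it on a real scan, read the saved XML file into a string and pass it to report(). The thresholds are parameters so a team can tighten them (for example max_allowed_risk=0) as the OWASP Top 10 fixes in the rest of this tutorial land.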
#spring-boot #java #security #web-development #developer