A comprehensive step by step tutorial and guide to fixing the OWASP top 10 vulnerabilities in Spring Boot, MVC, Data, and Security

In this tutorial, we will show you a step by step guide to fixing each of the OWASP Top 10 vulnerabilities in a Java web application built with Spring Boot, MVC, Data, and Security. We will start from web application development and deployment, run a penetration test against it, and then fix the issues found, based on the OWASP Top Ten vulnerabilities.

This tutorial is divided into several steps:

  • Step #1: Download Existing Spring Boot, MVC, Data and Security Web Application
  • Step #2: Deploy Web Application to VPS
  • Step #3: Scan using OWASP ZAP on Basis Web Application
  • Step #4: Fix the Vulnerabilities Issues
  • Step #5: Re-Testing The Web Application

The following tools, frameworks, libraries, and modules are required for this tutorial:

  1. Spring Boot, MVC, Data, Security, Thymeleaf, and H2 Database
  2. Web Server (Nginx and Tomcat7)
  3. OWASP ZAP application
  4. Terminal or CMD
  5. Text Editor or IDE

Let’s get started with the main steps!

Step #1: Download Existing Spring Boot, MVC, Data and Security Web Application

We will use the existing Spring Boot, MVC, Data, and Security web application that we created in our other tutorial. Clone it from this GitHub source.

git clone https://github.com/didinj/spring-boot-security-user-role-login-eclipse.git mynotes

Build this Spring Boot application by typing this command inside the application folder.

cd mynotes
./gradlew build

That Gradle build command will create a .war file in the build/libs/ folder.

Step #2: Deploy Web Application to VPS

We will use Tomcat 9 and Nginx as a reverse proxy for Tomcat 9. Make sure you have installed both of them. We are installing both the HTTP server and the servlet container on an Ubuntu VPS. We already have a tutorial for installing Nginx and Tomcat on an Ubuntu VPS; the Tomcat version there is different, but the configuration remains the same.

Next, transfer the war file to your Ubuntu VPS.

scp NetBeansProjects/mynotes/build/libs/mynotes-0.0.1-SNAPSHOT.war ubuntu@192.168.0.100:~/

Connect to the VPS using SSH.

ssh ubuntu@192.168.0.100

Enter the password of the server user. Copy the transferred war file to the Tomcat webapps folder.

sudo cp mynotes-0.0.1-SNAPSHOT.war /opt/tomcat/webapps/

Open the Tomcat 9 server.xml with a text editor.

sudo nano /opt/tomcat/conf/server.xml

Then replace the following tags.

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>

with these tags, which make the newly deployed web application the root context of the host. The attribute is spelled unpackWARs (Tomcat attribute names are case sensitive, and a misspelled one is silently ignored), and the old <Logger> element is not supported in Tomcat 9, so it is left out; the access log valve keeps the same suffix and pattern as the default block above.

      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <!-- Serve the deployed WAR at the root path ("") of this host -->
        <Context path="" docBase="/opt/tomcat/webapps/mynotes-0.0.1-SNAPSHOT" reloadable="true" />
        <!-- Access log for this host, same format as the default AccessLogValve -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="virtual_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>

Next, open the Nginx configuration file using a text editor.

sudo nano /etc/nginx/sites-enabled/default

Then change the server root document to this line.

server {
   ...
   root /opt/tomcat/webapps/mynotes-0.0.1-SNAPSHOT;
}

Restart Tomcat and Nginx server.

sudo systemctl restart tomcat
sudo service nginx restart

Now, the web application should be accessible from other computers at http://ip_address. For example, we are using IP address 192.168.0.100, so in the browser go to http://192.168.0.100, and here's what the web application looks like.

Fixing OWASP Top 10 In Spring Boot, MVC, Data, and Security - Web App Example

Step #3: Scan using OWASP ZAP on Basis Web Application

We will scan this basic Spring Boot, MVC, Data, Security web application to find its vulnerabilities. For that, download the OWASP ZAP application (it does not work on macOS Catalina) and install it on your computer. Start OWASP ZAP, and you will see the application like this.

Fixing OWASP Top 10 In Spring Boot, MVC, Data, and Security - Owasp Zap

Before running an attack on the website, set OWASP ZAP to its maximum attack strength by opening the Analyse menu -> Scan Policy Manager.

Fixing OWASP Top 10 In Spring Boot, MVC, Data, and Security - scan policy

Click Modify, set the policy as in this screenshot, then click the OK button.

Fixing OWASP Top 10 In Spring Boot, MVC, Data, and Security - scan policy settings

Choose the Automated Scan button on the main panel. Then fill the "URL to attack" field with "http://192.168.0.1" and leave the other options at their defaults.

Fixing OWASP Top 10 In Spring Boot, MVC, Data, and Security  - quick attack

Click the Attack button to start scanning. After scanning is complete, it will show alerts in the bottom panel.

Fixing OWASP Top 10 In Spring Boot, MVC, Data, and Security - add site

You can click the Attack button again to make sure you get more vulnerability results. To see the full details of the scan results, open the Report menu, then generate an HTML report. Save the HTML file to your desired location and open it in a browser.
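A small triage script for the scan results, added here as an example and not part of the original tutorial: if you export the report as JSON instead of HTML, this reads that layout (site[].alerts[] with a riskcode of 0 to 3; an assumption about ZAP's traditional JSON report format), counts alerts per risk level, and refuses a deployment when anything above Low is present. The report embedded below is constructed for the example and is not a real scan of the mynotes application.

```python
"""Triage a ZAP JSON report: count alerts per risk level and decide whether
the scan result should block a deployment. The layout assumed here is
ZAP's traditional JSON report: site[].alerts[] with riskcode 0..3."""
import json
from collections import Counter

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample (not a real scan): two alerts shaped like ZAP's JSON output.
SAMPLE_REPORT = json.dumps({
    "@programName": "OWASP ZAP",
    "site": [{
        "@name": "http://target.example",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "1", "confidence": "2", "cweid": "693",
             "instances": [{"uri": "http://target.example/", "method": "GET"},
                           {"uri": "http://target.example/login", "method": "GET"}]},
            {"pluginid": "10202", "alert": "Absence of Anti-CSRF Tokens",
             "riskcode": "2", "confidence": "2", "cweid": "352",
             "instances": [{"uri": "http://target.example/login", "method": "GET"}]},
        ],
    }],
})


def parse_alerts(report_json):
    """Flatten every alert of every site into dicts with site, name, risk, cwe, count."""
    report = json.loads(report_json)
    rows = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            rows.append({
                "site": site.get("@name", ""),
                "name": alert.get("alert") or alert.get("name", ""),
                "risk": int(alert.get("riskcode", 0)),   # 0 info, 1 low, 2 medium, 3 high
                "cwe": alert.get("cweid", ""),
                "count": len(alert.get("instances", [])),
            })
    return rows


def risk_summary(report_json):
    """Number of distinct alerts per risk level, e.g. {'Low': 1, 'Medium': 1}."""
    return dict(Counter(RISK_NAMES[r["risk"]] for r in parse_alerts(report_json)))


def gate(report_json, max_allowed_risk=1):
    """Return (ok, blockers): ok is False when any alert exceeds the allowed risk level."""
    blockers = [r for r in parse_alerts(report_json) if r["risk"] > max_allowed_risk]
    blockers.sort(key=lambda r: (-r["risk"], r["name"]))   # worst first
    return (not blockers, blockers)


if __name__ == "__main__":
    ok, blockers = gate(SAMPLE_REPORT)
    print(risk_summary(SAMPLE_REPORT))
    for b in blockers:
        print(f"BLOCK {RISK_NAMES[b['risk']]}: {b['name']} (CWE-{b['cwe']}, {b['count']} instance(s))")
    raise SystemExit(0 if ok else 1)
```

Run it against a real export with `gate(open("report.json").read())`; the exit status makes it usable as a pipeline step before the war is copied into Tomcat.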
