Java/Spring Security
Java and Spring Framework applications share a set of recurring vulnerability patterns. This guide covers SQL injection, Java deserialization, server-side template injection (SSTI), and Spring-specific security issues.
SQL Injection in Java
```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.Statement;
import org.hibernate.Session;
import org.hibernate.query.Query;

// VULNERABLE - String concatenation: userId becomes part of the SQL grammar
String query = "SELECT * FROM users WHERE id = " + userId;
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(query);

// SECURE - Prepared statement: userId is bound as data and never parsed as SQL
String query = "SELECT * FROM users WHERE id = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setInt(1, userId);
ResultSet rs = pstmt.executeQuery();

// VULNERABLE - JPA/Hibernate HQL built by concatenation (HQL injection)
String hql = "FROM User WHERE username = '" + username + "'";
Query query = session.createQuery(hql);

// SECURE - JPA named parameter
String hql = "FROM User WHERE username = :username";
Query query = session.createQuery(hql);
query.setParameter("username", username);
```
Spring Data JPA derived query methods such as findByName(String name), and @Query strings that use :name or ?1 placeholders, bind their arguments as parameters and are safe. Annotation values must be compile-time constants, so runtime concatenation cannot appear inside @Query at all; it reappears wherever JPQL is assembled by hand, typically in a custom repository implementation:

```java
// SECURE - Spring Data @Query with a named parameter
@Query("SELECT u FROM User u WHERE u.name = :name")
List<User> findByName(@Param("name") String name);

// VULNERABLE - custom repository implementation splicing input into JPQL
List<User> found = entityManager
    .createQuery("SELECT u FROM User u WHERE u.name = '" + name + "'", User.class)
    .getResultList();
```

Java Deserialization
```java
import java.io.InputStream;
import java.io.ObjectInputStream;
import org.apache.commons.io.serialization.ValidatingObjectInputStream;

// VULNERABLE - Deserializing untrusted data
ObjectInputStream ois = new ObjectInputStream(inputStream);
Object obj = ois.readObject(); // RCE if a gadget chain exists on the classpath

// Check for vulnerable libraries:
// - Apache Commons Collections < 3.2.2
// - Spring Framework < 4.2.2
// - Many others (check ysoserial)

// SECURE - Allowlist the classes that may be deserialized
// (ValidatingObjectInputStream is from Apache Commons IO; a blocklist is not
// enough, since new gadget chains keep appearing)
ValidatingObjectInputStream vois = new ValidatingObjectInputStream(inputStream);
vois.accept(SafeClass.class); // Only allow specific classes; anything else is rejected
// Every class in the object graph (boxed types, collections, arrays) must be accepted too
SafeClass safe = (SafeClass) vois.readObject();
```
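The same allowlist approach shown end to end, as an added example that is not code from the page, using only the JDK's own ObjectInputFilter (JEP 290, Java 9 and later) rather than Commons IO. The Ping and Unexpected classes are constructed stand-ins for "the one type this endpoint expects" and "anything else that arrives in the stream"; the filter string and limits are the example's own choices.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

// Added demonstration, not from the page: JDK-only deserialization allowlist.
// Ping and Unexpected are constructed for the demo.
public class DeserializationFilterDemo {

    // The one type this endpoint expects to receive.
    static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        Ping(String message) { this.message = message; }
    }

    // Stands in for anything else an attacker might send, e.g. the entry class of a
    // gadget chain. It is harmless here; the point is that it is rejected before any
    // of its code could run.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final ArrayList<String> payload = new ArrayList<>();
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Patterns are matched in order; "!*" at the end rejects every class not listed.
    // maxdepth/maxrefs/maxbytes cap graph depth, object count and stream size to blunt
    // resource-exhaustion payloads. java.lang.String is listed so string-valued fields
    // pass whether or not the JDK consults the filter for them.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;maxbytes=4096;"
            + Ping.class.getName() + ";java.lang.String;!*");

    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER); // must be set before readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Ping ok = (Ping) readFiltered(serialize(new Ping("hello")));
        System.out.println("accepted: " + ok.message);
        try {
            readFiltered(serialize(new Unexpected()));
            System.out.println("BUG: Unexpected was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The Ping stream round-trips; the Unexpected stream fails inside readObject() with an InvalidClassException as soon as its class descriptor is read, before any constructor, readObject() or gadget code runs. The same filter string can be applied process-wide through the jdk.serialFilter system property, which matters when the ObjectInputStream is created inside a library or framework you do not control.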
Or avoid Java serialization for untrusted input altogether and use a format whose parser cannot instantiate arbitrary classes:

- JSON (Jackson, Gson) instead of Java serialization (keep Jackson's default typing off; enabling polymorphic typing reintroduces class-name-driven instantiation)
- Protocol Buffers
- XML with a safe parser configuration (external entities disabled)

ysoserial

Use ysoserial to generate gadget chain payloads for Java deserialization exploitation. Many common libraries have known gadget chains, but a payload only fires if the library it targets is on the target's classpath, so enumerate the application's dependencies first. The converse also holds: the absence of a currently known chain is not a defense, so treat any readObject() on untrusted input as remote code execution waiting for a gadget.