Flaw allowed attacker to view, modify, and delete data
A security researcher has detailed how a “critical” bug in the Spring Data project could be abused to expose and modify web application user data.
The issue lies within Spring’s Application-Level Profile Semantics (ALPS) feature. ALPS is defined as “a data format for defining simple descriptions of application-level semantics”, similar to an API definition.
ALPS is used in a number of applications including Spring Data, an umbrella project from the Spring programming framework that features several data access modules.
One of the key features of Spring Data is the ability to expose a discoverable REST API. The feature uses ALPS as a way to describe the semantics of the RESTful application.
Understanding these semantics can enable a threat actor to determine how to communicate with the exposed APIs, as well as identify common misconfigurations such as unauthenticated access, or methods being accidentally exposed, the researcher, known as Niemand, wrote in a blog post.
By identifying the API’s misconfigurations, an attacker could then abuse them.
Niemand wrote how he was able to exploit ALPS in Spring Data in order to view, edit, and delete data within a web application.
The security consultant was able to find, view, and leak all user information, as well as add new elements (such as admin users), and delete objects, as detailed in the blog post.
The ALPS definition itself is not malicious, Niemand explained. “However, it helps attackers to obtain information about the REST API and easily validate misconfiguration issues on them,” he told The Daily Swig.
“Endpoints that are not protected by the @pre and @post Spring security features will allow attackers to have full access to the REST API depending on the vulnerable endpoints.
“Some common cases are [the ability to] list all object instances for the entire repository, modification of existing entries, creation of new ones, and even deletion of the data being stored on the application.”
Niemand added: “In my case, the application was exposing two profiles to unauthenticated users – users and companies.
“I was able to access to a full detailed list of all the accounts and companies that were part of the application, as well as create, modify, or delete any information that belongs to both profiles.”
No REST for the wicked
To protect against the misconfigurations, Niemand pointed to Spring Security’s PreAuthorization model which provides a detailed model for protecting Spring Data repositories.
Spring Security annotations can also allow developers to create Spring Security SpEL expressions, that provide authentication, authorization, and protection, he said.
YOU MAY ALSO LIKE This NXP side-channel attack can clone Google Titan 2FA keys