
Access Control: MvcRequestMatcher is more secure than AntPathRequestMatcher for Spring MVC patterns

When using Spring MVC, it is recommended to use MvcRequestMatcher, as it protects all the paths that Spring's annotations will match on, instead of only the one literally provided.

  • warning
  • java
  • Spring
  • security
  • Spring MVC
  • Spring Security
  • access control
Authentication: Username Enumeration: avoid UsernameNotFoundException

Avoid throwing a UsernameNotFoundException as it could lead to username enumeration

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Authentication: Username Enumeration: setHideUserNotFoundExceptions should be set to true

Prevent enumeration by not throwing an exception that reveals the existence of the username

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Avoid hardcoded secrets when using password encoders

Using password encoders in combination with hardcoded secrets is security sensitive

  • error
  • java
  • Spring
  • security
  • framework specific
  • Spring Security
Avoid hardcoded secrets when using the Encryptors class

Using the Encryptors class in combination with hardcoded secrets is security sensitive

  • error
  • java
  • Spring
  • security
  • framework specific
  • Spring Security
Avoid mapping to multiple HTTP request methods

Map each handler to a single HTTP request method, as a best practice

  • info
  • java
  • Spring
  • framework specific
  • web
  • Spring Web
  • quality
Code quality: Do not add @Scope("singleton") on a Spring (rest)controller, service or repository

Adding @Scope("singleton") is redundant

  • info
  • java
  • web
  • framework specific
  • Spring Boot
  • Spring
  • quality
CSRF: Disabled CSRF protection (AbstractHttpConfigurer)

Disabling Spring Security's CSRF protection makes the application vulnerable

  • error
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • CSRF
  • OWASP Top 10
CSRF: Disabled CSRF protection (HttpSecurity)

Disabling Spring Security's CSRF protection makes the application vulnerable

  • error
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • CSRF
  • OWASP Top 10
Data Protection: Secure Data Storage: Avoid Data Exposure: Do not use NoOpPasswordEncoder

Could lead to data exposure

  • error
  • java
  • Spring
  • security
  • framework specific
  • Spring Security
Data Protection: Secure Data Storage: Avoid Data Exposure: Hash passwords using strong hashing algorithms

Could lead to data exposure

  • error
  • java
  • security
  • framework specific
  • Spring
  • Spring Security
Data Protection: Secure Data Storage: Avoid Data Exposure: Hash passwords using strong hashing algorithms

Could lead to data exposure

  • error
  • java
  • Spring
  • security
  • framework specific
  • Spring Security
Encryptors requires the use of a random 8-byte salt

The salt should be random, 8 bytes long, and passed as a hex-encoded String

  • error
  • java
  • Spring
  • security
  • framework specific
  • Spring Security
EnvironmentTestUtils is deprecated

EnvironmentTestUtils is deprecated

  • warning
  • java
  • Spring Boot
  • Spring
Field injection is not recommended

Field injection is not recommended, because the list of required dependencies is unclear during instance creation. This makes testing more difficult and could lead to runtime exceptions when the bean is instantiated without Spring.

  • info
  • java
  • kotlin
  • Spring
  • Spring Core
  • dependency injection
  • framework specific
  • quality
Field injection is not recommended (lombok)

Field injection is not recommended, because the list of required dependencies is unclear during instance creation. This makes testing more difficult and could lead to runtime exceptions when the bean is instantiated without Spring.

  • info
  • java
  • kotlin
  • Spring
  • Spring Core
  • dependency injection
  • framework specific
  • Lombok
  • quality
Injection: XXE: Jaxb2Marshaller#setProcessExternalEntities set to true

Prevent XXE by disabling the processing of external entities

  • error
  • java
  • Spring
  • security
  • XXE
  • framework specific
  • Spring XML
  • OWASP Top 10
Injection: XXE: Jaxb2Marshaller#setSupportDtd set to true

Prevent XXE by disabling DTDs

  • error
  • java
  • Spring
  • security
  • XXE
  • framework specific
  • Spring XML
  • OWASP Top 10
Injection: XXE: Jaxb2RootElementHttpMessageConverter#setProcessExternalEntities set to true

Prevent XXE by disabling the processing of external entities

  • error
  • java
  • Spring
  • security
  • XXE
  • framework specific
  • Spring XML
  • OWASP Top 10
Injection: XXE: Jaxb2RootElementHttpMessageConverter#setSupportDtd set to true

Prevent XXE by disabling DTDs

  • error
  • java
  • Spring
  • security
  • XXE
  • framework specific
  • Spring XML
  • OWASP Top 10
Injection: XXE: SourceHttpMessageConverter#setProcessExternalEntities set to true

Prevent XXE by disabling the processing of external entities

  • error
  • java
  • Spring
  • security
  • XXE
  • framework specific
  • Spring XML
  • OWASP Top 10
Injection: XXE: SourceHttpMessageConverter#setSupportDtd set to true

Prevent XXE by disabling DTDs

  • error
  • java
  • Spring
  • security
  • XXE
  • framework specific
  • Spring XML
  • OWASP Top 10
Input Validation: Avoid JDBC Injection: Bind variables in prepared statements: single parameter

Could lead to JDBC Injection

  • error
  • java
  • Spring
  • security
  • Spring Data
  • framework specific
  • injection
  • SQL
  • OWASP Top 10
Input Validation: Avoid JDBC Injection: Bind variables in prepared statements: Two parameters

Could lead to JDBC Injection

  • error
  • java
  • Spring
  • security
  • Spring Data
  • framework specific
  • injection
  • SQL
  • OWASP Top 10
Input Validation: Avoid Spring Expression Language Injection: Do not evaluate expressions controlled by user input (ExpressionParser)

Could lead to Spring Expression Language Injection

  • error
  • java
  • expression language
  • Spring
  • Spring Core
  • security
  • framework specific
  • injection
  • OWASP Top 10