CVE-2022-23726 Previous versions of the PingCentral Ping API exposed Spring Boot actuator endpoints with administrative authentication that gives away sensitive information.

The most common attack scenario is via an outside party using a web crawling tool to search for available endpoints and then craft a request to one of these endpoints with malicious intent, such as to retrieve sensitive information or an account password file. An attacker may also target an open endpoint via a brute-force dictionary or SQL injection attack. As such, it is important to harden your Spring Boot application to protect against these types of attacks. Taken from the example above, the below URL is exposed and would leak sensitive information if accessed via a malicious third party crawler. a href="https://app.pwnable.com/v1/accounts/fo0">{{ endpoints.accounts.find(" fo0 ") }}/a>

HTTP Header Protection

To protect the HTTP headers of a Spring Boot application from being tampered with by an outside party, you can use a proxy server. For example, if you have a simple REST endpoint that accepts GET requests, you could pass the HTTP request through Nginx or Apache first so that it appears to be coming from your own IP address and not just any outside source. If you want to ensure that the POST request is also secured, then you could setup your own reverse proxy in front of Spring Boot.
The following example is how Spring Security would secure your POST endpoint when using its own reverse proxy:

a href="http://localhost:8080"
{{ request }}
{{ response }}

Protection

Against Attacks
There are a few ways to protect against these types of attacks. First, you can use the Spring Security filter chain to create a RequestMatcher class which will match requests to your application. You can then apply this RequestMatcher class via the WebSecurityConfigurerAdapter. This class will determine if an incoming request is malicious or not and block it accordingly. In addition, you can leverage X-Frame-Options headers on your web pages to prevent malicious third party crawlers from viewing your website.

HTTPS Protection

If your application is running on port 80 and has access to web crawling software, you can protect it by enabling HTTPS. Using the below example, we'll show you how to set up a Spring Boot application with an embedded Tomcat server that listens on port 443.
First, perform the following steps:
1. Install Java JDK 8 and Tomcat 8.
2. Create a new Spring Boot project in IntelliJ IDEA or Eclipse/Intellij CE/PyCharm/WebStorm/PHPStorm/.
3. Add dependencies for tomcat-servlet-4.x and spring-boot-starter-webflux .
3. Enable HTTPS in the pom file for your application's port (for example, use 8080).
4. The following code snippet must be placed before the declaration of @RestController : import org . apache . commons . servlet . HttpServletRequest ; import org . apache . commons . servlet . ServletContextListener ; import org . apache . httpclient

Bypass Authentication

Once the attacker has gained access to an endpoint, they can bypass authentication by using a brute-force attack. They may also craft a request that attempts to exploit known vulnerabilities in Spring Boot’s authentication schemes. An attacker might try to find a URL with an authentication header that has been previously created and then use it in their own requests. One good way to mitigate this issue is to implement a custom security filter for your application.
For example, you could use the below code snippet as the security filter:

Protection Against Brute Force Attacks

The best way to protect your Spring Boot application against brute force attacks is to leverage the use of a Hashed Authentication Provider (HAP). HAPs are responsible for verifying that each user attempting to login with Spring Security has a valid username and password combination by encrypting the data. This ensures that the person attempting to login is authorized before any information is returned.
At this point, it's important to determine what you want your application to do in case of a successful login. In order for the system to be secure, it's recommended that only authenticated users have access. If this is desirable, we can also implement an additional layer of security by using an Authorization Strategy . An Authorization Strategy allows us to specify what actions are allowed for an authenticated user before returning them back with the results.

Timeline

Published on: 09/30/2022 15:15:00 UTC
Last modified on: 10/04/2022 16:33:00 UTC

References

• https://www.pingidentity.com/en/resources/downloads/pingcentral.html
• https://docs.pingidentity.com/bundle/pingcentral-110/page/sdd1651696160285.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23726