Spring Security

From bibbleWiki
Revision as of 01:03, 28 March 2021 by Iwiseman (talk | contribs) (Created page with "=Introduction= ==Authentication== Spring Security Provides out of the box *Basic Web From Authentication *Ouath2 and OpenID Connect *LDAP *JWT JSon Web Tokens ==Protection== I...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Introduction

Authentication

Spring Security Provides out of the box

  • Basic Web From Authentication
  • Ouath2 and OpenID Connect
  • LDAP
  • JWT JSon Web Tokens

Protection

Includes strategies for

  • Session Fixation (Reusing of the Session ID)
    • Session token in the URL argument:

The Session ID is sent to the victim in a hyperlink and the victim accesses the site through the malicious URL.

    • Session token in a hidden form field: In this method, the victim must be tricked to authenticate in the target Web Server, using a login form developed for the attacker. The form could be hosted in the evil web server or directly in html formatted e-mail.
    • Session ID in a cookie:

Client-side script

  • Clickjacking(UI redress attack)

This is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

  • Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

  • Cross Site Scripting

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Retrieved from "https://www.bibble.co.nz/mediawiki/index.php?title=Spring_Security&oldid=4119"