# Sample Spring Boot Application

This is the initial demo application that will be used for showing all security patterns when deploying and running this in Kubernetes.

This application provides two REST APIs:

## Greetings API

- `GET localhost:8080`: Shows greeting with configured default message
- `GET localhost:8080?message=test`: Shows greeting with custom message

## Actuator API

Exposes all available actuator endpoints of Spring Boot (including sensitive ones)
The application is intentionally kept simple so that the focus stays on the security aspects rather than on describing a complex use-case model.
## Run the application

Just start it by running `com.example.app.Step1App`.
## Sample command-line client requests

### Httpie

This should return the default greeting:

This should return a custom greeting:

### Curl

This should return the default greeting:

This should return a custom greeting:
## Sample browser requests

Using the browser, we can try to put some cross-site scripting (XSS) snippets into the `message` parameter.

Try to display a popup via JavaScript:

```
http://localhost:8080/?message=alert('XSS')
```
With the default code, XSS does not work because multiple defense mechanisms are in place:

- Input validation permits a maximum length of 30 characters for the `message` URL parameter
- The application is protected against the browser interpreting the reflected greeting by output escaping (HTML and JavaScript)
- Content-Type is set to `application/json`

Note: If you disable all these precautions, you should see XSS working. Please do not disable those precautions in production code!
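As an added example that is not part of the demo project's code, the following plain-Java class shows the three precautions listed above applied in order to the sample requests: length validation first, then HTML and JavaScript escaping of the reflected message, then a JSON response. It runs without Spring Boot; the class and method names, the default greeting and the escaping tables are this example's own (in the real application the same steps would typically be done with a Bean Validation constraint and Spring's escaping utilities, which is an assumption about its implementation).

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not the demo project's code: the three XSS precautions from the
 * README, written in plain Java. Names and the default greeting are assumptions.
 */
public class GreetingDefenses {

    /** Limit from the README: the message parameter may be at most 30 characters. */
    static final int MAX_MESSAGE_LENGTH = 30;

    /** Assumed default greeting; the real value is configured in the application. */
    static final String DEFAULT_MESSAGE = "Hello World";

    /** Precaution 1: input validation. A missing parameter falls back to the default,
     *  an over-long one is rejected before it reaches any output. */
    static String validate(String message) {
        if (message == null) {
            return DEFAULT_MESSAGE;
        }
        if (message.length() > MAX_MESSAGE_LENGTH) {
            throw new IllegalArgumentException(
                    "message longer than " + MAX_MESSAGE_LENGTH + " characters");
        }
        return message;
    }

    /** Precaution 2a: HTML escaping. Markup characters become entities, so a
     *  reflected "<script>" is displayed as text instead of being parsed. */
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Precaution 2b: JavaScript string escaping. Quotes, backslashes and line
     *  breaks cannot terminate the string literal they are embedded in. Only
     *  escape forms that are also valid inside a JSON string are used. */
    static String javaScriptEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': out.append("\\\\");    break;
                case '"':  out.append("\\\"");    break;
                case '\'': out.append("\\u0027"); break;
                case '<':  out.append("\\u003C"); break;
                case '>':  out.append("\\u003E"); break;
                case '\n': out.append("\\n");     break;
                case '\r': out.append("\\r");     break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Precaution 3: the greeting is returned as JSON with Content-Type
     *  application/json, so a browser does not render the body as HTML. */
    static Map<String, String> respond(String rawMessage) {
        String safe = javaScriptEscape(htmlEscape(validate(rawMessage)));
        Map<String, String> response = new LinkedHashMap<>();
        response.put("Content-Type", "application/json");
        response.put("body", "{\"greeting\":\"" + safe + "\"}");
        return response;
    }

    public static void main(String[] args) {
        // Constructed inputs: the README's two normal requests and a classic XSS probe.
        String[] inputs = { null, "test", "<script>alert('XSS')</script>" };
        for (String input : inputs) {
            System.out.println(respond(input));
        }
        // An over-long message never reaches the escaping step: precaution 1 rejects it.
        try {
            respond("x".repeat(MAX_MESSAGE_LENGTH + 1));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Each layer is independent: the 29-character probe passes the length check, so the escaping and the JSON content type are what keep it inert, which is why the note above warns against disabling all of them at once.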
## Build process

The Gradle build for this application includes specific security-relevant parts:

- SpotBugs (with Security Add-On): Automatically does static code analysis for security issues
- OWASP Dependency Check: Automatically checks all Gradle dependencies for known vulnerabilities