Reflected XSS#

Description:
Reflected Cross-Site Scripting (XSS) is a common web vulnerability. It happens when an attacker injects a malicious script into an application, and the application reflects it back to the user without proper sanitization or validation. This allows the script to execute in the victim’s browser, potentially leading to cookie theft, session hijacking, page defacement, phishing, etc.

Example (user input is directly concatenated into HTML):

1
import java.io.IOException;
2
import java.io.PrintWriter;
3
import javax.servlet.ServletException;
4
import javax.servlet.http.HttpServlet;
5
import javax.servlet.http.HttpServletRequest;
6
import javax.servlet.http.HttpServletResponse;
7

8
public class VulnerableServlet extends HttpServlet {
9
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
10
        String userInput = request.getParameter("input"); // Vulnerable to XSS
11

12
        response.setContentType("text/html");
13
        PrintWriter out = response.getWriter();
14
        out.println("<html>");
15
        out.println("<head><title>Reflection XSS Vulnerability Example</title></head>");
16
        out.println("<body>");
17
        out.println("<h1>Hello, " + userInput + "!</h1>"); // Vulnerable to XSS
18
        out.println("</body>");
19
        out.println("</html>");
20
        out.close();
21
    }
22
}

Recommendations:

1. Input validation & sanitization: validate and sanitize all user input before rendering it. Ensure input does not contain HTML/JavaScript or other executable content.
2. Output encoding: encode user input when outputting it into HTML so the browser won’t interpret it as executable code (use framework-provided encoding functions/libraries).
3. Content Security Policy (CSP): enforce a strict CSP to control which resources (scripts/styles/fonts) may load. Restricting script sources helps mitigate XSS impact.
4. Use mature frameworks/libraries: leverage frameworks/libraries with built-in XSS protections (automatic encoding, safer templating, etc.).

Example: HTML-escape user input with StringEscapeUtils.escapeHtml4() (Apache Commons Text) before rendering:

1
import org.apache.commons.text.StringEscapeUtils; // Using Apache Commons Text library for HTML escaping
2

3
public class XSSExample {
4
    public static void main(String[] args) {
5
        // Simulated user input (potentially malicious)
6
        String userInput = "<script>alert('XSS Attack!');</script>";
7

8
        // Encode user input to prevent XSS
9
        String safeOutput = StringEscapeUtils.escapeHtml4(userInput);
10

11
        // Displaying the safe output
12
        System.out.println("Safe Output: " + safeOutput);
13
    }
14
}

Stored XSS#

Description:

Recommendations:

DOM-based XSS#

Description:
DOM-based XSS is an attack where malicious code executes in the browser through client-side script (typically JavaScript) manipulating the DOM (Document Object Model). Unlike other XSS types, DOM XSS does not require server-side reflection/storage — it happens when page scripts incorrectly handle untrusted input and inject it into the DOM. This can steal sessions, modify page content, etc.

Recommendations:

1. Validate/encode input before DOM insertion: never use untrusted input directly in DOM operations.
2. Use safe APIs: prefer APIs that do not parse HTML, e.g. textContent instead of innerHTML. Use Element.setAttribute instead of string concatenation.
3. Use CSP: restrict inline scripts and unauthorized external scripts.
4. Use framework protections: modern frameworks (React/Angular/Vue) provide XSS mitigations by default when used correctly.

Directory Traversal#

Description:
Directory traversal (path traversal) allows attackers to access files/directories outside the intended directory by supplying paths like ../. This can leak sensitive files (configs/passwords) or allow modification/execution of system files.

Example (attacker controls filePath like "../../etc/passwd"):

1
public class DirectoryTraversalVulnerable {
2
    public byte[] readFile(String filePath) throws IOException {
3
        File file = new File(filePath);
4
        FileInputStream fis = new FileInputStream(file);
5
        byte[] data = new byte[(int) file.length()];
6
        fis.read(data);
7
        fis.close();
8
        return data;
9
    }
10
}

Recommendations:

1. Strict input validation: reject/remove traversal sequences like ../.
2. Use safer file APIs: ensure your file access logic accounts for traversal.
3. Use allowlists: maintain an allowlist of permitted paths/files.
4. Least privilege: restrict filesystem permissions for the app user.
5. Error handling: avoid leaking filesystem structure via errors.

Example: enforce a safe base directory and validate canonical paths:

1
public class DirectoryTraversalSafe {
2
    private final String basePath = "/var/data/appfiles";  // safe base path
3

4
    public byte[] readFile(String filePath) throws IOException {
5
        File file = new File(basePath, filePath);
6
        if (!file.getCanonicalPath().startsWith(basePath)) {
7
            throw new SecurityException("Attempted directory traversal attack");
8
        }
9
        FileInputStream fis = new FileInputStream(file);
10
        byte[] data = new byte[(int) file.length()];
11
        fis.read(data);
12
        fis.close();
13
        return data;
14
    }
15
}

SQL Injection#

Description:
SQL injection allows attackers to inject malicious SQL into queries, leading to auth bypass, data theft/modification/deletion, etc. It typically occurs when user input is concatenated into SQL without proper parameterization.

Vulnerable example (string concatenation):

1
public class SqlInjectionVulnerable {
2
    public void getUser(String username) {
3
        Connection conn = null;
4
        Statement stmt = null;
5
        try {
6
            conn = DriverManager.getConnection("jdbc:mysql://localhost/testdb", "user", "password");
7
            stmt = conn.createStatement();
8
            ResultSet rs = stmt.executeQuery("SELECT * FROM users WHERE username = '" + username + "'");
9
            while (rs.next()) {
10
                // handle results
11
            }
12
        } catch (SQLException e) {
13
            e.printStackTrace();
14
        } finally {
15
            try { if (stmt != null) stmt.close(); } catch (SQLException e) { }
16
            try { if (conn != null) conn.close(); } catch (SQLException e) { }
17
        }
18
    }
19
}

Recommendations:

1. Parameterized queries: the most effective protection; prevents SQL structure changes.
2. Prepared statements: e.g. PreparedStatement in Java; separates query structure from data.
3. Input validation: reduce attack surface by rejecting suspicious input (not sufficient alone).
4. Use ORM frameworks: Hibernate/JPA typically use parameterization by default.
5. Least privilege: limit DB account permissions so impact is reduced if injection succeeds.

Safe example (prepared statement):

1
public class SqlInjectionSafe {
2
    public void getUser(String username) {
3
        Connection conn = null;
4
        PreparedStatement pstmt = null;
5
        try {
6
            conn = DriverManager.getConnection("jdbc:mysql://localhost/testdb", "user", "password");
7
            pstmt = conn.prepareStatement("SELECT * FROM users WHERE username = ?");
8
            pstmt.setString(1, username);
9
            ResultSet rs = pstmt.executeQuery();
10
            while (rs.next()) {
11
                // handle results
12
            }
13
        } catch (SQLException e) {
14
            e.printStackTrace();
15
        } finally {
16
            try { if (pstmt != null) pstmt.close(); } catch (SQLException e) { }
17
            try { if (conn != null) conn.close(); } catch (SQLException e) { }
18
        }
19
    }
20
}

SQL Injection (MyBatis)#

Description:
In MyBatis, ${} performs string substitution: it directly injects the value into the SQL text (no precompilation/binding like #{}). While ${} can be useful for internal trusted variables, using it with untrusted user input can lead to SQL injection.

Vulnerable mapper (uses ${}):

1
<mapper namespace="com.example.mapper.UserMapper">
2
    <select id="findUserByUsername" resultType="com.example.model.User">
3
        SELECT * FROM users WHERE username = '${username}'
4
    </select>
5
</mapper>

Recommendations:

1. Avoid ${} for user input: only use it for internal trusted values.
2. Use #{} parameter binding: uses prepared statements and prevents SQL injection.
3. Validate/clean inputs: enforce formats/length/range to reduce abuse.
4. Use MyBatis dynamic SQL: prefer <choose>, <if>, <when>, <otherwise>, etc., instead of manual string concatenation.

Safe mapper (uses #{}):

1
<mapper namespace="com.example.mapper.UserMapper">
2
    <select id="findUserByUsername" parameterType="string" resultType="com.example.model.User">
3
        SELECT * FROM users WHERE username = #{username}
4
    </select>
5
</mapper>

Command Injection#

Description:
Command injection occurs when untrusted input is used to build a system command. Attackers can inject extra commands/arguments to achieve arbitrary command execution, leading to data exposure and system compromise. This often happens when using APIs like Runtime.exec() or ProcessBuilder without strict validation.

Recommendations:

1. Avoid executing user input directly: validate and sanitize strictly if unavoidable.
2. Use safer APIs: keep command and parameters strictly separated (e.g., ProcessBuilder with argument arrays).
3. Allowlist validation: restrict to known-safe commands/arguments.
4. Least privilege: run the app with minimal OS permissions.
5. Use existing security libraries/tools: avoid custom parsing/escaping where possible.

Server-Side Request Forgery (SSRF)#

Description:
SSRF allows an attacker to make the server send requests to attacker-chosen targets (internal/external). This can access internal services behind firewalls, bypass IP allowlists, scan ports, and abuse trust relationships.

Recommendations:

1. Validate and filter URLs: enforce strict format and allowlist allowed schemes/domains.
2. Restrict destinations: block private networks/metadata endpoints; restrict ports.
3. Use safe URL parsing libraries: avoid hand-rolled parsing.
4. Set timeouts/retries: reduce DoS risk.
5. Use an egress proxy: centralize filtering/auditing and hide real server IP.

Example: validate host/protocol with an allowlist before fetching:

1
import java.io.BufferedReader;
2
import java.io.InputStreamReader;
3
import java.net.HttpURLConnection;
4
import java.net.URL;
5

6
public class SsrfSafeExample {
7
    public String fetchUrlContent(String urlString) throws Exception {
8
        URL url = new URL(urlString);
9

10
        // Validate URL host/protocol
11
        if (!isValidUrl(url)) {
12
            throw new IllegalArgumentException("Invalid URL provided");
13
        }
14

15
        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
16
        BufferedReader reader = new BufferedReader(new InputStreamReader(connection.getInputStream()));
17

18
        StringBuilder response = new StringBuilder();
19
        String line;
20
        while ((line = reader.readLine()) != null) {
21
            response.append(line);
22
        }
23
        reader.close();
24

25
        return response.toString();
26
    }
27

28
    private boolean isValidUrl(URL url) {
29
        // Example allowlist (customize for your app)
30
        String host = url.getHost();
31
        String protocol = url.getProtocol();
32
        return "http".equals(protocol) && ("example.com".equals(host) || "api.example.com".equals(host));
33
    }
34
}

Code Injection#

Description:
Code injection happens when untrusted input is passed into an interpreter/executor (e.g., eval(), Runtime.exec()) and runs as code. Impact ranges from data tampering to full system compromise.

Recommendations:

1. Avoid dynamic execution: avoid eval()/dynamic execution APIs whenever possible.
2. Validate and sanitize inputs: strict format validation; reject dangerous characters/expressions.
3. Parameterize: avoid string concatenation for commands/scripts.
4. Least privilege: minimize execution environment permissions.
5. Use secure frameworks: rely on frameworks providing safer patterns/mitigations.

Open Redirect#

Description:
Open redirect lets attackers craft URLs that redirect users to malicious sites, enabling phishing and other social engineering. It happens when redirect targets are built from unvalidated user input.

Recommendations:

1. Strict validation + allowlist: only allow redirects to trusted domains or internal URLs.
2. Avoid user-controlled redirect targets: sanitize and validate if unavoidable.
3. Use framework-safe redirect helpers: e.g., Spring MVC RedirectAttributes.
4. Log/monitor redirects: capture source and destination to detect abuse.
5. Security training: ensure the team can recognize and avoid open redirects.

Insecure Cipher Mode#

Description:
Block cipher modes describe how to apply a cipher repeatedly over data blocks (ECB/CBC/CFB/CTR/etc).

• ECB is weak because identical plaintext blocks produce identical ciphertext blocks.
• CBC can be vulnerable to padding oracle attacks.
• CTR avoids these specific issues and is generally better.

Example (AES in ECB mode):

1
SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
2
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS7Padding", "BC");
3
cipher.init(Cipher.ENCRYPT_MODE, key);

Recommendations:
Avoid ECB and (where possible) CBC when encrypting multi-block data. Prefer CCM or (for performance) GCM when available.

Example (GCM mode):

1
SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
2
Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5Padding", "BC");
3
cipher.init(Cipher.ENCRYPT_MODE, key);

Insecure Cipher Algorithm#

Description:
Using outdated/weak algorithms (e.g., DES, MD5) can lead to easy cracking and data exposure. As computing power increases, algorithms once considered secure may become weak.

Example (DES):

1
import javax.crypto.Cipher;
2
import javax.crypto.KeyGenerator;
3
import javax.crypto.SecretKey;
4

5
public class UnsafeEncryptionExample {
6
    public static void main(String[] args) throws Exception {
7
        KeyGenerator keyGenerator = KeyGenerator.getInstance("DES");
8
        SecretKey secretKey = keyGenerator.generateKey();
9

10
        Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
11
        cipher.init(Cipher.ENCRYPT_MODE, secretKey);
12

13
        String plainText = "Sensitive Information";
14
        byte[] encryptedText = cipher.doFinal(plainText.getBytes());
15
        System.out.println("Encrypted: " + new String(encryptedText));
16
    }
17
}

Recommendations:

1. Use strong algorithms: e.g. AES with sufficient key length (AES-256).
2. Choose secure modes: e.g. CBC/GCM; prefer modes that provide integrity/authentication where applicable.
3. Use mature crypto libraries: avoid implementing crypto yourself.
4. Regularly review/update crypto: keep up with vulnerabilities and best practices.

Example (AES-GCM with 256-bit key):

1
import javax.crypto.Cipher;
2
import javax.crypto.KeyGenerator;
3
import javax.crypto.SecretKey;
4
import javax.crypto.spec.GCMParameterSpec;
5
import java.security.SecureRandom;
6

7
public class SecureGcmEncryptionExample {
8
    public static void main(String[] args) throws Exception {
9
        KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
10
        keyGenerator.init(256); // 256-bit key
11
        SecretKey secretKey = keyGenerator.generateKey();
12

13
        final int GCM_IV_LENGTH = 12; // recommended IV length
14
        final int GCM_TAG_LENGTH = 128; // recommended tag length (bits)
15

16
        byte[] iv = new byte[GCM_IV_LENGTH];
17
        new SecureRandom().nextBytes(iv);
18
        GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(GCM_TAG_LENGTH, iv);
19

20
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
21
        cipher.init(Cipher.ENCRYPT_MODE, secretKey, gcmParameterSpec);
22

23
        String plainText = "Sensitive Information";
24
        byte[] encryptedText = cipher.doFinal(plainText.getBytes());
25
        System.out.println("Encrypted securely with GCM: " + java.util.Base64.getEncoder().encodeToString(encryptedText));
26
    }
27
}

Insufficient Key Size (RSA)#

Description:
RSA security strongly depends on key size. 1024-bit RSA keys were once considered safe but are now much easier to break as computing power improved. Use 2048-bit or larger keys for stronger security.

Example (1024-bit RSA key pair):

1
import java.security.KeyPair;
2
import java.security.KeyPairGenerator;
3
import java.security.NoSuchAlgorithmException;
4

5
public class WeakRsaKeyExample {
6
    public static KeyPair generateWeakRSAKeyPair() throws NoSuchAlgorithmException {
7
        KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
8
        keyPairGen.initialize(1024); // too short
9
        return keyPairGen.generateKeyPair();
10
    }
11

12
    public static void main(String[] args) throws Exception {
13
        KeyPair weakKeyPair = generateWeakRSAKeyPair();
14
        System.out.println("Generated weak RSA key pair with key size: " + weakKeyPair.getPrivate().getEncoded().length * 8 + " bits");
15
    }
16
}

Recommendations:

1. Use at least 2048-bit RSA keys; for long-term security consider 3072/4096.
2. Rotate keys regularly.
3. Use strong randomness and vetted libraries for key generation.

Example (2048-bit RSA key pair):

1
import java.security.KeyPair;
2
import java.security.KeyPairGenerator;
3
import java.security.NoSuchAlgorithmException;
4

5
public class StrongRsaKeyExample {
6
    public static KeyPair generateStrongRSAKeyPair() throws NoSuchAlgorithmException {
7
        KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
8
        keyPairGen.initialize(2048); // recommended
9
        return keyPairGen.generateKeyPair();
10
    }
11

12
    public static void main(String[] args) throws Exception {
13
        KeyPair strongKeyPair = generateStrongRSAKeyPair();
14
        System.out.println("Generated strong RSA key pair with key size: " + strongKeyPair.getPrivate().getEncoded().length * 8 + " bits");
15
    }
16
}

Hardcoded Passwords#

Description:
Hardcoded plaintext passwords in source code/config/internal structures are highly insecure. Anyone who can access the code/files (devs, attackers via leaks, etc.) can obtain them. They are also hard to rotate, so a leak can cause long-term impact. This violates best practices.

Recommendations:
Never hardcode passwords. Store secrets outside of code (e.g., environment variables, secret stores) and avoid plaintext storage anywhere in the system.

Hardcoded Encryption Keys#

Description:
Hardcoding encryption keys in code/config makes them easy to leak. Rotating keys requires code changes and redeployments, increasing risk and maintenance cost.

Recommendations:

1. Store keys in environment variables or external secret stores (KMS/secret manager).
2. Implement key rotation and safe decommissioning.
3. Encrypt configuration files if keys must be stored there, and manage the encryption key securely.
4. Enforce access control and auditing for systems storing keys.
5. Use key derivation functions (PBKDF2/Argon2) where appropriate instead of hardcoded keys.

Hardcoded API Credentials#

Description:
Hardcoding API keys/passwords/tokens in source code is unsafe and makes rotation hard. Leaks can lead to unauthorized access, data exposure, financial loss, etc.

Recommendations:

1. Use environment variables.
2. Use config files that are excluded from version control; encrypt in production.
3. Use secret management services (AWS Secrets Manager, Azure Key Vault, etc.) with access control/auditing.
4. Apply least privilege to the credentials.
5. Rotate credentials regularly.

Plaintext Passwords in Configuration Files#

Description:
Storing plaintext passwords in config files is a common security issue. Anyone with access can read them, and leaked configs can cause serious incidents. Config files also tend to be synced across environments, increasing exposure.

Recommendations:

1. Use environment variables.
2. Use secret management systems (AWS Secrets Manager, HashiCorp Vault, etc.).
3. Encrypt secrets stored in config files so only the app can decrypt at runtime.
4. Use config management tools (Spring Cloud Config, Consul) that support external loading and encryption.

Plaintext Passwords in Test Files#

Description:
Hardcoding plaintext passwords in test code/data is unsafe. Test assets might accidentally ship to production, or source repositories might be accessed by unauthorized parties. Test environments are also often weaker than production.

Recommendations:

1. Use environment variables for test credentials.
2. Encrypt config files if secrets must exist there, and manage keys securely.
3. Use secret managers for test environment credentials.
4. Avoid real user accounts/passwords; use mocking where possible.

Insecure Transport Protocol#

Description:
SSL and early TLS versions (SSLv2/SSLv3/TLS 1.0/TLS 1.1) have known vulnerabilities (BEAST/POODLE/CRIME, etc.) and are not considered safe. Modern secure communication should use TLS 1.2 or TLS 1.3.

Example (unsafe SSLv3):

1
public class InsecureSSLExample {
2
    public static void main(String[] args) throws Exception {
3
        SSLContext context = SSLContext.getInstance("SSLv3");
4
        context.init(null, null, null);
5
        SSLSocketFactory factory = context.getSocketFactory();
6
        SSLSocket socket = (SSLSocket) factory.createSocket("example.com", 443);
7
        // insecure connection example
8
    }
9
}

Recommendations:

1. Upgrade to TLS 1.2 or TLS 1.3.
2. Disable SSLv2/SSLv3/TLS 1.0/TLS 1.1 on servers and clients.
3. Patch OS/app/libs regularly to include the latest SSL/TLS fixes.
4. Review and update crypto policies and configs regularly.
5. Use secure cipher suites (avoid weak/broken ones).

Example (TLS 1.2):

1
public class SecureSSLExample {
2
    public static void main(String[] args) throws Exception {
3
        SSLContext context = SSLContext.getInstance("TLSv1.2");  // TLSv1.2
4
        context.init(null, null, null);
5
        SSLSocketFactory factory = context.getSocketFactory();
6
        SSLSocket socket = (SSLSocket) factory.createSocket("example.com", 443);
7
        // secure connection example
8
    }
9
}

Missing Content Security Policy (CSP)#

Description:
CSP helps prevent XSS and other injection attacks by allowlisting which resources can be loaded/executed. Without CSP (or with a weak CSP), pages are easier to exploit via injected scripts.

Recommendations:

1. Enable and properly configure CSP via the Content-Security-Policy header; strictly restrict script/style/img/font/form/resource sources to trusted origins.
2. Avoid unsafe-inline and unsafe-eval where possible.
3. Review and update CSP regularly as the app evolves.
4. Use reporting (report-uri / report-to) to collect violation reports.
5. Test thoroughly before rollout to avoid breaking legitimate resources.

Server Identity Verification Disabled#

Description:
In SSL/TLS connections, verifying server identity is essential. Clients typically validate the certificate chain (trusted CA) and hostname match. If verification is disabled, the client can be vulnerable to MITM attacks.

Example (disables hostname verification):

1
public class InsecureConnection {
2
    public static void main(String[] args) throws Exception {
3
        HttpsURLConnection connection = (HttpsURLConnection) new URL("https://example.com").openConnection();
4
        connection.setHostnameVerifier(new HostnameVerifier() {
5
            @Override
6
            public boolean verify(String hostname, SSLSession session) {
7
                return true;  // insecure: no verification
8
            }
9
        });
10
        trustAllHttpsCertificates(connection); // assume this makes it trust all certs
11
    }
12

13
    private static void trustAllHttpsCertificates(HttpsURLConnection conn) {
14
        // implementation omitted: trusts all certificates (unsafe)
15
    }

Recommendations:

1. Always enable server identity verification.
2. Use correctly configured certificates issued by trusted CAs, with correct DNS names.
3. Check certificate revocation status (OCSP/CRL) where appropriate.
4. Enforce full certificate chain validation.
5. Follow best practices and use secure libraries to avoid disabling validation accidentally.

Overly Broad Certificate Trust#

Description:
Trusting too many certificates (including self-signed/untrusted ones) weakens security and enables MITM. Common anti-pattern: trusting all certificates.

Example (trust all certificates):

1
public class InsecureTrustManager {
2
    public static void main(String[] args) throws Exception {
3
        SSLContext sc = SSLContext.getInstance("TLS");
4
        TrustManager[] trustAllCerts = new TrustManager[] {
5
            new X509TrustManager() {
6
                public java.security.cert.X509Certificate[] getAcceptedIssuers() {
7
                    return null;
8
                }
9
                public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) { }
10
                public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) { }
11
            }
12
        };
13
        sc.init(null, trustAllCerts, new java.security.SecureRandom());
14
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
15
        // insecure: trusts all certificates
16
    }
17
}

Recommendations:

1. Trust only known, reliable CAs (maintain an explicit trust store).
2. Validate the full certificate chain (root + intermediates).
3. Use certificate pinning when appropriate.
4. Do not trust self-signed certs except in controlled environments (e.g., internal testing).
5. Keep trust stores updated (add new CAs; remove revoked/unsafe ones).

Example (use system default trust manager):

1
public class SecureTrustManager {
2
    public static void main(String[] args) throws Exception {
3
        SSLContext sc = SSLContext.getInstance("TLS");
4
        sc.init(null, null, new java.security.SecureRandom()); // use system default trust manager
5
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
6
        // default trust manager trusts only certificates issued by trusted CAs
7
    }
8
}

Weak Randomness#

Description:
Using weak RNGs in security contexts (session ids, passwords, keys) can produce predictable values, enabling replay/session hijacking and other attacks. This often happens when using non-cryptographic PRNGs like Random.

Recommendations:

1. Use a CSPRNG: e.g. Java SecureRandom, not Random.
2. Reseed when appropriate (especially after security events).
3. Avoid custom RNG algorithms; use vetted implementations.
4. Combine multiple entropy sources for high-security needs.
5. Assess randomness strategy periodically.

Insecure Spring Default Configuration#

Description:
In Spring Boot, management.security.enabled controls security for management endpoints. Misconfiguration (e.g. false) can expose sensitive endpoints (metrics, health, info, etc.) to unauthorized users.

Recommendations:

1. Enable management endpoint security by default (management.security.enabled=true).
2. Use roles/permissions to restrict access (Spring Security).
3. Restrict network access (firewalls/security groups; internal-only).
4. Use layered defenses (authn/authz/logging/monitoring).
5. Review and update configuration regularly.