Searching for vulnerabilities in a Spring Boot application

Mihaita Tinta
3 min read · May 20, 2021


So you are interested in securing your application written in Java with Spring Boot. You may already have heard of the OWASP project and its Top 10 vulnerabilities. Did you know there is a deliberately insecure sample Spring Boot application that you can hack yourself?

Webgoat meets WebWolf

There are multiple ways to start the applications. If you already use Docker, you can easily run one command:

docker run --rm -it -p 8080:8080 -p 9090:9090 webgoat/goatandwolf sh

From the logs, you should see that the WebGoat application is already listening on port 8080.

You can now access the application:

http://localhost:8080/WebGoat

You can easily register a user, unless you think you can bypass the Spring Security form login plus Spring Data JPA.

Now that you are logged in, you can explore many vulnerabilities. The nice thing is that you also get a recap of some basic concepts (which you can skip).

In the Challenges section you try to hack the system on your own.

Rate the system without authenticating

If you press the star buttons, you can see a GET request being triggered. This is the endpoint you need to hack: /challenge/8/vote/3, where 3 is the number of stars and 8 is the challenge index.

When you change the method to something else, like POST, you can see Spring Boot's error handling in action.

If you wonder what other methods the server supports, you can use OPTIONS.

The HTTP OPTIONS method requests permitted communication options for a given URL or server. A client can specify a URL with this method, or an asterisk (*) to refer to the entire server.

In our situation we can see HEAD is also supported.

The HTTP HEAD method requests the headers that would be returned if the HEAD request's URL was instead requested with the HTTP GET method. For example, if a URL might produce a large download, a HEAD request could read its Content-Length header to check the filesize without actually downloading the file.

Bingo: when we use this method, we capture the flag.

Now all we have to do is paste the value into the app and move on to the next challenge.

If you are curious how the server-side implementation looks, you can check out the source code, since it's open source.

Conclusion: HEAD requests are also mapped to @GetMapping-annotated methods.
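As an added illustration of this conclusion (example code written for this post, not WebGoat's challenge implementation; the endpoints, class names and the Spring Boot 3 / jakarta.servlet, spring-test and JUnit 5 dependencies are assumptions), here is a controller that gates its login check on the method string beside a version that does not, with a standalone MockMvc test showing that a HEAD request reaches the same @GetMapping handler:

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.head;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import jakarta.servlet.http.HttpServletRequest;
import org.junit.jupiter.api.Test;
import org.springframework.http.ResponseEntity;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller written for this example; it is not WebGoat's challenge code.
@RestController
class VoteController {
    // Weak pattern: the login check only runs when the method string is "GET". Spring MVC
    // routes HEAD to @GetMapping handlers too, so HEAD arrives here and skips the check.
    @GetMapping("/weak/vote/{stars}")
    public ResponseEntity<String> weakVote(@PathVariable("stars") int stars, HttpServletRequest request) {
        if ("GET".equals(request.getMethod()) && request.getUserPrincipal() == null) {
            return ResponseEntity.status(401).body("login first");
        }
        return ResponseEntity.ok("vote recorded: " + stars);
    }

    // Hardened: the check no longer depends on the method name, so GET and HEAD are treated
    // alike. A Spring Security path rule (requestMatchers("/fixed/**").authenticated())
    // would enforce the same thing for every method before the controller is reached.
    @GetMapping("/fixed/vote/{stars}")
    public ResponseEntity<String> fixedVote(@PathVariable("stars") int stars, HttpServletRequest request) {
        if (request.getUserPrincipal() == null) {
            return ResponseEntity.status(401).body("login first");
        }
        return ResponseEntity.ok("vote recorded: " + stars);
    }
}

// Standalone MockMvc test (no Spring Security filter chain) that demonstrates the routing.
class VoteControllerTest {
    private final MockMvc mvc = MockMvcBuilders.standaloneSetup(new VoteController()).build();

    @Test
    void headSkipsMethodStringCheck() throws Exception {
        mvc.perform(get("/weak/vote/3")).andExpect(status().isUnauthorized());
        mvc.perform(head("/weak/vote/3")).andExpect(status().isOk());            // bypass
        mvc.perform(head("/fixed/vote/3")).andExpect(status().isUnauthorized()); // closed
    }
}
```

In a real project the controller and the test live in separate source sets; they are shown together here only to keep the example in one place.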
