Detecting Authorization Flaws in Java Spring via Source Code Review (SCR)

Privilege escalation vulnerabilities in Java Spring applications often evade dynamic testing but can be effectively detected through secure code review by analyzing authorization logic in the source code. This article outlines authorization implementation patterns in Spring Security and provides a practical step-by-step guide for identifying and mitigating authorization flaws during code review. #JavaSpring #PrivilegeEscalation #SecureCodeReview

Key Points

  • Privilege escalation issues in Java Spring applications frequently result from broken or missing authorization controls and can be missed by pentesting due to limited coverage.
  • Spring Security supports multiple layers of authorization, including URL-level, method-level, object-level and attribute-level controls, with strong reliance on Role-Based Access Control (RBAC) and Permission-Based Access Control (PBAC).
  • Annotations like @PreAuthorize and @PostAuthorize are key to enforcing fine-grained method and object-level authorization in code.
  • Secure Code Review involves mapping the application’s authorization model, locating enforcement points, and looking for misconfigurations or missing validations to prevent privilege escalation.
  • Key testing focuses include detecting vertical privilege escalation (users gaining higher roles) and horizontal escalation (users accessing others’ data) with checks on role assignments, JWT validation, and ownership enforcement.
  • Common red flags include poorly validated roles and permissions, reliance on client-side enforcement, missing authorization at service layers, and overly permissive or catch-all access configurations.
  • Combining source code review with penetration testing improves detection coverage of authorization flaws in tight testing environments.

MITRE Techniques

  • [T1068] Exploitation for Privilege Escalation – Privilege escalation vulnerabilities caused by broken or missing authorization allow unauthorized users to gain elevated access (“privilege escalation paths early in the SDLC”).
  • [T1078] Valid Accounts – Risk of unauthorized role assignments or role manipulation due to insecure role change operations (“Ensure that users cannot assign themselves elevated roles… Ensure role changes are only performed by authorized users”).
  • [T1550] Use of Valid Credentials – Risks arising from improper validation of JWT tokens allowing forged claims to escalate privileges (“parses token without verifying signature … leading to privilege escalation or impersonation”).

Indicators of Compromise

  • [Code Patterns] Authorization Annotations – Examples include @PreAuthorize("hasRole('ADMIN')"), @PostAuthorize("returnObject.owner == authentication.name"), and @PreAuthorize("hasPermission(#document, 'write')").
  • [Code Constructs] Role Definitions and Assignments – Role enums like ADMIN, USER, GUEST and role assignment methods such as user.setRole(Role.Admin) or dynamic role assignment using external sources.
  • [Code Snippets] JWT Parsing without Signature Validation – Example: Claims claims = Jwts.parserBuilder().build().parseClaimsJwt(token).getBody(); indicating missing token signature verification.
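As an added example (not code from the NetSPI article), the following Spring service places the enforcement points described in the key points and code patterns above at the service layer: an ownership check against horizontal escalation, an object-level permission check, and an admin-only role change that also refuses self-assignment. Document (with getOwner()), User (with setRole()), the Role enum, DocumentRepository and UserRepository are assumed domain types, and hasPermission relies on a PermissionEvaluator registered elsewhere in the security configuration.

```java
// Added example, not from the original article. Assumed types: Document (getOwner()),
// User (setRole()), Role enum, DocumentRepository and UserRepository (Spring Data).
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

// Without @EnableMethodSecurity (Spring Security 5.6+), @PreAuthorize/@PostAuthorize
// annotations are never evaluated; its absence is itself a finding during review.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

@Service
public class DocumentService {

    private final DocumentRepository documents;
    private final UserRepository users;

    public DocumentService(DocumentRepository documents, UserRepository users) {
        this.documents = documents;
        this.users = users;
    }

    // Horizontal escalation control: the loaded document must belong to the caller.
    // Evaluated after the call because the owner is only known once the object is
    // loaded; on mismatch Spring throws AccessDeniedException and nothing is returned.
    @PostAuthorize("returnObject.owner == authentication.name")
    public Document getDocument(long id) {
        return documents.findById(id).orElseThrow();
    }

    // Object-level check delegated to the application's PermissionEvaluator; the
    // evaluator, not the controller, decides whether this principal may write #document.
    @PreAuthorize("hasPermission(#document, 'write')")
    public Document update(Document document) {
        return documents.save(document);
    }

    // Vertical escalation control: only ADMIN may change roles, and a user may never
    // change their own role, matching the rule that users cannot self-assign privileges.
    @PreAuthorize("hasRole('ADMIN') and #username != authentication.name")
    public void changeRole(String username, Role newRole) {
        User user = users.findByUsername(username).orElseThrow();
        user.setRole(newRole);
        users.save(user);
    }
}
```

Parameter references such as #username and #document resolve only when parameter names are retained at compile time (the javac -parameters flag, which Spring Boot's build plugins enable by default); without it the expressions fail at runtime rather than silently passing.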

Read more: https://www.netspi.com/blog/technical-blog/secure-code-review/authorization-flaws-java-spring-via-source-code-review/