Tag: Java

Spring Excessive Data Exposure: Examples and Prevention

An API is essentially a tool to provide an interface for the client with the software—that’s what they do. Some of the API methods modify application state and some return data to the client. Further, some methods can do both. Once we return data to the client, we need to make sure that we return only what’s necessary and don’t expose any sensitive information. This post will cover excessive data exposure in APIs with examples and prevention methods. The examples will be given in the context of the Java Spring framework. REST …

Spring Broken Object Level Authorization Guide: Examples and Prevention

If a malicious user gains access to functionality that only system administrators should have access to, there can be dire consequences. This post is about a specific type of vulnerability called broken object level authorization, or BOLA. This happens when an attacker gains access to API methods that should be restricted. In addition to talking about what this is, I’ll discuss ways to mitigate this attack in general, and specifically in Java Spring Boot. Broken Object Level Authorization Defined Back-end APIs are basically a set of functions that return answers to requests. …

Spring XML External Entities (XXE) Guide: Examples and Prevention

XML is a markup language that we use to define and categorize data. Data stored in XML format can move between multiple servers or between a client and a server. Once a server receives an XML input, it parses it via an XML parser. XML external entities are basically references in the XML document to files or URLs outside of the XML document. Essentially, it’s an XML standard feature that enables accessing and/or loading external resources. However, this feature can be dangerous, as it can allow malicious actors to retrieve unauthorized sensitive …

Spring CORS Guide: What it Is And How To Enable It

Introduction A cross-domain call is an HTTP request done via the browser from domain A to domain B via AJAX. An “origin” in the context of a cross-domain call is the combination of the request’s protocol, port, and domain. Originally proposed in the early 2000s, it’s now a standard across all modern browsers. In this post, I’ll explain what CORS is, why it’s important, and how to properly work with it in Spring. Why Use CORS? Before CORS Let’s start by describing the situation before CORS was implemented. Before CORS, a request …

Using H2 as in memory database for unit/component tests instead of MySQL


So following my recent post regarding the creation of a component test framework – let’s take a closer look in the use case of using H2 as a lightweight in memory database instead of MySQL, for your unit/component tests. Benefits of using H2 instead of MySQL It makes a lot of sense to use H2 in the context of component tests instead of MySQL: You can create and destroy a DB/table/data on the fly – once the tests are done the DB disappears. Compare this to having to rollback manually every change …

Creating a component test framework


If you have been reading Martin Fowler’s canonical article on the test pyramid, you know that there is a mystical layer that hides between those broad unit tests (the base of the pyramid) and the integration tests layer (near the top). This layer is called: component tests. This article is about the following: What are component tests? Why should you care, and how to implement them properly? What are component tests and why should you care? Basically component tests are the part that theoretically should allow you to isolate a …