Vulnerable Dependencies
- Check `pom.xml` or `build.gradle` for outdated or vulnerable libraries:

```bash
mvn dependency:tree
mvn versions:display-dependency-updates
mvn dependency-check:aggregate
```

- Use tools like:

Entry Points (Controllers / Routes)
- Look for Spring Boot entry points:

```bash
grep -r -A2 -E '@(Get|Post|Put|Delete)Mapping' *
grep -r 'RequestMapping' *
```

- Validate input and enforce access control on `@RequestParam`, `@PathVariable`, `@RequestBody`
- File uploads, redirect URLs, and form data

Dangerous Java Functions
Runtime / System Command Execution
- `java.lang.Runtime.getRuntime().exec()`
- `ProcessBuilder`

Code Execution
- `javax.script.ScriptEngineManager`
- JShell (Java 9+)

Deserialization

```java
ObjectInputStream ois = new ObjectInputStream(...);
ois.readObject();
```

- Watch for use of:
  - Apache Commons Collections
  - Spring `DefaultSerializer`
- Use `@JsonTypeInfo` + `ObjectMapper` carefully (Jackson exploit chains)
- Tools:

📦 Unsafe Reflection
- `Class.forName(...)`
- `clazz.getMethod(...).invoke(...)`

Cryptography
- Hardcoded keys or weak algorithms: `Cipher.getInstance("AES/ECB/NoPadding")`, `md5`, `sha1`
- No salting with hashes like `MessageDigest.getInstance("MD5")`

Insecure Deserialization
- Common libraries:
  - Java native serialization
  - Jackson
  - XStream
- Prevent by:
  - Disabling default typing
  - Using safe types or `ObjectMapper.enableDefaultTyping(NON_FINAL)` only with strict base classes (this method is deprecated since Jackson 2.10 in favour of `activateDefaultTyping` with a `PolymorphicTypeValidator`)

Misconfigurations
- Exposed Actuator and H2 endpoints: `/actuator/env`, `/actuator/heapdump`, `/actuator/jolokia`, `/h2-console/`
- Enable only required endpoints and secure them

Authentication/Session Risks
- Look for:
  - Custom auth logic
  - Missing CSRF protection: `springSecurity().csrf().disable()`, `vaadin.disable-xsrf-protection`
  - Insecure JWT usage (e.g., `alg=none`, no signature verification)