
Securing SPAs with Spring


Marcus Hert Da Coregio

May 31, 2022


Transcript

  1. Marcus Hert da Coregio, Spring Security @ VMware. Securing SPAs with Spring. Copyright © 2022 VMware, Inc. or its affiliates.
  2. Who am I? Marcus Hert da Coregio
     • Joined the Spring Security team in May 2021
     • @marcusdacoregio on social networks
  3. Agenda
     • CORS and Form Login
     • CSRF
     • Application Personalization
     • IDOR (Insecure Direct Object Reference)
     • Clickjacking and XSS
     • BFF and OAuth2
  4. How CSRF works (reference: https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf). From a malicious website, the browser sends a request to the server that carries the attacker's payload ⚠ together with the user's identity cookie 🍪: because request domain == cookie domain, the browser attaches the cookies.
  5. Double-Submit Cookie Pattern (reference: https://owasp.org/www-pdf-archive/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf). The browser sends the request with a cookie holding the CSRF token 🍪 and the CSRF token in the request 📩; the server checks ⚖ whether they match. Since request domain == cookie domain, the browser still sends the cookies, but the browser does not add the CSRF token to a forged request.
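The server side of slide 5 ("do they match?") as Spring Security 5.7 configuration for the servlet-based API backend. This is an added example, not code from the deck or from its sample repository; the class name `CsrfConfig` and the use of the default form login are assumptions. It enables Spring Security's built-in double-submit implementation: the token is written to an `XSRF-TOKEN` cookie that is readable by JavaScript, the SPA copies it into the `X-XSRF-TOKEN` header on state-changing requests, and `CsrfFilter` rejects any request whose header does not match the cookie.

```java
// Added example (not from the deck or its sample repo): double-submit cookie
// CSRF protection for an SPA with Spring Security 5.7 on the servlet stack.
// Assumes a Spring Boot app with spring-boot-starter-security on the classpath.
package example.csrf;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
public class CsrfConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Keep the CSRF token in the XSRF-TOKEN cookie with HttpOnly=false so the
            // SPA's JavaScript can read it and echo it back in the X-XSRF-TOKEN header.
            // CsrfFilter then compares the header value with the cookie value and
            // rejects POST/PUT/PATCH/DELETE requests where they differ or the header
            // is missing (the forged request from slide 4 has the cookie but no header).
            .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Session-based login as on slide 6; the browser only ever holds the session cookie.
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

The attacker's page on another origin cannot read the cookie, so it cannot produce a matching header; that is the whole strength of the pattern, and also its limit: it holds only as long as nobody but the server (and same-origin scripts) can set cookies for the domain, which is why the referenced OWASP paper on defeating double-submit is worth reading before relying on it alone. Cookie and header names above are the defaults of `CookieCsrfTokenRepository`.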
  6. What we have now: Browser ↔ Single Page App ↔ API Backend, authenticated by a 🍪 session cookie. Everything sits in the PUBLIC ZONE, 🔓 no security headers.
  7. End Product: Browser ↔ Single Page App (🍪 session) ↔ BFF (Spring Security + Spring Cloud Gateway, 🔒 security headers, TokenRelay filter) ↔ Resource Server (JWT) in the PRIVATE TRUSTED ZONE. Spring Authorization Server issues the tokens; the resource server retrieves the JWT keys. Reference: https://github.com/spring-projects/spring-authorization-server/issues/297
  8. BFF Pros and Cons
     Pros
     • No access token in the browser
     • No refresh token in the browser
     • Single trusted application instead of two apps
     • Better protection against XSS (CSP and security headers)
     • APIs can be deployed in a private trusted zone
     Cons
     • Performance worse if downstream APIs are required
     • High probability of code duplication and lower reuse
     • Business logic may bleed into the BFFs
     • From a security perspective? None.
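The BFF of slide 7 and the pros listed on slide 8 (no access or refresh token in the browser, security headers in one trusted app, APIs behind the gateway), as Spring Cloud Gateway plus reactive Spring Security configuration. This is an added example, not code from the deck or from its sample repository. It assumes Spring Cloud Gateway 3.x with spring-boot-starter-oauth2-client, a client registration for the authorization server already configured in application.yml, a resource server at `http://localhost:8090` (placeholder), and the bean/route names `BffConfig` and `api`.

```java
// Added example (not from the deck or its sample repo): a BFF built from
// Spring Cloud Gateway + reactive Spring Security. Browser holds only a session
// cookie; the BFF holds the tokens and relays the access token downstream.
package example.bff;

import org.springframework.cloud.gateway.route.RouteLocator;
import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;

@Configuration
public class BffConfig {

    @Bean
    SecurityWebFilterChain bffFilterChain(ServerHttpSecurity http) {
        http
            // Authorization-code login against Spring Authorization Server (registration
            // from application.yml). Access and refresh tokens stay in the BFF's session
            // store; the browser never sees them (slide 8, first two pros).
            .oauth2Login(Customizer.withDefaults())
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            // Same double-submit cookie as on the servlet side, reactive flavour.
            .csrf(csrf -> csrf.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()))
            // Security headers are set once, here, for the whole SPA: X-Frame-Options DENY
            // (clickjacking) is already on by default; a CSP limits XSS impact.
            .headers(headers -> headers.contentSecurityPolicy(
                csp -> csp.policyDirectives("default-src 'self'; frame-ancestors 'none'")));
        return http.build();
    }

    // On the reactive stack the CsrfToken is lazy: subscribe to it so the XSRF-TOKEN
    // cookie is actually written to the response the SPA loads.
    @Bean
    WebFilter csrfCookieWebFilter() {
        return (exchange, chain) -> {
            Mono<CsrfToken> csrfToken =
                exchange.getAttributeOrDefault(CsrfToken.class.getName(), Mono.empty());
            return csrfToken.then(chain.filter(exchange));
        };
    }

    // Route the SPA's /api/** calls to the resource server in the private zone.
    // TokenRelay replaces the session context with "Authorization: Bearer <access token>"
    // before forwarding; the resource server validates the JWT with the keys it
    // retrieved from the authorization server. URI is a placeholder.
    @Bean
    RouteLocator apiRoute(RouteLocatorBuilder builder) {
        return builder.routes()
            .route("api", r -> r.path("/api/**")
                .filters(f -> f.tokenRelay())
                .uri("http://localhost:8090"))
            .build();
    }
}
```

The resource server itself needs nothing beyond `oauth2ResourceServer(oauth2 -> oauth2.jwt())` pointed at the authorization server's issuer, and, being in the private zone, it should accept traffic only from the BFF. The "performance worse" con on slide 8 is visible here: every SPA call now traverses the gateway before reaching the API.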
  9. Thank you. Contact me at [email protected], @marcusdacoregio on Twitter/GitHub. © 2022 Spring. A VMware-backed project. Sample code: https://github.com/marcusdacoregio/springio-2022-securing-spas-with-spring
  10. Q&A