- Spring validation is performed to prevent attacks caused by unchecked input
- All inputs should be checked with the Spring Validator before the application processes them
- Every field included in a form should be validated in the Validator written for that form
- Spring supports groups and roles in the application
- Vulnerabilities in input validation may lead to buffer overflow attacks, cross-site scripting (XSS), SQL injection, etc.
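The following is an added example of a form-level Spring Validator, not code from the original page: one Validator per form, with a rule for every field the form carries (allow-list for the user name, shape check for the e-mail, range check for the age). The form bean, the field rules and the sample inputs are constructed for this example; it assumes spring-context is on the classpath and runs without a Spring container.

```java
import org.springframework.validation.BeanPropertyBindingResult;
import org.springframework.validation.Errors;
import org.springframework.validation.ValidationUtils;
import org.springframework.validation.Validator;
import java.util.regex.Pattern;

public class SpringValidationDemo {

    // Form bean for a hypothetical registration form (constructed for this example)
    public static class RegistrationForm {
        private final String username;
        private final String email;
        private final int age;

        public RegistrationForm(String username, String email, int age) {
            this.username = username;
            this.email = email;
            this.age = age;
        }
        public String getUsername() { return username; }
        public String getEmail() { return email; }
        public int getAge() { return age; }
    }

    // One Validator per form: every field the form carries gets a rule here
    public static class RegistrationFormValidator implements Validator {
        // Allow-list: 3-16 letters, digits or underscores; anything else is rejected outright
        private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_]{3,16}");
        // Deliberately simple e-mail shape check (no whitespace, one '@', a dot in the domain)
        private static final Pattern EMAIL = Pattern.compile("[^@\\s]+@[^@\\s]+\\.[^@\\s]+");

        @Override
        public boolean supports(Class<?> clazz) {
            return RegistrationForm.class.isAssignableFrom(clazz);
        }

        @Override
        public void validate(Object target, Errors errors) {
            RegistrationForm form = (RegistrationForm) target;
            ValidationUtils.rejectIfEmptyOrWhitespace(errors, "username", "username.empty");
            ValidationUtils.rejectIfEmptyOrWhitespace(errors, "email", "email.empty");
            if (form.getUsername() != null && !USERNAME.matcher(form.getUsername()).matches()) {
                errors.rejectValue("username", "username.invalid",
                        "user name must be 3-16 letters, digits or underscores");
            }
            if (form.getEmail() != null && !EMAIL.matcher(form.getEmail()).matches()) {
                errors.rejectValue("email", "email.invalid", "not a valid e-mail address");
            }
            if (form.getAge() < 13 || form.getAge() > 150) {
                errors.rejectValue("age", "age.range", "age out of range");
            }
        }
    }

    // Runs the validator the way a controller would, before the form is processed
    static Errors check(RegistrationForm form) {
        Errors errors = new BeanPropertyBindingResult(form, "registrationForm");
        new RegistrationFormValidator().validate(form, errors);
        return errors;
    }

    public static void main(String[] args) {
        RegistrationForm good = new RegistrationForm("alice_01", "alice@example.com", 30);
        // Constructed hostile input: script markup in the user name, malformed e-mail, under-age
        RegistrationForm bad = new RegistrationForm("<script>alert(1)</script>", "not-an-email", 7);
        System.out.println("good form errors: " + check(good).getErrorCount());
        System.out.println("bad form errors:  " + check(bad).getErrorCount());
    }
}
```

The allow-list on the user name is the control that matters for injection: the script payload fails the pattern and is never handed to the rest of the application, so the field rejects it before any output encoding or query building has to cope with it. The `check()` result carries one error per violated rule, which a controller would surface to the user instead of processing the form.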
Input Validation Errors: Improper Sanitization of Untrusted Data
- Web applications accept data from untrusted sources, such as untrusted users and network connections, and then pass that data across trust boundaries to other trusted subsystems for execution
- The data travels across those boundaries as strings with an internal syntactic structure (SQL, XML, etc.) that the receiving subsystem must parse
- If the subsystem does not handle malicious input correctly, the result is an injection attack such as SQL injection or XML injection
Vulnerable Code for SQL injection
- The vulnerable code is an example of a SQL injection vulnerability that occurs because the SQL statement sqlString is built directly from unsanitized input arguments

Input Validation Errors: Improper Sanitization of Untrusted Data (Cont’d)
- The JDBC library provides an API for building SQL commands that keeps untrusted input separate from the command text
- The java.sql.PreparedStatement class, when used properly, binds input strings as parameters rather than splicing them into the query text, so they cannot change the structure of the statement and SQL injection is prevented
- The set*() methods of PreparedStatement (setString(), setInt(), etc.) enforce the type of each bound parameter
Secure Code for SQL Injection
- In the following code, the doPrivilegedAction() method uses PreparedStatement instead of java.sql.Statement
- The method also validates the length of the username argument, rejecting an absurdly long user name deliberately submitted by an attacker before it ever reaches the database
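The following is an added example that reconstructs both the vulnerable and the secure version side by side, following the description above; it is not the page's own code. The vulnerable method concatenates the inputs into sqlString and runs it through java.sql.Statement; the secure doPrivilegedAction() uses PreparedStatement with setString() and a length check (the limit of 16 and the Connection parameter are this example's choices). The table, the row and the payload are constructed for the demo, which assumes the H2 JDBC driver is on the classpath and Java 11 or later.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SqlInjectionDemo {

    // Vulnerable: the untrusted user name and password are concatenated straight into
    // sqlString, so the attacker controls part of the SQL the database will parse
    static int vulnerableLogin(Connection conn, String username, String pwd) throws SQLException {
        String sqlString = "SELECT * FROM db_user WHERE user_name='" + username
                + "' AND pw_hash='" + pwd + "'";
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sqlString)) {
            return countRows(rs);
        }
    }

    // Secure: the query text is fixed and the inputs are bound with setString(),
    // so they reach the database as data and are never parsed as SQL
    static int doPrivilegedAction(Connection conn, String username, String pwd) throws SQLException {
        // Length check before the database is touched (16 is this example's chosen limit)
        if (username.length() > 16) {
            throw new SecurityException("User name too long");
        }
        String sqlString = "SELECT * FROM db_user WHERE user_name=? AND pw_hash=?";
        try (PreparedStatement stmt = conn.prepareStatement(sqlString)) {
            stmt.setString(1, username);
            stmt.setString(2, pwd);
            try (ResultSet rs = stmt.executeQuery()) {
                return countRows(rs);
            }
        }
    }

    private static int countRows(ResultSet rs) throws SQLException {
        int n = 0;
        while (rs.next()) n++;
        return n;
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 in-memory database; any JDBC database behaves the same way here
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement s = conn.createStatement()) {
                s.execute("CREATE TABLE db_user (user_name VARCHAR(32), pw_hash VARCHAR(64))");
                s.execute("INSERT INTO db_user VALUES ('alice', 'h4sh-of-real-password')");
            }
            // Constructed payload: closes the quoted string, adds a tautology, comments out the rest
            String payload = "' OR 1=1 --";
            System.out.println("vulnerable: rows returned = " + vulnerableLogin(conn, payload, "wrong"));
            System.out.println("prepared:   rows returned = " + doPrivilegedAction(conn, payload, "wrong"));
            // An absurdly long user name is rejected before any SQL is built
            try {
                doPrivilegedAction(conn, "A".repeat(200), "wrong");
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

With the payload, the concatenated statement becomes `SELECT * FROM db_user WHERE user_name='' OR 1=1 --' AND pw_hash='wrong'`, which matches every row and bypasses the password check; the prepared version looks for a user literally named `' OR 1=1 --` and returns nothing. Note that the length check is defence in depth, not the fix: the parameter binding is what makes the payload harmless, and the short payload passes the length check on purpose to show that.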

Input Validation Errors: Improper Sanitization of Untrusted Data (Cont’d)
Vulnerable Code for XML Injection
- In the code, the client method builds the XML query it sends to the server by simple string concatenation
- The client method does not validate its input properly, so an attacker who controls one of the concatenated values can inject XML of their own

Secure Code for XML Injection
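The following is an added example, not the page's own code, showing the concatenating client method beside a hardened version. The element names, the fields and the payload are constructed for the demo. The secure version applies the two controls that fit the two kinds of field: a numeric field gets an allow-list (only digits can pass), and a free-text field gets XML escaping so its content can never be read as markup.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class XmlInjectionDemo {

    // Vulnerable: the untrusted quantity is spliced into the document text, so an attacker
    // can close </quantity>, add elements of their own, and reopen <quantity>
    static String createXMLStreamVulnerable(ByteArrayOutputStream out, String quantity) throws IOException {
        String xmlString = "<item>\n<description>Widget</description>\n"
                + "<price>500.0</price>\n"
                + "<quantity>" + quantity + "</quantity></item>";
        out.write(xmlString.getBytes(StandardCharsets.UTF_8));
        out.flush();
        return xmlString;
    }

    // Allow-list for a numeric field: nothing but 1-6 digits gets through
    private static final Pattern QUANTITY = Pattern.compile("[0-9]{1,6}");

    // Secure: the structured field is allow-listed, the free-text field is escaped
    static String createXMLStreamSecure(ByteArrayOutputStream out, String description, String quantity)
            throws IOException {
        if (!QUANTITY.matcher(quantity).matches()) {
            throw new IllegalArgumentException("quantity must be 1-6 digits");
        }
        String xmlString = "<item>\n<description>" + escapeXml(description) + "</description>\n"
                + "<price>500.0</price>\n"
                + "<quantity>" + quantity + "</quantity></item>";
        out.write(xmlString.getBytes(StandardCharsets.UTF_8));
        out.flush();
        return xmlString;
    }

    // Escape the five XML metacharacters so text content can never be interpreted as markup
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&apos;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed payload: injects a second <price> element that a lenient parser may honour
        String payload = "1</quantity><price>1.0</price><quantity>1";
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        System.out.println(createXMLStreamVulnerable(out, payload));
        System.out.println();
        // Markup in the free-text field survives only as escaped text
        System.out.println(createXMLStreamSecure(out, "Widget <b>&</b>", "1"));
        try {
            createXMLStreamSecure(out, "Widget", payload);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The vulnerable output is still well-formed XML, which is why this class of bug is easy to miss: the attacker's `<price>1.0</price>` sits after the legitimate one, and a server that takes the last `price` it sees charges the attacker's price. The allow-list rejects the payload outright, and escaping covers fields that legitimately may contain `<`, `>` or `&`; for documents with a fixed structure, validating the finished document against a schema on the receiving side is the complementary check.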
