What docs or links are there that would describe passed bug that turned in to vulnerabilities of spring security and how does one go about trying to hack into the framework?
I’m mainly interested in how to work around login and authorization of the spring security framework. Any technique that would help me to create automated penetration tests would be great help.
Unrelated side-note (would like to know your opinion on it though):
One feature that I would make the framework awesome is banning of IP addresses that exceeded daily request limit, or even better request limit per hour. So far I have been doing his on Cisco ASA or IPS units but it would be very useful to have application log of the events integrated together with spring security.
Any intel on this would be greatly appreciated.
XSS exploits are one of the most infamous, but, you’ve probably tried them.
Check the OWASP Top 10 (google please). You can try all of those.
Also, for blocking requests, that seems like a very good idea, until you realize the fact that raw sockets allow any even remotely experienced hacker to forge their IP. I guess you could validate the IP (because many times the script used to attack the page would not have a valid IP, as they would be randomly generated), but, websites are slow enough anyway, and as soon as you would do that, you’d still be vulnerable to slightly more sophisticated attacks that use IP databases.
Also, check out Metasploit, its VERY easy to use, and should get you on the road really quickly. You can also script penetration tests, so, once you deploy an update, just run a Ruby script and it should test it for holes.