Insecure JAX-RS Endpoint
Description
This method is part of a REST Web Service (JSR311) and its security should be analyzed, including authentication, access control, input validation, and communication over SSL.
Examples
Insecure Code
Example of insecure JAX-RS endpoint:
```scala
@javax.ws.rs.Path("/users")
def getUsers(): List[User] = {...}
```
Secure Code
Example of secure JAX-RS endpoint:
```scala
@javax.ws.rs.Path("/users")
@javax.ws.rs.Produces("application/json")
def getUsers(@Context request: HttpServletRequest): List[User] = {...}
```
Remediation
Analyze the security of this web service by testing authentication, access control, and input validation. Ensure communication is over SSL and investigate vulnerability to CSRF if the service supports writes.
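The following is an added example, not code from the rule page, showing how the remediation points above (authentication, access control, input validation, write-endpoint CSRF exposure) map onto a JAX-RS resource; `UserStore` and `CreateUserRequest` are hypothetical types introduced for the illustration.

```scala
import javax.annotation.security.RolesAllowed
import javax.validation.Valid
import javax.validation.constraints.{NotNull, Pattern, Size}
import javax.ws.rs._
import javax.ws.rs.core.{Context, MediaType, Response, SecurityContext}

// Request body for creating a user. Bean Validation constraints on the
// fields are enforced by the container because the parameter is @Valid.
class CreateUserRequest {
  @NotNull @Size(min = 1, max = 64) @Pattern(regexp = "^[A-Za-z0-9_.-]+$")
  var username: String = _
  @NotNull @Pattern(regexp = "^[^@\\s]+@[^@\\s]+$")
  var email: String = _
}

case class User(id: Long, username: String, email: String)

// Hypothetical persistence interface; not part of the rule page.
trait UserStore {
  def all(): java.util.List[User]
  def byUsername(name: String): java.util.List[User]
  def create(username: String, email: String): User
}

@Path("/users")
@Produces(Array(MediaType.APPLICATION_JSON))
class UsersResource(store: UserStore) {

  // Read: caller must be authenticated and hold one of these roles.
  // Authorization beyond the role check: non-admins only see themselves.
  @GET
  @RolesAllowed(Array("user", "admin"))
  def getUsers(@Context sc: SecurityContext): java.util.List[User] =
    if (sc.isUserInRole("admin")) store.all()
    else store.byUsername(sc.getUserPrincipal.getName)

  // Write: admin only; accepts JSON only, so a plain HTML form post
  // (the simple CSRF case) is rejected with 415; body is validated
  // before any business logic runs.
  @POST
  @RolesAllowed(Array("admin"))
  @Consumes(Array(MediaType.APPLICATION_JSON))
  def createUser(@Valid @NotNull req: CreateUserRequest): Response = {
    val created = store.create(req.username, req.email)
    Response.status(Response.Status.CREATED).entity(created).build()
  }
}
```

The SSL requirement from the remediation text is enforced at the container or proxy layer (transport guarantee or TLS termination), not in the resource class. `@RolesAllowed` is only honored when role-based security is registered with the JAX-RS runtime (in Jersey, `RolesAllowedDynamicFeature`); without it the annotation is silently ignored.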
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0031 |
| Category | Web |
| Severity | MEDIUM |
| CWE | CWE-348 |
| Confidence | MEDIUM |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | REST, Web Service, Security |
| OWASP | N/A |