Welcome to the very first lesson of the security misconfiguration course! In this lesson, we will explore the concept of default credentials and their impact on web application security. Default credentials are pre-set usernames and passwords that come with many applications and devices. While convenient for initial setup, they pose significant security risks if not changed.

By the end of this lesson, you will learn how to identify, exploit, and secure endpoints that use default credentials. Let's dive in! 🚀

Default credentials are the factory-set usernames and passwords that come with many applications and devices. They are intended for initial setup but can become a security risk if not changed. For example, an admin panel might come with a default username admin and password admin123. If these credentials remain unchanged, anyone with access to the application can log in and potentially access sensitive data.

Default credentials exist primarily to help developers quickly test and set up applications during development. However, they often find their way into production environments due to rushed deployments, poor documentation, or simple oversight.

Sometimes, teams intentionally keep them unchanged for "easier maintenance," which creates significant security risks. It is crucial to change default credentials to prevent unauthorized access and protect your application from potential breaches.

Let's look at a code snippet that demonstrates the use of default credentials in an admin panel. This example shows how an attacker might exploit these credentials to gain unauthorized access.

In this code, the admin panel uses default credentials (admin and admin123). If these credentials are not changed, anyone can log in as an admin, posing a significant security risk. This vulnerability can be exploited to access sensitive data or perform unauthorized actions.

Let's look at another vulnerable endpoint that demonstrates how an attacker can exploit default credentials to access sensitive user data:

This endpoint is particularly vulnerable because it relies on a simple header check for . An attacker who has logged in with can easily access all user data by including the access header in their request.

Now, let's see how an attacker might exploit the vulnerable code using a simple curl command. This demonstration will show how easy it is to gain unauthorized access when default credentials are left unchanged.

In this example, the attacker uses a curl command to send a POST request to the admin login endpoint with the default credentials. If the credentials are still active, the attacker will receive a response indicating a successful login, granting them access to the admin panel. They can then use the access token to retrieve sensitive user data.

Let's look at how to properly set up admin users using environment variables and secure password hashing. We'll use Spring Boot's configuration system to manage admin credentials securely.

First, let's create our User entity:

Here's the Role enum:

Now, let's create a repository for database operations:

Next, we will implement the initialization logic using Spring Boot's ApplicationRunner:

Next, we will implement jwt-based authentication to protect the admin panel. This ensures that only authorized users can access the admin panel.

First, let's create a utility class for JWT operations using the Auth0 JWT library:

Now, let's update our login endpoint to use JWT:

Let's look at how we can protect sensitive endpoints using our JWT authentication. We'll create a method to verify admin access:

Now, let's update our user data endpoint to use this verification method:

This version uses the verifyAdminOrError method to verify the JWT token from the Authorization header and ensure that only users with an ADMIN role can access sensitive user information. The method returns an AdminOutcome record that contains either the authenticated user or an error response, making it easy to handle both success and failure cases.

In this lesson, we explored the risks associated with default credentials and how they can be exploited. We learned how to identify vulnerable endpoints and secure them using environment variables and jwt-based authentication. By implementing these best practices, you can protect your application from unauthorized access and potential breaches.

Key takeaways from this lesson:

1. Never hardcode credentials - Always use environment variables or secure configuration management
2. Use strong password hashing - BCrypt provides secure one-way hashing for passwords
3. Implement JWT tokens - Short-lived tokens with expiration times limit the damage from compromised credentials
4. Verify admin roles - Always check user roles before granting access to sensitive operations
5. Choose strong credentials - Use complex usernames and passwords with proper entropy

As you move on to the practice exercises, remember the importance of securing your endpoints and managing credentials properly. Good luck, and see you in the next lesson! 🎉