I took down a new Spring app I wrote two nights ago when I spotted a strange error message on the console. I put it up again last night after doing some security research, and the error message recurred. The application is still running now, and I was simply hoping to get a bit of beta-testing and feedback. I’ve just figured out a way to generate audio via Java on the server side and send it to the browser using Thymeleaf and the Web Audio API, and was showing that off.
It’s a little “self test” for musical intonation skills, at http://adonax.com:8081/IntervalWidthTest
After researching, it seems to me safe to conclude that simply opening a port is not particularly dangerous, as long as the application handling input from that port is safe. The database is embedded, not persistent (using H2). It’s only used to tally up answers on a given test run. And the jar doesn’t even require SUDO to run, so no special privileges to compromise, AFAIK. I think the only real danger is a possible DOS attack, which is highly unlikely.
Input is limited to radio button values and a couple hidden fields holding ID numbers for the Test and Question records.
Here are excerpts from the console INFO log:
“Error parsing HTTP request header”
“Invalid character found in method name” followed by very long hex literal within [ ]'s and “HTTP method names must be tokens”.
The user/client was on question 3 of a series of 10 questions when this occurred.
As an experiment, I tried changing the URL from http to https mid-test. I got a console message that is nearly identical. The stack trace is exactly the same, only the hex within the [ ]'s is different. It doesn’t seem to crash the program. IDK. Did someone try changing from http to https mid-test?
Or was there possibly some sort of hacking attempt?
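The http-to-https experiment above is the right instinct: a browser told to use https:// against a port that only speaks plain HTTP opens with a TLS ClientHello, and Tomcat reports those bytes as an invalid method name. As an added example (not the poster's code), the helper below decodes the bracketed bytes from such a log line and checks whether they are a TLS handshake record. The log lines and byte values are constructed here, and the way Tomcat renders non-token bytes as `0xHH` is assumed.

```python
import re

# Constructed sample lines in the shape the post describes. The bytes inside [ ]
# are made up here, not the poster's values; the rendering (non-token bytes as
# 0xHH, printable bytes as-is) is assumed for Tomcat's message format.
TLS_SAMPLE = (
    "java.lang.IllegalArgumentException: Invalid character found in method name "
    "[0x160x030x010x000xc50x010x000x000xc10x030x03]. HTTP method names must be tokens"
)
OTHER_SAMPLE = (
    "java.lang.IllegalArgumentException: Invalid character found in method name "
    "[GET0x000xff/index]. HTTP method names must be tokens"
)

BRACKET_RE = re.compile(r"Invalid character found in method name \[(.*?)\]")
TOKEN_RE = re.compile(r"0x[0-9a-fA-F]{2}|.", re.DOTALL)

# RFC 7230 tchar: the characters a legal HTTP method may contain.
TCHAR = (set(b"!#$%&'*+-.^_`|~") | set(range(0x30, 0x3A))
         | set(range(0x41, 0x5B)) | set(range(0x61, 0x7B)))


def decode_bracket(text: str) -> bytes:
    """Turn Tomcat's '[0x16GET0x03...]' rendering back into raw bytes."""
    m = BRACKET_RE.search(text)
    if not m:
        return b""
    out = bytearray()
    for tok in TOKEN_RE.findall(m.group(1)):
        if len(tok) == 4 and tok.startswith("0x"):
            out.append(int(tok[2:], 16))
        else:
            out.extend(tok.encode("latin-1"))
    return bytes(out)


def classify(raw: bytes) -> str:
    """Guess what the client actually sent to the plaintext HTTP port."""
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x03,
    # 2-byte length, then handshake type 0x01 = ClientHello.
    if (len(raw) >= 6 and raw[0] == 0x16 and raw[1] == 0x03
            and raw[2] <= 0x03 and raw[5] == 0x01):
        return "tls_client_hello"
    head = raw.split(b" ", 1)[0]
    if head and all(b in TCHAR for b in head):
        return "http_method_ok"  # the method itself was fine; the bad byte came later
    return "unknown_binary"


def triage(log_text: str) -> dict:
    """Decode one log line and label the bytes for the incident note."""
    raw = decode_bracket(log_text)
    return {"bytes": raw, "kind": classify(raw)}
```

A `tls_client_hello` result means a client (a browser, a scanner, or a misconfigured link) tried TLS on the plaintext port; anything else is worth a closer look at the surrounding access log entries.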