Spring MVC and

Autobinding vulns

Digital Security

Alexey GreenDog Tyurin@antyurin

Defcon Russia (DCG #7812) 2

Spring MVC

Defcon Russia (DCG #7812) 3

Model• Store info for the view

• Map

• “string”->object

Defcon Russia (DCG #7812) 4

AutobindingBinding params to object fields

Converter

Defcon Russia (DCG #7812) 5

Autobinding vuln

https://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf

Defcon Russia (DCG #7812) 6

Autobinding vuln

https://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf

Defcon Russia (DCG #7812) 7

More magic with annotations

@ModelAttribute on a method argument

“An @ModelAttribute on a method argument indicates the argument should be retrieved from the model “…

http://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/mvc.html

Defcon Russia (DCG #7812) 8

More magic with annotations

@ModelAttribute on a method“An @ModelAttribute on a method indicates the purpose of that method is to add one or more model attributes. @ModelAttribute methods in a controller are invoked before @RequestMapping methods”

http://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/mvc.html#mvc-ann-modelattrib-method-args

Defcon Russia (DCG #7812) 9

More magic with annotations

@SessionAttribute for controller“The type-level @SessionAttributes annotation declares session attributes used by a specific handler. This will typically list the names of model attributes or types of model attributes which should be transparently stored in the session”

Defcon Russia (DCG #7812) 10

More magic with redirectsFlashAttribute“Flash attributes provide a way for one request to store attributes intended for use in another.”

http://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/mvc.html

Defcon Russia (DCG #7812) 11

More magic with annotations

@ModelAttribute on a method argument “An @ModelAttribute on a method argument indicates the argument should be retrieved from the model. If not present in the model, the argument should be instantiated first and then added to the model. Once present in the model, the argument's fields should be populated from all request parameters that have matching names.”

– is a wrong/dangerous way to get value from the model. Because: at first - retrieving , then autobinding.

Defcon Russia (DCG #7812) 12

Ex 2. The First School of Bulimia

Defcon Russia (DCG #7812) 13

Ex 2. The First School of Bulimia

Defcon Russia (DCG #7812) 14

Ex 2. The First School of Bulimia

Defcon Russia (DCG #7812) 15

Ex 2. The First School of Bulimia

Defcon Russia (DCG #7812) 16

PopulatingBefor in Model:

“user” ={username = “Vasia”pass = “P@ssw0rd”weight= 100}

Autobinding:

After in Model: “user” ={ username = “lalallalala”pass = “P@ssw0rd”weight= 100 }

Defcon Russia (DCG #7812) 17

Example 1. Justice League

Defcon Russia (DCG #7812) 18

Example 1. Justice League

Defcon Russia (DCG #7812) 19

Example 1. Justice League

Defcon Russia (DCG #7812) 20

Example 1. Justice League• More magic? No @ModelAttribute

• Spring MVC is IoC and too smart?

Defcon Russia (DCG #7812) 21

Example 1. Justice League

Defcon Russia (DCG #7812) 22

Other real examples?• Github • Articles• Nothing interesting?

Defcon Russia (DCG #7812) 23

Blackbox testing• Errors • Collect all parameter names

Use them for all entry pointsCheck difference

• Strange names or arrays, hashmaps

24

Q&A

Defcon Russia (DCG #7812)

https://twitter.com/antyurinhttps://github.com/grrrdog