Spring MVC and
Autobinding vulns
Digital Security
Alexey "GreenDog" Tyurin, @antyurin
Defcon Russia (DCG #7812) 2
Spring MVC
Model
• Store info for the view
• Map
• “string” -> object
Autobinding
Binding params to object fields
Converter
Autobinding vuln
https://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf
More magic with annotations
@ModelAttribute on a method argument
“An @ModelAttribute on a method argument indicates the argument should be retrieved from the model “…
http://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/mvc.html
More magic with annotations
@ModelAttribute on a method
“An @ModelAttribute on a method indicates the purpose of that method is to add one or more model attributes. @ModelAttribute methods in a controller are invoked before @RequestMapping methods”
http://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/mvc.html#mvc-ann-modelattrib-method-args
More magic with annotations
@SessionAttributes for a controller
“The type-level @SessionAttributes annotation declares session attributes used by a specific handler. This will typically list the names of model attributes or types of model attributes which should be transparently stored in the session”
More magic with redirects
FlashAttribute
“Flash attributes provide a way for one request to store attributes intended for use in another.”
http://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/mvc.html
More magic with annotations
@ModelAttribute on a method argument “An @ModelAttribute on a method argument indicates the argument should be retrieved from the model. If not present in the model, the argument should be instantiated first and then added to the model. Once present in the model, the argument's fields should be populated from all request parameters that have matching names.”
This is a wrong and dangerous way to get a value from the model, because the argument is first retrieved from the model and only then autobound from the request parameters.
Ex 2. The First School of Bulimia
Populating
Before, in Model:
“user” = { username = “Vasia”, pass = “P@ssw0rd”, weight = 100 }
Autobinding:
After, in Model:
“user” = { username = “lalallalala”, pass = “P@ssw0rd”, weight = 100 }
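The retrieve-then-autobind behaviour of @ModelAttribute on a method argument, combined with @SessionAttributes, as an added example (not code from the talk): the session-stored “user” is re-populated from every matching request parameter, and an @InitBinder whitelist is one way to stop fields such as username or pass from being overwritten. The User class, ProfileController and the /profile mapping are assumptions.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.*;

// Domain object kept in the model/session (assumed; mirrors the talk's "user" example).
class User {
    private String username; private String pass; private int weight;
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPass() { return pass; }
    public void setPass(String pass) { this.pass = pass; }
    public int getWeight() { return weight; }
    public void setWeight(int weight) { this.weight = weight; }
}

@Controller
@SessionAttributes("user") // "user" is stored transparently in the HTTP session
public class ProfileController {

    // Invoked before every @RequestMapping method in this controller:
    // puts the current user into the model (and, via @SessionAttributes, the session).
    @ModelAttribute("user")
    public User loadUser() { return currentUser(); }

    // VULNERABLE without the @InitBinder below: @ModelAttribute on the argument first
    // retrieves "user" from the model/session and THEN autobinds every request parameter
    // whose name matches a field, so username and pass can be rewritten along with weight.
    @RequestMapping(value = "/profile/weight", method = RequestMethod.POST)
    public String updateWeight(@ModelAttribute("user") User user) {
        return "redirect:/profile";
    }

    // HARDENED: restrict binding for the "user" model attribute to the one field this
    // endpoint is meant to change; any other parameter names are ignored by the binder.
    // (An alternative is binding to a small form DTO and copying only that field.)
    @InitBinder("user")
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("weight");
    }

    private User currentUser() {
        // Constructed sample in place of a real lookup (e.g. from the security context).
        User u = new User();
        u.setUsername("Vasia"); u.setPass("P@ssw0rd"); u.setWeight(100);
        return u;
    }
}
```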
Example 1. Justice League
Example 1. Justice League
• More magic? No @ModelAttribute
• Spring MVC is IoC and too smart?
Other real examples?
• Github
• Articles
• Nothing interesting?
Blackbox testing
• Errors
• Collect all parameter names; use them for all entry points; check the difference
• Strange names or arrays, hashmaps
Q&A
https://twitter.com/antyurin
https://github.com/grrrdog