
[Defcon Russia #29] Alexey Tyurin - Spring autobinding


Spring MVC has a great feature: autobinding. Used incorrectly, though, it can introduce "invisible" vulnerabilities, sometimes with serious impact. We look at a couple of examples and dig into the details of how autobinding bugs arise. Writeup [ENG]: http://agrrrdog.blogspot.ru/2017/03/autobinding-vulns-and-spring-mvc.html


  1. Spring MVC and Autobinding vulns. Digital Security. Alexey "GreenDog" Tyurin, @antyurin
  2. Spring MVC (slide footer, repeated on every slide: Defcon Russia (DCG #7812))
  3. Model
     • Store info for the view
     • Map
     • "string" -> object
  4. Autobinding: binding params to object fields; Converter
  5. Autobinding vuln: https://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf
  6. Autobinding vuln (continued, same reference)
  7. More magic with annotations: @ModelAttribute on a method argument. "An @ModelAttribute on a method argument indicates the argument should be retrieved from the model ..." http://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/mvc.html
  8. More magic with annotations: @ModelAttribute on a method. "An @ModelAttribute on a method indicates the purpose of that method is to add one or more model attributes. @ModelAttribute methods in a controller are invoked before @RequestMapping methods." http://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/mvc.html#mvc-ann-modelattrib-method-args
  9. More magic with annotations: @SessionAttributes for a controller. "The type-level @SessionAttributes annotation declares session attributes used by a specific handler. This will typically list the names of model attributes or types of model attributes which should be transparently stored in the session."
  10. More magic with redirects: FlashAttribute. "Flash attributes provide a way for one request to store attributes intended for use in another." http://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/mvc.html
  11. More magic with annotations: @ModelAttribute on a method argument. "An @ModelAttribute on a method argument indicates the argument should be retrieved from the model. If not present in the model, the argument should be instantiated first and then added to the model. Once present in the model, the argument's fields should be populated from all request parameters that have matching names." This is a wrong/dangerous way to get a value from the model, because the object is retrieved from the model first and then autobound from the request parameters.
  12. Ex 2. The First School of Bulimia
  13. Ex 2. The First School of Bulimia
  14. Ex 2. The First School of Bulimia
  15. Ex 2. The First School of Bulimia
  16. Populating. Before, in Model: "user" = {username = "Vasia", pass = "P@ssw0rd", weight = 100}. Autobinding. After, in Model: "user" = {username = "lalallalala", pass = "P@ssw0rd", weight = 100}
  17. Example 1. Justice League
  18. Example 1. Justice League
  19. Example 1. Justice League
  20. Example 1. Justice League
     • More magic? No @ModelAttribute
     • Spring MVC is IoC and too smart?
  21. Example 1. Justice League
  22. Other real examples?
     • Github
     • Articles
     • Nothing interesting?
  23. Blackbox testing
     • Errors
     • Collect all parameter names; use them for all entry points; check the difference
     • Strange names or arrays, hashmaps
  24. Q&A: https://twitter.com/antyurin https://github.com/grrrdog
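Slides 11 and 16 describe the core bug: a `@ModelAttribute` method argument is first retrieved from the model (here a session-stored object) and then every request parameter with a matching name is bound onto it, so a request that only meant to change `weight` can also rewrite `username`. The following Spring MVC controller is an added illustration, not code from the talk or from the Spring project; the `User` and `WeightForm` classes, the field names and the `/profile/...` paths are assumptions chosen to match the slide-16 before/after. It places the risky pattern next to two mitigations: an `@InitBinder` whitelist via `WebDataBinder.setAllowedFields`, and (Spring 4.3 or later) `@ModelAttribute(binding = false)` on the session object combined with binding the request into a dedicated form type.

```java
package example; // hypothetical package for this illustration

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.SessionAttributes;

// Domain object kept in the session under model attribute "user".
// Field names follow slide 16; the class itself is an assumption.
class User {
    private String username;
    private String pass;
    private int weight;

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPass() { return pass; }
    public void setPass(String pass) { this.pass = pass; }
    public int getWeight() { return weight; }
    public void setWeight(int weight) { this.weight = weight; }
}

// Dedicated form object holding only the field a request may legitimately set.
class WeightForm {
    private int weight;
    public int getWeight() { return weight; }
    public void setWeight(int weight) { this.weight = weight; }
}

@Controller
@SessionAttributes("user") // "user" is kept in the HTTP session between requests
class LegacyProfileController {

    // The slide-11 pattern: "user" is retrieved from the model/session, then
    // ALL request parameters with matching names are bound onto it. A request
    // that also carries username=... rewrites the stored user's name, exactly
    // as the slide-16 before/after shows, although only weight was meant to change.
    @PostMapping("/legacy/profile/weight")
    public String updateWeight(@ModelAttribute("user") User user) {
        return "redirect:/profile";
    }
}

@Controller
@SessionAttributes("user")
class HardenedProfileController {

    // Mitigation 1: whitelist the bindable properties of the "user" attribute.
    // The binder ignores request parameters naming any other property.
    @InitBinder("user")
    void restrictUserBinding(WebDataBinder binder) {
        binder.setAllowedFields("weight");
    }

    @PostMapping("/profile/weight")
    public String updateWeight(@ModelAttribute("user") User user) {
        // after binding, only user.weight can differ from the session copy
        return "redirect:/profile";
    }

    // Mitigation 2 (Spring 4.3+): disable binding on the session object entirely
    // and bind the request into a small form type, copying over the intended
    // field explicitly.
    @PostMapping("/profile/weight-form")
    public String updateWeightViaForm(@ModelAttribute(name = "user", binding = false) User user,
                                      @ModelAttribute("weightForm") WeightForm form) {
        user.setWeight(form.getWeight());
        return "redirect:/profile";
    }
}
```

The two controllers use different paths only so that both can live in one application for comparison; in a real code base the legacy handler is the one to remove. `setAllowedFields` is scoped to the attribute named in `@InitBinder("user")`, so other attributes bound by the same controller keep their normal binding rules.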
