Mikhail Egorov, profile picture
Uploaded byMikhail Egorov
PDF, PPTX1,796 views

Entity provider selection confusion attacks in JAX-RS applications

The document discusses entity provider selection confusion attacks in JAX-RS applications, highlighting vulnerabilities when resource methods do not specify preferred content types with the @consumes annotation. It details the impact of these attacks, including risks of remote code execution, denial of service, and cross-site request forgery, specifically addressing security flaws in RESTEasy and Jersey frameworks. Key recommendations include restricting content types and being cautious with multipart content types.

Internetβ—¦

Embed presentation

Download as PDF, PPTX
Entity provider selection confusion attacks in JAX-RS applications Mikhail Egorov
β€’ Security researcher, bug hunter β€’ Application security engineer at Odin [ Ingram Micro Cloud ] β€’ @0ang3el β€’ http://0ang3el.blogspot.com β€’ http://www.slideshare.net/0ang3el About me
β€’ Java API for creating RESTful web services β€’ Part of J2EE since J2EE 6 β€’ JAX-RS 2.0 [ https://jcp.org/aboutJava/communityprocess/final/jsr339/index.html ] β€’ RESTEasy [ Red Hat ] , Jersey [ Oracle ] What is JAX-RS?
β€’ RESTful web services are based on REST architectural style β€’ Some features β€’ Resource identification through URI β€’ Uniform interface β€’ Self-descriptive messages β€’ Stateful interactions through hyperlinks What is RESTful web services?
Simple RESTful web service built w/ JAX-RS ; import javax.ws.rs.GET; import javax.ws.rs.Path; import javax.ws.rs.Produces; @Path("helloworld") public class HelloWorldResource { public static final String CLICHED_MESSAGE = "Hello World!"; @GET @Produces("text/plain") public String getHello() { return CLICHED_MESSAGE; } }
Simple RESTful web service built w/ JAX-RS ;
β€’ Annotated parameters β€’ @PathParam β€’ @QueryParam β€’ @FormParam β€’ @HeaderParam β€’ @CookieParam β€’ @MatrixParam β€’ Entity parameters – parameters without annotation Passing parameters to resource method
β€’ @QueryParam example β€’ Entity parameter example Passing parameters to resource method @GET @Path("/order") public String getOrder(@QueryParam("id") Sting id) { ... } @Path("/order") @PUT public void putOrder(Order order) { ... }
β€’ Unmarshalling – process of converting message content into Java object which is passed as parameter into resource method β€’ Entity providers are used for marshalling/unmarshalling Entity parameters
β€’ Entity providers – specials Java classes β€’ Annotated with @Provider β€’ Implement javax.ws.rs.ext.MessageBodyReader [ isReadable(), readFrom() ] β€’ Entity provider is selected based on β€’ Content type specified with @Consumes annotation β€’ Content-Type HTTP header in request β€’ Java Class of entity parameter β€’ There are interesting built-in entity providers Entity providers
β€’ Jersey performs WEB-INF/lib scanning for entity providers β€’ RESTEasy by default performs WEB-INF/lib scanning for entity providers, parameter resteasy.scan.providers does not work [ https://issues.jboss.org/browse/RESTEASY-1504 ] Automated scanning for entity providers
β€’ Attacker selects entity provider which is not intended for unmarshalling, by manipulating with Content-Type header of HTTP request Entity provider selection confusion attack
β€’ Occur when resource or resource method does not specify preferred content type via @Consumes annotation β€’ Or specifies it too permissive β€’ */* β€’ application/* β€’ And in some cases when content type is β€’ multipart/* β€’ multipart/form-data β€’ etc Entity provider selection confusion attack
β€’ Impact of attack β€’ RCE β€’ DoS β€’ CSRF β€’ XXE β€’ etc Entity provider selection confusion attack
β€’ RESTEasy by default has SerializableProvider entity provider β€’ Vulnerable resource method doConcat() Attack for RESTEasy [ CVE-2016-7050 ] @POST @Path("/concat") @Produces(MediaType.APPLICATION_JSON) public Map doConcat(Pair pair) { HashMap result = new HashMap(); result.put("Result", pair.getP1() + pair.getP2()); return result; } public class Pair implements Serializable { ... }
β€’ isReadable() method of SerializableProvider β€’ SerializableProvider is used when Content-Type is application/x-java- serialized-object and Java class of entity parameter is serializable Attack for RESTEasy [ CVE-2016-7050 ] public boolean isReadable(Class type, Type genericType, Annotation[] annotations, MediaType mediaType) { return (Serializable.class.isAssignableFrom(type)) && (APPLICATION_SERIALIZABLE_TYPE.getType().equals(mediaType.getType())) && (APPLICATION_SERIALIZABLE_TYPE.getSubtype().equals(mediaType.getSubtype())); }
β€’ readFrom() method of SerializableProvider Attack for RESTEasy [ CVE-2016-7050 ] public Serializable readFrom(Class type, Type genericType, Annotation[] annotations, MediaType mediaType, MultivaluedMap httpHeaders, InputStream entityStream) throws IOException, WebApplicationException { BufferedInputStream bis = new BufferedInputStream(entityStream); ObjectInputStream ois = new ObjectInputStream(bis); try { return (Serializable)Serializable.class.cast(ois.readObject()); } catch (ClassNotFoundException e) { throw new WebApplicationException(e); } }
Attack for RESTEasy [ CVE-2016-7050 ]
Attack for RESTEasy [ CVE-2016-7050 ]
β€’ Jersey has default jersey-media-kryo entity provider β€’ Vulnerable resource method doShowSize() Attack for Jersey @POST @Path("/size") @Produces(MediaType.APPLICATION_JSON) public Map<String, String> doShowSize(ArrayList<Pair> pairs) { HashMap<String, String> result = new HashMap<String, String>(); result.put("Count", String.valueOf(pairs.size())); return result; }
β€’ DoS payload - https://gist.github.com/coekie/a27cc406fc9f3dc7a70d Attack for Jersey
β€’ DoS payload - https://gist.github.com/coekie/a27cc406fc9f3dc7a70d Attack for Jersey
β€’ Narrow possible content types for resource or resource method using @Consumes annotation β€’ Use multipart/*, multipart/form-data, etc. content types with caution β€’ Java deserialization bugs exist not only in RMI/JMX/JMS Takeaways

More Related Content

PDF
Unsafe JAX-RS: Breaking REST API
byMikhail Egorov
Β 
PDF
Neat tricks to bypass CSRF-protection
byMikhail Egorov
Β 
PDF
Application Threat Modeling
byPriyanka Aash
Β 
PPTX
Anatomy of business logic vulnerabilities
byDaveEdwards12
Β 
PPTX
What is security testing and why it is so important?
byONE BCG
Β 
PDF
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
Β 
PDF
Frans RosΓ©n Keynote at BSides Ahmedabad
bySecurity BSides Ahmedabad
Β 
PPTX
Web application security
byKapil Sharma
Β 
Unsafe JAX-RS: Breaking REST API
byMikhail Egorov
Β 
Neat tricks to bypass CSRF-protection
byMikhail Egorov
Β 
Application Threat Modeling
byPriyanka Aash
Β 
Anatomy of business logic vulnerabilities
byDaveEdwards12
Β 
What is security testing and why it is so important?
byONE BCG
Β 
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
Β 
Frans RosΓ©n Keynote at BSides Ahmedabad
bySecurity BSides Ahmedabad
Β 
Web application security
byKapil Sharma
Β 

What's hot

PDF
Http methods
bymaamir farooq
Β 
PDF
Attack modeling vs threat modelling
byInvisibits
Β 
PPTX
Rest API Security
byStormpath
Β 
PPTX
Ethical hacking : Its methodologies and tools
bychrizjohn896
Β 
PDF
Dvwa low level
byhackstuff
Β 
PDF
Security Testing for Test Professionals
byTechWell
Β 
PPTX
Types of Malware (CEH v11)
byEC-Council
Β 
PPT
Introduction to Web Application Penetration Testing
byAnurag Srivastava
Β 
PPTX
SQL INJECTION
byMentorcs
Β 
ODP
OWASP Secure Coding
bybilcorry
Β 
PPTX
Going Passwordless with Microsoft
byFIDO Alliance
Β 
PPTX
Reverse proxies & Inconsistency
byGreenD0g
Β 
PPTX
Web application vulnerability assessment
byRavikumar Paghdal
Β 
PDF
OWASP Mobile Top 10
byNowSecure
Β 
PPT
Port Scanning
byamiable_indian
Β 
PDF
ORM Injection
bySimone Onofri
Β 
PPTX
REST API Security: OAuth 2.0, JWTs, and More!
byStormpath
Β 
PPTX
Web API authentication and authorization
byChalermpon Areepong
Β 
PPT
Pentesting Using Burp Suite
byjasonhaddix
Β 
PPTX
API Security Fundamentals
byJosΓ© Haro Peralta
Β 
Http methods
bymaamir farooq
Β 
Attack modeling vs threat modelling
byInvisibits
Β 
Rest API Security
byStormpath
Β 
Ethical hacking : Its methodologies and tools
bychrizjohn896
Β 
Dvwa low level
byhackstuff
Β 
Security Testing for Test Professionals
byTechWell
Β 
Types of Malware (CEH v11)
byEC-Council
Β 
Introduction to Web Application Penetration Testing
byAnurag Srivastava
Β 
SQL INJECTION
byMentorcs
Β 
OWASP Secure Coding
bybilcorry
Β 
Going Passwordless with Microsoft
byFIDO Alliance
Β 
Reverse proxies & Inconsistency
byGreenD0g
Β 
Web application vulnerability assessment
byRavikumar Paghdal
Β 
OWASP Mobile Top 10
byNowSecure
Β 
Port Scanning
byamiable_indian
Β 
ORM Injection
bySimone Onofri
Β 
REST API Security: OAuth 2.0, JWTs, and More!
byStormpath
Β 
Web API authentication and authorization
byChalermpon Areepong
Β 
Pentesting Using Burp Suite
byjasonhaddix
Β 
API Security Fundamentals
byJosΓ© Haro Peralta
Β 

Viewers also liked

PDF
New methods for exploiting ORM injections in Java applications
byMikhail Egorov
Β 
PDF
What should a hacker know about WebDav?
byMikhail Egorov
Β 
PDF
ORM2Pwn: Exploiting injections in Hibernate ORM
byMikhail Egorov
Β 
PDF
Hacking Adobe Experience Manager sites
byMikhail Egorov
Β 
PPTX
Nopcon '16 Android Kernel Vulnerabilities
byAbdSec
Β 
PDF
НСкриптографичСскоС исслСдованиС носитСлСй православной ΠΊΡ€ΠΈΠΏΡ‚ΠΎΠ³Ρ€Π°Ρ„ΠΈΠΈ
bySergey Soldatov
Β 
PDF
PHDays '14 Cracking java pseudo random sequences by egorov & soldatov
bySergey Soldatov
Β 
PPT
PQP 1 Child Protection
byreneec
Β 
PPTX
Barabanov_Markov it-std
byAlexander Barabanov
Β 
PPTX
Developer Evidences (Infosecurity Russia 2013)
byAlexander Barabanov
Β 
PDF
Threat hunting as SOC process
bySergey Soldatov
Β 
PDF
Volatile Memory: Behavioral Game Theory in Defensive Security
byKelly Shortridge
Β 
PDF
SlideShare 101
byAmit Ranjan
Β 
New methods for exploiting ORM injections in Java applications
byMikhail Egorov
Β 
What should a hacker know about WebDav?
byMikhail Egorov
Β 
ORM2Pwn: Exploiting injections in Hibernate ORM
byMikhail Egorov
Β 
Hacking Adobe Experience Manager sites
byMikhail Egorov
Β 
Nopcon '16 Android Kernel Vulnerabilities
byAbdSec
Β 
НСкриптографичСскоС исслСдованиС носитСлСй православной ΠΊΡ€ΠΈΠΏΡ‚ΠΎΠ³Ρ€Π°Ρ„ΠΈΠΈ
bySergey Soldatov
Β 
PHDays '14 Cracking java pseudo random sequences by egorov & soldatov
bySergey Soldatov
Β 
PQP 1 Child Protection
byreneec
Β 
Barabanov_Markov it-std
byAlexander Barabanov
Β 
Developer Evidences (Infosecurity Russia 2013)
byAlexander Barabanov
Β 
Threat hunting as SOC process
bySergey Soldatov
Β 
Volatile Memory: Behavioral Game Theory in Defensive Security
byKelly Shortridge
Β 
SlideShare 101
byAmit Ranjan
Β 

Similar to Entity provider selection confusion attacks in JAX-RS applications

PPTX
JAX-RS 2.0 and OData
byAnil Allewar
Β 
PDF
There is REST and then there is "REST"
byRadovan Semancik
Β 
PDF
JavaEE and RESTful development - WSO2 Colombo Meetup
bySagara Gunathunga
Β 
PDF
JAX-RS 2.0: RESTful Web Services
byArun Gupta
Β 
PDF
JAX-RS 2.0: New and Noteworthy in RESTful Web services API at JAX London
byArun Gupta
Β 
PDF
From Open Source to Open API with Restlet
byRestlet
Β 
PDF
Role of Rest vs. Web Services and EI
byWSO2
Β 
DOC
Web services soap rest training
byFuturePoint Technologies
Β 
PDF
RESTful Java With JAX RS 1st Edition Bill Burke
byrohismhmob88
Β 
PPT
Developing RESTful WebServices using Jersey
byb_kathir
Β 
PPTX
Real world RESTful service development problems and solutions
byMasoud Kalali
Β 
PPTX
Lies you have been told about REST
bydarrelmiller71
Β 
PPTX
Fixing the Java Serialization Mess
bySalesforce Engineering
Β 
PDF
Java EE 8 Overview (Japanese)
byLogico
Β 
PDF
Securty Testing For RESTful Applications
bySource Conference
Β 
PPTX
Ppt on web development and this has all details
bygogijoshiajmer
Β 
PDF
JAX-RS 2.0: New and Noteworthy in RESTful Web Services API - Arun Gupta
byJAX London
Β 
PDF
112815 java ee8_davidd
byTakashi Ito
Β 
PDF
RESTful Java With JAX RS 1st Edition Bill Burke
byjolokmertah
Β 
PDF
Asec r01-resting-on-your-laurels-will-get-you-pwned
byDinis Cruz
Β 
JAX-RS 2.0 and OData
byAnil Allewar
Β 
There is REST and then there is "REST"
byRadovan Semancik
Β 
JavaEE and RESTful development - WSO2 Colombo Meetup
bySagara Gunathunga
Β 
JAX-RS 2.0: RESTful Web Services
byArun Gupta
Β 
JAX-RS 2.0: New and Noteworthy in RESTful Web services API at JAX London
byArun Gupta
Β 
From Open Source to Open API with Restlet
byRestlet
Β 
Role of Rest vs. Web Services and EI
byWSO2
Β 
Web services soap rest training
byFuturePoint Technologies
Β 
RESTful Java With JAX RS 1st Edition Bill Burke
byrohismhmob88
Β 
Developing RESTful WebServices using Jersey
byb_kathir
Β 
Real world RESTful service development problems and solutions
byMasoud Kalali
Β 
Lies you have been told about REST
bydarrelmiller71
Β 
Fixing the Java Serialization Mess
bySalesforce Engineering
Β 
Java EE 8 Overview (Japanese)
byLogico
Β 
Securty Testing For RESTful Applications
bySource Conference
Β 
Ppt on web development and this has all details
bygogijoshiajmer
Β 
JAX-RS 2.0: New and Noteworthy in RESTful Web Services API - Arun Gupta
byJAX London
Β 
112815 java ee8_davidd
byTakashi Ito
Β 
RESTful Java With JAX RS 1st Edition Bill Burke
byjolokmertah
Β 
Asec r01-resting-on-your-laurels-will-get-you-pwned
byDinis Cruz
Β 

More from Mikhail Egorov

PDF
A Hacker's perspective on AEM applications security
byMikhail Egorov
Β 
PDF
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
byMikhail Egorov
Β 
PDF
Securing AEM webapps by hacking them
byMikhail Egorov
Β 
PDF
Hunting for security bugs in AEM webapps
byMikhail Egorov
Β 
PDF
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
byMikhail Egorov
Β 
PPTX
CSRF-уязвимости всС Π΅Ρ‰Π΅ Π°ΠΊΡ‚ΡƒΠ°Π»ΡŒΠ½Ρ‹: ΠΊΠ°ΠΊ Π°Ρ‚Π°ΠΊΡƒΡŽΡ‰ΠΈΠ΅ обходят CSRF-Π·Π°Ρ‰ΠΈΡ‚Ρƒ Π² вашСм ...
byMikhail Egorov
Β 
A Hacker's perspective on AEM applications security
byMikhail Egorov
Β 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
byMikhail Egorov
Β 
Securing AEM webapps by hacking them
byMikhail Egorov
Β 
Hunting for security bugs in AEM webapps
byMikhail Egorov
Β 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
byMikhail Egorov
Β 
CSRF-уязвимости всС Π΅Ρ‰Π΅ Π°ΠΊΡ‚ΡƒΠ°Π»ΡŒΠ½Ρ‹: ΠΊΠ°ΠΊ Π°Ρ‚Π°ΠΊΡƒΡŽΡ‰ΠΈΠ΅ обходят CSRF-Π·Π°Ρ‰ΠΈΡ‚Ρƒ Π² вашСм ...
byMikhail Egorov
Β 

Entity provider selection confusion attacks in JAX-RS applications

  • 1.
    Entity provider selection confusion attacksin JAX-RS applications Mikhail Egorov
  • 2.
    β€’ Security researcher,bug hunter β€’ Application security engineer at Odin [ Ingram Micro Cloud ] β€’ @0ang3el β€’ http://0ang3el.blogspot.com β€’ http://www.slideshare.net/0ang3el About me
  • 3.
    β€’ Java APIfor creating RESTful web services β€’ Part of J2EE since J2EE 6 β€’ JAX-RS 2.0 [ https://jcp.org/aboutJava/communityprocess/final/jsr339/index.html ] β€’ RESTEasy [ Red Hat ] , Jersey [ Oracle ] What is JAX-RS?
  • 4.
    β€’ RESTful webservices are based on REST architectural style β€’ Some features β€’ Resource identification through URI β€’ Uniform interface β€’ Self-descriptive messages β€’ Stateful interactions through hyperlinks What is RESTful web services?
  • 5.
    Simple RESTful webservice built w/ JAX-RS ; import javax.ws.rs.GET; import javax.ws.rs.Path; import javax.ws.rs.Produces; @Path("helloworld") public class HelloWorldResource { public static final String CLICHED_MESSAGE = "Hello World!"; @GET @Produces("text/plain") public String getHello() { return CLICHED_MESSAGE; } }
  • 6.
    Simple RESTful webservice built w/ JAX-RS ;
  • 7.
    β€’ Annotated parameters β€’@PathParam β€’ @QueryParam β€’ @FormParam β€’ @HeaderParam β€’ @CookieParam β€’ @MatrixParam β€’ Entity parameters – parameters without annotation Passing parameters to resource method
  • 8.
    β€’ @QueryParam example β€’Entity parameter example Passing parameters to resource method @GET @Path("/order") public String getOrder(@QueryParam("id") Sting id) { ... } @Path("/order") @PUT public void putOrder(Order order) { ... }
  • 9.
    β€’ Unmarshalling –process of converting message content into Java object which is passed as parameter into resource method β€’ Entity providers are used for marshalling/unmarshalling Entity parameters
  • 10.
    β€’ Entity providers– specials Java classes β€’ Annotated with @Provider β€’ Implement javax.ws.rs.ext.MessageBodyReader [ isReadable(), readFrom() ] β€’ Entity provider is selected based on β€’ Content type specified with @Consumes annotation β€’ Content-Type HTTP header in request β€’ Java Class of entity parameter β€’ There are interesting built-in entity providers Entity providers
  • 11.
    β€’ Jersey performsWEB-INF/lib scanning for entity providers β€’ RESTEasy by default performs WEB-INF/lib scanning for entity providers, parameter resteasy.scan.providers does not work [ https://issues.jboss.org/browse/RESTEASY-1504 ] Automated scanning for entity providers
  • 12.
    β€’ Attacker selectsentity provider which is not intended for unmarshalling, by manipulating with Content-Type header of HTTP request Entity provider selection confusion attack
  • 13.
    β€’ Occur whenresource or resource method does not specify preferred content type via @Consumes annotation β€’ Or specifies it too permissive β€’ */* β€’ application/* β€’ And in some cases when content type is β€’ multipart/* β€’ multipart/form-data β€’ etc Entity provider selection confusion attack
  • 14.
    β€’ Impact ofattack β€’ RCE β€’ DoS β€’ CSRF β€’ XXE β€’ etc Entity provider selection confusion attack
  • 15.
    β€’ RESTEasy bydefault has SerializableProvider entity provider β€’ Vulnerable resource method doConcat() Attack for RESTEasy [ CVE-2016-7050 ] @POST @Path("/concat") @Produces(MediaType.APPLICATION_JSON) public Map doConcat(Pair pair) { HashMap result = new HashMap(); result.put("Result", pair.getP1() + pair.getP2()); return result; } public class Pair implements Serializable { ... }
  • 16.
    β€’ isReadable() methodof SerializableProvider β€’ SerializableProvider is used when Content-Type is application/x-java- serialized-object and Java class of entity parameter is serializable Attack for RESTEasy [ CVE-2016-7050 ] public boolean isReadable(Class type, Type genericType, Annotation[] annotations, MediaType mediaType) { return (Serializable.class.isAssignableFrom(type)) && (APPLICATION_SERIALIZABLE_TYPE.getType().equals(mediaType.getType())) && (APPLICATION_SERIALIZABLE_TYPE.getSubtype().equals(mediaType.getSubtype())); }
  • 17.
    β€’ readFrom() methodof SerializableProvider Attack for RESTEasy [ CVE-2016-7050 ] public Serializable readFrom(Class type, Type genericType, Annotation[] annotations, MediaType mediaType, MultivaluedMap httpHeaders, InputStream entityStream) throws IOException, WebApplicationException { BufferedInputStream bis = new BufferedInputStream(entityStream); ObjectInputStream ois = new ObjectInputStream(bis); try { return (Serializable)Serializable.class.cast(ois.readObject()); } catch (ClassNotFoundException e) { throw new WebApplicationException(e); } }
  • 18.
    Attack for RESTEasy[ CVE-2016-7050 ]
  • 19.
    Attack for RESTEasy[ CVE-2016-7050 ]
  • 20.
    β€’ Jersey hasdefault jersey-media-kryo entity provider β€’ Vulnerable resource method doShowSize() Attack for Jersey @POST @Path("/size") @Produces(MediaType.APPLICATION_JSON) public Map<String, String> doShowSize(ArrayList<Pair> pairs) { HashMap<String, String> result = new HashMap<String, String>(); result.put("Count", String.valueOf(pairs.size())); return result; }
  • 21.
    β€’ DoS payload- https://gist.github.com/coekie/a27cc406fc9f3dc7a70d Attack for Jersey
  • 22.
    β€’ DoS payload- https://gist.github.com/coekie/a27cc406fc9f3dc7a70d Attack for Jersey
  • 23.
    β€’ Narrow possiblecontent types for resource or resource method using @Consumes annotation β€’ Use multipart/*, multipart/form-data, etc. content types with caution β€’ Java deserialization bugs exist not only in RMI/JMX/JMS Takeaways