
Ryan Berg
Co-Founder and Chief Scientist
March 2009

Spring is in the air

• Aren’t we all a little tired of SQL injection and XSS?

• Want to learn about all the latest rage in framework-based vulnerabilities and analysis?

• Join me on this whirlwind tour of how your applications can be exploited!

Spring mission statement

• It should be easy and fun to use
• Applications developed should be loosely coupled with the framework
• Should leverage existing solutions as much as possible

• Nowhere does it say it should be secure


The Weakest Link

• As we put more and more trust into the frameworks that are the foundation of our apps, make sure you understand the security decisions made so you can make the right implementation choices.

Copyright © 2009 Ounce Labs, Inc. All rights reserved.


Just a little background…

• For a good overview of the Spring Framework, see:
http://www.theserverside.com/tt/articles/article.tss?l=IntrotoSpring25

• Here is the main documentation for the Spring Framework:
http://static.springframework.org/spring/docs/2.5.x/reference/index.html

It’s all about the models, Baby!

(see also http://en.wikipedia.org/wiki/Model-view-controller)


Sounds cool, where can I get some?

Front Controller

Source: /spring-framework-2.0.7/docs/MVC-step-by-step/
Time to wire up the app
Basic controller
Form view
Form controller
Model
Huh?
All this gives you…
I thought this was about security?

It’s all about auto-binding:

It certainly makes it easy for developers

• Let’s look at some guiding principles:

• “There does not now, nor will there ever, exist a programming language in which it is the least bit hard to write bad programs.”
  • Lawrence Flon

• “If there are two or more ways to do something, and one of those ways can result in a disaster, then someone will do it.”
  • Edward A. Murphy

• “For just about any technology, be it an operating system, application or network, when a sufficient level of adoption is reached, that technology then becomes a threat vector.”
  • Gene Spafford

Right, so what could go wrong?

• The vulnerability is created by this ‘auto binding’ feature since, in most cases, not all fields that are reachable via the web interface should be editable.

• That is to say, since it is possible for an attacker to submit data to ALL fields that exist in the classes that are used to bind the data received, exploitable vectors occur when:
  1. There is a difference between the fields exposed on the web page (via JSP, for example) and the fields with setters in the backend classes
  2. The developers don’t realize that ALL fields from those classes can contain tainted data
     1. Although Spring MVC provides excellent support for validation of user-supplied data, that validation tends to be focused on what the developers EXPECT to receive from the user (the fields exposed in the JSP) and not on ALL fields available (i.e. the real attack surface)
  3. Manipulation of these extra fields (controllable by the attacker) allows the circumvention of the application’s business logic



So, what does Spring say about this?

• Note that there are potential security implications in failing to set an array of allowed fields. In the case of HTTP form POST data, for example, malicious clients can attempt to subvert an application by supplying values for fields or properties that do not exist on the form. In some cases this could lead to illegal data being set on command objects or their nested objects. For this reason, it is highly recommended to specify the allowedFields property on the DataBinder.

Source: http://static.springframework.org/spring/docs/2.5.x/api/org/springframework/validation/DataBinder.html

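The guard the DataBinder documentation recommends, written out as an added example (this is not code from the slides or from the Spring project): a command object with a setter the form never renders, and an @InitBinder method that limits auto-binding to the two fields the form actually exposes. It uses the Spring 2.5 annotation-style controller; the class, field, URL and view names and the AccountService interface are assumptions for illustration.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
@RequestMapping("/account/edit")   // hypothetical URL
public class AccountEditController {

    /**
     * Command object (hypothetical). The JSP renders inputs for email and
     * displayName only, but auto-binding works from the setters, so a request
     * carrying admin=true would otherwise reach setAdmin(true) as well.
     */
    public static class Account {
        private String email;
        private String displayName;
        private boolean admin;   // never on the form, still has a public setter

        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
        public String getDisplayName() { return displayName; }
        public void setDisplayName(String displayName) { this.displayName = displayName; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    /** Hypothetical persistence service, wired in from the bean definition. */
    public interface AccountService {
        void save(Account account);
    }

    private AccountService accountService;

    public void setAccountService(AccountService accountService) {
        this.accountService = accountService;
    }

    /**
     * Runs before the "account" model attribute is bound. Only the fields the
     * form exposes are allowed; every other request parameter is removed by the
     * DataBinder instead of being written into the command object.
     */
    @InitBinder("account")
    public void restrictBoundFields(WebDataBinder binder) {
        binder.setAllowedFields(new String[] {"email", "displayName"});
    }

    @RequestMapping(method = RequestMethod.GET)
    public String showForm(@ModelAttribute("account") Account account) {
        return "account/edit";   // hypothetical view name
    }

    @RequestMapping(method = RequestMethod.POST)
    public String submit(@ModelAttribute("account") Account account) {
        // account.isAdmin() can now only be true if server-side code set it;
        // the client cannot reach setAdmin through the binder.
        accountService.save(account);
        return "redirect:/account/view";   // hypothetical view name
    }
}
```

An allow list is the right shape for this check: any setter added to the command object later is bindable by default, so a deny list (setDisallowedFields) has to be remembered on every change, whereas the allow list only ever grows when the form does.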
Demo time

• Demo #1
But wait, it gets better

• Inversion of Control
MVC Recap

• DispatcherServlet
  • The DispatcherServlet is the FrontController in the MVC pattern and is responsible for controller routing.

• ModelAndView
  • Created by the Controller
  • Holds the Model
  • Ties the View to the request

• ViewResolver
  • Associates view names to view implementations

• HandlerMapping
  • Used by the DispatcherServlet for request routing

Blah Blah Blah, I thought we covered this already!

Did I say it’s all about the Model? Maybe it’s the View

• ViewResolver
  • Provides a mapping between view names and actual views.
• UrlBasedViewResolver
  • Provides direct resolution between symbolic view names and URLs.
• InternalResourceViewResolver
  • Primarily used to route requests to internal JSPs/Servlets
• BeanNameViewResolver
  • Basic resolver that maps views to beans in the current application context.

• View resolvers can be chained, this could never be a problem, right?

This can be a huge problem.

• What is wrong with the following code?

// Controller method as shown on the slide. UserSession, Cart and successView
// belong to the surrounding application.
public ModelAndView handleRequest(HttpServletRequest request,
                                  HttpServletResponse response) throws Exception {
    UserSession userSession = (UserSession) WebUtils.getSessionAttribute(request, "userSession");
    Cart cart = (Cart) WebUtils.getOrCreateSessionAttribute(request.getSession(), "sessionCart", Cart.class);
    String page = request.getParameter("page");
    if (userSession != null) {
        if ("next".equals(page)) {
            userSession.getMyList().nextPage();
        } else if ("previous".equals(page)) {
            userSession.getMyList().previousPage();
        }
    }
    if ("nextCart".equals(page)) {
        cart.getCartItemList().nextPage();
    } else if ("previousCart".equals(page)) {
        cart.getCartItemList().previousPage();
    }
    // The view name is taken straight from the request: the client, not the
    // controller, decides which view the resolver chain will render.
    if (request.getParameter("view") != null) {
        return new ModelAndView(request.getParameter("view"));
    }
    return new ModelAndView(this.successView, "cart", cart);
}

Let’s see that in action

• Demo #2

So, what do you do?

• Use DataBinder.setAllowedFields religiously.
  • http://static.springframework.org/spring/docs/1.2.x/api/org/springframework/validation/DataBinder.html
  • http://forum.springframework.org/archive/index.php/t-10820.html

• Never let direct user input choose your Controller’s return View.

• Happy Hunting :)
  • http://www.google.com/codesearch?hl=en&lr=&q=ModelAndView%5C%28.*request%5C.&sbtn=Search

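The second rule applied to the controller from the "This can be a huge problem" slide, as an added example that is not code from the slides: the client may still ask for a page, but it names a key in a fixed map and the controller supplies the view name, so nothing from the request reaches the resolver chain (where UrlBasedViewResolver and its subclasses also honor the redirect: and forward: prefixes). UserSession and Cart are the slide's own types and are assumed to exist in the application; the map contents, the successView value and the class name are assumptions.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.Controller;
import org.springframework.web.util.WebUtils;

public class CartController implements Controller {

    /** Client-visible keys mapped to view names chosen by the controller (assumed values). */
    private static final Map<String, String> SELECTABLE_VIEWS;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("summary", "cart/summary");
        m.put("detail", "cart/detail");
        SELECTABLE_VIEWS = Collections.unmodifiableMap(m);
    }

    private String successView = "cart/summary";   // normally set in the bean definition

    public void setSuccessView(String successView) {
        this.successView = successView;
    }

    /**
     * Returns the view name for a client-supplied key, the default when no key
     * was sent, or null when the key is not one the controller offers. The key
     * itself is only ever used as a map lookup, never as a view name.
     */
    static String resolveRequestedView(String requestedKey, String defaultView) {
        if (requestedKey == null) {
            return defaultView;
        }
        return SELECTABLE_VIEWS.get(requestedKey);
    }

    public ModelAndView handleRequest(HttpServletRequest request,
                                      HttpServletResponse response) throws Exception {
        UserSession userSession = (UserSession) WebUtils.getSessionAttribute(request, "userSession");
        Cart cart = (Cart) WebUtils.getOrCreateSessionAttribute(request.getSession(), "sessionCart", Cart.class);

        // Paging logic unchanged from the slide.
        String page = request.getParameter("page");
        if (userSession != null) {
            if ("next".equals(page)) {
                userSession.getMyList().nextPage();
            } else if ("previous".equals(page)) {
                userSession.getMyList().previousPage();
            }
        }
        if ("nextCart".equals(page)) {
            cart.getCartItemList().nextPage();
        } else if ("previousCart".equals(page)) {
            cart.getCartItemList().previousPage();
        }

        String viewName = resolveRequestedView(request.getParameter("view"), successView);
        if (viewName == null) {
            // Unknown key: refuse rather than guess, and echo nothing from the
            // request into the response. Returning null tells the
            // DispatcherServlet the response has already been handled.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return null;
        }
        // The model is attached whichever view was chosen, unlike the original
        // branch that rendered the requested view with no model at all.
        return new ModelAndView(viewName, "cart", cart);
    }
}
```

Keeping resolveRequestedView as a small static method makes the only security-relevant decision in the controller trivially unit-testable: a key not in the map must come back null, and a null key must come back as the configured default.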
Questions

• Ryan Berg, Co-Founder and Chief Scientist
  • ryan.berg@ouncelabs.com

• For more information, visit:
  • www.ouncelabs.com/springmvc
