Dinis Cruz
This book is for sale at http://leanpub.com/Exploiting_MVC
This version was published on 2014-03-23
This is a Leanpub book. Leanpub empowers authors and publishers with the Lean Publishing process. Lean
Publishing is the act of publishing an in-progress ebook using lightweight tools and many iterations to get
reader feedback, pivot until you have the right book and build traction once you do.
This work is licensed under a Creative Commons Attribution 3.0 Unported License
Contents

1 July 2011
    O2 Script with BlackBox exploits for Spring MVC AutoBinding vulnerabilities in JPetStore
    O2 Script for Spring MVC JPetStore - Start Servers (start/stop apache and hsqldb)
    O2 Script: Spring MVC Util - View Controllers
    Creating an API for JPetStore Browser automation
    Injecting FirebugLite and jQuery into a IE Automation page (JPetStore Example)
    Writing an O2 IE Automation Script for JPetStore Account Creation
    Viewing JPetStore Hsqldb database and couple more Autobinding issues
    Finding the JSP views that are mapped to controllers in JPetStore (Spring MVC)
    Visualizing the links in JPetStore (Spring MVC)
    Packaged Spring MVC Security Test Apps: JPetStore and PetClinic
    Simple Viewer to see JSP files (example using Spring MVC JPetStore)
    Util - Java, Jsp and Xml File Search (Example using Spring MVC JPetStore)
    Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinics vulnerabilities)

2 September 2011
    example of spring mvc controllers

3 November 2011
    Fixing one of JPetStore's AutoBinding Vulnerabilities (changing the purchase price)

4 May 2012
    ASP.NET MVC MUSIC STORE
    Order details
    HTTP form post fields using Fiddler
    Checkout controller
    Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform

5 June 2013
    Using ASP.NET MVC 4.0 in TeamMentor (with simple Controller, View and master Layout)

6 July 2013
    Can you spot the security implications/vulnerability of a small change to an ASP.NET MVC 3.0+ Model Binder?
    Nice business logic vulnerability and CSRF on the ASP.NET MVC Design Patterns book sample
    Day 1 - made it to Vegas, start of ASP.NET MVC research
    MVC ModelBinding Vulnerability in Contoso University sample (first raw PoC)

7 October 2012
    Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform
    Tool - O2 Cmd SpringMVC v1.0.exe - as standalone exe
    How the Tool - O2 Cmd SpringMVC v1.0.exe was created

8 December 2012
    ASP.NET MVC XSS and AutoBind Vulns in MVC Example app (from 2008)
    ASP.NET Support in SAST and IBM F4F

9 January 2013
    OData ASP.NET Web API: A Mass Assignment vulnerability in the making?
    Should Mass Assignment be an OWASP Top 10 Vulnerability?

10 September 2008
    ASP.NET MVC XSS and AutoBind vulns in MVC Example

11 September 2009
    Spring MVC 3.0 MVC Binding rules
    Finally here is how I have been analysing Spring MVC apps using O2
    Reaching out to Spring Developers
    Couple more blog posts on JPetStore and additional Spring MVC Autobinding vulnerabilities
    Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinics vulnerabilities)
    Current O2 support for analyzing Spring MVC
    What needs to be done to map Static Analysis Traces from Controllers and Views

12 October 2011
    Why doesn't SAST have better Framework support (for example Spring MVC)?
    What does SAST mean? And where does it come from?
    First Answer to: Why doesn't SAST have better Framework support (for example Spring MVC)?
    Solution for fixing Spring's JPetStore AutoBinding vulnerabilities

13 April 2012
    Some proposed Visions for next OWASP Summit
    Why ASP.NET MVC is insecure by design, just like Spring MVC (and why SAST can help)
    Starting to use the O2 Spring MVC viewer on ThreadFix
1 July 2011

O2 Script with BlackBox exploits for Spring MVC AutoBinding vulnerabilities in JPetStore

```csharp
// (only the end of this script survived in this copy: the last exploit links,
//  the IE navigation and the O2 file references)
                => exploit_Variation_1_SetItemPriceQuantityAndTotalPrice(desiredPrice))
    .append_Link("Exploit Variation #3 (set TotalPrice) ", () => exploit_Variation_2(desiredPrice))
    .append_Link("loginPlaceAnOrderAndGoToCheckout; ",     () => loginPlaceAnOrderAndGoToCheckout());

ie.open("http://127.0.0.1:8080/jpetstore");
return "done";

//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll
```
O2 Script: Spring MVC Util - View Controllers

This script creates a view for the Spring MVC mapping objects created by the SpringMvcMappings_v2 API. It is a very important script, since it provides a very clear view of a Spring MVC application's URLs, Controllers and CommandClasses. The CommandClass view can be quite spectacular, since it is common to find massive autobound POJOs (some even with recursion).

Here is a video showing this script in action: http://www.youtube.com/watch?v=ZQd7xqAlSRc

Here is the code:

```csharp
var topPanel = O2Gui.open<Panel>("Spring MVC Util - View Controllers", 1000, 400);
//var topPanel = panel.clear().add_Panel();

var baseDir          = PublicDI.CurrentScript.directoryName();
var xmlFile          = baseDir.pathCombine(@"sourceCode\war\WEB-INF\petstore-servlet.xml");
var mcvMappingsFile  = "{0}.mvcMappings.xml".format(xmlFile);
var webAppClassFiles = baseDir.pathCombine("jPetStore.classes.zip.xml");
var coreClassFiles   = baseDir.pathCombine("jPetStore.classes.zip.xml");

// getters whose declared return type (e.g. a java.util.List) hides the element type
// that will actually be bound into
Func<string,string,string> resolveGetterReturnType =
    (methodName, returnType) =>
    {
        "in resolveGetterReturnType: {0} - {1}".debug(methodName, returnType);
        if (methodName == "getLineItems")
            return "org.springframework.samples.jpetstore.domain.LineItem";
        return returnType;
    };

var mvcMappings = (mcvMappingsFile.fileExists())
                      ? mcvMappingsFile.load<SpringMvcMappings>()
                      : xmlFile.springMvcMappings()
                               .mapCommandClass_using_XRefs(webAppClassFiles);
var xRefs          = coreClassFiles.javaMetadata().map_JavaMetadata_XRefs();
var byCommandClass = mvcMappings.controllers_by_CommandClass();

var treeView   = topPanel.add_TreeView_with_PropertyGrid(true).sort();
var codeViewer = topPanel.insert_Right().add_SourceCodeViewer();

Action<string> onClassSelected =
    (@class) =>
    {
        if (xRefs.Classes_by_Signature.hasKey(@class))
            codeViewer.open(xRefs.Classes_by_Signature[@class].file());
    };

var _treeView = codeViewer.insert_Above()
                          .add_TreeView_For_CommandClasses_Visualization(xRefs, onClassSelected, resolveGetterReturnType);

treeView.afterSelect<String>(
    (javaClass) =>
    {
        if (javaClass.valid() && javaClass != "[no commandName]")
        {
            // the exact path expression was cut from this copy; the source file is
            // resolved from the fully qualified class name
            var file = "{0}.java".format(javaClass.replace(".", @"\"));
            _treeView.clear();
            _treeView.add_Node(javaClass, javaClass, true);
            codeViewer.open(file);
        }
        else
            codeViewer.set_Text("");
    });

treeView.afterSelect<SpringMvcController>(
    (mvcController) =>
    {
        if (mvcController.FileName.valid())
            codeViewer.open(mvcController.FileName);
        _treeView.clear();
        if (mvcController.CommandClass.valid())
            _treeView.add_Node(mvcController.CommandClass, mvcController.CommandClass, true);
    });

var byCommandClassNode = treeView.add_Node("by CommandClass");
foreach (var mapping in byCommandClass)
    byCommandClassNode.add_Node(mapping.Key, mapping.Key)
                      .add_Nodes(mapping.Value);

var byJavaClassNode = treeView.add_Node("by JavaClass");
foreach (var mapping in mvcMappings.controllers_by_JavaClass())
    byJavaClassNode.add_Node(mapping.Key, mapping.Value);

var byUrlNode = treeView.add_Node("by Url");
foreach (var controller in mvcMappings.Controllers)
    byUrlNode.add_Node(controller.HttpRequestUrl, controller);   // second argument cut from this copy; the controller object is assumed

treeView.focus();
return "ok";

//using O2.XRules.Database.Languages_and_Frameworks.J2EE
//using O2.XRules.Database.APIs.IKVM
//O2File:spring-servlet-2.0.xsd.cs
//O2File:SpringMvcMappings_v2.0.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll
```
Creating an API for JPetStore Browser automation

Once we have a number of lambda functions to perform IE/web automation, the next step is to create an API so that they can be easily consumed and reused. This API is going to be called API_JPetStore.cs and will allow the simple invocation of JPetStore commands like this:

```csharp
var topPanel  = panel.clear().add_Panel();
var ie        = topPanel.add_IE().silent(true);
var jPetStore = new API_JPetStore(ie);
jPetStore.homePage();
jPetStore.login_DefaultValues();
jPetStore.logout();
jPetStore.login("asd", "asd");
jPetStore.login("j2ee", "j2ee");

//O2File:API_JPetStore.cs
//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll
```

Here is the current source code for the API_JPetStore.cs file (at the moment only implementing a couple of functions, like login and logout):

```csharp
// This file is part of the OWASP O2 Platform and is released under the Apache 2.0 License
using System;
using System.Linq;
using System.Collections.Generic;
using O2.Kernel;
using O2.Kernel.ExtensionMethods;
using O2.DotNetWrappers.DotNet;
using O2.DotNetWrappers.ExtensionMethods;
//O2File:WatiN_IE_ExtensionMethods.cs
//O2File:WatiN_IE.cs
//O2Ref:WatiN.Core.1x.dll

namespace O2.XRules.Database.APIs
{
    public class API_JPetStore
    {
        public WatiN_IE ie;
        // the literal was lost from this copy; the value is the one the other scripts in this chapter use
        public string   appUrl = "http://localhost:8080/jpetstore";

        public API_JPetStore(WatiN_IE _ie)
        {
            ie = _ie;
        }

        // navigates to appUrl + virtualPath (an empty virtualPath opens the application root)
        public API_JPetStore open(string virtualPath = "")
        {
            if (virtualPath.starts("/").isFalse())
                virtualPath = "/{0}".format(virtualPath);
            var fullUri = "{0}{1}".format(appUrl, virtualPath).uri();
            ie.open(fullUri.str());
            return this;
        }
    }

    public static class API_JPetStore_ExtensionMethods
    {
        public static API_JPetStore homePage(this API_JPetStore jPetStore)
        {
            jPetStore.open();
            return jPetStore;
        }

        // submits the sign-on form with the values it is pre-filled with
        public static API_JPetStore login_DefaultValues(this API_JPetStore jPetStore)
        {
            jPetStore.open("/shop/signonForm.do");
            jPetStore.ie.buttons()[1].click();
            return jPetStore;
        }

        // note: returns true when the sign-on FAILED (the error message is present in the page)
        public static bool login(this API_JPetStore jPetStore, string username, string password)
        {
            jPetStore.open("/shop/signonForm.do");
            var ie = jPetStore.ie;
            ie.field("username").value(username);
            ie.field("password").value(password);
            jPetStore.ie.buttons()[1].click();
            return ie.IE.Html.contains("Invalid username or password. Signon failed.");
        }

        public static API_JPetStore logout(this API_JPetStore jPetStore)
        {
            jPetStore.open("/shop/signoff.do");
            return jPetStore;
        }
    }
}
```
Injecting FirebugLite and jQuery into a IE Automation page (JPetStore Example)

When doing IE automation, sometimes the best way to find out what is happening on the page we're working on is to open Firebug on it. A cool (and very powerful) alternative is to use FirebugLite, which can be embedded in any page and works on most browsers. As you can see at http://getfirebug.com/firebuglite#Stable, one way to fire up FirebugLite is to execute the bit of JavaScript they show under the "Add the following link to your bookmarks:" section. When using O2's IE automation this can be achieved like this:

```csharp
// the bookmarklet was cut short in this copy; it is reproduced here from the getfirebug.com page linked above
var firebugLiteScript = "(function(F,i,r,e,b,u,g,L,I,T,E){if(F.getElementById(b))return;E=F[i+'NS']&&F.documentElement.namespaceURI;E=E?F[i+'NS'](E,'script'):F[i]('script');E[r]('id',b);E[r]('src',I+g+T);E[r](b,u);(F[e]('head')[0]||F[e]('body')[0]).appendChild(E);E=new Image;E[r]('src',I+L);})(document,'createElement','setAttribute','getElementsByTagName','FirebugLite','4','firebug-lite.js','releases/lite/latest/skin/xp/sprite.png','https://getfirebug.com/','#startOpened');";
ie.eval(firebugLiteScript);
```

And since that works, let's add it as an extension method to the WatiN_IE_ExtensionMethods.cs file that is used by the IE automation script:

```csharp
public static class WatiN_IE_ExtensionMethods_FireBugLite
{
    public static WatiN_IE inject_FirebugLite(this WatiN_IE ie)
    {
        // bookmarklet from http://getfirebug.com/firebuglite (cut short in this copy and reproduced from that page)
        var firebugLiteScript = "(function(F,i,r,e,b,u,g,L,I,T,E){if(F.getElementById(b))return;E=F[i+'NS']&&F.documentElement.namespaceURI;E=E?F[i+'NS'](E,'script'):F[i]('script');E[r]('id',b);E[r]('src',I+g+T);E[r](b,u);(F[e]('head')[0]||F[e]('body')[0]).appendChild(E);E=new Image;E[r]('src',I+L);})(document,'createElement','setAttribute','getElementsByTagName','FirebugLite','4','firebug-lite.js','releases/lite/latest/skin/xp/sprite.png','https://getfirebug.com/','#startOpened');";
        ie.eval(firebugLiteScript);
        return ie;
    }
}
```

While we are here, let's also add jQuery directly (without the need to use the IE_JQuery.cs API):

```csharp
ie.eval("http://code.jquery.com/jquery-1.6.2.min.js".uri().getHtml());
```

or as an extension method:

```csharp
public static class WatiN_IE_ExtensionMethods_JQuery
{
    // downloads the jQuery source and evaluates it inside the automated page
    public static WatiN_IE inject_jQuery(this WatiN_IE ie)
    {
        ie.eval("http://code.jquery.com/jquery-1.6.2.min.js".uri().getHtml());
        return ie;
    }
}
```

Putting it all together, here is a script that:

opens up JPetStore
injects FirebugLite
injects jQuery
runs a jQuery command that:
    selects an `a` with the content "Enter the Store"
    changes its border to a solid 10px one
    changes its font size to 30px
    fades it out in 2000 ms
    fades it in in 2000 ms

```csharp
var topPanel  = panel.clear().add_Panel();
var ie        = topPanel.add_IE().silent(true);
var jPetStore = new API_JPetStore(ie);
jPetStore.homePage();
ie.inject_FirebugLite();
ie.inject_jQuery();
ie.eval("jQuery(\"a:contains(Enter the Store)\").css({ border: 'solid 10px', 'font-size': 30 }).fadeOut(2000).fadeIn(2000);");

//O2File:API_JPetStore.cs
//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll
```
Writing an O2 IE Automation Script for JPetStore Account Creation

Here is a video and script of the interactive process of writing an O2 IE automation script for JPetStore: http://www.youtube.com/watch?v=J4Ojqzb6qsw

This is the original script as shown in the video:

```csharp
panel.clear();
var ie = panel.add_IE().silent(true);

//ie.open("http://localhost:8080/jpetstore");
//ie.link("Enter the Store").click();
ie.open("http://localhost:8080/jpetstore/shop/newAccount.do");
ie.field("account.username").value("a user");
ie.field("account.password").value("pwd");
ie.field("repeatedPassword").value("pwd");
ie.field("account.firstName").value("first");
ie.field("account.lastName").value("name");
ie.field("account.address1").value("1");
ie.field("account.phone").value("2");
ie.field("account.city").value("3");
ie.field("account.state").value("4");
ie.field("account.zip").value("5");          // value lost from this copy; "5" assumed from the sequence
ie.field("account.country").value("6");
ie.field("account.email").value("7");
ie.button("Save Account Information").click();
//return ie.buttons();
//ie.inject_FirebugLite();
//return ie.links();

//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll
```

Which was then added to API_JPetStore.cs as a couple of createAccount() extension methods:

```csharp
// creates an account with random values for everything but username, password and first name
public static API_JPetStore createAccount(this API_JPetStore jPetStore, string username, string password)
{
    return jPetStore.createAccount(username, password, username,
                                   10.randomLetters(), 10.randomLetters(), 10.randomLetters(),
                                   10.randomLetters(), 10.randomLetters(), 10.randomLetters(),
                                   10.randomLetters(), 10.randomLetters());
}

public static API_JPetStore createAccount(this API_JPetStore jPetStore, string username, string password,
                                          string firstName, string lastName, string address1, string phone,
                                          string city, string state, string zip, string country, string email)
{
    jPetStore.open("/shop/newAccount.do");
    var ie = jPetStore.ie;
    ie.field("account.username").value(username);
    ie.field("account.password").value(password);
    ie.field("repeatedPassword").value(password);
    ie.field("account.firstName").value(firstName);
    ie.field("account.lastName").value(lastName);
    ie.field("account.address1").value(address1);
    ie.field("account.phone").value(phone);
    ie.field("account.city").value(city);
    ie.field("account.state").value(state);
    ie.field("account.zip").value(zip);
    ie.field("account.country").value(country);
    ie.field("account.email").value(email);
    ie.button("Save Account Information").click();
    return jPetStore;
}
```

So that they can be easily consumed like this:

```csharp
panel.clear();
var ie = panel.add_IE().silent(true);

var jPetStore = new API_JPetStore(ie);
jPetStore.createAccount("user12", "pwd");   // create user
jPetStore.logout();                          // logout
jPetStore.login("user12", "pwd____");        // should fail (wrong password)
jPetStore.login("user12", "pwd");            // should work

//O2File:API_JPetStore.cs
//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll
```

Here is a screenshot of the user created with the script above (note the random values).
Viewing JPetStore Hsqldb database and couple more Autobinding issues

```csharp
// (only this helper from the section's script survived in this copy: it scrolls the
//  checkout page to the cell that holds the "Total:" label)
Action scrollToTotal =
    () => {
              var tdElement = ie.elements().elements("TD").toList()
                                .Where((element) => element.innerHtml().notNull()
                                                 && element.innerHtml().contains("Total:"))
                                .first();
              tdElement.scrollIntoView();
          };
```
Finding the JSP views that are mapped to controllers in JPetStore (Spring MVC)

One of the topics discussed at yesterday's O2 WebCast was how to find the JSPs that are mapped to a controller. This is a very important piece of the puzzle, since it is one of the few ways we can try to get a feel for the size of the Spring auto-binding vulnerabilities (one of the analyses that needs to be done is the cross-check between what is on the *.jsp pages and what the Spring MVC engine will autobind into the assigned CommandClass POJO). The first place to look is the Spring config file, and here is a script that does exactly that:

```csharp
var topPanel     = panel.clear().add_Panel();
var springConfig = @"C:\O2Demos\jPetStore - O2 Demo Pack\sourceCode\war\WEB-INF\petstore-servlet.xml";

springConfig.showInCodeViewer();
//topPanel.add_SourceCodeViewer().open(springConfig);

// one row per (controller url, bean property) pair
var data = from controller in springConfig.springMvcMappings().Controllers
           from property   in controller.Properties
           select new { controler = controller.HttpRequestUrl, key = property.Key, value = property.Value };
topPanel.add_TableList().show(data);

//return springConfig.springMvcMappings().Controllers[0].Properties[0];

//using O2.XRules.Database.Languages_and_Frameworks.J2EE
//using O2.XRules.Database.APIs.IKVM
//O2File:spring-servlet-2.0.xsd.cs
//O2File:SpringMvcMappings_v2.0.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll
```

When executed, this script will open up the local petstore-servlet.xml config file and show a mapping of the bean URLs and their property values.

As the table created clearly shows, in this application (and this tends to be unique per app) we can't use the Spring config file to fully map the controllers' views (there are a couple that can be resolved using this method, but a lot of mappings are missing). A quick look at one of the controllers shows the most likely solution
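The same first pass (URL to controller bean to command class to the views the XML names) can be done outside O2. The following is an added example, not the book's O2 script and not Spring's code: a small Python parser over a Spring MVC servlet config. The XML it parses is constructed here to look like JPetStore's petstore-servlet.xml and is not the real file; the bean and class names in it are assumptions. It reports which URLs still need their views resolved from the controller's Java source, which is exactly the gap the table above shows.

```python
"""Map URL -> controller bean -> commandClass -> views named in a Spring MVC
servlet XML. Added example (not the book's or Spring's code); SAMPLE_SERVLET_XML
is constructed to resemble JPetStore's petstore-servlet.xml, not taken from it."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_SERVLET_XML = """<beans>
  <bean id="urlMapping" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    <property name="mappings">
      <props>
        <prop key="/shop/newAccount.do">accountFormController</prop>
        <prop key="/shop/newOrder.do">orderFormController</prop>
        <prop key="/shop/signoff.do">signoffController</prop>
      </props>
    </property>
  </bean>
  <bean id="accountFormController" class="org.springframework.samples.jpetstore.web.spring.AccountFormController">
    <property name="commandClass" value="org.springframework.samples.jpetstore.web.spring.AccountForm"/>
    <property name="formView" value="EditAccountForm"/>
    <property name="successView" value="index"/>
  </bean>
  <bean id="orderFormController" class="org.springframework.samples.jpetstore.web.spring.OrderFormController">
    <property name="petStore" ref="petStore"/>
  </bean>
  <bean id="signoffController" class="org.springframework.samples.jpetstore.web.spring.SignoffController"/>
</beans>
"""

# bean properties that name a view when a controller is configured in XML
VIEW_PROPERTIES = ("formView", "successView", "viewName")


@dataclass
class ControllerMapping:
    url: str
    bean_id: str
    java_class: Optional[str]
    command_class: Optional[str]
    views: Dict[str, str] = field(default_factory=dict)

    @property
    def views_resolved_from_xml(self) -> bool:
        return bool(self.views)


def _local(tag: str) -> str:
    """Strip an XML namespace ('{uri}bean' -> 'bean') so the old DTD-based and the
    newer schema-based Spring configs are handled the same way."""
    return tag.rsplit("}", 1)[-1]


def _children(element: ET.Element, name: str) -> List[ET.Element]:
    return [child for child in element if _local(child.tag) == name]


def _bean_properties(bean: ET.Element) -> Dict[str, str]:
    """name -> value/ref for the bean's <property> children (attribute or nested <value>)."""
    props: Dict[str, str] = {}
    for prop in _children(bean, "property"):
        value = prop.get("value") or prop.get("ref")
        if value is None:
            inner = _children(prop, "value")
            value = (inner[0].text or "").strip() if inner else None
        if value is not None:
            props[prop.get("name")] = value
    return props


def map_controllers(servlet_xml: str) -> List[ControllerMapping]:
    """Follow every <prop key="url">beanId</prop> of each SimpleUrlHandlerMapping to its
    controller bean and collect what the XML alone says about it. (A mappings block
    written as a 'url=bean' text <value> is not handled by this example.)"""
    root = ET.fromstring(servlet_xml)
    beans = {b.get("id"): b for b in root.iter() if _local(b.tag) == "bean" and b.get("id")}
    mappings: List[ControllerMapping] = []
    for bean in beans.values():
        if not (bean.get("class") or "").endswith("SimpleUrlHandlerMapping"):
            continue
        for prop in (e for e in bean.iter() if _local(e.tag) == "prop"):
            bean_id = (prop.text or "").strip()
            target = beans.get(bean_id)
            props = _bean_properties(target) if target is not None else {}
            mappings.append(ControllerMapping(
                url=prop.get("key"),
                bean_id=bean_id,
                java_class=target.get("class") if target is not None else None,
                command_class=props.get("commandClass"),
                views={k: v for k, v in props.items() if k in VIEW_PROPERTIES},
            ))
    return mappings


def unresolved(mappings: List[ControllerMapping]) -> List[str]:
    """URLs whose views (and so the JSP side of the autobind cross-check) must be
    read from the controller's Java source rather than from the XML."""
    return [m.url for m in mappings if not m.views_resolved_from_xml]
```

In the constructed sample only `/shop/newAccount.do` is fully described by the XML; the other two URLs come back from `unresolved()`, which is the list you would then chase into the controller classes (where JPetStore sets command class and views in code).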
7.0.16\workCatalina\localhost\jpetstore\org\apache\jspWEB002dINF\jsp\spring):
Util - Java, Jsp and Xml File Search (Example using Spring MVC JPetStore)

Here is a script that creates a regex-based file search. The user can define both the file location and the search filters. This is what it looks like when using the files from JPetStore (note: above the files, the textbox on the left is a file

Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinics vulnerabilities)

If you select a URL that uses @ModelAttribute, and go to the _Spring MVC Bindable fields for selection_ tab, you will see a graphical representation of the fields that can be bound into (and that create another variation of the Spring Framework Autobinding

the extra field pets[0].owner.id=6, which saves the current data into user #6

This app (together with JPetStore) presents good case studies on the security vulnerabilities that are easily created with the Spring autobinding capabilities. In the above example, the Edit Owner page should only allow 5 fields to be edited, while in fact it allows a VERY large number of fields to be edited.
2 September 2011

example of spring mvc controllers

Here is an example of Spring MVC controllers. Can you spot the vulnerability?
3 November 2011

Fixing one of JPetStore's AutoBinding Vulnerabilities (changing the purchase price)

Here are a number of posts that give the background to this problem and document the O2 script I'm using to test the fix:

Two Security Vulnerabilities in the Spring Framework's MVC pdf (from 2008)
O2 Script with BlackBox exploits for Spring MVC AutoBinding vulnerabilities in JPetStore
Packaged Spring MVC Security Test Apps: JPetStore and PetClinic
Current O2 support for analyzing Spring MVC
JPetStore related O2 blog posts: http://o2platform.wordpress.com/category/java/spring-mvc/jpetstore/

The vulnerability we are going to fix is the one that allows (amongst other things) the modification of the TotalPrice value of our shopping cart (which is not a good thing :) ). This vulnerability is graphically described in this video: http://www.youtube.com/watch?v=yzTExpNZ2bw and it is fundamentally created by the fact that the setTotalPrice() method is exposed in the Order class, which is exposed in the OrderForm class (which is used as the command class for the OrderFormController).

So here is the fix.

1) The first step is to create a class that can be used as the CommandClass. Trying to give it a name that made sense for what it was going to do, I called it OrderData and placed it in a package called jpetstore.domain.fromWeb (vs the original OrderForm class in the package jpetstore.domain):

```java
package org.springframework.samples.jpetstore.domain.fromWeb;

import org.springframework.samples.jpetstore.domain.Order;
import org.springframework.samples.jpetstore.web.spring.OrderForm;

public class OrderData {
    private OrderForm orderForm;

    public OrderData(OrderForm orderForm) {
        this.orderForm = orderForm;
    }

    public static OrderForm getOrderForm(Object command) {
        OrderData orderData = (OrderData) command;
        return orderData.orderForm;
    }

    //bindable values
    public OrderData getOrder() {
        return this;
    }
    // ...
}
```

This expects to receive an OrderForm object in its constructor, which it will store in a private field. The static getOrderForm() method is there to help with the casting of the object given to us by the Spring Framework.

2) In the formBackingObject method, return an OrderData object instead of an OrderForm object (which is vulnerable to the AutoBinding injection) and put the original orderForm object in the HTTP request attributes. This will allow the views to have access to the original orderForm, which they expect, and prevent us from needing to make code changes to the views (the fact that views should have access to massive domain objects is a topic for another time). The code for this step is missing from this copy.

pose is to look at the values that are submitted from the web pages, in this case:

Here is the full code of this class:

```java
package org.springframework.samples.jpetstore.domain.fromWeb;

import org.springframework.samples.jpetstore.domain.Order;
import org.springframework.samples.jpetstore.web.spring.OrderForm;

public class OrderData {
    private OrderForm orderForm;

    public OrderData(OrderForm orderForm) {
        this.orderForm = orderForm;
    }

    public static OrderForm getOrderForm(Object command) {
        OrderData orderData = (OrderData) command;
        return orderData.orderForm;
    }

    //bindable values
    // (only the signature of this setter survived in this copy; the body forwarding the
    //  value to the wrapped OrderForm is assumed from the description of the fix)
    public void setShippingAddressRequired(boolean shippingAddressRequired) {
        orderForm.setShippingAddressRequired(shippingAddressRequired);
    }
}
```
exploit variation #1
exploit variation #2
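The mechanism behind the TotalPrice bug, and why the narrow OrderData command class closes it, can be shown without a running JPetStore. The following is an added example, not the book's code and not Spring's: a small Python model of command-object autobinding. The `autobind` function is a stand-in for Spring's BeanWrapper path binding (dotted properties and `[n]` indexes following public getters and setters), the `Order`/`LineItem`/`OrderForm` classes are simplified assumptions about the JPetStore domain objects, and the tampered POST is constructed. It shows the blackbox exploit (extra `order.*` fields), the whitelist a controller could set instead (Spring's `DataBinder.setAllowedFields`), and the OrderData-style wrapper from the fix above.

```python
"""Model of Spring MVC command-object autobinding, the JPetStore TotalPrice bug
and the OrderData fix. Added example; not the book's or Spring's code. The
binder is a small stand-in for BeanWrapper path binding; the domain classes
are simplified assumptions about JPetStore's Order/LineItem/OrderForm."""
import re
from dataclasses import dataclass, field
from typing import Any, Dict, Iterable, List, Optional

# 'order.lineItems[0].unitPrice' -> ['order', 'lineItems', 0, 'unitPrice']
_TOKEN = re.compile(r"([A-Za-z_]\w*)|\[(\d+)\]")


def _path_tokens(path: str) -> List[Any]:
    return [int(idx) if idx else name for name, idx in _TOKEN.findall(path)]


def _coerce(raw: str, typ: type) -> Any:
    """String-to-property conversion; anything that is not a simple type fails
    to bind, as a real binder would report a binding error."""
    if typ is bool:
        return raw.lower() in ("true", "1", "on")
    if typ in (int, float, str):
        return typ(raw)
    raise TypeError(f"no converter for {typ.__name__}")


def autobind(target: Any, params: Dict[str, str],
             allowed: Optional[Iterable[str]] = None) -> Any:
    """Walk every request parameter path into `target` and set what it reaches,
    the way a reflective binder follows public getters/setters. Paths through
    '_private' names or missing attributes are skipped. `allowed` models the
    whitelist a controller can configure (Spring: DataBinder.setAllowedFields)."""
    allowed_set = None if allowed is None else set(allowed)
    for path, raw in params.items():
        if allowed_set is not None and path not in allowed_set:
            continue                                   # not whitelisted: dropped
        toks = _path_tokens(path)
        if not toks or any(isinstance(t, str) and t.startswith("_") for t in toks):
            continue                                   # no public accessor
        obj: Any = target
        try:
            for tok in toks[:-1]:
                obj = obj[tok] if isinstance(tok, int) else getattr(obj, tok)
            last = toks[-1]
            current = obj[last] if isinstance(last, int) else getattr(obj, last)
            value = _coerce(raw, type(current))
            if isinstance(last, int):
                obj[last] = value
            else:
                setattr(obj, last, value)
        except (AttributeError, IndexError, TypeError, ValueError):
            continue                                   # unbindable path
    return target


@dataclass
class LineItem:
    itemId: str
    quantity: int
    unitPrice: float


@dataclass
class Order:
    lineItems: List[LineItem] = field(default_factory=list)
    totalPrice: float = 0.0


@dataclass
class OrderForm:
    """The original command class: it exposes the whole Order, so every setter
    reachable from it (including Order.setTotalPrice) is bindable."""
    order: Order = field(default_factory=Order)
    shippingAddressRequired: bool = False


class OrderData:
    """The fix, modelled: a narrow command object exposing only the field the
    checkout page is meant to submit; the real OrderForm sits in a private
    field the binder cannot reach."""
    def __init__(self, form: OrderForm):
        self._form = form
        self.shippingAddressRequired = form.shippingAddressRequired

    def apply(self) -> OrderForm:
        self._form.shippingAddressRequired = self.shippingAddressRequired
        return self._form


def new_cart() -> OrderForm:
    form = OrderForm()                                 # constructed sample cart
    form.order.lineItems.append(LineItem("EST-1", 1, 16.50))
    form.order.totalPrice = 16.50
    return form


# constructed tampered POST: the legitimate field plus the extra autobound ones
TAMPERED_POST = {"shippingAddressRequired": "false",
                 "order.totalPrice": "0.01",
                 "order.lineItems[0].unitPrice": "0.01",
                 "order.lineItems[0].quantity": "99"}


def submit_vulnerable(post: Dict[str, str]) -> OrderForm:
    return autobind(new_cart(), post)                  # command class = OrderForm


def submit_whitelisted(post: Dict[str, str]) -> OrderForm:
    return autobind(new_cart(), post, allowed={"shippingAddressRequired"})


def submit_with_orderdata(post: Dict[str, str]) -> OrderForm:
    return autobind(OrderData(new_cart()), post).apply()   # command class = OrderData
```

Both fixes leave `totalPrice` at the server-computed 16.50; the whitelist is the cheaper change, the wrapper is the one that also stops new setters added to `Order` later from silently becoming bindable.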
4 May 2012

Order details

Checkout controller
5 June 2013

Using ASP.NET MVC 4.0 in TeamMentor (with simple Controller, View and master Layout)

Which (after Resharper optimization) results in two MVC dependencies (System.Web.Mvc and System.Web.WebPages).

I then added a MvcTestController.cs file with a controller class with two methods

and a view called Index.cshtml (located in the /Mvc/Views/ folder instead of the default /Views/MvcTest/ folder)

and a master view called _layout.cshtml (referenced from the Index.cshtml razor file shown above)

and that is it :)

The _layout.cshtml file is basically the AngularJS main page used by TBot, with all the ASP.NET MVC interaction happening with the @RenderBody command (shown above).

After compiling the project, here is what http://localhost:3187/MvcTest looks like (in Chrome inside Visual Studio):
6 July 2013

Can you spot the security implications/vulnerability of a small change to an ASP.NET MVC 3.0+ Model Binder?

Code to Review:

Let's say that you have an ASP.NET MVC 4.0 (or 3.0) project with this configuration (the tail of Application_Start in Global.asax.cs):

```csharp
    RegisterGlobalFilters(GlobalFilters.Filters);
    RegisterRoutes(RouteTable.Routes);
    ModelBinders.Binders.Add(typeof(Cart), new CartModelBinder());
    DependencyResolver.SetResolver(new NinjectDependencyResolver());
}
```

With the CartModelBinder (used to create instances of the Cart object) looking like this:

```csharp
// the class header and the sessionKey declaration are missing from this copy;
// they are reconstructed from the description below (DefaultModelBinder + CreateModel)
public class CartModelBinder : DefaultModelBinder
{
    private const string sessionKey = "Cart";

    protected override object CreateModel(ControllerContext controllerContext,
                                          ModelBindingContext bindingContext, Type modelType)
    {
        // get the Cart from the session
        Cart cart = (Cart)controllerContext.HttpContext.Session[sessionKey];
        // create the Cart if there wasn't one in the session data
        if (cart == null)
        {
            cart = new Cart();
            controllerContext.HttpContext.Session[sessionKey] = cart;
        }
        // return the cart
        return cart;
    }
}
```

With these Cart, CartLine and Product model classes:

```csharp
public class Cart
{
    // only the "public IEnumerable" line of this class survived in this copy; the
    // field and AddItem are reconstructed from the way the controller uses them
    private List<CartLine> lineCollection = new List<CartLine>();

    public void AddItem(Product product, int quantity)
    {
        CartLine line = lineCollection.FirstOrDefault(l => l.Product.ProductID == product.ProductID);
        if (line == null)
            lineCollection.Add(new CartLine { Product = product, Quantity = quantity });
        else
            line.Quantity += quantity;
    }

    public IEnumerable<CartLine> Lines
    {
        get { return lineCollection; }
    }
}

public class CartLine
{
    public Product Product { get; set; }
    public int Quantity { get; set; }
}

public class Product
{
    [HiddenInput(DisplayValue = false)]
    public int ProductID { get; set; }

    [Required(ErrorMessage = "Please enter a product name")]
    public string Name { get; set; }

    [DataType(DataType.MultilineText)]
    [Required(ErrorMessage = "Please enter a description")]
    public string Description { get; set; }

    [Required]
    [Range(0.01, double.MaxValue, ErrorMessage = "Please enter a positive price")]
    public decimal Price { get; set; }

    //[HiddenInput(DisplayValue = false)]
    public int CategoryID { get; set; }

    public virtual Category Category { get; set; }
}
```

And finally, with these controllers:

```csharp
public class CartController : Controller
{
    // the start of this class (repository field, constructor, AddToCart signature and
    // the product lookup) is missing from this copy and is reconstructed
    private IProductRepository repository;

    public CartController(IProductRepository repo)
    {
        repository = repo;
    }

    public RedirectToRouteResult AddToCart(Cart cart, int productId, string returnUrl)
    {
        Product product = repository.Products.FirstOrDefault(p => p.ProductID == productId);
        if (product != null)
        {
            cart.AddItem(product, 1);
        }
        return RedirectToAction("Index", new { returnUrl });
    }

    public PartialViewResult Summary(Cart cart)
    {
        return PartialView(cart);
    }

    public ViewResult Index(Cart cart, string returnUrl)
    {
        return View(new CartIndexViewModel
        {
            Cart = cart,
            ReturnUrl = returnUrl
        });
    }
}
```

Can you spot any security vulnerability(ies)?

What about if we change the CartModelBinder to use IModelBinder (and BindModel) instead of DefaultModelBinder (and CreateModel)?

```csharp
// only the closing lines of this version survived in this copy; the session lookup is
// the same as in the first version, as the text describes
public class CartModelBinder : IModelBinder
{
    private const string sessionKey = "Cart";

    public object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
    {
        Cart cart = (Cart)controllerContext.HttpContext.Session[sessionKey];
        if (cart == null)
        {
            cart = new Cart();
            controllerContext.HttpContext.Session[sessionKey] = cart;
        }
        return cart;
    }
}
```

Anything changed? (from a security point of view, since the app works OK with both versions)

Can you spot any security vulnerability with this 2nd version of the CartModelBinder?

Or are both vulnerable?

:)

Wrapping up: here is the question being asked in this post:

What are the security implications of these two variations of a CartModelBinder (which both provide the same business-logic functionality)?

Related Threads:

Security vulnerability created by ASP.NET MVC ModelBinder (SO Question)
http://www.reddit.com/r/dotnet/comments/1iiq67/can_you_spot_the_security/
http://www.reddit.com/r/netsec/comments/1iiq7j/can_you_spot_the_security/

Some references and related articles:

External:
http://msdn.microsoft.com/en-us/library/system.web.mvc.imodelbinder(v=vs.108).aspx
http://msdn.microsoft.com/en-us/library/system.web.mvc.defaultmodelbinder(v=vs.98).aspx
https://github.com/ASP-NET-MVC/aspnetwebstack/blob/master/src/System.Web.Mvc/DefaultModelBinder.cs
http://stackoverflow.com/questions/3183931/how-do-i-invoke-updatemodel-from-within-a-custom-modelbindermvc
http://stackoverflow.com/questions/3774287/asp-net-mvc-controller-updatemodel-not-updating
http://stackoverflow.com/questions/1550520/best-practices-when-implementing-imodelbinder
http://odetocode.com/blogs/scott/archive/2009/04/27/6-tips-for-asp-net-mvc-model-binding.aspx (check out tip #3)
http://lostechies.com/jimmybogard/2009/03/18/a-better-model-binder/
http://www.dalsoft.co.uk/blog/index.php/2010/05/21/mvc-model-binders/
http://lostechies.com/jimmybogard/2013/07/17/how-we-do-mvc-4-years-later/ and http://stackoverflow.com/questions/should-i-design-my-model-to-be-tightly-coupled-to-my-view (on the 1:1 ratio between view model classes and view concept)
http://www.codeproject.com/Articles/471784/Exploiting-Microsoft-MVC-vulnerabilities-using-OWA
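What separates the two binders is what happens after the cart instance is obtained. `DefaultModelBinder.BindModel` calls `CreateModel` and then binds request values into the instance it got back, whereas an `IModelBinder.BindModel` that simply returns the session cart binds nothing. The following is an added example, not the post's code and not ASP.NET MVC's: a Python stand-in in which `Cart`, `CartLine` and `Product` follow the classes quoted above, while the value provider and the binder are a simplified model of that behaviour (it is an assumption of this example that the property walk is driven by the model's public properties, with the request asked for each one, and collection elements are bound in place rather than rebuilt). The tampered POST is constructed.

```python
"""Why a CartModelBinder built on DefaultModelBinder (overriding CreateModel)
behaves differently from one implementing IModelBinder directly. Added
example, a Python stand-in for the ASP.NET MVC code in the post; the binder is
a simplified model of DefaultModelBinder.BindModel, not the real thing."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class Product:
    ProductID: int
    Name: str
    Price: float


@dataclass
class CartLine:
    Product: Product
    Quantity: int


@dataclass
class Cart:
    Lines: List[CartLine] = field(default_factory=list)

    def AddItem(self, product: Product, quantity: int) -> None:
        self.Lines.append(CartLine(product, quantity))

    def ComputeTotalValue(self) -> float:
        return sum(line.Product.Price * line.Quantity for line in self.Lines)


SESSION_KEY = "Cart"


class ValueProvider:
    """Posted form fields keyed the way MVC names them: 'Lines[0].Product.Price'."""
    def __init__(self, form: Dict[str, str]):
        self.form = form

    def get(self, key: str) -> Optional[str]:
        return self.form.get(key)


class DefaultModelBinderLike:
    """BindModel = CreateModel() + copy request values into the instance's public
    properties, recursing into nested objects and list elements. Overriding
    CreateModel changes only where the instance comes from."""
    def create_model(self, ctx: ValueProvider, model_type: type) -> Any:
        return model_type()

    def bind_model(self, ctx: ValueProvider, model_type: type) -> Any:
        model = self.create_model(ctx, model_type)
        self._bind_properties(ctx, model, prefix="")
        return model

    def _bind_properties(self, ctx: ValueProvider, model: Any, prefix: str) -> None:
        if isinstance(model, list):
            for i, element in enumerate(model):
                self._bind_properties(ctx, element, f"{prefix}[{i}]")
            return
        for name, current in vars(model).items():
            key = f"{prefix}.{name}" if prefix else name
            if isinstance(current, bool) or current is None:
                continue                                    # not modelled here
            if isinstance(current, (int, float, str)):
                raw = ctx.get(key)
                if raw is not None:                         # request wins over the existing value
                    setattr(model, name, type(current)(raw))
            else:
                self._bind_properties(ctx, current, key)


class CartModelBinderV1(DefaultModelBinderLike):
    """Variant 1 from the post: derives from DefaultModelBinder, overrides CreateModel."""
    def __init__(self, session: Dict[str, Any]):
        self.session = session

    def create_model(self, ctx: ValueProvider, model_type: type) -> Any:
        cart = self.session.get(SESSION_KEY)
        if cart is None:
            cart = Cart()
            self.session[SESSION_KEY] = cart
        return cart


class CartModelBinderV2:
    """Variant 2: implements IModelBinder.BindModel itself; nothing from the
    request is copied into the cart."""
    def __init__(self, session: Dict[str, Any]):
        self.session = session

    def bind_model(self, ctx: ValueProvider, model_type: type) -> Any:
        cart = self.session.get(SESSION_KEY)
        if cart is None:
            cart = Cart()
            self.session[SESSION_KEY] = cart
        return cart


def session_with_cart() -> Dict[str, Any]:
    session: Dict[str, Any] = {}                # constructed: one kayak already in the cart
    cart = Cart()
    cart.AddItem(Product(1, "Kayak", 275.0), 1)
    session[SESSION_KEY] = cart
    return session


# constructed tampered POST: the cart page never sends these fields
TAMPERED_POST = {"Lines[0].Product.Price": "0.5", "Lines[0].Quantity": "2"}


def checkout_total(binder: Any, form: Dict[str, str]) -> float:
    """Stand-in for an action with a `Cart cart` parameter: MVC runs the registered
    binder for that parameter and the action trusts whatever comes back."""
    cart = binder.bind_model(ValueProvider(form), Cart)
    return cart.ComputeTotalValue()
```

With the first binder the posted `Lines[0].Product.Price` lands in the session cart itself, so every later request (including checkout) sees the tampered price; with the second the cart is returned untouched and the post is ignored.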
July 2013
50
July 2013
51
. here is the page where I can see the 1st order (for the current user)
July 2013
52
July 2013
53
Since this controller asks for an orderId (which as seen above, in our current users case was 29 and 30),
where is the code that checks that the requested orderId belongs to the current user?
July 2013
54
Which makes for a nice example of an business logic vulnerability, where the request data is valid, but we are
accessing information that shouldnt be visible to the current logged in user.
The solution for this vulnerability is to Use Indirect Object References
CSRF
**
**This app is also vulnerable to CSRF (Cross Site Request Forgery)
Here is the raw HTTP Request (with only a valid session ID and Basket)
July 2013
**
at handling malformed data
55
July 2013
56
with some errors only caught on the view (due to lack of data in the model)
**
****XSS via product data**
**
Talking about the views, this app does a pretty good job of using HtmlEncode on the views, except on this page:
Which means that XSS payloads could be introduced via the product database (normally managed via other systems/websites).
**Is there more?**
Probably, and it would be interesting to find and fix them (grab the code from GitHub and have a go).
Remember that this is how developers learn about programming ASP.NET MVC, so it is important that the code samples they have access to (from reputable sources like http://www.asp.net/mvc) are rock solid and don't have MVC ModelBinding Vulnerabilities.
A quick look at the code showed numerous vulnerable controllers, and in this first (raw) PoC example, we are going to exploit the **public ActionResult Edit(int id, FormCollection formCollection, string[] selectedCourses)** method from the InstructorController.cs file.
This is what the vulnerable code looks like:
Here is the list of current Instructors (note the extra course on Scratch, added in a previous execution of the PoC):
Here is the page that is used to edit an Instructor's details (and the one we will use in the exploit):
This is actually an interesting scenario, especially since the affected controller tries to prevent injection into the Courses field :)
My next series of blog posts will explain how this works, and how it was possible to add a new course while editing an Instructor's details.
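As an added example (not the Contoso University sample and not the book's PoC), here is the shape of the `Edit` action discussed above next to a version that binds to a dedicated view model instead of the Entity Framework entity; `SchoolContext`, `InstructorEditViewModel` and the entity definitions are hypothetical stand-ins for the types the page refers to.

```csharp
// Added example: not the Contoso University sample and not the book's PoC.
// SchoolContext, InstructorEditViewModel and the entity shapes are hypothetical.
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Data.Entity;
using System.Linq;
using System.Web.Mvc;

// Persistent entities; note the navigation properties linking them together.
public class Instructor
{
    public int PersonID { get; set; }
    public string LastName { get; set; }
    public string FirstMidName { get; set; }
    public DateTime HireDate { get; set; }
    public virtual OfficeAssignment OfficeAssignment { get; set; }
    public virtual ICollection<Course> Courses { get; set; }
}
public class OfficeAssignment { public int InstructorID { get; set; } public string Location { get; set; } public virtual Instructor Instructor { get; set; } }
public class Course { public int CourseID { get; set; } public string Title { get; set; } public virtual ICollection<Instructor> Instructors { get; set; } }

// Binding target holding ONLY what the edit form may change. No navigation
// properties, so there is no object graph for the model binder to walk into.
public class InstructorEditViewModel
{
    public int PersonID { get; set; }
    [Required] public string LastName { get; set; }
    [Required] public string FirstMidName { get; set; }
    public DateTime HireDate { get; set; }
    public string OfficeLocation { get; set; }
}

public class InstructorController : Controller
{
    private readonly SchoolContext db = new SchoolContext(); // hypothetical EF context

    // RISKY SHAPE (the pattern discussed above): the tracked entity is the binding
    // target and a name whitelist is all that keeps request data away from Courses.
    // Everything reachable through the listed names is still bindable, and
    // OfficeAssignment is itself an entity with its own navigation properties.
    [HttpPost]
    public ActionResult EditEntity(int id, FormCollection formCollection, string[] selectedCourses)
    {
        Instructor instructor = db.Instructors
            .Include(i => i.OfficeAssignment).Include(i => i.Courses)
            .Single(i => i.PersonID == id);
        if (TryUpdateModel(instructor, "", new[] { "LastName", "FirstMidName", "HireDate", "OfficeAssignment" }))
        {
            db.SaveChanges();
            return RedirectToAction("Index");
        }
        return View(instructor);
    }

    // SAFER SHAPE: bind to the view model, then copy each field explicitly.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(InstructorEditViewModel form, string[] selectedCourses)
    {
        if (!ModelState.IsValid)
            return View(form);
        Instructor instructor = db.Instructors
            .Include(i => i.OfficeAssignment).Include(i => i.Courses)
            .Single(i => i.PersonID == form.PersonID);
        instructor.LastName = form.LastName;
        instructor.FirstMidName = form.FirstMidName;
        instructor.HireDate = form.HireDate;
        if (string.IsNullOrWhiteSpace(form.OfficeLocation))
            instructor.OfficeAssignment = null;
        else
        {
            if (instructor.OfficeAssignment == null)
                instructor.OfficeAssignment = new OfficeAssignment { InstructorID = instructor.PersonID };
            instructor.OfficeAssignment.Location = form.OfficeLocation;
        }
        // Courses are resolved against the database by ID: the request can only
        // pick existing courses, it cannot describe a new one.
        List<int> wanted = ParseIds(selectedCourses);
        instructor.Courses.Clear();
        foreach (Course c in db.Courses.Where(x => wanted.Contains(x.CourseID)))
            instructor.Courses.Add(c);
        db.SaveChanges();
        return RedirectToAction("Index");
    }

    // Non-numeric values are dropped instead of surfacing as a 500.
    private static List<int> ParseIds(string[] values)
    {
        var ids = new List<int>();
        int id;
        foreach (string v in values ?? new string[0])
            if (int.TryParse(v, out id)) ids.Add(id);
        return ids;
    }
}
```

The point of the safer shape is that the binder never touches a tracked entity: the only thing it can populate is a flat class of primitives, and the entity graph is updated by code that names every field it changes.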
7 October 2012
October 2012
64
When you open this tool, you will get a GUI that looks like this:
Then, if you drop a jar (or the zip of *.classes like the one you will find in the jPetClinic O2 Demo Pack.zip that you get from the Packaged Spring MVC Security Test Apps: JPetStore and PetClinc), a series of conversions will occur (Jython is used to parse the Java bytecode):
For a detailed explanation of how this module works (including the VERY important /*O2Helper:MVCAutoBindListObject: hack) take a look at this blog post: Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinics vulnerabilities)
Step 3: Open the context menu and choose the item to package the current script
It says something about how powerful this is that it took me longer to write this blog post than to package that old O2 tool :)
8 December 2012
December 2012
71
The core concept is that we need an ASP.NET MVC aware parser/tool that will then be used to mass create the rules for the SAST scanners.
The approach that I take with the O2 Platform is to do just that, and it all starts with trying to find out where the controllers are and the cases where Model-Attributes are used (i.e. autobindings).
That said, at the moment there is not a lot of support in the O2 Platform for ASP.NET MVC (especially when compared with Spring MVC). There are a couple of ASP.NET MVC mini-tools in the O2 Scripts folder that help with ASP.NET MVC controllers visualization (which I plan to document and post about), and there is the CodeProject article: Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform
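A small reflection-based pass that finds the controllers and the auto-bound (complex-type) action parameters in an ASP.NET MVC assembly, as an added C# example; this is not one of the O2 mini-tools, and `AutoBindScanner`, `AutoBindSite` and the `AccountController` sample at the bottom are constructed for the demo. It assumes a project that references System.Web.Mvc.

```csharp
// Added example, not one of O2's mini-tools: a reflection pass that lists every
// ASP.NET MVC action parameter of a complex (auto-bound) type, i.e. the places
// where DefaultModelBinder writes request data into an object graph. The
// AccountController and Account types at the bottom are constructed for the demo.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web;
using System.Web.Mvc;

public class AutoBindSite
{
    public string Controller;
    public string Action;
    public string Parameter;
    public string BoundType;
    public string[] WritableProperties;   // what the binder can set on that type
    public bool HasBindAttribute;         // [Bind(Include/Exclude)] on the parameter?
}

public static class AutoBindScanner
{
    // Types the binder fills from a single value rather than by walking properties.
    static bool IsSimple(Type t)
    {
        t = Nullable.GetUnderlyingType(t) ?? t;
        return t.IsPrimitive || t.IsEnum || t == typeof(string) || t == typeof(decimal)
            || t == typeof(DateTime) || t == typeof(Guid)
            || t == typeof(FormCollection) || t == typeof(HttpPostedFileBase);
    }

    // Arrays/lists of simple types (string[], List<int>) bind too but carry no graph.
    static bool IsSimpleCollection(Type t)
    {
        Type elem = t.IsArray ? t.GetElementType()
                  : t.IsGenericType ? t.GetGenericArguments().FirstOrDefault() : null;
        return elem != null && IsSimple(elem);
    }

    public static List<AutoBindSite> Scan(Assembly asm)
    {
        var sites = new List<AutoBindSite>();
        var controllers = asm.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract);
        foreach (Type c in controllers)
        {
            // Public instance methods returning an ActionResult are the actions.
            var actions = c.GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => !m.IsSpecialName && typeof(ActionResult).IsAssignableFrom(m.ReturnType));
            foreach (MethodInfo m in actions)
                foreach (ParameterInfo p in m.GetParameters())
                {
                    if (IsSimple(p.ParameterType) || IsSimpleCollection(p.ParameterType))
                        continue;
                    sites.Add(new AutoBindSite
                    {
                        Controller = c.Name, Action = m.Name, Parameter = p.Name,
                        BoundType = p.ParameterType.Name,
                        HasBindAttribute = p.IsDefined(typeof(BindAttribute), false),
                        WritableProperties = p.ParameterType.GetProperties()
                            .Where(pr => pr.GetSetMethod() != null)
                            .Select(pr => pr.Name).ToArray()
                    });
                }
        }
        return sites;
    }

    public static void Main()
    {
        foreach (AutoBindSite s in Scan(Assembly.GetExecutingAssembly()))
            Console.WriteLine("{0}.{1}({2} : {3}) [Bind]={4} writable=[{5}]",
                s.Controller, s.Action, s.Parameter, s.BoundType, s.HasBindAttribute,
                string.Join(", ", s.WritableProperties));
    }
}

// Constructed sample types for the demo.
public class Account { public int Id { get; set; } public string Email { get; set; } public bool IsAdmin { get; set; } }
public class AccountEditForm { public string Email { get; set; } }

public class AccountController : Controller
{
    public ActionResult Index() { return View(); }
    // flagged: the whole entity is the binding target and IsAdmin is writable
    [HttpPost] public ActionResult Save(Account account) { return RedirectToAction("Index"); }
    // flagged, but with a [Bind] whitelist on the parameter
    [HttpPost] public ActionResult Update([Bind(Include = "Email")] Account account) { return RedirectToAction("Index"); }
    // flagged with a dedicated form model: only Email is writable
    [HttpPost] public ActionResult Edit(AccountEditForm form) { return RedirectToAction("Index"); }
    // not flagged: simple parameters only
    public ActionResult Details(int id, string[] tags) { return View(); }
}
```

Run against itself the constructed controller yields three sites (`Save`, `Update`, `Edit`), and the `WritableProperties` column is the thing to review: a bound type that exposes a writable `IsAdmin` is exactly the kind of fact that the rules fed to a SAST engine should be generated from.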
For reference see the Spring Framework posts (which show what we will need to do for ASP.NET MVC):
- in this blog (posts tagged with Spring Framework)
- in the O2 Platform blog (posts tagged with Spring MVC)
Back in ASP.NET MVC land, once we have the (for example) controller mappings, they will need to be communicated to the SAST engine.
One way to do this is to mass create rules directly in the SAST engine database (like what I used to do with the OunceLabs MySql database).
Another way (if you are an AppScan Source user) is to use the newly released IBM F4F (Framework for Frameworks) technology/concept.
If you don't know what F4F is, here are some IBM resources/papers:
- F4F: Taint Analysis of Framework-based Web Applications (presentation at OOPSLA 2011)
- F4F: Taint Analysis of Framework-based Web Applications (research paper with support materials here)
- F4F Technology Helps You Analyze Applications For Security
I think F4F is a great idea and concept, since it is a way to mass create rules (and mappings) that tell the AppScan Source engine where the sources and sinks (and glue) of the app being scanned are.
But for F4F to really live up to its potential, we will need a much better understanding of how it works and how it can be used (IBM will also need to release F4F under an open licence, but that is a topic for another post).
The first step is to visualize what is already in the WAFL files (part of F4F) and how they can be created and manipulated.
There are already a couple of WAFL-related scripts in O2, but we need a lot more :)
9 January 2013
January 2013
75
and
There are no mentions in that article of the words "security" or "mass assignment", so I wonder how much awareness there is of this issue?
Does anybody have cycles to test it out?
**Is there any documentation for the OData ASP.NET Web API on this topic?** I couldn't find any references in "OData in WebAPI RC release" and "OData support in ASP.NET Web API".
Mass Assignment Vulnerability references:
- Mass assignment in Rails applications (blog.mhartl | Michael Hartl's tech blog) and Finding and fixing mass assignment problems in Rails applications (blog.mhartl | Michael Hartl's tech blog)
- #26 Hackers Love Mass Assignment (RailsCasts)
- Ruby on Rails Guides: Ruby On Rails Security Guide
- http://en.wikipedia.org/wiki/Mass_assignment_vulnerability
- 6 Ways To Avoid Mass Assignment in ASP.NET MVC
- On Rails mass-assignment, Github and the apocalypse :: Labs :: Headshift
- OWASP Heiko Weber's Ruby on Rails Security (pdf)
- Newest mass-assignment Questions - Stack Overflow
Auto-Binding Vulnerability references (another name for Mass Assignment):
- Two Security Vulnerabilities in the Spring Framework's MVC pdf (from 2008)
- Why ASP.NET MVC is insecure by design, just like Spring MVC (and why SAST can help)
- Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinics vulnerabilities)
- Solution for fixing Spring's JPetStore AutoBinding vulnerabilities
- Dinis Cruz Blog: Current O2 support for analyzing Spring MVC
- Finally here is how I have been analysing Spring MVC apps using O2
- Tool - O2 Cmd SpringMVC v1.0.exe - as standalone exe
- Starting to use the O2 Spring MVC viewer on ThreadFix
- ASP.NET MVC XSS and AutoBind Vulns in MVC Example app (from 2008)
10 September 2008
September 2008
81
11 September 2009
September 2009
83
Spring Finance > Part 2: Spring @MVC & Spring 3.0 REST integration
New stuff in Spring 3.0 & New stuff in Spring 3.0, part 2
REST in Spring 3: @MVC
Spring 3 MVC CodeMash 2009
Spring 3.0 docs: 2.5 Overview of new features , 15.3 Implementing Controllers
GWT, Spring 3.0 MVC, and REST on Google App Engine / Java - Part 1 & GWT, Spring 3.0 MVC, and
REST on Google App Engine / Java - Part 2
I find it a bit worrying that the security implications of the way Spring MVC works (for both old and new features) are NOT properly documented in these articles (for example making references to Security implications of the Spring DataBinder (note-to-self: create page with my & others' past research on this topic)).
The list below (from 15.3 Implementing Controllers) is what we need to add to the next version of the O2 Cmd Spring MVC module so that it supports Spring MVC 3.0 (in fact I need to dig out the docs about how Spring MVC 2.5 works, and start there :) )
15.3.2.3 Supported handler method arguments and return types
Handler methods that are annotated with @RequestMapping can have very flexible signatures. They may have arguments of the following types, in arbitrary order (except for validation results, which need to follow right after the corresponding command object, if desired):
- Request and/or response objects (Servlet API). Choose any specific request/response type, for example, ServletRequest / HttpServletRequest.
- Session object (Servlet API): of type HttpSession. An argument of this type enforces the presence of a corresponding session. As a consequence, such an argument is never null.
- org.springframework.web.context.request.WebRequest or org.springframework.web.context.request.Nativ. Allows for generic request parameter access as well as request/session attribute access, without ties to the native Servlet/Portlet API.
- java.util.Locale for the current request locale, determined by the most specific locale resolver available, in effect, the configured LocaleResolver in a Servlet environment.
- java.io.InputStream / java.io.Reader for access to the request's content. This value is the raw InputStream/Reader as exposed by the Servlet API.
- java.io.OutputStream / java.io.Writer for generating the response's content. This value is the raw OutputStream/Writer as exposed by the Servlet API.
- @PathVariable annotated parameters for access to URI template variables. See Section 15.3.2.1, URI Templates.
- @RequestParam annotated parameters for access to specific Servlet request parameters. Parameter values are converted to the declared method argument type. See Section 15.3.2.4, Binding request parameters to method parameters with @RequestParam.
- @RequestHeader annotated parameters for access to specific Servlet request HTTP headers. Parameter values are converted to the declared method argument type.
- @RequestBody annotated parameters for access to the request HTTP body. Parameter values are converted to the declared method argument type using HttpMessageConverters. See Section 15.3.2.5, Mapping the request body with the @RequestBody annotation.
- java.util.Map / org.springframework.ui.Model / org.springframework.ui.ModelMap for enriching the implicit model that is exposed to the web view.
- Command or form objects to bind parameters to: as bean properties or fields, with customizable type conversion, depending on @InitBinder methods and/or the HandlerAdapter configuration. See the webBindingInitializer property on AnnotationMethodHandlerAdapter. Such command objects along with their validation results will be exposed as model attributes by default, using the non-qualified command class name in property notation. For example, orderAddress for type mypackage.OrderAddress. Specify a parameter-level ModelAttribute annotation for declaring a specific model attribute name.
- org.springframework.validation.Errors / org.springframework.validation.BindingResult validation results for a preceding command or form object (the immediately preceding argument).
- org.springframework.web.bind.support.SessionStatus status handle for marking form processing as complete, which triggers the cleanup of session attributes that have been indicated by the @SessionAttributes annotation at the handler type level.
The following return types are supported for handler methods:
- A ModelAndView object, with the model implicitly enriched with command objects and the results of @ModelAttribute annotated reference data accessor methods.
- A Model object, with the view name implicitly determined through a RequestToViewNameTranslator and the model implicitly enriched with command objects and the results of @ModelAttribute annotated reference data accessor methods.
- A Map object for exposing a model, with the view name implicitly determined through a RequestToViewNameTranslator and the model implicitly enriched with command objects and the results of @ModelAttribute annotated reference data accessor methods.
- A View object, with the model implicitly determined through command objects and @ModelAttribute annotated reference data accessor methods. The handler method may also programmatically enrich the model by declaring a Model argument (see above).
- A String value that is interpreted as the view name, with the model implicitly determined through command objects and @ModelAttribute annotated reference data accessor methods. The handler method may also programmatically enrich the model by declaring a Model argument (see above).
- void if the method handles the response itself (by writing the response content directly, declaring an argument of type ServletResponse / HttpServletResponse for that purpose) or if the view name is supposed to be implicitly determined through a RequestToViewNameTranslator (not declaring a response argument in the handler method signature).
- If the method is annotated with @ResponseBody, the return type is written to the response HTTP body. The return value will be converted to the declared method argument type using HttpMessageConverters. See Section 15.3.2.6, Mapping the response body with the @ResponseBody annotation.
- Any other return type is considered as a single model attribute to be exposed to the view, using the attribute name specified through @ModelAttribute at the method level (or the default attribute name based on the return type class name). The model is implicitly enriched with command objects and the results of @ModelAttribute annotated reference data accessor methods.
This is also a part of O2 that I was waiting for, in order to be able to fully participate in the current OWASP "reach the developer" efforts. In order to reach the developers, we need to speak their language, and with these examples (and technology) I can finally communicate properly with developers and show them how their app works.
Note that the point here is not to push that everybody should be using O2 to perform this type of analysis! My objective with O2 is to show what can/should be done, and to allow others to create more native implementations of these techniques (in this case, there should be an Eclipse plug-in to do this or to consume this data). Ultimately, if we want to reach the developers we need to communicate with them using tools and techniques they are already used to.
There is still a lot to document and to map out (including other tools that merge even further the black-box and white-box worlds), so please take these scripts for a test drive, and help me to create a really powerful Spring MVC Security Analysis ToolKit that can dramatically increase the security of Spring MVC applications :)
We also need to start thinking about creating an (Open) Spring MVC Security Rule Pack which can be maintained by the community and consumed by the multiple tools/services.
Final note for the .NET crowd: ASP.NET MVC has the same problem, and although I have not looked at a big ASP.NET MVC app, I will bet that they will create the same types of vulnerabilities (so if you have access to such an app, try O2's ASP.NET MVC visualizer on it :) )
O2 Script with BlackBox exploits for Spring MVC AutoBinding vulnerabilities in JPetStore
O2 Script: Spring MVC Util View Controllers
Finding the JSP views that are mapped to controllers in JPetStore (Spring MVC)
Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinics vulnerabilities)
Visualizing the links in JPetStore (Spring MVC)
O2 Script for Spring MVC JPetStore Start Servers (start/stop apache and hsqldb)
Simple Viewer to see JSP files (example using Spring MVC SPetStore)
Util Java, Jsp and Xml File Search (Example using Spring MVC JPetStore)
JPetStore and PetClinic are demo apps which can be downloaded from here: Packaged Spring MVC Security Test Apps: JPetStore and PetClinc (includes Tomcat), or from the main Spring Framework source distribution (look in the samples folder).
For more details on the Spring MVC Autobinding Vulnerabilities see: Two Security Vulnerabilities in the Spring Framework's MVC pdf (from 2008)
I think we are exactly on the same page, and welcome to the wonderful world of Framework behaviour mapping :)
I've done this quite a lot in the past, so let's see if I can help you here.
The first thing you must do is to make sure that you have scriptable access to ALL required artifacts. Since you will need to be doing a lot of automagical glueing, you have to make sure that you can programmatically access the data you need.
From what I understand you already have the traces for the controllers and the views. So what about the config files? Is everything in those config files, or will you also need to parse the java/class files for more metadata? Btw, this is J2EE, right?
The next thing you need to do is to figure out the exact formula that maps the controllers to the views. And before you go any further you need to have a visualization of this (which can be as simple as a treeview, or as complex as a full-blown graph model (which you can also do with O2 :) ).
After that, you will need to look at your sinks and sources and see if they are easy to match (this has to be done after you have matched the controllers with the views, or you will get a huge amount of mappings, most of which will never happen in the real world). One of the beauties of the IO2Finding and O2Trace format is that I was able to join traces by simply doing string matches (there are even helper methods to do that).
The idea/concept for joining traces is that you rewrite the Sinks and Sources so that they match:
For example, if you had a Controller Sink with
setAttribute(A_KEY, {taint value})
and a **View Source** with
getAttribute(A_Key)
Then I would rewrite them (in memory or on disk (if there is a large number of findings)) as:
Controller Sink -> getset_Attribute_A_KEY()
**View Source** -> getset_Attribute_A_KEY()
and then just:
- do a direct string Sink-to-Source match,
- glue them with a one-to-many traces/finding generation mode (i.e. you will need to create a new trace for each unique Sink-to-Source mapping),
- look at the created findings (and finally you will be able to gain a better picture of what is going on)
This actually works very well, and scales spectacularly.
I have used this on lots of different glue locations: Session/Global Variables, Interfaces, Database layers, Controllers->Views, Reflection, Aspect PointCuts, Validation routines, etc.
A good way forward is probably if we work together on doing this for Spring MVC's JPetStore, since I've already started this process and it is a great case study. See the posts at http://o2platform.wordpress.com/category/java/springmvc/jpetstore/ , and my next step on this JPetStore security analysis is exactly to create a mapping for the JSPs (check out this post which talks about that: Finding the JSP views that are mapped to controllers in JPetStore (Spring MVC) )
Does this make sense?
Dinis Cruz
(end-of-email)
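The sink/source rewriting and one-to-many join that the e-mail above describes, as an added C# example (C# being what O2 itself is written in); it does not use O2's IO2Finding/O2Trace types, and `Trace`, `Step`, `GlueKey` and `Join` are hypothetical names, with the sample traces constructed for the demo.

```csharp
// Added example: a minimal re-implementation of the rewrite-then-join idea from
// the e-mail. Trace, Step, GlueKey and Join are hypothetical names; this is not
// O2's IO2Finding/O2Trace code. The traces in Main are constructed for the demo.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public enum StepKind { Source, Sink }

public class Step
{
    public StepKind Kind;
    public string Method;    // e.g. setAttribute("A_KEY", tainted)
}

// A trace is a linear path that starts at a source and ends at a sink.
public class Trace
{
    public string Name;
    public List<Step> Steps = new List<Step>();
    public Step Source { get { return Steps.First(); } }
    public Step Sink { get { return Steps.Last(); } }
}

public static class TraceJoiner
{
    // The two halves of the glue: setAttribute("KEY", ...) on the controller side,
    // getAttribute("KEY") on the view side.
    static readonly Regex Set = new Regex(@"setAttribute\(\s*""([^""]+)""");
    static readonly Regex Get = new Regex(@"getAttribute\(\s*""([^""]+)""");

    // Rewrite a step into its canonical glue key. Both sides collapse to the same
    // string, so the join becomes a plain string comparison. Keys are upper-cased
    // because the e-mail's own example differs in case (A_KEY vs A_Key).
    public static string GlueKey(Step s)
    {
        Match m = s.Kind == StepKind.Sink ? Set.Match(s.Method) : Get.Match(s.Method);
        return m.Success ? "getset_Attribute_" + m.Groups[1].Value.ToUpperInvariant() + "()" : null;
    }

    // One-to-many join: every controller trace whose sink key equals a view trace's
    // source key yields a NEW trace made of both paths concatenated.
    public static List<Trace> Join(IEnumerable<Trace> controllerTraces, IEnumerable<Trace> viewTraces)
    {
        var bySourceKey = viewTraces
            .Select(t => new { Key = GlueKey(t.Source), Trace = t })
            .Where(x => x.Key != null)
            .ToLookup(x => x.Key, x => x.Trace);

        var joined = new List<Trace>();
        foreach (Trace c in controllerTraces)
        {
            string key = GlueKey(c.Sink);
            if (key == null) continue;                // not a glue sink, nothing to join
            foreach (Trace v in bySourceKey[key])     // empty when no view reads the key
            {
                var t = new Trace { Name = c.Name + " -> " + v.Name };
                t.Steps.AddRange(c.Steps);
                t.Steps.AddRange(v.Steps);
                joined.Add(t);
            }
        }
        return joined;
    }

    static Trace MakeTrace(string name, string source, string sink)
    {
        var t = new Trace { Name = name };
        t.Steps.Add(new Step { Kind = StepKind.Source, Method = source });
        t.Steps.Add(new Step { Kind = StepKind.Sink, Method = sink });
        return t;
    }

    public static void Main()
    {
        // Constructed sample traces (not real findings).
        var ctrl = new[] {
            MakeTrace("ctrl:search param", "request.getParameter(\"q\")", "setAttribute(\"A_KEY\", q)"),
            MakeTrace("ctrl:other", "request.getParameter(\"x\")", "setAttribute(\"OTHER\", x)") };
        var views = new[] {
            MakeTrace("view:list.jsp", "getAttribute(\"A_Key\")", "out.println(value)"),
            MakeTrace("view:detail.jsp", "getAttribute(\"a_key\")", "out.println(value)"),
            MakeTrace("view:unrelated.jsp", "getAttribute(\"NOPE\")", "out.println(value)") };

        foreach (Trace t in Join(ctrl, views))
            Console.WriteLine(t.Name + ": " + string.Join(" => ", t.Steps.Select(s => s.Method)));
    }
}
```

With the constructed input the join produces two traces (the A_KEY controller sink matched to list.jsp and to detail.jsp) and nothing for OTHER or NOPE, which is the one-to-many generation mode the e-mail asks for; matching controllers to views first, as the e-mail says, is what keeps this from exploding into every-sink-times-every-source.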
12 October 2011
October 2011
95
- then I continue these mappings into the inner workings of the application in order to identify its hyper jumps (reflection, AOP, setters/getters, hash-objects-used-to-carry-data, web services, data/storage layers, other abstraction layers, etc.) and data-changing steps like validation or object casting.
- then I map out the connection between the controllers and the views (which is very important because we can't assume that there will be a path into all views from all controllers)
- then... (next actions depend on how the app is designed and what other APIs or Frameworks are used)
When I'm doing these steps, I (using O2) tend to do three things:
- Create mini tools that visualize what is going on (for example url mappings to controllers, or the complete command classes objects)
- Create Browser-Automation APIs that represent the expected behaviour of the target application (how to login, how to perform action XYZ, how to invoke a Web Service, etc.)
- Mass create rules for the tools available (for example I used to create 1000s of Ounce rules so that I would get the most out of its engine by getting it to create as many taint-flow traces as possible)
So yes, I'm coding all the time.
The only difference between engagements is that I'm able to build on the technology developed on the previous engagements.
Again using Spring MVC as an example:
- First time I saw Spring MVC, I had a script that did a dirty read of the XML files and extracted some metadata (with a lot of manual mappings)
- On the next engagement I was able to add support for Java bytecode analysis and analyse the Spring MVC attributes (used to mass create Ounce rules)
- On the next engagement, I was able to start visualizing the Command Classes and created a generic API for Spring MVC (with specific classes/objects to store Spring MVC metadata in a way that made sense to us (security consultants))
- On the next engagement, I added a number of really powerful GUIs, improved the CommandClass resolution calculations and did a bunch of mappings between controllers and views
- On the next engagement, I already had most of the core Spring MVC behaviour scripts in place, so I mainly focused on what was specific about the application being analyzed
As you can see, although there is always some level of customization, its amount (and the skill level required) is reduced on each iteration (and this is how we will scale this type of analysis).
So to play this game (and to be able to do this type of analysis), this is what is needed from the tools used (in this case SAST):
- Ability to write scripts that directly control how the tool works
- Ideally most of the tool's analysis capabilities are written in dynamically compiled scripts so that it is possible to modify/adjust them to the current reality (created by the application being analysed)
- Ability to have direct access to the tool's internal capabilities via exposed APIs
- Ability to start and stop each analysis phase (with each phase providing a modifiable dump of its internal representations and analysis so far)
- Ability to consume, feed and correlate data from all sorts of sources: file system, config files, black-box scans, fuzzers, real-time instrumentation, security consultant's brain
- Ability to mass create/manipulate rules
- Ability to write rules as scripts AND in a fast-prototyping language like C#, Java, Python, Ruby or Javascript (i.e. not in C/C++ or XML)
- Ability to easily process, filter and visualize in real-time thousands if not millions of findings (created by the large number of rules applied)
- Ability to create rules that analyse the thousands if not millions of findings created (i.e. create findings from findings)
  - this is the ability to perform multi-phase analysis, each using different rules/techniques and targeted at different types of vulnerabilities (for example SQL Injection vs Direct Object References)
- Ability to visualize the data that was created (in its multiple stages of maturity) so that a security consultant (and/or app developer) can help to connect the dots (with more scripts or config settings)
- Ability to add business logic analysis to the findings discovered (for example when taking Authorization and Authentication activities into account, a direct SQL execution or file upload security vulnerability finding in an admin panel might actually be a feature)
- Ability to re-package the final findings into the SDL tools currently used by the client (bug tracking, collaboration, IDEs), in a way that makes sense to the client (i.e. using their terminology and workflows) and is immediately consumed
- Ability to package all analysis (and rules, workflows, scripts, etc.) into a single execution point (i.e. an *.exe). This is the big button that can be inserted into the Build process
- Ability to execute individually the complete analysis required to confirm (and ideally to exploit) a particular issue. This is the small button that can check if ONE issue has been fixed
And here you can see why the SAST tools really struggle with frameworks: they don't want to play this game. Ironically the end result is the same (a big button to press and get solid results); the only difference is how to get there.
My personal view (backed by real-world experience) is that this is the only way that _good enough_ framework support can be added to a SAST tool in a way that it will actually be usable by developers.
Note that I said _good enough_, because usually the comment I receive when explaining that we need to do this is: **"...well, but only you (Dinis) wants this, and what we (tool vendor XYZ) want to do is to provide Good Enough support"**.
Unfortunately for the tool vendors, I'm not asking them to create a tool that would only add value to a small number of expert security consultants. I'm describing what they will need to do in order to add good enough support for frameworks to their tools. Only then can security consultants and app developers customize those tools and deploy them to a wide audience (finally being able to have decent support for the frameworks used and the target apps). The cases where there is no need to customize the engine (or rules) should be seen as free passes (i.e. easy sales).
The bottom line is that, if the path chosen by the tool vendors really worked, then today (Oct 2011) we should have much better Framework support in our tools. The reality is that we don't even have decent support in our current SAST tools for vanilla Java or .NET language behaviours (for example: reflection, collections, arrays, base-class behaviour). And part of the reason for the current struggle with Java or .NET is that their core libraries are in themselves a Framework :)
The good news is that I have shown with O2 how my proposed model can work in the real world. It was done on top of an Open Source platform (O2), and it is out there for others to learn from and copy.
Unfortunately, I am one of the few O2 users that can really do this, so the next step is to find a way to scale O2's techniques/usability and help SAST (and other) tools to develop/expose similar technology and workflows.
Finally, the other reason why the tool vendors are not doing this is because there is very little public (i.e. on the record) customer demand for this! Those nasty NDAs have a powerful side-effect on buyers (and end users), who won't publicly say what they really think.
So in some ways, it is not 100% the vendors' fault. They tend to react to their paying customers' needs, who (since they can't say "the tool doesn't really work in my environment") tend to ask for things like: "You need to be able to scan XYZ millions of lines of code", "You need to have support for Oracle databases", "You need to have a report for PCI XYZ", "You need to support language XYZ", etc.
Add to this the fact that SAST vendors:
- don't see the security consulting companies (who would ask for the capabilities described above) as their partners (i.e. they try to get as much money from them as possible),
- want to control all/most of the technology that they consume/create,
- don't have enough paying customers that put them on the ropes and demand that their tools really work,
- still believe (or want to believe) that their tools actually work,
- don't have to deal with the side-effects of applications scanned by their product getting exploited by malicious attackers (i.e. getting sued by their clients or by the attackers' victims),
and you have a world where the SAST vendors don't have a direct incentive to go down this path.
Note that some paying customers DO get some value from the current SAST tools (the ones that don't have SAST tools as shelfware). And since there are no popular alternatives (O2's market share is still very small :) ), these customers are resigned to the current status quo (the others are trying to ignore the fact that they spent a pile of money on a tool that they have not found a way to make work in their environment, or are trying to hire a consulting company to make it work).
The tragedy is that SAST's market could be enormous!!!
Just imagine that we were able to use SAST tools in a way that they were really able to map/visualize/analyze an entire code/data flow, and create solid, defensible and comprehensive results (with very low False Positives and False Negatives).
Don't you think the developers (and managers, architects, buyers, consumer groups, government agencies, etc.) would be ALL over it?
This is what I aim to say in my "Making Security Invisible by Becoming the Developers' Best Friends" presentation. If only we could be the developers' best friends by showing them how their app actually works and what the side effects of their code are :)
13 April 2012
April 2012
103
This will start Tomcat and, more importantly, extract the threadfix.war file into the webapps folder, where I zipped the classes folder:
The first time there is source code to be opened in the document viewer area, you will be asked to resolve the files, which in this case points to here:
Interestingly there is quite a lot of meat here. For example, if you look for the ModelAttribute mappings there are quite a lot of cases where they use this dangerous coding technique:
With some of the model classes looking quite big, there could be a number of Spring MVC autobinding issues here: