2. • Security researcher, bug hunter
• Application security engineer at Odin [ Ingram Micro Cloud ]
• @0ang3el
• http://0ang3el.blogspot.com
• http://www.slideshare.net/0ang3el
About me
3. • Java API for creating RESTful web services
• Part of Java EE since Java EE 6
• JAX-RS 2.0 [ https://jcp.org/aboutJava/communityprocess/final/jsr339/index.html ]
• RESTEasy [ Red Hat ] , Jersey [ Oracle ]
What is JAX-RS?
4. • RESTful web services are based on REST architectural style
• Some features
• Resource identification through URI
• Uniform interface
• Self-descriptive messages
• Stateful interactions through hyperlinks
What are RESTful web services?
5. Simple RESTful web service built w/ JAX-RS
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;

// Resource class, mapped to the relative URI "helloworld"
@Path("helloworld")
public class HelloWorldResource {
    public static final String CLICHED_MESSAGE = "Hello World!";

    // Resource method for HTTP GET; the returned entity is sent as text/plain
    @GET
    @Produces("text/plain")
    public String getHello() {
        return CLICHED_MESSAGE;
    }
}
8. • @QueryParam example
• Entity parameter example
Passing parameters to resource method
import javax.ws.rs.GET;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;

// Query parameter: the value of ?id=... is injected as a String
@GET
@Path("/order")
public String getOrder(@QueryParam("id") String id) {
    ...
}

// Entity parameter: the request body is unmarshalled into an Order object by an
// entity provider; with no @Consumes the provider is chosen from the Content-Type header
@Path("/order")
@PUT
public void putOrder(Order order) {
    ...
}
9. • Unmarshalling – the process of converting the message body into the Java
object that is passed as the entity parameter of the resource method
• Entity providers are used for marshalling/unmarshalling
Entity parameters
10. • Entity providers – special Java classes
• Annotated with @Provider
• Implement javax.ws.rs.ext.MessageBodyReader [ isReadable(), readFrom() ]
• Entity provider is selected based on
• Content type specified with @Consumes annotation
• Content-Type HTTP header in request
• Java Class of entity parameter
• There are interesting built-in entity providers
Entity providers
11. • Jersey scans WEB-INF/lib for entity providers
• RESTEasy by default also scans WEB-INF/lib for entity providers; the
resteasy.scan.providers parameter does not work
[ https://issues.jboss.org/browse/RESTEASY-1504 ]
Automated scanning for entity providers
12. • The attacker selects an entity provider that the developer never intended for
unmarshalling the entity parameter, by manipulating the Content-Type header of the
HTTP request
Entity provider selection confusion attack
13. • Occurs when a resource or resource method does not specify the accepted
content type via the @Consumes annotation
• Or specifies it too permissively
• */*
• application/*
• And in some cases when content type is
• multipart/*
• multipart/form-data
• etc
Entity provider selection confusion attack
14. • Impact of attack
• RCE
• DoS
• CSRF
• XXE
• etc
Entity provider selection confusion attack
15. • RESTEasy by default has the SerializableProvider entity provider
• Vulnerable resource method doConcat()
Attack for RESTEasy [ CVE-2016-7050 ]
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

// No @Consumes: the reader is picked purely from the request's Content-Type, so
// Content-Type: application/x-java-serialized-object routes the body to SerializableProvider
@POST
@Path("/concat")
@Produces(MediaType.APPLICATION_JSON)
public Map doConcat(Pair pair) {
    HashMap result = new HashMap();
    result.put("Result", pair.getP1() + pair.getP2());
    return result;
}

// Pair is Serializable, which is all SerializableProvider.isReadable() requires of the type
public class Pair implements Serializable {
    ...
}
16. • isReadable() method of SerializableProvider
• SerializableProvider is used when Content-Type is
application/x-java-serialized-object and the Java class of the entity parameter is
serializable
Attack for RESTEasy [ CVE-2016-7050 ]
// Any Serializable parameter type plus the matching media type is enough; nothing
// checks that the stream actually contains an instance of that type
public boolean isReadable(Class type, Type genericType, Annotation[] annotations,
                          MediaType mediaType) {
    return (Serializable.class.isAssignableFrom(type)) &&
           (APPLICATION_SERIALIZABLE_TYPE.getType().equals(mediaType.getType())) &&
           (APPLICATION_SERIALIZABLE_TYPE.getSubtype().equals(mediaType.getSubtype()));
}
17. • readFrom() method of SerializableProvider
Attack for RESTEasy [ CVE-2016-7050 ]
public Serializable readFrom(Class type, Type genericType, Annotation[] annotations,
                             MediaType mediaType, MultivaluedMap httpHeaders,
                             InputStream entityStream)
        throws IOException, WebApplicationException {
    BufferedInputStream bis = new BufferedInputStream(entityStream);
    // Plain ObjectInputStream with no class filtering: readObject() instantiates
    // whatever classes the attacker-controlled stream names before any cast happens
    ObjectInputStream ois = new ObjectInputStream(bis);
    try {
        return (Serializable) Serializable.class.cast(ois.readObject());
    } catch (ClassNotFoundException e) {
        throw new WebApplicationException(e);
    }
}
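The request that drives the selection confusion described on slides 12 to 17, as an added example (not from the original slides or from RESTEasy): a small Java 11+ client that serializes a harmless object and POSTs it with Content-Type application/x-java-serialized-object. The target URL is a placeholder. The server-side cast to Pair fails after deserialization, but isReadable() only looks at the parameter type and media type, so readFrom() has already run ObjectInputStream.readObject() on the attacker-controlled stream. A 415 Unsupported Media Type means no reader accepted the body; any other status means the body reached a reader.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.ArrayList;

// Added example: probe for entity provider selection confusion via Java serialization.
public class SerializedObjectProbe {

    static final String SERIALIZED_TYPE = "application/x-java-serialized-object";

    // Build a Java serialization stream (magic AC ED 00 05) of a harmless object.
    // The object is deliberately not a Pair: the point is that any Serializable
    // object is deserialized by SerializableProvider before the cast to Pair can fail.
    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // POST the stream with the media type that selects SerializableProvider and
    // return the HTTP status code.
    static int probe(String endpoint) throws IOException, InterruptedException {
        ArrayList<String> harmless = new ArrayList<>();
        harmless.add("marker");
        byte[] body = serialize(harmless);

        HttpRequest request = HttpRequest.newBuilder(URI.create(endpoint))
                .header("Content-Type", SERIALIZED_TYPE)   // drives provider selection
                .POST(HttpRequest.BodyPublishers.ofByteArray(body))
                .build();
        HttpResponse<String> response = HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.ofString());
        return response.statusCode();
    }

    public static void main(String[] args) throws Exception {
        // Assumed deployment path of the vulnerable doConcat() resource method
        String endpoint = args.length > 0 ? args[0] : "http://localhost:8080/app/concat";
        int status = probe(endpoint);
        if (status == 415) {
            System.out.println("HTTP 415: no entity provider accepted the body (endpoint constrained)");
        } else {
            System.out.println("HTTP " + status + ": body was handed to an entity provider");
        }
    }
}
```

Run it against a test deployment only. A harmless ArrayList is used on purpose: the probe establishes that the serialized stream is consumed by ObjectInputStream, which is the precondition for the deserialization impact listed on slide 14, without sending any gadget chain.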
20. • Jersey has the jersey-media-kryo entity provider [ optional media module ]
• Vulnerable resource method doShowSize()
Attack for Jersey
// No @Consumes: a request whose Content-Type selects the Kryo reader gets its body
// deserialized by Kryo into the ArrayList parameter
@POST
@Path("/size")
@Produces(MediaType.APPLICATION_JSON)
public Map<String, String> doShowSize(ArrayList<Pair> pairs) {
    HashMap<String, String> result = new HashMap<String, String>();
    result.put("Count", String.valueOf(pairs.size()));
    return result;
}
21. • DoS payload - https://gist.github.com/coekie/a27cc406fc9f3dc7a70d
Attack for Jersey
23. • Narrow the possible content types for a resource or resource method using the
@Consumes annotation
• Use multipart/*, multipart/form-data, etc. content types with caution
• Java deserialization bugs exist not only in RMI/JMX/JMS
Takeaways
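The first takeaway applied to the doConcat() example from slide 15, as an added example (not code from the original slides, RESTEasy or Jersey). It assumes a JAX-RS 2.0 runtime with a JSON entity provider registered, as both RESTEasy and Jersey provide through their JSON modules. The class-level @Consumes sets the accepted media type for every resource method, so a request with Content-Type application/x-java-serialized-object is rejected with 415 by the runtime before any MessageBodyReader is consulted. As a second layer, the entity bean is no longer Serializable, which makes SerializableProvider.isReadable() false for it even if another method in the deployment is left without @Consumes.

```java
import java.util.HashMap;
import java.util.Map;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

// Added example: hardened form of the doConcat() resource.
@Path("/concat")
@Consumes(MediaType.APPLICATION_JSON)   // applies to every method in this class
@Produces(MediaType.APPLICATION_JSON)
public class ConcatResource {

    // Plain bean for the JSON reader. Deliberately NOT Serializable: the
    // Serializable.class.isAssignableFrom(type) check in SerializableProvider
    // fails for it, so that provider can never be selected for this parameter.
    public static class Pair {
        private String p1;
        private String p2;

        public String getP1() { return p1; }
        public void setP1(String p1) { this.p1 = p1; }
        public String getP2() { return p2; }
        public void setP2(String p2) { this.p2 = p2; }
    }

    // Only application/json bodies reach this method; any other Content-Type
    // (application/x-java-serialized-object, application/x-kryo, multipart/*)
    // is answered with 415 Unsupported Media Type by the JAX-RS runtime.
    @POST
    public Map<String, String> doConcat(Pair pair) {
        Map<String, String> result = new HashMap<>();
        result.put("Result", pair.getP1() + pair.getP2());
        return result;
    }

    // A method may narrow the class-level type further, but it should never widen
    // it back to */* or application/*, which is the permissive case from slide 13.
    @POST
    @Path("/strict")
    @Consumes("application/vnd.example.pair+json")   // assumed vendor media type
    public Map<String, String> doConcatStrict(Pair pair) {
        return doConcat(pair);
    }
}
```

The same @Consumes fix applies unchanged to the Jersey doShowSize() example, since the annotation is part of the JAX-RS API rather than of either implementation.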