Spring MVC has a neat feature called autobinding. Used incorrectly, it can introduce "invisible" vulnerabilities, sometimes with serious impact. We look at a couple of examples and dig into the details of how autobinding bugs arise. Writeup [ENG]: http://agrrrdog.blogspot.ru/2017/03/autobinding-vulns-and-spring-mvc.html
5. Autobinding vuln
Defcon Russia (DCG #7812) 5
https://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf
7. More magic with annotations
@ModelAttribute on a method argument
"An @ModelAttribute on a method argument indicates the argument should be retrieved from the model" ...
http://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/mvc.html
8. More magic with annotations
@ModelAttribute on a method
"An @ModelAttribute on a method indicates the purpose of that method is to add one or more model attributes. @ModelAttribute methods in a controller are invoked before @RequestMapping methods"
http://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/mvc.html#mvc-ann-modelattrib-method-args
9. More magic with annotations
@SessionAttributes on a controller
"The type-level @SessionAttributes annotation declares session attributes used by a specific handler. This will typically list the names of model attributes or types of model attributes which should be transparently stored in the session"
10. More magic with redirects
FlashAttribute
"Flash attributes provide a way for one request to store attributes intended for use in another."
http://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/mvc.html
11. More magic with annotations
@ModelAttribute on a method argument
"An @ModelAttribute on a method argument indicates the argument should be retrieved from the model. If not present in the model, the argument should be instantiated first and then added to the model. Once present in the model, the argument's fields should be populated from all request parameters that have matching names."
This is a wrong (dangerous) way to get a value from the model, because the order is: first retrieve the object from the model, then autobind it. Any request parameter whose name matches a field overwrites that field of the already-stored object.
12. Ex 2. The First School of Bulimia
16. Populating
Before, in Model:
"user" = { username = "Vasia", pass = "P@ssw0rd", weight = 100 }
Autobinding (request parameters with matching names are bound onto the model object):
After, in Model:
"user" = { username = "lalallalala", pass = "P@ssw0rd", weight = 100 }
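The behaviour described on slides 11 and 16, as an added example that is not part of the original talk: a minimal Spring MVC 3.x controller whose session-stored "user" is autobound from every matching request parameter, next to an @InitBinder mitigation that limits binding to the one intended field. ProfileController, User and the /profile/weight mapping are hypothetical names.

```java
// Added example, not code from the original slides. Hypothetical controller
// that reproduces the retrieve-then-autobind problem and one way to contain it.
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.SessionAttributes;

@Controller
@SessionAttributes("user")   // "user" is transparently stored in the HTTP session
public class ProfileController {

    // Hypothetical domain object; Spring populates it through the setters.
    public static class User {
        private String username;
        private String pass;
        private int weight;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public String getPass() { return pass; }
        public void setPass(String pass) { this.pass = pass; }
        public int getWeight() { return weight; }
        public void setWeight(int weight) { this.weight = weight; }
    }

    // VULNERABLE as written on its own: the argument is first retrieved from the
    // model (here: the session) and then autobound from ALL request parameters
    // with matching names. The form only intends to change "weight", but a
    // request carrying "username=lalallalala" also rewrites the stored username,
    // exactly as on the "Populating" slide. Without the @InitBinder below,
    // "pass" is reachable the same way.
    @RequestMapping("/profile/weight")
    public String updateWeight(@ModelAttribute("user") User user) {
        return "profile";
    }

    // MITIGATION: restrict which fields the binder may populate for the "user"
    // attribute in this controller. Only "weight" is bound; "username" and
    // "pass" are ignored even when present in the request.
    @InitBinder("user")
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("weight");
    }
}
```

An alternative with the same effect is to bind the request to a dedicated form object and copy only the intended fields onto the session-stored entity.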
23. Blackbox testing
• Errors
• Collect all parameter names
  - Use them for all entry points
  - Check the difference in responses
• Strange names, arrays, hashmaps
24. Q&A
https://twitter.com/antyurin
https://github.com/grrrdog