OWASP O2 Platform Blog

Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic’s vulnerabilities)

If you are reviewing a Spring MVC application that uses Java annotations to define the controllers' behaviour, you can use an older version of O2 (packaged separately) which was published a couple of years ago but is still quite effective in its capabilities.

You can get the installer from here or just execute the following script to download it and start the installation process:

    // O2 script: download the MSI installer with O2's .uri().download() helper, which returns the local file path
    var path = "http://s3.amazonaws.com/O2_Downloads/O2_Cmd_SpringMvc.msi".uri().download();
    // launch the downloaded installer
    path.startProcess();

Once it is installed, you will have a shortcut on your desktop called O2_Cmd_SpringMvc.exe which, when executed, looks like this:

For the rest of this demo I'm going to use the PetClinic Spring MVC demo app, which you can download from SpringSource or from the O2 Demo Pack that I published (see Packaged Spring MVC Security Test Apps: JPetStore and PetClinic).

Unzip the files to the C:\O2\Demos folder.

Then drag and drop the petclinic.classes.zip file into the big red box (top left) of the O2 Spring MVC module, which will trigger the conversion process:

Once the conversion is finished, you will see the Spring MVC mappings and their source code locations:

If you select a URL that uses @ModelAttribute and go to the Spring MVC Bindable fields for selection tab, you will see a graphical representation of the fields that can be bound into (and that create another variation of the Spring Framework autobinding vulnerabilities).

Note that in order for the O2 engine to find some of these mappings, there are a couple of cases where an extra comment needs to be added to the affected classes, telling O2 which element type a List getter exposes to the binder.

For example, in the Owner.java class:

    public List<Pet> getPets() {
        /*O2Helper:MVCAutoBindListObject:org.springframework.samples.petclinic.Pet*/
        // ... original method body unchanged ...
    }

This O2 tool also has a BlackBox analysis module, which allows the mappings created above to be used to drive and test the website dynamically.

For example, here is how to bypass the setDisallowedFields protection that is included in the controller for /editOwner.do:

    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        // Blocks only the property path "id" exactly as written; nested paths that
        // end in id (for example pets[0].owner.id) are not matched by this pattern.
        dataBinder.setDisallowedFields(new String[] {"id"});
    }

Note the extra field pets[0].owner.id=6, which saves the submitted data into user #6: the disallowed pattern "id" is compared against the full property path, so a nested path that reaches the same Owner object through its pets is not blocked.

This app (together with JPetStore) presents good case studies of the security vulnerabilities that are easily created with Spring's autobinding capabilities. In the above example, the Edit Owner page should only allow 5 fields to be edited, while in fact it allows a VERY large number of fields to be edited.

In fact, in this case there are infinitely many possibilities, since the Owner class has a getPets method which returns a list of Pet objects, each Pet has a getOwner method which returns an Owner, that Owner has a getPets method, and so on.
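The bypass shown above for /editOwner.do, and the Owner-to-pets-to-owner property chain just described, reduced to a stand-alone Java program. This is an added example, not code from the O2 project or from PetClinic: it drives Spring's DataBinder directly (the same binder a controller's @InitBinder configures) against a cut-down Owner/Pet model that is assumed to mirror PetClinic's bidirectional owner/pet link, with a constructed request map; the five allowed field names are assumed to be the ones the Edit Owner form legitimately edits.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

// Assumption: a simplified stand-in for PetClinic's domain classes. The one property that
// matters is Pet.owner, which points back at the Owner holding the pet, so the path
// "pets[0].owner" resolves to the very Owner instance the form is editing.
public class AutobindDemo {

    public static class Owner {
        private Integer id;
        private String firstName, lastName, address, city, telephone;
        private List<Pet> pets = new ArrayList<Pet>();
        public Integer getId() { return id; }
        public void setId(Integer id) { this.id = id; }
        public String getFirstName() { return firstName; }
        public void setFirstName(String v) { firstName = v; }
        public String getLastName() { return lastName; }
        public void setLastName(String v) { lastName = v; }
        public String getAddress() { return address; }
        public void setAddress(String v) { address = v; }
        public String getCity() { return city; }
        public void setCity(String v) { city = v; }
        public String getTelephone() { return telephone; }
        public void setTelephone(String v) { telephone = v; }
        public List<Pet> getPets() { return pets; }
        public void setPets(List<Pet> v) { pets = v; }
    }

    public static class Pet {
        private Integer id;
        private String name;
        private Owner owner;
        public Integer getId() { return id; }
        public void setId(Integer id) { this.id = id; }
        public String getName() { return name; }
        public void setName(String v) { name = v; }
        public Owner getOwner() { return owner; }
        public void setOwner(Owner v) { owner = v; }
    }

    // Stands in for the @ModelAttribute method that loads the owner being edited
    // (constructed data: owner #1 with one pet) before the form values are bound onto it.
    public static Owner loadOwner() {
        Owner owner = new Owner();
        owner.setId(1);
        owner.setFirstName("George");
        owner.setLastName("Franklin");
        Pet pet = new Pet();
        pet.setId(7);
        pet.setName("Leo");
        pet.setOwner(owner);
        owner.getPets().add(pet);
        return owner;
    }

    // Same protection as the PetClinic controller: only the property path "id" is blocked.
    public static Owner bindWithDisallowedId(Owner target, Map<String, String> form) {
        DataBinder binder = new DataBinder(target, "owner");
        binder.setDisallowedFields("id");
        binder.bind(new MutablePropertyValues(form));
        return target;
    }

    // Hardened variant: allow-list exactly the fields the form is meant to edit.
    // Every other path, nested or not, is dropped by the binder before any setter runs.
    public static Owner bindWithAllowedFields(Owner target, Map<String, String> form) {
        DataBinder binder = new DataBinder(target, "owner");
        binder.setAllowedFields("firstName", "lastName", "address", "city", "telephone");
        binder.bind(new MutablePropertyValues(form));
        return target;
    }

    // Constructed request: the five legitimate form fields plus two id-smuggling attempts.
    public static Map<String, String> editOwnerRequest() {
        Map<String, String> form = new LinkedHashMap<String, String>();
        form.put("firstName", "George");
        form.put("lastName", "Franklin");
        form.put("address", "110 W. Liberty St.");
        form.put("city", "Madison");
        form.put("telephone", "6085551023");
        form.put("id", "6");               // blocked: exact match on the disallowed path "id"
        form.put("pets[0].owner.id", "6"); // not blocked: the pattern "id" does not match this path
        return form;
    }

    public static void main(String[] args) {
        Owner hit = bindWithDisallowedId(loadOwner(), editOwnerRequest());
        System.out.println("disallowed-fields binder: owner id is now " + hit.getId());
        Owner safe = bindWithAllowedFields(loadOwner(), editOwnerRequest());
        System.out.println("allowed-fields binder:    owner id is still " + safe.getId());
    }
}
```

Compile and run it with spring-context (which pulls in spring-beans and spring-core) on the classpath. The first binder lets the nested path through, so the loaded owner's id changes from 1 to 6 and a subsequent save would overwrite owner #6, exactly the effect described above; the allow-list binder keeps id at 1. A block-list can also be made to cover this (for example setDisallowedFields("id", "*.id", "pets*"), since the patterns support leading and trailing wildcards), but it has to anticipate every reachable path through the object graph, which is why a short allow-list of the form's own fields is the safer default.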

This application also has a large number of XSS vulnerabilities, including the ability to create a Pet with an XSS payload which (via autobinding) can be assigned to another user (i.e. by modifying the pet's owner ID).

July 19, 2011 | JPetStore, Spring MVC