Since the Ounce website doesn't exist anymore, here is the link to the "Two Security Vulnerabilities in the Spring Framework's MVC" paper we published 3 years ago, which unfortunately is still very relevant today.
You can read Spring's response here: http://www.springsource.com/security/spring-mvc
One of the interesting elements of this issue (namely the first one, which I usually call the 'Spring AutoBinding issue') is that whether it is called a 'vulnerability' depends on how one looks at the problem.
Spring MVC's AutoBinding (just like ASP.NET MVC's AutoBinding) is one of the most powerful capabilities of these frameworks. The problem is that it promotes a programming practice that leads to the creation of massive vulnerabilities: any request parameter whose name matches a writable property of the bound object is copied into it.
Now, the Spring Framework's position is that 'developers should know better and not create domain objects that expose fields that should not be editable'.
The problem is that in the real world it is easy to fall into this trap, and not only to expose fields that should not be editable but also to create massive domain objects.
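The trap described above, and the two usual ways out of it, as an added example (not code from the original post or from the Spring project); the `User` entity, `ProfileForm` object and `ProfileController` are hypothetical, written against the Spring MVC 3.x annotations:

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
// Hypothetical domain object. 'admin' is persisted with the entity but must
// never be settable from a browser request. (Getters omitted for brevity.)
class User {
    private String username, email;
    private boolean admin;
    public void setUsername(String username) { this.username = username; }
    public void setEmail(String email) { this.email = email; }
    public void setAdmin(boolean admin) { this.admin = admin; }
    public boolean isAdmin() { return admin; }
}

// Hypothetical form-backing object with only the user-editable fields.
class ProfileForm {
    private String username, email;
    public void setUsername(String username) { this.username = username; }
    public void setEmail(String email) { this.email = email; }
    public String getUsername() { return username; }
    public String getEmail() { return email; }
}

@Controller
public class ProfileController {
    // VULNERABLE: Spring binds every request parameter that matches a writable
    // property of User, so a POST containing admin=true flips the flag.
    @RequestMapping(value = "/profile/vulnerable", method = RequestMethod.POST)
    public String updateVulnerable(@ModelAttribute("user") User user) {
        return "redirect:/profile";
    }
    // MITIGATION 1: whitelist the bindable fields of the "user" model attribute;
    // the binder ignores any other parameter, including admin and nested paths.
    @InitBinder("user")
    public void restrictUserBinding(WebDataBinder binder) {
        binder.setAllowedFields("username", "email");
    }
    // MITIGATION 2: bind to a narrow form object instead of the domain entity
    // and copy the permitted fields across explicitly.
    @RequestMapping(value = "/profile/safe", method = RequestMethod.POST)
    public String updateSafe(@ModelAttribute("profileForm") ProfileForm form) {
        User user = new User(); // normally loaded for the authenticated principal
        user.setUsername(form.getUsername());
        user.setEmail(form.getEmail());
        return "redirect:/profile";
    }
}
```

When reviewing a Spring MVC app, every `@ModelAttribute` parameter typed as a persistent entity with no matching `@InitBinder` whitelist is a candidate for this issue.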
I just completed a security review project where, again, the auto-binding vulnerability created a large number of exploitable security vulnerabilities.
The good news is that today (in 2011) I can talk about and present the technology that I currently use to perform security analysis on Spring MVC apps. The latest version of the O2 Platform already has good support for analysing these apps (I also have a bunch of notes and scripts which I need to clean up before posting, so if you want to help, ping me).
Related posts/links:
- http://diniscruz.blogspot.com/2009/09/spring-mvc-30-mvc-binding-rules.html
- http://diniscruz.blogspot.com/2009/06/jsp-el-spring-mvc-and-xss.html
- https://lists.owasp.org/pipermail/owasp-o2-platform/2009-November/000015.html
- https://www.owasp.org/index.php/OWASP_O2_Platform/Spring_Framework/MVC
- http://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf (original pdf, also linked above)