Friday, 18 September 2009

18 Sep - WebEx on using the O2 Spring Mvc Module to exploit vulnerabilities in the PetClinic application

(post I just published to a number of web app sec security mailing lists)

I'm going to do an public WebEx on the O2 Spring MVC module tomorrow at 18th Sep at 1pm EST/ 6pm London (see the WebEx details here)

Not sure if still remember this, but I was one of the authors of the two Security issues reported on the Spring Framework MVC by Ounce Labs last year (see PDF here).

At the time we didn't really explained how I found those issues, but since then we released the Open Source OWASP O2 Platform which contains the O2 Spring MVC module (link to ClickOnce Install) and attempts to visualize the attack surface and vulnerabilities created by Spring MVC Annotation-Based Controllers (see Spring Documentation here)

To demonstrate the security implications of Spring MVC's @ModelAttribute I will show a couple vulnerabilities discovered on the PetClinic demo application that ships as an sample application on Spring 2.5 (you can you can download from here the demo materials I am going to use tomorrow (includes all files required to run a local copy of the PetClinic test application)).

What I really like about the demo that I am going to present, is how I am able to combine both WhiteBox and BlackBox analysis in one single workflow and GUI (i.e. one analysis feeds the other, enabling the quick understanding and exploitation of vulnerabilities in the PetClinic application)

Note that the issues that I am going to find & demonstrate using the O2 Spring MVC module DO NOT require the Ounce Labs product (static source code analysis engine) to work.

In fact, I will be doing my demos from a VM image that doesn't have ounce installed :) .

Of course that there are other types of analysis that you can do if you have access to Ounce's engine (or (eventually) the other engines soon-to-be-supported by O2 (Fortify, Coverity, Armorize, AppScan DE, etc...)), but my point with this presentation is to show how you can do TODAY using the power of the OWASP O2 Platform to perform security engagements on applications that use Spring MVC Annotations-Based Controllers.

I will try to do these types of WebEx on a regular basis, so if you can't make it tomorrow you can join in the next one :)

See you at the WebEx

Dinis Cruz