Monday 11 July 2011

"Two Security Vulnerabilities in the Spring Framework’s MVC" pdf (from 2008)

(update: see the "Finally ... here is how I have been analysing Spring MVC apps using O2" post for an update on how to exploit and visualize these issues using O2)

Since the Ounce website doesn't exist anymore, here is the link to the "Two Security Vulnerabilities in the Spring Framework’s MVC" paper we published 3 years ago, which unfortunately is still very relevant today.


You can read Spring's response here: http://www.springsource.com/security/spring-mvc

One of the interesting elements of this issue (namely the first one, which I usually call the 'Spring AutoBinding issue') is that whether it counts as a 'vulnerability' depends on how one looks at the problem.

Spring's MVC Autobinding (just like ASP.NET MVC Autobinding) is one of the most powerful capabilities of these frameworks. The problem is that it promotes a programming practice that leads to the creation of massive vulnerabilities.

Now the Spring Framework's position is that 'developers should know better and not create domain objects that expose fields that should not be editable'.

The problem is that in the real world it is easy to fall into this trap, and not only expose fields that should not be editable but also create massive domain objects.
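As an added illustration (not code from the paper, from Spring, or from O2), here is the trap in minimal Spring MVC form: a hypothetical Account entity carrying an authorization flag is bound directly by a controller, beside the same controller restricted with an @InitBinder allow-list. The class, field and URL names are assumptions.

```java
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

// Hypothetical domain object: a persistence entity reused as the form-binding target.
// Every property with a public setter is reachable from request parameters.
class Account {
    private String username;
    private String email;
    private boolean admin;   // authorization flag; must never be settable from a form

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public boolean isAdmin() { return admin; }
    public void setAdmin(boolean admin) { this.admin = admin; }
}

// Vulnerable pattern: the whole domain object is auto-bound, so a request that carries
// an extra "admin" parameter sets the flag along with the legitimate fields.
@Controller
class ProfileControllerVulnerable {
    @RequestMapping(value = "/profile", method = RequestMethod.POST)
    public String update(@ModelAttribute Account account) {
        // persisting 'account' here would store whatever the binder populated
        return "redirect:/profile";
    }
}

// Hardened pattern: the @InitBinder allow-list limits binding to the fields this form
// is meant to edit; any other parameter in the request is ignored by the binder.
@Controller
class ProfileControllerHardened {
    @InitBinder("account")   // "account" is the default model attribute name for Account
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("username", "email");
    }

    @RequestMapping(value = "/profile", method = RequestMethod.POST)
    public String update(@ModelAttribute Account account) {
        return "redirect:/profile";
    }
}
```

A dedicated form object holding only the editable fields is the other common remedy, and it also avoids the 'massive domain object' problem described above.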

I just completed a security review project where, again, the auto-binding vulnerability created a large number of exploitable security vulnerabilities.

The good news is that today (in 2011) I can talk about and present the technology that I currently use to perform security analysis on Spring MVC apps. The latest version of the O2 Platform already has good support for analysing these apps (I also have a bunch of notes and scripts which I need to clean up before posting, so if you want to help, ping me).

Related posts/links: