[Owasp-leaders] 18 Sep - WebEx on using the O2 Spring Mvc Module to exploit vulnerabilities in the PetClinic application

dinis cruz dinis.cruz at owasp.org
Thu Sep 17 20:24:06 EDT 2009


I'm going to do a public WebEx on the O2 <https://www.o2-ounceopen.com> Spring
MVC module tomorrow, 18th Sep, at 1pm EST / 6pm London (see the WebEx
details here <http://bit.ly/9nauD>).

Not sure if you still remember this, but I was one of the authors of the two
security issues reported on the Spring Framework MVC by Ounce Labs last year
(see PDF here <http://www.ouncelabs.com/writable/resources/file/ounce_springframework_vulnerabilities.pdf>).
At the time we didn't really explain how I found those issues, but since
then we released the Open Source OWASP O2
Platform <https://www.o2-ounceopen.com/>, which
contains the O2 Spring MVC module (link to ClickOnce
Install <http://deploy.o2-ounceopen.com/O2_Cmd_SpringMvc/>)
and attempts to visualize the attack surface and vulnerabilities created by
Spring MVC Annotation-Based Controllers (see Spring Documentation
here <http://static.springsource.org/spring/docs/2.5.6/reference/mvc.html>).

To demonstrate the security implications of Spring MVC's @ModelAttribute I
will show a couple of vulnerabilities discovered on the PetClinic demo
application that ships as a sample application with Spring 2.5 (you can
download from
here <http://deploy.o2-ounceopen.com/DemoFiles/SpringMvc/O2%20Spring%20MVC%20PetClinic%20Package.zip>
the demo materials I am going to use tomorrow, which include all files required to
run a local copy of the PetClinic test application).

What I really like about the demo that I am going to present is how I am
able to *combine both WhiteBox and BlackBox analysis in one single workflow
and GUI* (i.e. one analysis feeds the other, enabling the quick
understanding and exploitation of vulnerabilities in the PetClinic
application).

Note that the issues that I am going to find & demonstrate using the O2
Spring MVC module <http://deploy.o2-ounceopen.com/O2_Cmd_SpringMvc/> DO NOT
require the Ounce Labs product (static source code analysis engine) to work.

In fact, I will be doing my demos from a VM image that doesn't have Ounce
installed :).

Of course, there are other types of analysis that you can do if you have
access to Ounce's engine (or, eventually, the other engines
soon to be supported by O2: Fortify, Coverity, Armorize, AppScan DE,
etc.), but my point with this presentation is to show what you can do
TODAY using the power of the OWASP O2
Platform <https://www.o2-ounceopen.com/> to
perform security engagements on applications that use Spring MVC
Annotation-Based Controllers.

I will try to do these types of WebEx on a regular basis, so if you can't
make it tomorrow you can join in the next one :)

See you at the WebEx

Dinis Cruz