[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on a Restlet application (i.e. Remote Command Execution)

Dinis Cruz dinis.cruz at owasp.org
Tue Aug 6 12:38:07 UTC 2013


Hi, were you aware that XmlDecoder could be used this way:
http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
(see examples at the end)

Abe and I presented that last week at DefCon and the awareness was very low.

I'm also sure that there are other dangerous/exploitable uses of XmlDecoder
on other REST or web apis.

Finally, what about fixing/mitigating this? It looks like Java Sandboxing
using the Security manager is one option, but even that will not be safe,
since the attacker will be able to attack the application assets.

Any other ideas?

Dinis Cruz
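One mitigation beyond SecurityManager sandboxing, added here as example code (not from the original post, the linked blog, or Restlet itself): validate the request body with a hardened StAX parser against an allowlist of XMLDecoder element names and bean classes before XMLDecoder ever sees it. The class name `GuardedXmlDecoder`, the allowlisted `com.example.UserDto`, and the sample documents in `main` are assumptions/constructed; `Set.of` needs Java 9 or later.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public final class GuardedXmlDecoder {
    // Only these XMLDecoder elements are accepted below the <java> root;
    // <array>, <new>, <class>, <null> and nested <java> are rejected outright.
    private static final Set<String> ALLOWED_ELEMENTS =
        Set.of("object", "void", "string", "int", "boolean");
    // Hypothetical allowlist of bean classes this endpoint legitimately accepts.
    private static final Set<String> ALLOWED_CLASSES =
        Set.of("java.util.ArrayList", "com.example.UserDto");

    /** True only if the root is <java> and every element/class attribute is allowlisted. */
    public static boolean isAllowed(byte[] body) throws XMLStreamException {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);                    // no DTDs
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); // no XXE
        XMLStreamReader r = f.createXMLStreamReader(new ByteArrayInputStream(body));
        boolean rootSeen = false;
        while (r.hasNext()) {
            if (r.next() != XMLStreamConstants.START_ELEMENT) continue;
            String name = r.getLocalName();
            if (!rootSeen) { rootSeen = true; if (!name.equals("java")) return false; continue; }
            if (!ALLOWED_ELEMENTS.contains(name)) return false;
            // "class" appears on <object>, <void> and others; every one must be allowlisted.
            String cls = r.getAttributeValue(null, "class");
            if (cls != null && !ALLOWED_CLASSES.contains(cls)) return false;
        }
        return rootSeen;
    }

    /** Hands the bytes to XMLDecoder only after the allowlist check passed. */
    public static Object decodeGuarded(byte[] body) throws XMLStreamException {
        if (!isAllowed(body)) throw new SecurityException("rejected XMLDecoder document");
        try (XMLDecoder d = new XMLDecoder(new ByteArrayInputStream(body))) {
            return d.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a benign list, then the same document naming a non-allowlisted class.
        String ok = "<java version=\"1.8\" class=\"java.beans.XMLDecoder\"><object class=\"java.util.ArrayList\">"
            + "<void method=\"add\"><string>a</string></void></object></java>";
        String bad = ok.replace("java.util.ArrayList", "com.example.NotAllowed");
        System.out.println(decodeGuarded(ok.getBytes(StandardCharsets.UTF_8)));  // [a]
        System.out.println(isAllowed(bad.getBytes(StandardCharsets.UTF_8)));     // false
    }
}
```

This is defence in depth only: XMLDecoder can still invoke any method on an allowlisted class, so the reliable fix remains not to feed untrusted input to XMLDecoder at all.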