[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)

Rogan Dawes rogan at dawes.za.net
Tue Aug 6 14:29:53 UTC 2013

I wasn't aware that this was possible. Nice work!

I'd be very interested in seeing how a Security Manager can be used to 
sandbox a class like this.

If you restrict it to elementary Objects such as String, Integer, 
Boolean, Float, etc, and Collection classes such as Map and List, I 
suspect that you should not be able to do too much damage. How would you 
get a reference to the application code, anyway, to attack the 
application assets?


On 06/08/2013 14:38, Dinis Cruz wrote:
> Hi, where you aware that XmlDecoder could be used this way:
> http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html (see
> examples at the end)
> Me and Abe presented that last week at DefCon and the awareness was very
> low.
> I'm also sure that there are other dangerous/exploitable uses of
> XmlDecoder on other REST or web apis.
> Finally what about fixing/mitigating this? It looks like Java Sandboxing
> using the Security manager is one option, but even that will not be
> safe, since the attacker will be able to attack the application assets.
> Any other ideas?
> Dinis Cruz
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

More information about the OWASP-Leaders mailing list