[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)

Jim Manico jim.manico at owasp.org
Tue Aug 6 18:39:25 UTC 2013


You normally want to do structural validation of untrusted XML before
you accept it (using XML schema or the like). Such defenses, if
implemented right, should protect you from this kind of vulnerability.

But wow, very interesting work.

Cheers,
Jim


> I wasn't aware that this was possible. Nice work!
> 
> I'd be very interested in seeing how a Security Manager can be used to
> sandbox a class like this.
> 
> If you restrict it to elementary Objects such as String, Integer,
> Boolean, Float, etc, and Collection classes such as Map and List, I
> suspect that you should not be able to do too much damage. How would you
> get a reference to the application code, anyway, to attack the
> application assets?
> 
> Rogan
> 
> 
> On 06/08/2013 14:38, Dinis Cruz wrote:
>> Hi, were you aware that XmlDecoder could be used this way:
>> http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
>> (see examples at the end)
>>
>> Abe and I presented that last week at DefCon and the awareness was very
>> low.
>>
>> I'm also sure that there are other dangerous/exploitable uses of
>> XmlDecoder on other REST or web apis.
>>
>> Finally what about fixing/mitigating this? It looks like Java Sandboxing
>> using the Security manager is one option, but even that will not be
>> safe, since the attacker will be able to attack the application assets.
>>
>> Any other ideas?
>>
>> Dinis Cruz
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
> 
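Jim's suggestion above, as an added example that is not code from this thread or from Restlet: before any object binding, validate the raw request body against a schema that describes only the payload the endpoint expects. A java.beans `<java>`/`<object>` document has a different root element and fails that check outright, so it never reaches a deserializer. The `user` schema, the `ValidatedXmlInput` class and the `parseUser` method are constructed for illustration; `body` is assumed to be the request entity as a string.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class ValidatedXmlInput {
    // Constructed schema: the only document shape this hypothetical endpoint accepts.
    // Anything else (including a java.beans <java> tree) is rejected before binding.
    private static final String USER_XSD =
          "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>"
        + " <xs:element name='user'><xs:complexType><xs:sequence>"
        + "  <xs:element name='name' type='xs:string'/>"
        + "  <xs:element name='age' type='xs:nonNegativeInteger'/>"
        + " </xs:sequence></xs:complexType></xs:element>"
        + "</xs:schema>";

    private static final Schema SCHEMA = compileSchema();

    private static Schema compileSchema() {
        try {
            SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
            // The validator is itself an XML parser: forbid external DTD/schema fetches.
            sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            return sf.newSchema(new StreamSource(new StringReader(USER_XSD)));
        } catch (SAXException e) {
            throw new IllegalStateException("schema does not compile", e);
        }
    }

    /** Parses the request body into a DOM, then rejects it unless it conforms to USER_XSD. */
    public static Document parseUser(String body) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                 // required for schema validation
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/XXE
        dbf.setXIncludeAware(false);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(body)));
        Validator v = SCHEMA.newValidator();
        v.validate(new DOMSource(doc));               // throws SAXException on any other shape
        return doc;                                   // safe to map onto plain data objects
    }
}
```

Only the validated DOM is then mapped onto application data types; the body is never handed to XMLDecoder or any other general-purpose object deserializer.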
