[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)
eoin.keary at owasp.org
Tue Aug 6 19:25:32 UTC 2013
Policy file runtime permissions may help in restricting execution of rogue code. Most containers have them.
Nice work btw
Owasp Global Board
+353 87 977 2988
On 6 Aug 2013, at 19:39, Jim Manico <jim.manico at owasp.org> wrote:
> You normally want to do structural validation of untrusted XML before
> you accept it (using XML schema or the like). Such defenses if
> implemented right should protect you from this kind of vulnerability.
> But wow, very interesting work.
>> I wasn't aware that this was possible. Nice work!
>> I'd be very interested in seeing how a Security Manager can be used to
>> sandbox a class like this.
>> If you restrict it to elementary Objects such as String, Integer,
>> Boolean, Float, etc, and Collection classes such as Map and List, I
>> suspect that you should not be able to do too much damage. How would you
>> get a reference to the application code, anyway, to attack the
>> application assets?
>> On 06/08/2013 14:38, Dinis Cruz wrote:
>>> Hi, where you aware that XmlDecoder could be used this way:
>>> examples at the end)
>>> Me and Abe presented that last week at DefCon and the awareness was very
>>> I'm also sure that there are other dangerous/exploitable uses of
>>> XmlDecoder on other REST or web apis.
>>> Finally what about fixing/mitigating this? It looks like Java Sandboxing
>>> using the Security manager is one option, but even that will not be
>>> safe, since the attacker will be able to attack the application assets.
>>> Any other ideas?
>>> Dinis Cruz
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
More information about the OWASP-Leaders