[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on a Restlet application (i.e. Remote Command Execution)

Dennis Groves dennis.groves at owasp.org
Tue Aug 6 19:56:49 UTC 2013


Jim,

Input validation is hard enough as it is. Entity content compounds this 
problem enormously. You can validate an XML document fairly easily. 
However, validation of entity contents requires yet-another-grammar! To 
me the safest thing you can do is to 
[sign-then-encrypt](http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html).

As the Russians say: Trust, but verify.

Do let me know what you learn - Dinis has made a very interesting 
discovery.

Dennis

On 6 Aug 2013, at 12:31, Jim Manico wrote:

> The Java security manager runtime permissions have no management
> software available and often break functionality that these libraries
> depend on to run. I still think schema validation is in order. I'll dig
> a little deeper into this (from a defense perspective) and get back to
> you on this.
>
> Cheers,
> Jim
>
>
>> Policy file runtime permissions may help in restricting execution of 
>> rogue code. Most containers have them.
>> Nice work btw
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 6 Aug 2013, at 19:39, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> You normally want to do structural validation of untrusted XML before
>>> you accept it (using XML schema or the like). Such defenses if
>>> implemented right should protect you from this kind of vulnerability.
>>>
>>> But wow, very interesting work.
>>>
>>> Cheers,
>>> Jim

Dennis
-- 
[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a 
meeting](http://goo.gl/8sPIy).

     "Unless someone like you...cares a whole awful lot...
     nothing is going to get better...It's not."
                                             -- The Lorax