[Owasp-leaders] [Java-project] Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)

Dinis Cruz dinis.cruz at owasp.org
Tue Aug 6 23:47:20 UTC 2013

To be fair Restlet also supports JAXB (see
and some of their sample apps use it. BUT, the problem is that there
no valid scenario for using the XMLDecoder in an REST app (since the XML by
design comes from an untrusted source)

On 6 August 2013 15:28, Stephen de Vries <stephen at continuumsecurity.net>wrote:

> For the long term persistence of java objects, xmldecoder seems
> appropriate because you would usually write and read from trusted sources
> (the db or filesystem).

Sure, but is the db or filesystem really that trustworthy? (in regards to
XML files).

I can see how xml config files are usually well protected, but normal
application-level XML files?

They usually come from all sort of difference sources (Message Queues, User
supplied data, object serialisation), and if XMLDecoder it is used, then
those files will need to be highly protected (since anybody who can change
them will be able to execute code/commands/process on the server).

Another problem is that on an app that uses XMLDecoder, an XML Injection
vulnerability suddenly becomes much more dangerous


> Stephen
> On 6 Aug 2013, at 14:38, Dinis Cruz <dinis.cruz at owasp.org> wrote:
> Hi, where you aware that XmlDecoder could be used this way:
> http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html (see
> examples at the end)
> Me and Abe presented that last week at DefCon and the awareness was very
> low.
> I'm also sure that there are other dangerous/exploitable uses of
> XmlDecoder on other REST or web apis.
> Finally what about fixing/mitigating this? It looks like Java Sandboxing
> using the Security manager is one option, but even that will not be safe,
> since the attacker will be able to attack the application assets.
> Any other ideas?
> Dinis Cruz
> _______________________________________________
> Java-project mailing list
> Java-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/java-project
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20130807/1a3387b6/attachment.html>

More information about the OWASP-Leaders mailing list