[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on a Restlet application (i.e. Remote Command Execution)

Dinis Cruz dinis.cruz at owasp.org
Wed Aug 7 00:16:07 UTC 2013


Just to be clear on this one: Abe did most of the research (he read 1000s
of pages on REST and XML) and Alvaro did the first PoCs.

They are the ones that deserve the credit for this discovery.


Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2


On 6 August 2013 20:56, Dennis Groves <dennis.groves at owasp.org> wrote:

> Jim,
>
> Input validation is hard enough as it is. Entity content compounds this
> problem enormously. You can validate an XML document fairly easily.
> However, validation of entity contents requires yet-another-grammar! To me
> the safest thing you can do is to sign-then-encrypt <http://world.std.com/%7Edtd/sign_encrypt/sign_encrypt7.html>.
>
>
> As the Russians say: Trust, but verify.
>
> Do let me know what you learn - Dinis has made a very interesting
> discovery.
>
> Dennis
>
> On 6 Aug 2013, at 12:31, Jim Manico wrote:
>
> The Java security manager runtime permissions have no management
> software available and often break functionality that these libraries
> depend on to run. I still think schema validation is in order. I'll dig
> a little deeper into this (from a defense perspective) and get back to
> you on this.
>
> Cheers,
> Jim
>
> Policy file runtime permissions may help in restricting execution of rogue
> code. Most containers have them.
> Nice work btw
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
> On 6 Aug 2013, at 19:39, Jim Manico jim.manico at owasp.org wrote:
>
> You normally want to do structural validation of untrusted XML before
> you accept it (using XML schema or the like). Such defenses if
> implemented right should protect you from this kind of vulnerability.
>
> But wow, very interesting work.
>
> Cheers,
> Jim
>
> Dennis
> ------------------------------
>
> Dennis Groves <http://about.me/dennis.groves>, MSc
> Email me <dennis.groves at owasp.org> or schedule a meeting <http://goo.gl/8sPIy>.
>
> "Unless someone like you...cares a whole awful lot...
> nothing is going to get better...It's not."
>                                         -- The Lorax
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
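Added example, not code from the thread, from Restlet or from any of the people quoted above: the structural validation Jim describes, written in Java. It parses the untrusted body with a hardened parser (DOCTYPE rejected, external entities and XInclude off, secure processing on), then validates the resulting DOM against an XSD before anything downstream sees it, so the document never reaches a deserialiser such as java.beans.XMLDecoder in raw form. The "order" schema, its element names and the three sample documents are constructed for illustration and are not from the page.

```java
// Added example (not from the thread): validate untrusted XML structurally
// before any processing, with DTDs and external entities disabled.
// Assumed: a hypothetical "order" message format; the XSD and the sample
// documents below are constructed for illustration.
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.StringReader;

public final class SafeXmlIntake {

    // Constructed schema: only the elements we expect, nothing else.
    private static final String ORDER_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "  <xs:element name=\"order\">"
      + "    <xs:complexType>"
      + "      <xs:sequence>"
      + "        <xs:element name=\"sku\" type=\"xs:string\"/>"
      + "        <xs:element name=\"quantity\" type=\"xs:positiveInteger\"/>"
      + "      </xs:sequence>"
      + "    </xs:complexType>"
      + "  </xs:element>"
      + "</xs:schema>";

    private static final Schema ORDER_SCHEMA = compileSchema(ORDER_XSD);

    private static Schema compileSchema(String xsd) {
        try {
            SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
            // Refuse to fetch external DTDs or schemas while compiling the XSD.
            sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            return sf.newSchema(new StreamSource(new StringReader(xsd)));
        } catch (SAXException e) {
            throw new IllegalStateException("schema failed to compile", e);
        }
    }

    /** Parses untrusted XML with a hardened parser; a DOCTYPE is rejected outright. */
    private static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // No DOCTYPE means no internal or external entity declarations at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    /** Returns true only if the document parses safely AND matches the schema. */
    public static boolean accept(String untrustedXml) {
        try {
            Document doc = parseHardened(untrustedXml);
            Validator v = ORDER_SCHEMA.newValidator();
            v.validate(new DOMSource(doc));
            return true;
        } catch (Exception e) {
            // Any parse or validation failure rejects the message before it
            // reaches deserialisation logic. The raw body is never handed to
            // java.beans.XMLDecoder, which instantiates whatever classes the
            // document names; that behaviour is what this thread is about.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample bodies.
        String good = "<order><sku>ABC-1</sku><quantity>2</quantity></order>";
        String wrongShape = "<profile><name>x</name></profile>";
        String withDoctype = "<!DOCTYPE order [<!ENTITY e \"x\">]>"
                           + "<order><sku>&e;</sku><quantity>1</quantity></order>";
        System.out.println("well-formed order accepted: " + accept(good));
        System.out.println("wrong-shaped body accepted: " + accept(wrongShape));
        System.out.println("DOCTYPE body accepted: " + accept(withDoctype));
    }
}
```

The order of operations matters: the DOM is built by the hardened parser first, and only that DOM is validated, so the schema check never runs on a document that still contains a DTD or entity references. Schema validation alone, fed a StreamSource, would parse the body again with whatever DTD handling the validator's own parser applies, which is the gap Dennis's remark about entity content points at.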