[Owasp-leaders] Using XMLDecoder to execute server-side Java Code on a Restlet application (i.e. Remote Command Execution)

Abraham Kang abraham.kang at owasp.org
Fri Aug 9 01:37:49 UTC 2013


We all had important contributions to the success of this talk.

Regards,
Abe


On Tue, Aug 6, 2013 at 5:16 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

> Just to be clear on this one: Abe did most of the research (he read 1000s
> of pages on REST and XML) and Alvaro did the first PoCs.
>
> They are the ones that deserve the credit for this discovery
>
>
> Dinis Cruz
>
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
>
>
> On 6 August 2013 20:56, Dennis Groves <dennis.groves at owasp.org> wrote:
>
>>  Jim,
>>
>> Input validation is hard enough as it is. Entity content compounds this
>> problem enormously. You can validate an XML document fairly easily.
>> However, validation of entity contents requires yet-another-grammer! To me
>> the safest thing you can do is to sign-then-encrypt<http://world.std.com/%7Edtd/sign_encrypt/sign_encrypt7.html>.
>>
>>
>> As the Russians say: Trust, but verify.
>>
>> Do let me know what you learn - Dinis has made a very interesting
>> discovery.
>>
>> Dennis
>>
>> On 6 Aug 2013, at 12:31, Jim Manico wrote:
>>
>> The Java security manager runtime permissions have no management
>> software available and often break functionality that these libraries
>> depend on to run. I still think schema validation is in order. I'll dig
>> a little deeper into this (from a defense perspective) and get back to
>> you on this.
>>
>> Cheers,
>> Jim
>>
>> Policy file runtime permissions may help in restricting execution of
>> rogue code. Most containers have them.
>> Nice work btw
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>> On 6 Aug 2013, at 19:39, Jim Manico <jim.manico at owasp.org> wrote:
>>
>> You normally want to do structural validation of untrusted XML before
>> you accept it (using XML schema or the like). Such defenses if
>> implemented right should protect you from this kind of vulnerability.
>>
>> But wow, very interesting work.
>>
>> Cheers,
>> Jim
>>
>>  Dennis
>> ------------------------------
>>
>> Dennis Groves <http://about.me/dennis.groves>, MSc
>> Email me <dennis.groves at owasp.org> or schedule a meeting <http://goo.gl/8sPIy>.
>>
>> "Unless someone like you...cares a whole awful lot...
>> nothing is going to get better...It's not."
>>                                         -- The Lorax
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
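Added example, not part of the thread and not code from Restlet or from any of the posters. It puts the two halves of the discussion side by side: a request body handed straight to java.beans.XMLDecoder, which replays whatever constructor and method calls the document names, and Jim's suggested structural validation against an XML schema applied before any deserializer sees the input. The class name, the <item> document, its schema, and the XMLDecoder document are all constructed for illustration (the decoder document is kept harmless: it only instantiates a StringBuilder and calls append); the Restlet request-handling code is not shown.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

public class XmlDecoderSchemaDemo {

    // Constructed sample: the only document shape this endpoint is meant to accept.
    static final String EXPECTED_DOC =
        "<item><name>widget</name><qty>3</qty></item>";

    // Constructed sample: a java.beans XMLDecoder document. XMLDecoder does not
    // map data onto fields; it replays constructor and method calls, so the
    // document names a class to instantiate and methods to invoke on it. This one
    // is deliberately harmless (StringBuilder.append); nothing in XMLDecoder
    // stops the sender from naming a different class.
    static final String DECODER_DOC =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<java version=\"1.7.0\" class=\"java.beans.XMLDecoder\">\n"
      + "  <object class=\"java.lang.StringBuilder\">\n"
      + "    <void method=\"append\">\n"
      + "      <string>method call replayed by XMLDecoder</string>\n"
      + "    </void>\n"
      + "  </object>\n"
      + "</java>\n";

    // Hypothetical schema for EXPECTED_DOC: one root element, two typed children.
    // The XMLDecoder document's root element <java> is not declared here.
    static final String ITEM_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">\n"
      + "  <xs:element name=\"item\">\n"
      + "    <xs:complexType>\n"
      + "      <xs:sequence>\n"
      + "        <xs:element name=\"name\" type=\"xs:string\"/>\n"
      + "        <xs:element name=\"qty\" type=\"xs:nonNegativeInteger\"/>\n"
      + "      </xs:sequence>\n"
      + "    </xs:complexType>\n"
      + "  </xs:element>\n"
      + "</xs:schema>\n";

    // The pattern the thread is about: an untrusted body handed straight to
    // XMLDecoder. Whatever object graph the sender described gets built, and
    // every method the document names gets called, before readObject() returns.
    static Object decodeUnvalidated(String body) {
        try (XMLDecoder decoder = new XMLDecoder(
                new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)))) {
            return decoder.readObject();
        }
    }

    // Structural validation: reject anything that is not an <item> document
    // before any deserializer sees it. External DTD and schema access is switched
    // off so the validator itself cannot be pointed at outside resources.
    static boolean conformsToItemSchema(String body) {
        try {
            SchemaFactory factory =
                SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            Schema schema = factory.newSchema(new StreamSource(new StringReader(ITEM_XSD)));
            Validator validator = schema.newValidator();
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            validator.validate(new StreamSource(new StringReader(body)));
            return true;
        } catch (SAXException | IOException e) {
            // Any well-formedness or schema violation lands here, including an
            // undeclared root element such as <java>.
            return false;
        }
    }

    public static void main(String[] args) {
        Object built = decodeUnvalidated(DECODER_DOC);
        System.out.println("XMLDecoder built a " + built.getClass().getName()
            + " holding: " + built);

        System.out.println("expected doc passes schema: " + conformsToItemSchema(EXPECTED_DOC));
        System.out.println("decoder doc passes schema:  " + conformsToItemSchema(DECODER_DOC));
    }
}
```

The schema check only decides whether the document is one the endpoint expects; the safe follow-on is to map the validated <item> onto application fields with an ordinary XML parser and never hand request bodies to XMLDecoder at all, since the schema is the only thing standing between the body and arbitrary method invocation.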