[Owasp-o2-platform] [Fwd: Pet Clinic / Spring MVC issues]
dinis.cruz at ouncelabs.com
Mon Nov 23 10:33:25 EST 2009
Sorry for not replying sooner, my work-load has been super hectic since I came back from DC.
Regarding the vulnerability you mention bellow, you are right that they are issues in PetClinic (and not with Spring), but there are many more vulnerabilities on that application we need to identify and remediate (some are variations of this same issue).
I really like the Spring Framework and understand why the developers love it, my problem (from a security point of view) is that currently it is very hard for developers and application architects to understand the implications & behavior of the Spring MVC HTTP FORM data Auto-Wiring capabilities (it is a very powerful feature which can be easily misused (just like building raw SQL queries allow the creation of SQL Injection vulnerabilities))
I really want to make sure we properly document the remediation practices and make them into O2's XRules, so that we can automate the creation of those XRules in O2.
I've started a page on the O2 Platform Wiki for this (still in very draft format), and It would be great if you could help http://www.owasp.org/index.php/OWASP_O2_Platform/Spring_Framework/MVC
The other area that I really need your (& core Spring Framework developers) help is to make sure that the way the O2 String MVC mappings objects are created since the idea is that they should represent the behavior of the Spring MVC data flows. The current O2 module (http://deploy.o2-ounceopen.com/DemoFiles/SpringMvc) mainly deals with with the 'Attribute based' Controllers (aka @Controller, @RequestParam, @ModelAttribute, etc...). I have an older version (which I used for another client and is available in raw format in the O2 Source code) which handles the 'Config-Driven or '*Controller implementation-based' Spring MVC Controllers that needs quite a bit of work.
Note: I'm CCing the O2 Platform mailing list (owasp-o2-platform at lists.owasp.org) since there is a LOT of interest over there on these Spring MVC security issues.
From: SpringSource Security Team [mailto:security at springsource.com]
Sent: Mon 23/11/2009 14:41
To: Dinis Cruz
Cc: Security Team
Subject: [Fwd: Pet Clinic / Spring MVC issues]
-----BEGIN PGP SIGNED MESSAGE-----
I haven't heard back from you in response to my previous mail below.
To follow up on that mail, we have done some further testing and our
conclusion is that this is a vulnerability in the PetClinic sample app,
rather than the core framework. The edit owner form calls
setDisabledFields("id") when it should call setDisabledFields("id", "pets*")
We will be reviewing the PetClinic sample application and the other
sample applications for similar issues. We will also be looking at
improving the tools and/or defaults to reduce the chances of developers
introducing similar vulnerabilities into their applications.
- -------- Original Message --------
Subject: Pet Clinic / Spring MVC issues
Date: Fri, 13 Nov 2009 23:04:43 -0600
From: SpringSource Security Team <security at springsource.com>
To: dinis.cruz at ouncelabs.com <dinis.cruz at ouncelabs.com>
I was good to talk to you today - although it was rather rushed.
I have tried to recreate what you demonstrated but I am working somewhat
dark since I was at the back of the room for your presentation and could
I believe I have re-created the scenario you demonstrated using the steps
outlined below. I would be grateful if you can confirm whether or not
the attack you demonstrated. I suspect I may not have all of it because you
indicated that you could edit the ID of the owner whereas I have only
to overwrite an existing record - which isn't quite the same thing.
I have passed this to the Spring MVC team although I do not expect to
from them until early next week.
Install a clean copy of pet clinic on Tomcat.
Use Firefox + LiveHttpHeaders or similar
List the owners.
Select owner 2 (Betty Davis).
Make a trivial change.
Click edit again.
Use LiveHttpHeaders replay to replay the previous edit but modify the
The upshot is that you end up over-writing owner 3 with Betty Davis's
though the URL that the POST goes to is:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-o2-platform