Leanpub The Leanpub Logo is a Registered Trademark
AccountLibraryOverviewPurchasesStoreSupport
AppsBooksBundlesCoursesFeaturedNewslettersPodcastSupportWhy Leanpub
AppsBooksBundlesCoursesFeaturedNewslettersPodcastSupportWhy Leanpub
Exploiting MVC Model Binding
Exploiting MVC Model Binding
Free!
Minimum price
$11.00
Suggested price
  • 361

    Readers

  • 112

    Pages

  • 16,950

    Words

  • English

  • PDF

  • EPUB

  • MOBI

  • APP

Exploiting MVC Model Binding

This book is 60% complete

Last updated on 2014-03-23

About the Book

About the Author

Dinis Cruz
Dinis Cruz

Dinis Cruz is the CISO of the Photobox Group and an active OWASP contributor (Owasp Summits and O2 Platform Project)

Table of Contents

  • 1 July 2011
    • O2 Script with BlackBox exploits for Spring MVC AutoBinding vulnerabilities in JPetStore
    • O2 Script for “Spring MVC JPetStore - Start Servers” (start/stop apache and hsqldb)
    • O2 Script: ‘Spring MVC Util - View Controllers’
    • Creating an API for JPetStore Browser automation
    • Injecting FirebugLite and jQuery into a IE Automation page (JPetStore Example)
    • Writing an O2 ‘IE Automation’ Script for JPetStore Account Creation
    • Viewing JPetStore Hsqldb database and couple more Autobinding issues
    • Finding the JSP views that are mapped to controlers in JPetStore (Spring MVC)
    • Visualizing the links in JPetStore (Spring MVC)
    • Packaged Spring MVC Security Test Apps: JPetStore and PetClinc
    • Simple Viewer to see JSP files (example using Spring MVC SPetStore)
    • Util - Java, Jsp and Xml File Search (Example using Spring MVC JPetStore)
    • Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic’s vulnerabilities)
  • 2 September 2011
    • example of spring mvc controllers
  • 3 November 2011
    • Fixing one of JPetStore’s AutoBinding Vulnerabilities (changing the purchase price)
  • 4 May 2012
    • ASP.NET MVC MUSIC STORE
    • Order details
    • HTTP form post fields using Fiddler
    • Checkout controller
    • Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform
  • 5 June 2013
    • Using ASP.NET MVC 4.0 in TeamMentor (with simple Controller, View and master Layout)
  • 6 July 2013
    • Can you spot the security implications/vulnerability of a small change to an ASP.NET MVC 3.0+ Model Binder?
    • Nice business logic vulnerability and CSRF on the ASP.NET MVC Design Patterns book sample
    • Day 1 - made it to Vegas, start of ASP.NET MVC research
    • MVC ModelBinding Vulnerability in Contoso University sample (first raw PoC)
  • 7 October 2012
    • Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform
    • Tool - O2 Cmd SpringMVC v1.0.exe - as standalone exe
    • How the Tool - O2 Cmd SpringMVC v1.0.exe was created
  • 8 December 2012
    • ASP.NET MVC – XSS and AutoBind Vulns in MVC Example app (from 2008)
    • ASP.NET Support in SAST and IBM F4F
  • 9 January 2013
    • OData ASP.NET Web API: An Mass Assignment vulnerability in the making?
    • Should Mass Assignment be an OWASP Top 10 Vulnerability?
  • 10 September 2008
    • ASP.NET MVC – XSS and AutoBind vulns in MVC Example
  • 11 September 2009
    • Spring MVC 3.0 MVC Binding rules
    • Finally … here is how I have been analysing Spring MVC apps using O2
    • Reaching out to Spring Developers
    • Couple more blog posts on JPetStore and additional Spring MVC Autobinding vulnerabilities
    • Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic’s vulnerabilities)
    • Current O2 support for analyzing Spring MVC
    • What needs to be done to map Static Analysis Traces from Controllers and Views
  • 12 October 2011
    • Why doesn’t SAST have better Framework support (for example Spring MVC)?
    • What does SAST mean? And where does it come from?
    • First Answer to: Why doesn’t SAST have better Framework support (for example Spring MVC)?
    • Solution for fixing Spring’s JPetStore AutoBinding vulnerabilities
  • 13 April 2012
    • Some proposed Visions for next OWASP Summit
    • Why ASP.NET MVC is ‘insecure by design’ , just like Spring MVC (and why SAST can help)
    • Starting to use the O2 Spring MVC viewer on ThreadFix

The Leanpub 45-day 100% Happiness Guarantee

Within 45 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.

See full terms

Free Updates. Free App. DRM Free.

If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).

Most Leanpub books are available in PDF (for computers), EPUB (for phones and tablets), MOBI (for Kindle) and in the free Leanpub App (for Mac, Windows, iOS and Android). The formats that a book includes are shown at the top right corner of this page.

Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.

Learn more about Leanpub's ebook formats and where to read them

Write and Publish on Leanpub

Authors, publishers and universities use Leanpub to publish amazing in-progress and completed books and courses, just like this one. You can use Leanpub to write, publish and sell your book or course as well! Leanpub is a powerful platform for serious authors, combining a simple, elegant writing and publishing workflow with a store focused on selling in-progress ebooks. Leanpub is a magical typewriter for authors: just write in plain text, and to publish your ebook, just click a button. It really is that easy.

Learn more about writing on Leanpub

Leanpub is copyright © 2010-2019 Ruboss Technology Corp. All rights reserved.