Exploiting MVC Model Binding

This book is 60% complete

Last updated on 2014-03-23

About the Book

Table of Contents

  • 1 July 2011
    • O2 Script with BlackBox exploits for Spring MVC AutoBinding vulnerabilities in JPetStore
    • O2 Script for “Spring MVC JPetStore - Start Servers” (start/stop apache and hsqldb)
    • O2 Script: ‘Spring MVC Util - View Controllers’
    • Creating an API for JPetStore Browser automation
    • Injecting FirebugLite and jQuery into an IE Automation page (JPetStore Example)
    • Writing an O2 ‘IE Automation’ Script for JPetStore Account Creation
    • Viewing JPetStore Hsqldb database and couple more Autobinding issues
    • Finding the JSP views that are mapped to controllers in JPetStore (Spring MVC)
    • Visualizing the links in JPetStore (Spring MVC)
    • Packaged Spring MVC Security Test Apps: JPetStore and PetClinic
    • Simple Viewer to see JSP files (example using Spring MVC JPetStore)
    • Util - Java, Jsp and Xml File Search (Example using Spring MVC JPetStore)
    • Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic’s vulnerabilities)
  • 2 September 2011
    • example of spring mvc controllers
  • 3 November 2011
    • Fixing one of JPetStore’s AutoBinding Vulnerabilities (changing the purchase price)
  • 4 May 2012
    • ASP.NET MVC MUSIC STORE
    • Order details
    • HTTP form post fields using Fiddler
    • Checkout controller
    • Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform
  • 5 June 2013
    • Using ASP.NET MVC 4.0 in TeamMentor (with simple Controller, View and master Layout)
  • 6 July 2013
    • Can you spot the security implications/vulnerability of a small change to an ASP.NET MVC 3.0+ Model Binder?
    • Nice business logic vulnerability and CSRF on the ASP.NET MVC Design Patterns book sample
    • Day 1 - made it to Vegas, start of ASP.NET MVC research
    • MVC ModelBinding Vulnerability in Contoso University sample (first raw PoC)
  • 7 October 2012
    • Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform
    • Tool - O2 Cmd SpringMVC v1.0.exe - as standalone exe
    • How the Tool - O2 Cmd SpringMVC v1.0.exe was created
  • 8 December 2012
    • ASP.NET MVC – XSS and AutoBind Vulns in MVC Example app (from 2008)
    • ASP.NET Support in SAST and IBM F4F
  • 9 January 2013
    • OData ASP.NET Web API: A Mass Assignment vulnerability in the making?
    • Should Mass Assignment be an OWASP Top 10 Vulnerability?
  • 10 September 2008
    • ASP.NET MVC – XSS and AutoBind vulns in MVC Example
  • 11 September 2009
    • Spring MVC 3.0 MVC Binding rules
    • Finally … here is how I have been analysing Spring MVC apps using O2
    • Reaching out to Spring Developers
    • Couple more blog posts on JPetStore and additional Spring MVC Autobinding vulnerabilities
    • Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic’s vulnerabilities)
    • Current O2 support for analyzing Spring MVC
    • What needs to be done to map Static Analysis Traces from Controllers and Views
  • 12 October 2011
    • Why doesn’t SAST have better Framework support (for example Spring MVC)?
    • What does SAST mean? And where does it come from?
    • First Answer to: Why doesn’t SAST have better Framework support (for example Spring MVC)?
    • Solution for fixing Spring’s JPetStore AutoBinding vulnerabilities
  • 13 April 2012
    • Some proposed Visions for next OWASP Summit
    • Why ASP.NET MVC is ‘insecure by design’ , just like Spring MVC (and why SAST can help)
    • Starting to use the O2 Spring MVC viewer on ThreadFix

About the Author

Dinis Cruz

Dinis Cruz is the CISO of the Photobox Group and an active OWASP contributor (Owasp Summits and O2 Platform Project).
