Struts2 framework security flaws

Abstract

This article describes a number of security flaws in the popular Java frameworks Struts2 and WebWork, illustrates the security problems that arise both from the frameworks themselves and from the way developers use them, and summarises what the author learned while hunting for vulnerabilities in these frameworks.

Recommended readers

People who know Java development frameworks, people who want to understand web application security, and "network security enthusiasts".

Text

Java web sites today are rarely written in pure JSP; most are built on a Java framework.

Frameworks let developers write code faster and make that code much more extensible, and they have made the idea of a layered architecture pervasive. This has also greatly influenced security code review and produced the idea of "layered code auditing": checking specifically for SQL injection in the DAO layer, for XSS in the view layer, and so on. Each framework has its own layer. This article mainly discusses security issues related to the Struts framework; a small part deals with the DAO layer behind Struts.

Among these frameworks Struts holds a significant market share. Its position within the layers is shown here:

As can be seen, Struts in a web application receives user data, calls the business processing, and displays data. This article therefore divides the function of Struts into a controller layer and a view layer: the controller receives user data and dispatches user requests, while the view is dedicated to displaying data.

Looking at Struts in isolation makes little sense, because architects usually combine several frameworks so that each one is responsible for a particular layer. When studying a framework's security problems one cannot stand only on the framework's own perspective; one must also fully consider how developers use these frameworks and what code they most like to write, so as to reconstruct a normal, complete web application scenario.

Judging from search results on the Internet, most tutorials recommend the "golden combination" Struts + Hibernate + Spring, so I assume an application that uses this combination, focus on Struts, and analyse the design flaws of Struts layer by layer from the attacker's point of view.

Development review: a quick look at Struts2

To review how Struts2 works, let us build an action and a JSP page together: receive user input, process it, and display the result to the user. Readers proficient in Struts2 can skip this step.

------------------------------------- struts Review start
First, create an action called AaaaAction:

import com.opensymphony.xwork2.ActionSupport;

public class AaaaAction extends ActionSupport {
    private String name;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    // Invoked by default when the user requests the action's address.
    public String execute() {
        System.out.println("exe");
        return SUCCESS;
    }

    // Any public method can also be requested directly as aaaaaaa!bbb.action.
    public String bbb() {
        System.out.println("bbbbb");
        return SUCCESS;
    }
}

Note the execute method: when the user enters the action's address, this method is invoked by default.

Then configure the struts.xml file:

<action name="aaaaaaa">
    <result name="success">user/aaa.jsp</result>
</action>

With this file configured, when the user enters

http://www.inbreak.net/app/aaaaaaa.action

Struts hands the request to the execute method of AaaaAction.

After processing, the method returns SUCCESS ("return SUCCESS;"), and Struts looks up the result named success, finds the JSP page it points to, renders that page and returns it to the user.

What the user sees is the HTML of aaa.jsp.

Struts2 inherits all the advantages of WebWork; it is effectively an upgraded WebWork. If a developer wants users to access a method of the action directly, instead of the default execute method, it is enough to define a public method called, say, bbb. The user can then enter

http://www.inbreak.net/app/aaaaaaa!bbb.action

and call the bbb method directly.

How are request parameters received? Struts2 packages this process and makes it very convenient: define a property in the action, say `private String name;`, add getName and setName methods, and the property receives the variable passed by the user just like a normal property. Both GET and POST requests can be received this way.

The whole process is that simple. Now that we understand the process, let us begin the main text; if you want to know more, google it yourself.

---------------------------------- struts Review end

Struts2 flaws

Looking at the data flow in Struts2, there are two main points: input (in) and output (out). My approach to digging for vulnerabilities follows this data flow as well, so let us start with data entry.

Flaw: default values of action attributes can be overwritten

In everyday Java projects we often need to save a new object (for example a registered user) and assign user-submitted values to its properties. All that is needed is to define an object class:

public class User {
    // private Long ...   (the field name is missing from the original)
    private String name;
    private String pass;
    private Integer type = 1;   // default: ordinary user
    // ... getter and setter methods omitted
}

Then, in the action, add an attribute:

User reguser;

The user registration page contains the following code:

<form XXXXXXX>
<input name="reguser.name">

When the user submits the form to the action, Struts2 automatically maps the value of reguser.name onto the corresponding attribute (name) of reguser, so in the execute method the submitted reguser.name value can be read with reguser.getName(). The code is therefore very simple:

public String execute() {
    add(reguser);   // reguser was populated by Struts2 from the form
    return SUCCESS;
}

The add method is even simpler: because the project integrates Hibernate, which automatically maps every attribute of the User class and composes the INSERT statement, calling session.save(user) is enough to save the user to the database.

So many "simple" steps were mentioned above. But are these processes safe, while they give us such convenience?

Struts2 is only responsible for mapping all the objects. It does provide form validation, but that can only validate the content of submitted attribute values (e-mail format and so on); it cannot stop the user from binding other properties that were never in the form. This makes the feature very dangerous.

When User has a property type that says whether the user is an administrator (1 for ordinary users, 2 for administrators), trouble arrives: the attacker adds a new input to the original registration form, named

<input name="reguser.type">

enters the value 2, and submits it to the action together with the rest. In this process the value is, of course, automatically carried into the database and down through the processing logic, and the user has become an administrator.

When you see a Struts2 or WebWork application, you can try this property attack: modify the current form and submit every attribute you can guess; it may affect the whole logic and serve any attack goal. This article gives only one example. In fact, being able to arbitrarily override default values while data is transferred has always been a dangerous defect, yet Struts2 and WebWork saw only the benefits and ignored this aspect of security, caring only about the correctness of the data the user submits. Without this Struts2 feature, when an action needed a variable it was taken out of the user's request and handled one at a time, and no such security problem existed. Now that the process is packaged up, it is convenient, but a serious problem has come out of it.
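One way to close the property-overwrite hole described above, given as an added example rather than code from the article: the action implements Struts2's ParameterNameAware interface, so the params interceptor binds only whitelisted parameter names, and the privilege level is set on the server. RegisterAction and its add() stub are assumed names; the User class mirrors the article's.

```java
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical registration action (not from the article). The params interceptor
// calls acceptableParameterName() for every submitted name before binding it, so
// "reguser.type" never reaches the User object no matter what the form contains.
// (The params interceptor's excludeParams/acceptParamNames configuration in
// struts.xml is an alternative to implementing the interface.)
public class RegisterAction extends ActionSupport implements ParameterNameAware {

    // The only parameters this form is allowed to bind.
    private static final Set<String> ALLOWED = new HashSet<String>(
            Arrays.asList("reguser.name", "reguser.pass"));

    private User reguser = new User();

    @Override
    public boolean acceptableParameterName(String parameterName) {
        return ALLOWED.contains(parameterName);
    }

    @Override
    public String execute() {
        // The privilege level is decided here, never by the submitted form.
        reguser.setType(1);
        add(reguser);
        return SUCCESS;
    }

    private void add(User u) {
        // session.save(u) in the article; persistence is omitted here.
    }

    public User getReguser() { return reguser; }
    public void setReguser(User reguser) { this.reguser = reguser; }

    // Same shape as the article's User class.
    public static class User {
        private String name;
        private String pass;
        private Integer type = 1;

        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getPass() { return pass; }
        public void setPass(String pass) { this.pass = pass; }
        public Integer getType() { return type; }
        public void setType(Integer type) { this.type = type; }
    }
}
```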

Flaw: action methods can be guessed by brute force

As mentioned earlier, a user can reach an action without going through the default execute method, by calling another method of the action directly, on the condition that the method is public. If a developer has to implement login plus a feature that lists all users, and has a "decoupling" habit, this leads to a security flaw.

Define an action as follows:

import com.opensymphony.xwork2.ActionSupport;
import java.util.ArrayList;
import java.util.List;

public class Userlogin extends ActionSupport {
    private String uname = "";
    private String upwd;
    private List<String> list = new ArrayList<String>();
    // getter and setter methods omitted

    public String login() {
        if (uname != null && upwd != null && uname.equals("kxlzx") && upwd.equals("pass")) {
            // login succeeded
            return list();
        }
        return "false";
    }

    // Public, so it is also reachable directly as userlogin!list.action
    public String list() {
        list.add("kxlzx"); list.add("kxlzx1"); list.add("kxlzx2"); list.add("kxlzx3");
        return "list";
    }
}

In Userlogin, because the list function (showing all users) is a common feature that is easily called from elsewhere, the developer wrote it as a separate method.

When the user logs in, opening

http://www.inbreak.net/app/userlogin!login.action

leads to the user's login page. As you can see, only when the user enters the correct user name and password is the list() method ultimately called and the result displayed.

However, all public methods in Struts2 are exposed, so the user can now enter

http://www.inbreak.net/app/userlogin!list.action

When the user accesses this link, Struts2 calls the list method and returns its result to the user. Without logging in, all user information is displayed,
directly bypassing the authentication in login.

Without Struts2, to let users call other methods of a servlet we had to write code in doGet or doPost that decides, based on the request, which method to call; in fact that was a protective measure. Now Struts2, to make development easier, maps all public methods uniformly, so a frequently used function that developers habitually write as a public method has become a serious hole.

Flaw: the design of action attributes in Struts2

Let us return to the attribute definitions in our action. You will find that they too have become a hole, because Struts2 requires the get and set methods of a property to be public.

So when we define

private String name;

public String getName() {
    return name;
}

public void setName(String name) {
    this.name = name;
}

this code actually writes two public methods.
On the surface these two have no real meaning, so is there any security risk?
For that we need the struts.xml file mentioned earlier, now defined as follows:

<action name="user">
    <result name="success">user/userlist.jsp</result>
    <result name="addUser">user/addUser.jsp</result>
    <result name="added">user/added.jsp</result>
    <result name="false">user/false.jsp</result>
</action>

This configuration means that whenever any method of UserAction returns the string success, user/userlist.jsp is returned to the user.

If it returns addUser, user/addUser.jsp is returned to the user.
UserAction is now a user management page. Our system has general administrators and super administrators; the difference is that a general administrator can view users but cannot add one.

Therefore, in UserAction we write

public String addUser() {
    if (true) {   // in reality a super-administrator check goes here; I have been lazy
        return "false";
    }
    return "addUser";
}

This method contains code that denies general administrators access, but the JSP page user/addUser.jsp has no such check of its own,
because the developer believes the page is only reached when addUser is returned, and returning addUser requires passing the super-administrator validation.

So can we make the action return addUser? Of course we can!

http://www.inbreak.net/app/user!getUsername.action?username=addUser

How does Struts2 handle this link?

It finds the path segment user in struts.xml and locates the corresponding Action (net.inbreak.UserAction). Because the path carries "!getUsername", it goes to the getUsername method of that Action. Obviously this method is the getter of the username property, and you must define it if the Action is to receive a user-submitted username.

What does this method return? The value of the action's username field! Ha ha! The user has submitted username to the action: the link ends in "?username=addUser", so Struts2 has assigned that value to the username attribute. The return value here is, of course, "addUser"!

This series of coincidences leads to the user now being returned the page user/addUser.jsp, which is the form for adding a user, without going through the super-administrator verification step.

Now, on the add-user page, there are two lines of attack:
1. Submit directly: if the action that handles the submission does not check the user's identity again, the submission succeeds.
2. If it does check identity, we can still CSRF him, because we know the address of this action and the parameters it needs!

Because Struts2 separates the action from the JSP file, developers tend to put the permission check in the action method, while the JSP page performs no check of its own; they think checking in the action is enough. But the action's properties give us a way to choose the returned result ourselves, so we can bypass the action and reach the JSP page.
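A defensive interceptor covering both the method-guessing section (userlogin!list) and the getter-as-result trick (user!getUsername) above, given as an added example that is not from the article or the Struts project. It assumes a "false" result is configured for every action and that a logged-in user is stored under the session key "loginUser"; turning off dynamic method invocation (the struts.enable.DynamicMethodInvocation constant) in struts.xml is the complementary configuration step.

```java
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import java.util.Map;

// Hypothetical interceptor: runs before every action method and decides whether the
// method named in the URL ("action!method") may be executed at all.
public class MethodGuardInterceptor extends AbstractInterceptor {

    private static final String SESSION_USER = "loginUser";   // assumed session key
    private static final String LOGIN_METHOD = "login";       // the only anonymous entry point

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        String method = invocation.getProxy().getMethod();
        if (method == null || method.length() == 0) {
            method = "execute";
        }

        // 1. Never let "!getX", "!setX" or "!isX" reach a property accessor. Those
        // methods only move data in and out of the action; invoked through the URL,
        // a getter turns a user-supplied property value into the result name.
        if (isAccessor(method)) {
            return "false";
        }

        // 2. Everything except the login entry point needs an authenticated session,
        // so "userlogin!list" cannot skip the check inside login().
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        boolean loggedIn = session != null && session.get(SESSION_USER) != null;
        if (!LOGIN_METHOD.equals(method) && !loggedIn) {
            return "false";
        }
        return invocation.invoke();
    }

    // True for JavaBean accessor names: a prefix followed by an upper-case letter,
    // so "getUsername" matches but a business method like "issueReport" does not.
    static boolean isAccessor(String method) {
        return hasPrefix(method, "get") || hasPrefix(method, "set") || hasPrefix(method, "is");
    }

    private static boolean hasPrefix(String method, String prefix) {
        return method.length() > prefix.length()
                && method.startsWith(prefix)
                && Character.isUpperCase(method.charAt(prefix.length()));
    }
}
```

Register it in struts.xml ahead of the default interceptor stack so it runs before the params interceptor has populated any property.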

Flaw: Struts2 result types (redirect)

We have just seen the benefits that properties bring us in Struts2; now let us go one step further and study the results returned by Action methods.
In fact results are not only looked up by the returned String; Struts2 has other result types, such as "redirect".

<action name="test">
    <result name="false">user/false.jsp</result>
    <result name="redir" type="redirect">${redirecturl}</result>
</action>

In this configuration we only need to look at the part with type="redirect".

This is a URL redirect: for the convenience of developers, Struts2 packages the "custom 302 jump to another URL" pattern. With the definition above we can write the action method:

public String redirect() {
    return "redir";
}

and then define the property

private String redirecturl;

When the user opens

http://www.inbreak.net/app/test!redirect.action?redirecturl=/a.jsp

a 302 redirect is sent to

http://www.inbreak.net/app/a.jsp

This is a very common use of URL jumps in Struts2; the configuration above is all it takes.

I believe any discerning person can see at a glance that there is a URL jump vulnerability: if the user enters

http://www.inbreak.net/app/test!redirect.action?redirecturl=http://www.ph4nt0m.org

it will jump to the phishing site http://www.ph4nt0m.org (-_-!). So how do we defend?

To defend against jumps to phishing sites we certainly need a whitelist mechanism, or simply only allow jumps within the same site. The check then looks like this:

public String redirect() {
    if (redirecturl.startsWith("/")) {
        return "redir";
    }
    return "false";
}

Perhaps you have noticed that checking only for a leading "/" cannot really eliminate URL jump holes, because

http://www.inbreak.net/app/test!redirect.action?redirecturl=//www.ph4nt0m.org

would still jump. But here it is enough, because Struts2 has taken over this process: as long as the value starts with "/", it automatically prepends the local domain name. In Ethereal you will see
location: http://www.inbreak.net/app//www.ph4nt0m.org

So in fact there is no problem.

Struts2 also believes that such a check is not a problem. But if the user enters

http://www.inbreak.net/app/test!getStr.action?str=redir&redirecturl=http://www.ph4nt0m.org

then, as analysed in the previous chapter, using the str property of the action bypasses the check that requires a leading "/" and jumps directly.

test has a str attribute that can be used to choose the returned result; here it is set to "redir", which reaches

<result name="redir" type="redirect">${redirecturl}</result>

and the redirecturl value is also submitted to the action, so the jump happens.

Flaw: Struts2 result types (Ajax)

Using Ajax with Struts2 is also supported: it provides a result type called "stream". While studying the use of this result, I saw a book called "Struts 2 The Definitive Guide: MVC development based on the WebWork core". This book is very well known and recommended by almost all Struts2 users.

http://book.csdn.net/bookfiles/479/index.html

The book describes that Ajax can be used like this:

Configure struts.xml:

<action name="ajaxtest">
    <result type="stream">
        <param name="contentType">text/html</param>
        <param name="inputName">input</param>
    </result>
</action>

Then write TestajaxAction:

import java.io.InputStream;
import java.io.StringBufferInputStream;

public InputStream input;

public String execute() throws Exception {
    // the stream result writes this verbatim with the configured contentType
    input = new StringBufferInputStream("aaaa <td><script>alert('kxlzx')</script>aa");
    return SUCCESS;
}

You can already see what I mean: the page is returned with contentType text/html and the content

aaaa <td><script>alert('kxlzx')</script>aa

which, when the browser parses it, becomes an XSS vulnerability.

The default contentType is text/plain; without that configuration, a user opening the URL directly would only see a stream, and the HTML and JS would not be parsed. Now the book says it should be written this way. I do not know whether the author knows the impact of this tutorial on all of us; the result is that a large number of developers have been misled.

In fact this is not a Struts issue but an issue with an "authoritative" Struts tutorial. Once an authoritative tutorial contains a security hole, it often misleads a large number of developers who, when digging for holes, do not know this point at all, especially when an official demo has a hole; that is definitely an earth-shaking tragedy.

Flaw: Struts2 result types (custom page)

Sometimes, for convenience, developers configure struts.xml as follows:

<action name="test">
    <result name="success">user/test.jsp</result>
    <result name="testpro">user/testproperty.jsp</result>
    <result name="redir" type="redirect">${redir}</result>
    <result name="testloadfilepath">${testloadfilepath}</result>
    <result name="false">user/redirfalse.jsp</result>
    <result name="input">user/input.jsp</result>
</action>

Note the result named "testloadfilepath": ${testloadfilepath} acts as a custom JSP page address, receiving the value of this variable from the request or the session. When the user submits

http://www.inbreak.net/app/test.action?testloadfilepath=user/test.jsp

the page user/test.jsp is of course returned. Very flexible. Not all developers do this, but once it happens, what is the problem?

http://www.inbreak.net/app/test!getRedir.action?redir=testloadfilepath&testloadfilepath=WEB-INF/classes/hibernate.cfg.xml

Do you understand the meaning of this URL? First getRedir is called, which lets the returned result be chosen as testloadfilepath, while testloadfilepath has been set to WEB-INF/classes/hibernate.cfg.xml. The WEB-INF directory is protected by the web container: by default it cannot be requested directly by relative address. It contains the program's compiled class files (which can be decompiled straight back to Java source), the database configuration files and other sensitive documents. Opening the URL above now downloads hibernate.cfg.xml directly, with the database user name and password inside.

In this way the attacker can download all of your source code and every file on the server. When Struts provided this form it never stated officially that it is dangerous; this is a time bomb.
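The two result-controlling parameters discussed above, redirecturl in the redirect section and testloadfilepath here, can be handled the same way: validate the redirect target as a local path, and never let a request name a JSP path at all. The following is an added example, not code from the article; ResultGuard, the VIEWS table and the sample values are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

// Hypothetical helper: what an action's redirect() and view-selection methods would
// call before returning "redir" or a view result.
public final class ResultGuard {

    // The "testloadfilepath" idea done safely: the request carries a short key and
    // the server decides which JSP it maps to, so no user-supplied path reaches a <result>.
    private static final Map<String, String> VIEWS;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("test", "user/test.jsp");
        m.put("testpro", "user/testproperty.jsp");
        VIEWS = Collections.unmodifiableMap(m);
    }

    /** Returns the redirect target if it is a local absolute path, otherwise null. */
    public static String safeRedirect(String candidate) {
        if (candidate == null) return null;
        String s = candidate.trim();
        // A leading "/" alone is not enough: browsers (and containers that do not
        // prepend the host, as the article notes Struts2 does) read "//host" and
        // "/\host" as protocol-relative URLs pointing at another site.
        if (!s.startsWith("/") || s.startsWith("//") || s.startsWith("/\\")) return null;
        try {
            URI u = new URI(s).normalize();
            // Any scheme or authority means it is not a plain local path.
            if (u.getScheme() != null || u.getRawAuthority() != null) return null;
            String path = u.getPath();
            // ".." left after normalisation means the path tried to climb above the root.
            if (path == null || !path.startsWith("/") || path.contains("..")) return null;
            return u.toString();
        } catch (URISyntaxException e) {
            return null;   // control characters, backslashes, etc.
        }
    }

    /** Maps a view key to a JSP path, or null when the key is not whitelisted. */
    public static String resolveView(String key) {
        return key == null ? null : VIEWS.get(key);
    }

    public static void main(String[] args) {
        // Constructed inputs: the article's values plus a few variants.
        String[] redirects = { "/a.jsp", "//www.ph4nt0m.org", "http://www.ph4nt0m.org",
                "/\\www.ph4nt0m.org", "/app/../a.jsp?x=1", "javascript:alert(1)" };
        for (String r : redirects) {
            System.out.println("redirect " + r + " -> " + safeRedirect(r));
        }
        String[] views = { "test", "WEB-INF/classes/hibernate.cfg.xml", "../user/test.jsp" };
        for (String v : views) {
            System.out.println("view " + v + " -> " + resolveView(v));
        }
    }
}
```

Only "/a.jsp" and "/app/../a.jsp?x=1" (normalised to "/a.jsp?x=1") pass safeRedirect, and only the key "test" resolves to a view; everything else yields null and the action should return its "false" result.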

Flaw: the design of the Struts2 taglib

After these examples we have come all the way from user input to the output step. The Struts2 result types are in fact several output modes: JSP, Ajax, redirect, and, after configuring plugins such as jsonplugin, other modes as well. Several tag libraries are also supported, for instance FreeMarker. Here we only discuss the tag library that comes with Struts2: on top of a JSP page, a little code lets you use the tags Struts2 provides for data output and data manipulation.
Compared with the old JSP output "<%= name %>", this is more convenient. An example, test.jsp:

<%@ taglib prefix="s" uri="/struts-tags" %>
<s:property value="username"/>

The first line tells Struts that the Struts tag library is used here; the second line is a tag that outputs the value of username, which is taken from the session, request, page and so on; here we do not care about the order in which the data is looked up.

Struts2 taglib design flaw (Struts 2.0 does not support escapeJavaScript)

Speaking of output, we think of XSS vulnerabilities. So what controls does Struts2, as a popular framework, apply here?
Struts 2.0 applies a default htmlescape to some tags:

The effect of that tag is really

<s:property value="username" escape="true"/>

Do not think that an htmlescape is enough: output placed inside JavaScript will still produce an XSS vulnerability. Therefore Struts 2.1.6 also supports javascriptescape:

Struts 2.1.6:

<s:property value="pass" escape="true" escapeJavaScript="false"/>

The defaults are as shown above; when you output into JS, use escapeJavaScript to escape.

In other words, once you determine that Struts is 2.0, as long as developers output a variable into JS, there is very likely an XSS problem.

Struts2 taglib design flaw (no safe rich-text output tag)

Up to and including the newest version, 2.1.8, there is still no support for safe rich-text output. This is tragic: if a popular blog application built on Struts also supports rich-text articles, developers can only remove both htmlescape and jsescape to keep the business running, which leads to XSS vulnerabilities.

Struts2 taglib design flaw (not all output tags apply htmlescape by default)

Several tags do not htmlescape, such as

<s:a>
<s:text>
<s:url>

This is in fact a serious trap: whenever Struts2 is mentioned, seniors will tell you it is easy to use and escapes HTML by default. So why do some tags not escape by default? After turning over the source code I still could not find any specific reason; I do not know what those people were thinking.

And after a simple fuzz, I found that under certain circumstances even the tags that do escape have output escaping problems.

We know that the default htmlescape does not escape single quotes. So when the Struts tag library source code outputs some tag attribute surrounded by single quotes, and the attacker can control the content of that attribute, an XSS vulnerability appears. For example:

<input name="username">

When this content can be controlled by the attacker, even though it has been htmlescaped, the attacker can still bypass the escaping.

Based on this principle, I searched the Struts tag library source code, looking in the "XXX.ftl" files for the ")'" sign, and found N places. One of them is tested below:

-------------
The <s:textfield> tag is normally placed inside an <s:form> tag and ends up as an input box in the output HTML.
It has a property called "tooltip". If the tag's content can be controlled by the user, for example read from user input stored in the database, and the tag is located inside an
<s:form> opened as:

<s:form tooltipConfig="#{'jsTooltipEnabled':'true'}">

then, when the user-entered value reaches tooltip, the following appears:

Struts 2.0 ->

<span dojoType="tooltip" ... caption="kxlzx<script></script>">

The caption content is the tooltip value fetched from the database.

Struts 2.1.6 and Struts 2.1.8 ->

<img"domTT_activate(this, -'StrutsTTClassic');alert('xss');a('','styleClass'-" />

onmouseover generates a domTT_activate function call, and one of its parameters is the tooltip content. Here is a bypass.

------------

Several of the places found do no escaping at all and output the data directly. The following would be a problem even with the default htmlescape, unless javascriptEscape were done by default. Does Struts2 do javascriptEscape by default anywhere?
The answer is "no". Therefore they can all be XSS!

Struts2's escaping is in fact a very "eunuch" security scheme: what security engineers hate most is a security scheme that has been done but not completed, leaving a pile of problems behind.
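The escaping gap described in this section, shown as an added example rather than code from Struts: htmlEscape mimics the default behaviour the article describes (no single-quote escaping), and the other two functions are the context-aware versions a safe tag would need. The tooltip value and the two output templates are constructed for the demo.

```java
// Hypothetical escaping helpers; OutputEscape is an assumed name.
public final class OutputEscape {

    /** The default htmlescape as the article describes it: single quotes untouched. */
    public static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Also escapes single quotes, so the value is safe inside attr='...' as well. */
    public static String htmlEscapeStrict(String s) {
        return htmlEscape(s).replace("'", "&#39;");
    }

    /** Makes a value safe inside a JavaScript string literal ('...' or "..."). */
    public static String jsStringEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            if (c == '\\' || c == '\'' || c == '"') {
                sb.append('\\').append(c);
            } else if (c == '\n') {
                sb.append("\\n");
            } else if (c == '\r') {
                sb.append("\\r");
            } else if (c == '<' || c == '>' || c == '&' || c == '/' || c < 0x20) {
                sb.append(String.format("\\u%04x", (int) c));   // also blocks </script>
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** A JS string that lives inside an HTML attribute: JS-escape first, then HTML-escape. */
    public static String jsInAttribute(String s) {
        return htmlEscape(jsStringEscape(s));
    }

    public static void main(String[] args) {
        // Constructed tooltip value of the kind the article says can come from the database.
        String bad = "kxlzx');alert('xss');a('";

        // Context 1: a single-quoted HTML attribute (the ')' pattern found in the .ftl files).
        // htmlEscape leaves the quotes alone, so the attribute is closed early.
        System.out.println("attr, htmlEscape       : <span caption='" + htmlEscape(bad) + "'>");
        System.out.println("attr, htmlEscapeStrict : <span caption='" + htmlEscapeStrict(bad) + "'>");

        // Context 2: a JS string inside an event-handler attribute (the domTT_activate case).
        // The browser decodes entities before the JS engine runs, so &#39; turns back into
        // a quote and HTML escaping alone, strict or not, cannot protect this context.
        String head = "<img onmouseover=\"domTT_activate(this, '";
        String tail = "')\" />";
        System.out.println("js, htmlEscapeStrict   : " + head + htmlEscapeStrict(bad) + tail);
        System.out.println("js, jsInAttribute      : " + head + jsInAttribute(bad) + tail);
    }
}
```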

Flaw: Struts2 handling of HTTP Parameter Pollution

Both WebWork and Struts2 have this problem. When a user submits to the web application

http://www.inbreak.net/app/test!redirect.action?redir=kxlzx&redir=aaad61

and we have defined in the action

private String redir;

public String getRedir() {
    return redir;
}

public void setRedir(String redir) {
    this.redir = redir;
}

the action receives the redir value "kxlzx, aaad61". Note the space in the middle.

This value is the result of WebWork (Struts2) merging the two parameters. But if we read the value with request.getParameter("redir"), we get only the first one (the value kxlzx).

We know that Struts2 promotes interceptors for doing work before and after the action method executes. So some developers take it for granted that defenses against URL jumps, SQL injection, XSS and other attacks belong here. Let us look at how they do it:

@Override
public String intercept(ActionInvocation arg0) throws Exception {
    // ... (elided in the original; the request is assumed to come from ServletActionContext)
    HttpServletRequest request = ServletActionContext.getRequest();
    String name = request.getParameter("name");
    if (name != null && name.indexOf("'") > -1) {
        System.out.println("find sql injection");
        request.getSession().setAttribute("msg", "find sql injection");
        return "falseuser";
    }
    String redir = request.getParameter("redir");
    if (redir != null && !redir.equals("http://www.b.com")) {
        System.out.println("find url redirect");
        request.getSession().setAttribute("msg", "find url redirect");
        return "falseuser";
    }
    return arg0.invoke();
}

In this code I only give an example of defending against SQL injection and URL jumps in an interceptor: the SQL injection rule checks for the single quote "'", and the URL jump rule checks whether the jump goes to "http://www.b.com". I do not fully know the defenses, so this is not a complete defense scheme, just an example.

And the developer's business code is as follows:

String sql = "select book_name, book_content from books";
if (name != null) {
    // string concatenation, as in the original: deliberately injectable
    sql += " where book_name like '%" + name + "%'";
}

Obviously this can be injected.

public String redirect () (
return "redir";
)

This too has an evident URL jump hole.

However, because the interceptor runs before the action, if we enter

http://www.inbreak.net/app/test!findUserByName.action?name=a '

the interceptor will of course return the error "find sql injection",

because when execution reaches

String name = request.getParameter("name");
if (name != null && name.indexOf("'") > -1) {

it finds that the value of name does contain a single quote.
But if we enter

http://www.inbreak.net/app/test!findUserByName.action?name=aaaaa&name=a' union select name,pass from user where ''<>'

the interceptor's check is bypassed directly. The request.getParameter("name") in the interceptor obtains the first value, aaaaa, and discards the second, but the value of name in the action is "aaaaa, a' union select name,pass from user where ''<>'", which is why the injection succeeds.

Most defenses are done in interceptors, including some filters and so on.
The same thing happens with the URL jump hole, though less obviously, because the attacker can at best construct

http://www.inbreak.net/app/test!redirect.action?redir=http://www.b.com&redir=www.inbreak.net

Looking at it in Ethereal:

It jumped to http://www.b.com, www.inbreak.net. IE therefore reports an error saying that the address cannot be opened. But there are other browsers; Chrome, which always likes to give friendly information, gives the user this advice:

Chrome also thinks this is a wrong link and offers the "correct" link. Isn't this exactly what phishing sites use?
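The parameter pollution gap above, as an added example rather than code from the article: it models the first-value read the interceptor uses against the joined value the article says the action property receives, and shows a check that covers every value. The request map is constructed for the demo and ParameterPollution is an assumed name.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical demo; a servlet container exposes the same String[] per name
// through request.getParameterValues(name).
public final class ParameterPollution {

    /** What request.getParameter(name) returns: the first value only. */
    static String firstValue(Map<String, String[]> params, String name) {
        String[] v = params.get(name);
        return (v == null || v.length == 0) ? null : v[0];
    }

    /** What the article says the action property receives: all values joined by ", ". */
    static String joinedValue(Map<String, String[]> params, String name) {
        String[] v = params.get(name);
        if (v == null) return null;
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < v.length; i++) {
            if (i > 0) sb.append(", ");
            sb.append(v[i]);
        }
        return sb.toString();
    }

    /** The article's interceptor rule: looks at the first value only. */
    static boolean naiveAllows(Map<String, String[]> params, String name) {
        String v = firstValue(params, name);
        return v == null || v.indexOf('\'') < 0;
    }

    /**
     * Hardened rule: a repeated parameter is rejected outright, and otherwise every
     * value is checked, so the interceptor judges exactly what the action will see.
     * (Inside a Struts2 interceptor the same String[] is available from
     * invocation.getInvocationContext().getParameters(); the SQL itself should of
     * course use a PreparedStatement rather than rely on this filter.)
     */
    static boolean strictAllows(Map<String, String[]> params, String name) {
        String[] v = params.get(name);
        if (v == null) return true;
        if (v.length > 1) return false;
        return v[0].indexOf('\'') < 0;
    }

    public static void main(String[] args) {
        // Constructed request: the same name submitted twice, as in the article's URL.
        Map<String, String[]> req = new LinkedHashMap<String, String[]>();
        req.put("name", new String[] { "aaaaa", "a'" });

        System.out.println("interceptor sees : " + firstValue(req, "name"));
        System.out.println("action sees      : " + joinedValue(req, "name"));
        System.out.println("naive allows?    : " + naiveAllows(req, "name"));
        System.out.println("strict allows?   : " + strictAllows(req, "name"));
    }
}
```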
Security flaws triggered by Struts2's official vulnerability announcements and patches

Since Struts2 came into existence, the official project has published a total of four vulnerabilities at

http://struts.apache.org/2.x/docs/security-bulletins.html

* S2-001 - Remote code exploit on form validation error
* S2-002 - Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags
* S2-003 - XWork ParameterInterceptors bypass allows OGNL statement execution
* S2-004 - Directory traversal vulnerability while serving static content

The content of each hole can be seen from its name. I did a source-level review of the fixes for only two of them, and found many tragic things.
Interested students can go and study the remaining two holes.

Security holes caused by official announcements and patches (S2-002)

Take a look at "S2-002 - Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags".

As the name suggests, this is a fix for XSS in <s:url> and <s:a>, but as mentioned earlier those XSS vulnerabilities still exist; is everyone being fooled? Let us see how the gang of engineers repaired it, at this SVN address:

http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java?r1=614814&r2=615103&diff_format=h

Pay attention to these two lines:

When I saw these two lines of code I laughed, because I seemed to see at least two tragedies, which I will now tell as a story.
The first tragedy: on a certain day, a script kiddie reported a vulnerability to the official project. The code used the <s:url> tag as follows:

<s:url action="%{#parameters.url}"></s:url>

He then entered

http://www.inbreak.net/app/test!testpro.action?url=<script>alert('hacked by kxlzx')</script>

and told the officials that this is an XSS vulnerability which he hoped they would fix.
The officials attached great importance to it; a developer went to repair it and added the following check:

if (result.indexOf("<script>") >= 0) {
    result = result.replaceAll("<script>", "script");
}

Then smoke testing, functional testing, black-box and white-box testing were carried out. No problem was found, because when a malicious attacker submits the url, the output is

scriptalert('hacked by kxlzx')</script>

and the XSS script is not executed by the page. Later the script kiddie tested a bit too and found no problem, so the matter passed without the public knowing and was quietly fixed.

The second tragedy: some time later, on some other day, another script kiddie found a flaw in that same piece of code, but this time changed the url to:

http://www.inbreak.net/app/test!testpro.action?url=<<script>>alert('hacked by kxlzx')</script>

Note that the payload here is <<script>>; after one pass of replaceAll it becomes exactly <script>, and the XSS vulnerability is re-formed.
The project had to attend to it again, and decided to turn the if into a while loop: no matter how many you give it, even <<<<<<<script>>>>>>> still becomes

scriptalert('hacked by kxlzx')</script>

Again smoke tests, functional tests, black-box and white-box tests were run. This time a bulletin was also issued saying that there is no problem, we attach great importance to security, and the vulnerability has been repaired.

Readers can see where this is going. The url the author used to test bypassing the new official patch is:

http://www.inbreak.net/app/test!testpro.action?url=<script kxlzx=kxlzx>alert('hacked by kxlzx')</script>

And the XSS script executes, because here the tag is <script kxlzx=kxlzx>, not <script>, so it does not match the condition, is never touched by replaceAll, and the bug fix is bypassed once again...
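To make the lesson of the story concrete, here is an added illustration (not code from Struts or from this article's author): the two patches are reconstructed from the description above as filterOnce and filterLoop, and htmlEscape is the output-encoding alternative a defender would reach for. The three payloads are the ones constructed in the story; the class and method names are the author's own choice.

```java
import java.util.List;

// Added illustration, not Struts code: filterOnce and filterLoop are reconstructed
// from the article's description of the two S2-002 patches; htmlEscape is what a
// defender would use instead. Payloads are the three constructed in the story.
public class ScriptFilterDemo {

    // First patch as described: strip a literal "<script>" once.
    static String filterOnce(String result) {
        if (result.indexOf("<script>") >= 0) {
            result = result.replaceAll("<script>", "script");
        }
        return result;
    }

    // Second patch as described: keep stripping until no literal "<script>" is left.
    static String filterLoop(String result) {
        while (result.indexOf("<script>") >= 0) {
            result = result.replaceAll("<script>", "script");
        }
        return result;
    }

    // Output encoding: every character that can open or close HTML syntax becomes an
    // entity, so the browser never sees a tag, whatever the input looks like.
    static String htmlEscape(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Does an opening script tag, with or without attributes, survive in the output?
    static boolean scriptTagSurvives(String html) {
        return html.toLowerCase().matches("(?s).*<script[\\s>].*");
    }

    static void report(String label, String output) {
        System.out.printf("  %s: %-60s script survives=%b%n",
                label, output, scriptTagSurvives(output));
    }

    public static void main(String[] args) {
        List<String> payloads = List.of(
            "<script>alert('hacked by kxlzx')</script>",               // the first report
            "<<script>>alert('hacked by kxlzx')</script>",             // bypasses the if-patch
            "<script kxlzx=kxlzx>alert('hacked by kxlzx')</script>");  // bypasses the while-patch
        for (String p : payloads) {
            System.out.println("payload     : " + p);
            report("if-replace ", filterOnce(p));
            report("while-loop ", filterLoop(p));
            report("html-escape", htmlEscape(p));
        }
    }
}
```

Running it shows the pattern the story describes: the if-patch neutralises only the first payload, the while-loop patch only the first two, and only the escaped output never contains a live script tag, because encoding removes the whole class of tag syntax rather than one spelling of it. Note also that replaceAll takes a regular expression; "<script>" happens to contain no metacharacters, but a blacklist built this way is fragile in that respect too.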

Security holes caused by struts2's official vulnerability announcements and patches (S2-004)

The patch for this vulnerability is even more frustrating than the previous one. This is a /../ vulnerability that gives access to resource files:

S2-004 - Directory traversal vulnerability while serving static content

To understand the cause of this vulnerability, we first need to understand one point.

When struts' FilterDispatcher receives a request for a file under either of the following two url paths:

http://www.inbreak.net/app/struts/

or

http://www.inbreak.net/app/static/

it fetches static resource files from the struts-core package, under core/src/main/resources/org/apache/struts2. These resources are in fact some js script files and some css files. In the

<img"domTT_activate(this, -'StrutsTTClassic');alert('xss');a('','styleClass'-" />

code mentioned earlier, domTT_activate is in fact a function defined in the file

http://www.inbreak.net/app/struts/domTT.js

Back in the struts2.0 era, as long as you dared, on quite a few struts2 versions an attacker could use

http://www.inbreak.net/app/struts/..%252f

http://www.inbreak.net/app/struts/..%252f..%252f..%252fWEB-INF/classes/example/Login.class/

to browse the web directory and download files from it.
I will not discuss the bug fix. Readers should quickly think about whether their own company's developers use struts2, and whether any of the versions between "Struts 2.0.0 - Struts 2.0.11.2", repackaged or not, is deployed directly in the web application. If so, the method above attacks it directly. These days the author used it to look at a few large portals and found they all had this hole, downloaded their database configuration files along the way, and reported the vulnerability.

The struts project was probably attacked itself, and then fixed the code.
The author also looked at the svn repair record:

http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/dispatcher/DefaultStaticContentLoader.java?r1=674498&r2=687425&pathrev=687425&diff_format=h

You can see that the line of code "if (!name.endsWith(".class")) {" was deleted in the fix.

Why did the code before the patch filter .class files? Because struts provides a feature:
if developers want to use the static file mapping for their own files, they can configure it in web.xml

<filter>
  <filter-name>struts</filter-name>
  <filter-class>
    org.apache.struts2.dispatcher.FilterDispatcher
  </filter-class>
  <init-param>
    <param-name>packages</param-name>
    <param-value>net.inbreak.action</param-value>
  </init-param>
</filter>

With the configuration above, when the user requests

http://www.inbreak.net/app/struts/domTT.js

struts will in fact look for domTT.js under the net.inbreak.action folder and send it to the user, rather than looking in the core package's folder. Because this feature is opened up, and in order to prevent the class files under that package from being downloaded and decompiled into source code, the project wrote this line of code to filter .class files.

Because this line existed, a period went by, and it happened to be struts2's popular era. A large number of articles on the Internet introduced the struts2-core source code, and when introducing FilterDispatcher they inevitably mentioned that .class files are filtered here: if developers use this feature, they can rest assured that their class files will not be downloaded.

Later the vulnerability came out, and an attacker could use

http://www.inbreak.net/app/struts/..%252f..%252f..%252fWEB-INF/classes/example/Login.class/

to bypass the official limit and download class files. Indeed, the fix finally closed the /../ hole. But the tragedy is that, because class files could still be downloaded, the project removed the line "if (!name.endsWith(".class")) {" at the same time as fixing it, perhaps feeling that this line of code was too shameful to keep.

Meanwhile the tutorials are still on the Internet telling you that class files cannot be downloaded, and the project has issued a statement that the /../ vulnerability has been repaired. However, developers who followed those tutorials have long since mapped the static directory:

<param-name>packages</param-name>
<param-value>net.inbreak.action</param-value>

If there is a UserLogin.class file under this developer's net.inbreak.action package, then on vulnerable struts2 versions the server faces the fate of having all of its files downloaded. Even if the developer upgrades struts, because the core code's check for class files was removed, this file can still be downloaded via

http://www.inbreak.net/app/struts/UserLogin.class

Without any notification, and while tutorials everywhere still tell you that class files cannot be downloaded, the project quietly removed this check. So now, whether you upgrade or not, the hole does not go away. And if developers get dizzy and configure it as follows:

<param-name>packages</param-name>
<param-value>/</param-value>

then anything goes: every file under the resource directory can be downloaded, for example

http://www.inbreak.net/app/struts/hibernate.cfg.xml
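As an added illustration of what a static-content loader should check (this is the author's own example, not Struts code, and the naive model is only a simplified reconstruction of the flawed behaviour described above, not the real DefaultStaticContentLoader), the block below contrasts a loader that URL-decodes a second time and concatenates with one that refuses double encoding, normalises the path, keeps it under the base directory and serves only an allowlist of file types. The base directory, request strings and the .js/.css allowlist are constructed for the demo.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

// Added illustration, not Struts code. naiveResolve is a simplified model of the
// flaw described in the article (a second URL-decode plus string concatenation);
// safeResolve is the check a defender would want. Base directory, requests and the
// allowlist are constructed for this demo.
public class StaticPathCheck {

    // Only the file types the static mapping exists to serve (an allowlist chosen here).
    static final Set<String> ALLOWED_SUFFIXES = Set.of(".js", ".css");

    // Flawed model: the container already decoded the URL once, so "..%252f" arrives
    // as "..%2f"; decoding again turns it into "../" and nothing checks the result.
    static String naiveResolve(String base, String requested) {
        String decoded = URLDecoder.decode(requested, StandardCharsets.UTF_8);
        return base + "/" + decoded;
    }

    // Hardened: no second decode, normalise, stay under base, serve only allowlisted
    // types. Returns null when the request must be rejected.
    static Path safeResolve(Path base, String requested) {
        // Anything still percent-encoded after the container's decode is double
        // encoding; a NUL can truncate names in lower layers. Reject both.
        if (requested.indexOf('%') >= 0 || requested.indexOf('\0') >= 0) {
            return null;
        }
        Path target = base.resolve(requested.replace('\\', '/')).normalize();
        // ".." segments or an absolute path would land outside the base directory.
        if (!target.startsWith(base) || target.equals(base)) {
            return null;
        }
        // Judge the suffix on the normalised file name, so "Login.class/" and
        // "Login.class" are treated the same way.
        String name = target.getFileName().toString().toLowerCase();
        boolean allowed = false;
        for (String suffix : ALLOWED_SUFFIXES) {
            if (name.endsWith(suffix)) {
                allowed = true;
            }
        }
        return allowed ? target : null;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/var/app/static").toAbsolutePath().normalize();
        String[] requests = {
            "domTT.js",                                            // legitimate
            "..%2f..%2f..%2fWEB-INF/classes/example/Login.class/", // article's traversal, after one decode
            "../../../WEB-INF/classes/example/Login.class",        // plain traversal
            "UserLogin.class/",                                    // mapped-package class, trailing slash
            "hibernate.cfg.xml"                                    // config file under a "/" mapping
        };
        for (String r : requests) {
            Path safe = safeResolve(base, r);
            System.out.printf("%-55s%n  naive -> %s%n  safe  -> %s%n", r,
                    naiveResolve(base.toString(), r), safe == null ? "REJECTED" : safe);
        }
    }
}
```

The design choices matter more than the code: decoding is the container's job, so a loader that decodes again is exactly what turns %2f back into a separator; the containment check (normalise, then startsWith on the base) catches traversal regardless of how the dots were spelled; and an allowlist of served types is what actually protects a developer who mapped "/" or their own package, where a single "not .class" denylist line, the one the project deleted, never covered files like hibernate.cfg.xml in the first place.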

Summary

The author has dug some holes in struts2, and also some web vulnerabilities in other frameworks (outside the scope of this article), and summarises below the ways of digging holes in these frameworks.

First, problems that lie in the framework itself. Once developed with these frameworks, a web application will directly face a number of vulnerabilities:

1, Opening a certain function by default, so that applications adopting the framework inherit its vulnerabilities

The framework quietly opens some features without asking permission, possibly to make development easier, and that is what produces the holes.

For example:
with AJAX frameworks such as DWR, once used, on some versions, entering

http://www.inbreak.net/app/dwr/

shows a page that maps out all the ajax methods; even some service methods that were never configured are mapped automatically. On that page you can pick a mapped method, submit arguments and call it. For example, if you see a method named getUserpasswdByid, you know from the name that passing in a user id returns that user's password.

Another example is the ../../ vulnerability in struts2 described in this article.
If you want to dig this kind of hole, which is absolutely 0day-level, you need to be suspicious of every step of the implementation. Such holes are in fact mostly found in the differences between the development environment and the production environment, and in some weird function points.

2, Extending a certain function, leading to security problems

Our web applications could have written their own code to implement some features, but the framework, to make development and management convenient, packages up the code developers would otherwise write, so that a few simple lines achieve what used to take a large amount of code. These conveniences bring a lot of security issues. When digging holes, pay special attention to the places that are far more convenient than the original: many things were extended, and you should ask whether those extensions took safety into account.

This article's example is the vulnerabilities related to the struts result (urlredirect).

3, Misleading demos, tutorials or user guides

Since the framework emerged, to let people understand and use it as fast as possible, the project put out user manuals, demos and the like, and many big names also put out corresponding tutorials or books. But these tutorials, demos and book examples happen to contain a lot of holes. Even developers who did not follow the tutorial exactly may still have been misled by it. If you are a hacker and see these books, do not hesitate to feed them into your scanner: a lot of developers really do follow the tutorial.

For example, the ajax thing from that book mentioned in this article.

4, A safety program existed, but was overwritten by functional code

This is in fact a tragic thing. It tells us to watch, in daily development and bug fixing, whether some developer who knows the truth quietly ripped the original security plan out of context to achieve a particular function. When digging holes, pay particular attention to code changes attached to safety programs; you may find very dumb logic there.

For example, the check on .class files in this article.

5, Imperfect security

A safety program must be implemented thoroughly; pay attention to its integrity. It cannot be OK in some places and unimplemented in others. When digging holes, don't be intimidated by the security program: it may sound awesome and absolutely flawless, but at the very least it deserves a comprehensive fuzz.

For example, the missed XSS points mentioned in this article, as well as the rich text omission.

6, Version upgrades without a visible security bulletin

We know that architects are reluctant to upgrade a framework unless absolutely necessary, especially to an unstable version, because an upgrade may bring a lot of unexpected problems; so even when they see a security bulletin they may not upgrade. Those who don't understand security are even more reluctant. So when the project makes a vulnerability patch, the announcement must be associated with the code log, telling you specifically where the changes were made. Students who dig holes should watch these areas closely, refine and test every possible way around the changed part, and not let an ordinary test result startle them into assuming the vulnerability has been repaired.

7, The tragedy of the program

Very often we see an official vulnerability patch, or the implementation of some safety program. But does it really achieve the effect of plugging the hole?

For example, the <s:url> tag XSS vulnerability in this article: the official patch plugged every hole they could think of, they really racked their brains, and ultimately it was a tragedy.

8, Excellent program, tragic implementation

As the title says; no explanation needed.

9, Challenging the web server's configuration

This problem needs to be said. Why must struts do static mapping at all? The purpose was in fact to separate the framework from applications. Clearly js files should be placed in the project's web directory, so why do this? Because when the struts package was released there was no project, only a framework.

To make those js files accessible from any project, they were reluctantly forced to implement this feature, mapping the static directory. Whatever project is deployed, just add /struts or /static after the root url and the js can be accessed. Later they apparently felt this feature was good and actually offered it to developers as a recommended feature. In the final analysis, struts challenged the web server's configuration by having to do its own static mapping. You need to know that other people's web server mapping is the result of many years of grinding against hackers; does struts have all that?

This underscores the point: mapping a directory on its own, doing access to a single directory on its own, doing DIR-listing features. If you see a framework that has implemented such a function, congratulations! Dig in quickly; in all likelihood there are holes!

10, No safety program, and no reminder either

In fact, this article does not mention a number of web vulnerabilities, such as csrf, session fixation, and transport encryption. These holes clearly exist in struts, but the author thinks they don't need to be said here; we all have discerning eyes, and if you see a form with no token, it's csrf one hundred percent!

Think about it: the project also clearly knows that once their framework is used these holes will exist, so why don't they even give a reminder? Developers didn't know, and the project wished to hide it. If the framework were responsible, it would issue a notice saying: if you use my framework, be careful of such-and-such attack...

Uh... I understand why the project didn't dare to say it. -_-!
Besides these "as long as you use it, you're inevitably flawed" security flaws in the frameworks themselves, there are many problems that appear in the process of developers using the framework:
1, Two frameworks that are each convenient combine into a hole. There is a framework called Spring Security with url-based access control, and it does it well: if you are not an administrator you absolutely cannot access the admin directory. However, in many web frameworks an action or a controller can be reached through more than one url, because compatibility handling was done there and multiple urls point to the same application. As a result Spring Security's url-based access control exists in name only.

2, The developer's "normal" use of the framework may create holes. This is the most miserable kind: the framework won't claim this type of vulnerability; it will call it a development issue. However, the two security flaws in this article, "brute-forcing action methods" and "magnifying url redirect", are indeed consequences of the framework's intent (facilitating development). Will there be an official patch? I think at most they will say you should not do this or that, and will not implement any security program. You should be aware that these vulnerabilities are characteristics of struts or webwork, and only appear when these frameworks are used.

3, Dangerous feature points brought by the framework, such as some XSS in the Tag lib: when used, holes are inevitable.

4, The framework digs a trap for developers, and this one is fundamentally a pit: take /static and /struts. If developers don't configure it, at most a js file can be downloaded, with little impact; if developers use the feature and map a certain directory, they have fallen into the pit.

5, A vulnerability in one framework is magnified by another. The default values mentioned herein are overwritten by the submitted variables, and because hibernate does not need you to write sql statements, they end up stored in the database.
Think back: if we wrote the sql statement ourselves, would you really write a special variable, when adding an ordinary user, to receive the administrator field from the user registration form?

But is this hibernate's problem? Of course not; it only made the vulnerability more serious.

Addendum

This article has collected struts2's various security flaws here. Personally, I think this is one direction for digging holes: digging holes in the framework.
We focus on whether the code is secure, but rarely look at whether the framework itself, and the way the framework is used, is really safe.
Many people ignore this issue. I believe this is neither a new beginning nor an end, just a way to get everyone to pay more attention to framework security.
The author mentioned only the two frameworks struts and webwork in this article; in fact there are a lot of frameworks. Are they really secure? That remains to be verified!
For those students who actually intend to turn the technology into practice: a framework vulnerability scanner can be built. The guessing problem is hard to solve; you can spider the site, save the field names developers like to use, pay attention to input names, action names, directory names and so on, and generate a guessing list from them. Determining whether struts is in use is simpler:

Feature 1: XXX.action may be struts or webwork
Feature 2: XXX.do may be struts or webwork
Feature 3: XXX!bbb.action may be struts or webwork
Feature 4: XXX/struts/..%252f is necessarily struts2

This article comes from: http://huaidan.org/archives/3433.html; thank you for sharing.