You Inversion of Control Framework Secure


  • 8/14/2019 You Inversion of Control Framework Secure

    1/27

    Ryan Berg

    Co-Founder and Chief Scientist

    March 2009


    Spring is in the air

    Aren't we all a little tired of SQL injection and XSS?

    Want to learn about all the latest rage in framework-based vulnerabilities and analysis?

    Join me on this whirlwind tour of how your applications can be exploited!


    Spring mission statement

    It should be easy and fun to use

    Applications developed should be loosely coupled with the framework

    Should leverage existing solutions as much as possible

    Nowhere does it say it should be secure


    The Weakest Link

    As we put more and more trust into the frameworks that are the foundation of our apps, make sure you understand the security decisions made so you can make the right implementation choices.

    Copyright 2009 Ounce Labs, Inc. All rights reserved.


    Just a little background

    For a good overview of the Spring Framework, see: http://www.theserverside.com/tt/articles/article.tss?l=IntrotoSpring25

    Here is the main documentation for the Spring Framework:

    http://static.springframework.org/spring/docs/2.5.x/reference/index.html

    http://static.springframework.org/spring/docs/2.5.x/api/org/springframework/validation/DataBinder.html#setAllowedFields(java.lang.String%5B%5D)

    http://forum.springframework.org/archive/index.php/t-10820.html


    It's all about the models, Baby!

    (see also http://en.wikipedia.org/wiki/Model-view-controller)


    Time to wire up the app


    Basic controller


    Form view


    Form controller


    Model


    Huh?


    All this gives you


    I thought this was about security?

    It's all about auto-binding:


    It certainly makes it easy for developers

    Let's look at some guiding principles:

    There does not now, nor will there ever, exist a programming language in which it is the least bit hard to write bad programs.

    Lawrence Flon

    If there are two or more ways to do something, and one of those ways can result in a disaster, then someone will do it.

    Edward A Murphy

    For just about any technology, be it an operating system, application or network, when a sufficient level of adoption is reached, that technology then becomes a threat vector.

    Gene Spafford


    Demo time

    Demo #1


    But wait, it gets better

    Inversion of Control


    MVC Recap

    DispatcherServlet

    The DispatcherServlet is the Front Controller in the MVC pattern and is responsible for controller routing.

    ModelAndView

    Created by the Controller

    Holds the Model

    Ties the View to the request

    ViewResolver

    Associates view names to view implementations

    HandlerMapping

    Used by the DispatcherServlet for request routing


    Blah Blah Blah, I thought we covered this already!


    Did I say it's all about the Model? Maybe it's the View

    ViewResolver

    Provides a mapping between view names and actual views.

    UrlBasedViewResolver

    Provides direct resolution between symbolic view names and URLs.

    InternalResourceViewResolver

    Primarily used to route requests to internal JSPs/Servlets

    BeanNameViewResolver

    Basic resolver that maps views to beans in the current application context.

    View resolvers can be chained, this could never be a problem, right?


    Let's see that in action

    Demo #2


    So, what do you do?

    Use DataBinder.setAllowedFields religiously.

    http://static.springframework.org/spring/docs/1.2.x/api/org/springframework/validation/DataBinder.html

    http://forum.springframework.org/archive/index.php/t-10820.html

    Never allow direct user input to your Controller's return View.

    Happy Hunting :) http://www.google.com/codesearch?hl=en&lr=&q=ModelAndView%5C%28.*request%5C.&sbtn=Search

    http://www.ouncelabs.com/springmvc
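    As an added example (not code from the deck or from Ounce Labs), a Spring 2.5-style annotated controller that applies both recommendations: the binder only accepts the properties the form actually exposes, and the returned view name is never taken straight from the request. The package-less class, the Account command object, its fields and the view names are all hypothetical.

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
@RequestMapping("/account")
public class AccountController {
    // Hypothetical command object. The form only exposes firstName and lastName,
    // but auto-binding would also fill "admin" from a request parameter of the
    // same name unless the binder is restricted.
    public static class Account {
        private String firstName, lastName;
        private boolean admin;
        public String getFirstName() { return firstName; }
        public void setFirstName(String v) { firstName = v; }
        public String getLastName() { return lastName; }
        public void setLastName(String v) { lastName = v; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean v) { admin = v; }
    }
    // Whitelist the bindable properties; any other submitted parameter is ignored.
    // The String[] form is used because Spring 2.5 declares setAllowedFields(String[]).
    @InitBinder("account")
    public void restrictFields(WebDataBinder binder) {
        binder.setAllowedFields(new String[] { "firstName", "lastName" });
    }
    @RequestMapping(method = RequestMethod.POST)
    public String submit(@ModelAttribute("account") Account account, BindingResult result) {
        if (result.hasErrors()) return "accountForm";
        // account.isAdmin() is still false here no matter what was posted.
        return "accountConfirm"; // view name fixed in code, never taken from the request
    }
    // When the next page really must come from the client, resolve it against a
    // closed set of view names instead of handing the raw value to the ViewResolver chain.
    private static final List<String> NEXT_VIEWS = Arrays.asList("accountConfirm", "accountSummary");
    @RequestMapping(value = "/next", method = RequestMethod.GET)
    public String next(@RequestParam("page") String page) {
        return NEXT_VIEWS.contains(page) ? page : "accountConfirm";
    }
}
```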

    Questions

    Ryan Berg, Co-Founder and Chief Scientist

    [email protected]

    For more information, visit:

    www.ouncelabs.com/springmvc