8/14/2019 You Inversion of Control Framework Secure
1/27
Ryan Berg
Co-Founder and Chief Scientist
March 2009
Spring is in the air
Aren't we all a little tired of SQL injection and XSS?
Want to learn about all the latest rage in framework-based vulnerabilities and analysis?
Join me on this whirlwind tour of how your applications can be exploited!
Spring mission statement
It should be easy and fun to use
Applications developed should be loosely coupled with the framework
Should leverage existing solutions as much as possible
Nowhere does it say it should be secure
The Weakest Link
As we put more and more trust into the frameworks that are the foundation of our apps, make sure you understand the security decisions made so you can make the right implementation choices.
Copyright 2009 Ounce Labs, Inc. All rights reserved.
Just a little background
For a good overview of the Spring Framework, see: http://www.theserverside.com/tt/articles/article.tss?l=IntrotoSpring25
Here is the main documentation for the Spring Framework:
http://static.springframework.org/spring/docs/2.5.x/reference/index.html
http://static.springframework.org/spring/docs/2.5.x/api/org/springframework/validation/DataBinder.html#setAllowedFields(java.lang.String%5B%5D)
http://forum.springframework.org/archive/index.php/t-10820.html
It's all about the models, Baby!
(see also http://en.wikipedia.org/wiki/Model-view-controller)
Time to wire up the app
Basic controller
Form view
Form controller
Model
Huh?
All this gives you
I thought this was about security?
It's all about auto-binding:
It certainly makes it easy for developers
Let's look at some guiding principles:
There does not now, nor will there ever, exist a programming language in which it is the least bit hard to write bad programs.
Lawrence Flon
If there are two or more ways to do something, and one of those ways can result in a disaster, then someone will do it.
Edward A. Murphy
For just about any technology, be it an operating system, application or network, when a sufficient level of adoption is reached, that technology then becomes a threat vector.
Gene Spafford
Demo time
Demo #1
But wait, it gets better
Inversion of Control
MVC Recap
DispatcherServlet
The DispatcherServlet is the Front Controller in the MVC pattern and is responsible for controller routing.
ModelAndView
Created by the Controller
Holds the Model
Ties the View to the request
ViewResolver
Associates view names to view implementations
HandlerMapping
Used by the DispatcherServlet for request routing
Blah Blah Blah, I thought we covered this already!
Did I say it's all about the Model? Maybe it's the View
ViewResolver
Provides a mapping between view names and actual views.
UrlBasedViewResolver
Provides direct resolution between symbolic view names and URLs.
InternalResourceViewResolver
Primarily used to route requests to internal JSPs/Servlets.
BeanNameViewResolver
Basic resolver that maps views to beans in the current application context.
View resolvers can be chained; this could never be a problem, right?
Let's see that in action
Demo #2
So, what do you do?
Use DataBinder.setAllowedFields religiously.
http://static.springframework.org/spring/docs/1.2.x/api/org/springframework/validation/DataBinder.html
http://forum.springframework.org/archive/index.php/t-10820.html
Never allow direct user input to your Controller's return View.
Happy Hunting :) http://www.google.com/codesearch?hl=en&lr=&q=ModelAndView%5C%28.*request%5C.&sbtn=Search
http://www.ouncelabs.com/springmvc
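The two recommendations above, and the chained view resolver slide before them, worked as an added example in Spring 2.5 annotation style; this is not code from the talk or from Ounce Labs. It assumes a hypothetical UserForm bean with an admin flag the form never exposes, whitelists the bound fields with DataBinder.setAllowedFields, and places the "view name taken from the request" pattern that the code search query above matches beside a controller method that returns a fixed view name.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

// Hypothetical model bean. The form only exposes name and email, but auto-binding
// fills every writable property from request parameters, so "admin" is reachable
// by name unless the binder is restricted.
class UserForm {
    private String name;
    private String email;
    private boolean admin;
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public boolean isAdmin() { return admin; }
    public void setAdmin(boolean admin) { this.admin = admin; }
}

@Controller
@RequestMapping("/register")
public class RegistrationController {

    // Whitelist: the binder ignores any request parameter not named here, so
    // "admin" can never be populated from the request, however the bean evolves.
    @InitBinder
    public void initBinder(WebDataBinder binder) {
        binder.setAllowedFields(new String[] { "name", "email" });
    }

    // Weak pattern (not mapped; shown for contrast): the view name comes straight
    // from the request, so the client picks what the resolver chain tries to render.
    public ModelAndView weakSubmit(HttpServletRequest request,
                                   @ModelAttribute("user") UserForm form) {
        return new ModelAndView(request.getParameter("view"), "user", form);
    }

    // Hardened: the view name is a constant chosen by the controller; the only
    // request-controlled data is the whitelisted form binding.
    @RequestMapping(method = RequestMethod.POST)
    public ModelAndView submit(@ModelAttribute("user") UserForm form) {
        return new ModelAndView("registrationDone", "user", form);
    }
}
```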
Questions
Ryan Berg, Co-Founder and Chief Scientist
For more information, visit:
www.ouncelabs.com/springmvc