Entity provider selection confusion attacks in JAX-RS applications
Mikhail Egorov

About me
• Security researcher, bug hunter
• Application security engineer at Odin [ Ingram Micro Cloud ]
• @0ang3el
• http://0ang3el.blogspot.com
• http://www.slideshare.net/0ang3el

What is JAX-RS?
• Java API for creating RESTful web services
• Part of J2EE since J2EE 6
• JAX-RS 2.0 [ https://jcp.org/aboutJava/communityprocess/final/jsr339/index.html ]
• Implementations: RESTEasy [ Red Hat ], Jersey [ Oracle ]

What are RESTful web services?
• RESTful web services are based on the REST architectural style
• Some features
  • Resource identification through URIs
  • Uniform interface
  • Self-descriptive messages
  • Stateful interactions through hyperlinks

Simple RESTful web service built w/ JAX-RS

    import javax.ws.rs.GET;
    import javax.ws.rs.Path;
    import javax.ws.rs.Produces;

    @Path("helloworld")
    public class HelloWorldResource {
        public static final String CLICHED_MESSAGE = "Hello World!";

        @GET
        @Produces("text/plain")
        public String getHello() {
            return CLICHED_MESSAGE;
        }
    }

Passing parameters to resource method
• Annotated parameters
  • @PathParam
  • @QueryParam
  • @FormParam
  • @HeaderParam
  • @CookieParam
  • @MatrixParam
• Entity parameters – parameters without an annotation

Passing parameters to resource method
• @QueryParam example

    @GET
    @Path("/order")
    public String getOrder(@QueryParam("id") String id) {
        ...
    }

• Entity parameter example

    @Path("/order")
    @PUT
    public void putOrder(Order order) {
        ...
    }

Entity parameters
• Unmarshalling – the process of converting message content into a Java object, which is then passed as a parameter to the resource method
• Entity providers are used for marshalling/unmarshalling

Entity providers
• Entity providers – special Java classes
  • Annotated with @Provider
  • Implement javax.ws.rs.ext.MessageBodyReader [ isReadable(), readFrom() ]
• An entity provider is selected based on
  • Content type specified with the @Consumes annotation
  • Content-Type HTTP header of the request
  • Java class of the entity parameter
• There are interesting built-in entity providers

Automated scanning for entity providers
• Jersey performs WEB-INF/lib scanning for entity providers
• RESTEasy by default performs WEB-INF/lib scanning for entity providers; the resteasy.scan.providers parameter does not work [ https://issues.jboss.org/browse/RESTEASY-1504 ]

Entity provider selection confusion attack
• An attacker selects an entity provider that was never intended to unmarshal the request, by manipulating the Content-Type header of the HTTP request

Entity provider selection confusion attack
• Occurs when the resource or resource method does not specify a preferred content type via the @Consumes annotation
• Or specifies it too permissively
  • */*
  • application/*
• And in some cases when the content type is
  • multipart/*
  • multipart/form-data
  • etc.

Entity provider selection confusion attack
• Impact of the attack
  • RCE
  • DoS
  • CSRF
  • XXE
  • etc.

Attack for RESTEasy [ CVE-2016-7050 ]
• RESTEasy by default has the SerializableProvider entity provider
• Vulnerable resource method doConcat()

    @POST
    @Path("/concat")
    @Produces(MediaType.APPLICATION_JSON)
    public Map doConcat(Pair pair) {
        HashMap result = new HashMap();
        result.put("Result", pair.getP1() + pair.getP2());
        return result;
    }

    public class Pair implements Serializable {
        ...
    }

Attack for RESTEasy [ CVE-2016-7050 ]
• isReadable() method of SerializableProvider
• SerializableProvider is used when Content-Type is application/x-java-serialized-object and the Java class of the entity parameter is Serializable

    public boolean isReadable(Class type, Type genericType, Annotation[] annotations,
                              MediaType mediaType) {
        return (Serializable.class.isAssignableFrom(type)) &&
               (APPLICATION_SERIALIZABLE_TYPE.getType().equals(mediaType.getType())) &&
               (APPLICATION_SERIALIZABLE_TYPE.getSubtype().equals(mediaType.getSubtype()));
    }

Attack for RESTEasy [ CVE-2016-7050 ]
• readFrom() method of SerializableProvider

    public Serializable readFrom(Class type, Type genericType, Annotation[] annotations,
                                 MediaType mediaType, MultivaluedMap httpHeaders,
                                 InputStream entityStream) throws IOException, WebApplicationException {
        BufferedInputStream bis = new BufferedInputStream(entityStream);
        ObjectInputStream ois = new ObjectInputStream(bis);
        try {
            return (Serializable) Serializable.class.cast(ois.readObject());
        } catch (ClassNotFoundException e) {
            throw new WebApplicationException(e);
        }
    }
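The two provider methods above show how loose both halves of the selection are: isReadable() accepts any Serializable class for the matching media type, and readFrom() hands the body straight to ObjectInputStream.readObject(). The following reader is an added example written for this page, not RESTEasy's SerializableProvider and not the author's code. It illustrates the selection criteria from the entity providers slide (@Consumes media type, Content-Type header, Java class of the entity parameter) applied strictly, and it installs a java.io.ObjectInputFilter allow-list (Java 9+) before deserializing. The package com.example, the class StrictPairReader and the minimal Pair class are assumptions standing in for the slide's Pair.

```java
package com.example;

import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.lang.annotation.Annotation;
import java.lang.reflect.Type;

import javax.ws.rs.Consumes;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.MessageBodyReader;
import javax.ws.rs.ext.Provider;

// Hypothetical application class standing in for the slide's Pair.
class Pair implements Serializable {
    private static final long serialVersionUID = 1L;
    private String p1;
    private String p2;
    public String getP1() { return p1; }
    public String getP2() { return p2; }
}

// Added example (not RESTEasy's SerializableProvider): a reader that is selected for
// exactly one entity class and one exact media type, and that applies a
// deserialization allow-list before readObject() is allowed to run.
@Provider
@Consumes(StrictPairReader.MEDIA_TYPE_STRING)
public class StrictPairReader implements MessageBodyReader<Pair> {

    // The same media type string SerializableProvider matches on.
    static final String MEDIA_TYPE_STRING = "application/x-java-serialized-object";
    private static final MediaType MEDIA_TYPE = MediaType.valueOf(MEDIA_TYPE_STRING);

    // java.io.ObjectInputFilter (Java 9+): only com.example.Pair is accepted; "!*"
    // rejects every other class before any of its deserialization hooks can run.
    // The filter treats String as a primitive, so Pair's String fields still load.
    private static final ObjectInputFilter FILTER =
            ObjectInputFilter.Config.createFilter("com.example.Pair;!*");

    @Override
    public boolean isReadable(Class<?> type, Type genericType,
                              Annotation[] annotations, MediaType mediaType) {
        // Exact class match rather than isAssignableFrom(): some other Serializable
        // entity parameter elsewhere in the application cannot pull this reader in.
        return Pair.class.equals(type)
                && mediaType != null
                && MEDIA_TYPE.getType().equalsIgnoreCase(mediaType.getType())
                && MEDIA_TYPE.getSubtype().equalsIgnoreCase(mediaType.getSubtype());
    }

    @Override
    public Pair readFrom(Class<Pair> type, Type genericType, Annotation[] annotations,
                         MediaType mediaType, MultivaluedMap<String, String> httpHeaders,
                         InputStream entityStream) throws IOException, WebApplicationException {
        // The entity stream is owned by the runtime, so it is deliberately not closed here.
        ObjectInputStream ois = new ObjectInputStream(new BufferedInputStream(entityStream));
        ois.setObjectInputFilter(FILTER);
        try {
            Object obj = ois.readObject();
            if (!(obj instanceof Pair)) {
                throw new WebApplicationException(Response.Status.BAD_REQUEST);
            }
            return (Pair) obj;
        } catch (InvalidClassException e) {
            // The filter rejected a class in the stream: answer 400 without a stack trace.
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        } catch (ClassNotFoundException e) {
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
    }
}
```

The filter is the defence-in-depth layer: even if this reader is selected, any class outside the allow-list is rejected by the stream before it is instantiated. Whether such a reader should exist at all is a separate question; the usual answer for a JSON API is that no Java-serialization provider should be reachable, which is what a narrow @Consumes on the resource method achieves.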

Attack for Jersey
• Jersey has a default jersey-media-kryo entity provider
• Vulnerable resource method doShowSize()

    @POST
    @Path("/size")
    @Produces(MediaType.APPLICATION_JSON)
    public Map<String, String> doShowSize(ArrayList<Pair> pairs) {
        HashMap<String, String> result = new HashMap<String, String>();
        result.put("Count", String.valueOf(pairs.size()));
        return result;
    }

Attack for Jersey
• DoS payload - https://gist.github.com/coekie/a27cc406fc9f3dc7a70d

Takeaways
• Narrow the possible content types for a resource or resource method using the @Consumes annotation
• Use multipart/*, multipart/form-data, etc. content types with caution
• Java deserialization bugs exist not only in RMI/JMX/JMS
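Applying the first takeaway to the two vulnerable resource methods from the RESTEasy and Jersey slides, and closing the condition named on the "occurs when" slide (no @Consumes, or */* / application/*), gives the hardened versions below. This is an added example, not the author's code: the class HardenedResource and the package are assumptions, and Pair is the slide's Serializable class with its getP1()/getP2() accessors. Both methods now declare exactly the media type the application sends, so the runtime only considers providers that can read application/json; a request carrying Content-Type: application/x-java-serialized-object (RESTEasy's SerializableProvider) or the Kryo media type (jersey-media-kryo) is answered with 415 Unsupported Media Type before any entity provider is selected.

```java
package com.example;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;

import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

// Added example: the slide's doConcat() and doShowSize() with @Consumes narrowed to
// the single media type the application actually accepts. Without @Consumes the
// request's Content-Type alone decides which MessageBodyReader unmarshals the entity.
@Path("/")
public class HardenedResource {

    @POST
    @Path("/concat")
    @Consumes(MediaType.APPLICATION_JSON)   // missing on the vulnerable doConcat()
    @Produces(MediaType.APPLICATION_JSON)
    public Map<String, String> doConcat(Pair pair) {
        Map<String, String> result = new HashMap<>();
        result.put("Result", pair.getP1() + pair.getP2());
        return result;
    }

    @POST
    @Path("/size")
    @Consumes(MediaType.APPLICATION_JSON)   // missing on the vulnerable doShowSize()
    @Produces(MediaType.APPLICATION_JSON)
    public Map<String, String> doShowSize(ArrayList<Pair> pairs) {
        Map<String, String> result = new HashMap<>();
        result.put("Count", String.valueOf(pairs.size()));
        return result;
    }
}
```

A quick regression check for the deployed fix is to POST an empty body with a Content-Type the endpoint should never accept (for example application/x-java-serialized-object) and confirm the response is 415 rather than 400 or 500; a 500 with a deserialization stack trace means a provider was still selected. @Consumes can also be placed on the resource class so that every method inherits it, with method-level annotations overriding it where a different type is genuinely needed. Note that the second takeaway still applies: a multipart/form-data endpoint passes the narrow @Consumes check, but each part carries its own content type and must be read with the same care.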