Vulnerability Development mailing list archives
JSP hacking
From: Sid Womac <disidis () bellsouth net>
Date: Wed, 27 Sep 2000 23:05:10 -0400
Greetings all,

First time post, but I have to say you guys have gotten me thinking about exploit potentials and what is possible. Not that I don't necessarily do that out of course of habit.

There were posts earlier regarding JSP hacking. I found that quite, uhm, intriguing. It's a tool I'm familiar with, and to be quite honest, one I like very much. I do see the potential...

About 2 or 3 years ago, I wrote a bastardized version of the JSP, before the JSP emerged as a viable design tool. It was quite a bit more limited, and was focused around SQL processing. It was Java based, of course, using some CGI wrappers, and was basically an HTML template generating program. Supply a template name as an input parameter, retrieve the template from a database, and send it out to the HTTP server, pretty much as is... When certain sequences of characters were encountered, then break out of the suck/push mode, and perform the special processing. Most often this was just a SQL call to a database, and designed as such, and the output formatted en masse. It worked well within the parameters, but was a bit unwieldy. I could break it without too much effort. Still, an interesting design problem.

This bastardization was designed to solve a particular problem. But it was also reinventing the wheel, though the wheel may not have been quite formed at the time. It seems I've done this more than once... Anyway, this was abandoned because the maintenance factor was just too high. But I learned quite a bit from the experience, and was able to capture one of those elusive feelings of "hey, I've done something kinda neat here."

I see a lot of potential for the JSP platform. It's powerful, but it is also somewhat dangerous. It is basically unleashed Java programming accessible through a web server. What can you do with Java, and can you do it through a JSP, or make that dedicated servlet misbehave? It provides some interesting security challenges.
Unfortunately fast and loose is the norm, and I admit I've been guilty of it too often. I also inherit some interesting challenges. My biggest disclaimer is perhaps that I began with programming from an efficiency point of view. Make it as small, compact, and efficient as possible. And time has always been important.

One thing I might bring forward, however, is the use of the Class.forName() method. Whoa. It's designed to dynamically load a Java class, unknown at the instance. With it, in the bastardization that I mentioned before, I could break out of all processing and dynamically load a custom written Java program or whatever. It kinda rings of the current format specification vulnerabilities. Overwriting variables (environment perhaps) at some point. This is one that could really bite someone... or a lot of people. If the method is invoked, then regardless of importing java.io.* or similar at the program's initiation, if you can manipulate *what* is called by this method, then you can load any existing class desired, including java.*, or any custom written classes on the local classpath, or...

Could the class be loaded from a separate source? Downloaded from a server as an applet might (granted, servlet type implementation, though JSPs don't quite behave as servlets in my eyes)? This blurs some lines to me. Or maybe if a partial vulnerability were exploited to drop a malicious app (or class) into the right place, or overwrite what might already be in that location? How is security managed in the directory path? Compound vulnerabilities are quite fascinating. Give me enough time, and I think I could break it, by a variety of methods. Depends on how the prog is written. I just don't get to play enough, I think.

Thanks for the security audit, by the way. I've lots to address, in conjunction with the daily chores. But some things never change.

Cheers, greetz, and peace!

DisidiS
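The Class.forName() concern in the post above, shown as a self-contained Java program. This is an added example written for this archive page, not the poster's template engine or any code from the thread; the TemplateHandler interface, the TableHandler/EchoHandler/Maintenance classes, and the request strings fed to main() are all invented for illustration. The point it demonstrates is the one the post makes: if a request can choose the string handed to Class.forName(), the request chooses which class on the classpath gets loaded, and because the one-argument Class.forName() also initializes the class, its static initializer runs before any cast or type check can reject it. The hardened variant never passes tainted data to the class loader at all; it maps an opaque key to a fixed allow-list of classes.

```java
import java.util.Map;
import java.util.Optional;

/*
 * Added example, not from the original post. Simulates the "break out of
 * template processing and dynamically load the class named in the input"
 * pattern described on the list, and the hardened form of it.
 * TemplateHandler, TableHandler, EchoHandler and Maintenance are invented.
 */
public class DynamicLoadDemo {

    // The plug-in contract the template engine expects to find.
    public interface TemplateHandler {
        String render(String arg);
    }

    // Two handlers a site legitimately ships on its classpath.
    public static class TableHandler implements TemplateHandler {
        public String render(String arg) {
            return "<table><!-- rows for " + arg + " --></table>";
        }
    }

    public static class EchoHandler implements TemplateHandler {
        public String render(String arg) {
            return arg;
        }
    }

    // Also on the classpath, but never meant to be reachable from the web
    // layer. Its static initializer runs as a side effect of the one-argument
    // Class.forName(name), even though the caller never wanted an instance.
    public static class Maintenance {
        static {
            System.out.println("[Maintenance] static initializer ran");
        }
    }

    // Vulnerable: the request supplies the class name, so the request decides
    // which class is loaded and initialized. The cast only fails afterwards.
    static TemplateHandler loadUnsafe(String classNameFromRequest) throws Exception {
        Class<?> c = Class.forName(classNameFromRequest); // loads AND initializes
        return (TemplateHandler) c.getDeclaredConstructor().newInstance();
    }

    // Hardened: an allow-list maps an opaque key to a known handler class.
    // No string from the request ever reaches Class.forName().
    private static final Map<String, Class<? extends TemplateHandler>> HANDLERS = Map.of(
            "table", TableHandler.class,
            "echo", EchoHandler.class);

    static Optional<TemplateHandler> loadSafe(String keyFromRequest) throws Exception {
        Class<? extends TemplateHandler> c = HANDLERS.get(keyFromRequest);
        if (c == null) {
            return Optional.empty(); // unknown key: reject without touching the class loader
        }
        return Optional.of(c.getDeclaredConstructor().newInstance());
    }

    public static void main(String[] args) throws Exception {
        // Constructed request values (not real traffic): a legitimate template
        // reference, and one an attacker would substitute for it.
        String legit = "DynamicLoadDemo$TableHandler";
        String hostile = "DynamicLoadDemo$Maintenance";

        System.out.println(loadUnsafe(legit).render("users"));

        try {
            loadUnsafe(hostile);
        } catch (ClassCastException e) {
            // By the time the cast fails, Maintenance has already been
            // loaded and its static initializer has already executed.
            System.out.println("cast failed, but the class was already loaded and initialized");
        }

        // Hardened path: only allow-listed keys resolve; anything else is rejected.
        System.out.println(loadSafe("table").map(h -> h.render("users")).orElse("rejected"));
        System.out.println(loadSafe(hostile).map(h -> h.render("users")).orElse("rejected"));
    }
}
```

Compile and run with `javac DynamicLoadDemo.java && java DynamicLoadDemo` (Java 9 or later for Map.of). The allow-list is the whole fix: the same problem exists with Class.forName(name, false, loader), which skips initialization but still lets the caller load and instantiate any reachable class, and with any reflective entry point whose target name comes from the request.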
Current thread:
- JSP hacking Sid Womac (Sep 27)
- Re: JSP hacking Ben Galehouse (Sep 30)