Vulnerability Development mailing list archives

JSP hacking


From: Sid Womac <disidis () bellsouth net>
Date: Wed, 27 Sep 2000 23:05:10 -0400

Greetings all,

First time post, but I have to say you guys have gotten me thinking
about exploit potentials and what is possible.  Not that I don't
necessarily do that out of course of habit.

There were posts earlier regarding jsp hacking.  I found that quite,
uhm, intriguing.  It's a tool I'm familiar with, and to be quite honest,
one I like very much.  I do see the potential. . .

About 2 or 3 years ago, I wrote a bastardized version of the jsp, before
the jsp emerged as a viable design tool.  It was quite a bit more
limited, and was focused around SQL processing.  It was java based, of
course, using some cgi wrappers, and was basically an HTML template
generating program.  Supply a template name as an input parameter,
retrieve the template from a database, and send it out to the http
server, pretty much as is. . .  When certain sequences of characters
were encountered, then break out of the suck/push mode, and perform the
special processing.  Most often this was just a SQL call to a database,
and designed as such, and the output formatted en masse.  It worked well
within the parameters, but was a bit unwieldy.  I could break it without
too much effort.

Still, an interesting design problem.  This bastardization was designed
to solve a particular problem.  But it was also reinventing the wheel,
though the wheel may not have been quite formed at the time.  It seems
I've done this more than once. . .

Anyway, this was abandoned because the maintenance factor was just too
high.  But I learned quite a bit from the experience, and was able to
coupe one of those elusive feelings of "hey, I've done something kinda
neat here."

I see a lot of potential for the jsp platform.  It's powerful, but it is
also somewhat dangerous.  It is basically unleashed java programming
accessible through a web server.  What can you do with java, and can you
do it through a jsp, or make that dedicated servlet misbehave?  It
provides some interesting security challenges.  Unfortunately fast and
loose is the norm, and I admit I've been guilty of it too often.  I also
inherit some interesting challenges.  My biggest disclaimer is perhaps
that I began with programming from an efficiency point of view.  Make it
as small, compact, and efficient as possible.  And time has always been
important.

One thing I might bring forward, however, is the use of the
Class.forName () method.  Whoa.  It's designed to dynamically load a
java class, unknown at the instance.  With it, in the bastardization
that I mentioned before, I could break out of all processing and
dynamically load a custom written java program or whatever.  It kinda
rings of the current format specification vulnerabilities.  Overwriting
variables (environment perhaps) at some point.  This is one that could
really bite someone. . .  Or a lot of people.

If the method is invoked, and regardless of importing java.io.* or
similar at the program's initiation, if you can manipulate *what* is
called by this method, then you can load any existing class desired,
including java.*, or any custom written classes on the local classpath,
or. . .  Could the class be loaded from a separate source?  Downloaded
from a server as an applet might (granted, servlet type implementation,
though jsp's don't quite behave as servlets in my eyes)?  This blurs
some lines to me.  Or maybe if a partial vulnerability were exploited to
drop a malicious app (or class) into the right place, or overwrite what
might already be in that location?  How is security managed in the
directory path?  Compound vulnerabilities are quite fascinating.

Give me enough time, and I think I could break it, by a variety of
methods.  Depends on how the prog is written.  I just don't get to play
enough, I think.

Thanks for the security audit, by the way.  I've lots to address, in
conjunction with the daily chores.  But some things never change.

Cheers, greetz, and peace!

DisidiS

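As an added illustration, not part of the original post: a small plain-Java sketch of the Class.forName() pattern the mail describes, with a request-controlled loader beside two safer variants. The TemplateHandler interface, GreetingHandler class and parameter names are made up for the example.

```java
import java.util.Map;

/** Contract that request-selected "template" classes are expected to meet. */
interface TemplateHandler { String render(); }

class GreetingHandler implements TemplateHandler {
    public String render() { return "<p>hello</p>"; }
}

public class TemplateLoader {
    // Weak pattern: the class name is taken from the request unchanged.
    // Class.forName(name) resolves AND initialises any class on the classpath,
    // so a static initialiser runs before the cast below can fail.
    static TemplateHandler loadUnchecked(String requestedClass) throws Exception {
        Class<?> c = Class.forName(requestedClass);
        return (TemplateHandler) c.getDeclaredConstructor().newInstance();
    }

    // Safer if a name must still be accepted: load without initialising
    // (initialize=false) and verify the type before touching the class.
    static TemplateHandler loadChecked(String requestedClass) throws Exception {
        Class<?> c = Class.forName(requestedClass, false,
                                   TemplateLoader.class.getClassLoader());
        if (!TemplateHandler.class.isAssignableFrom(c)) {
            throw new IllegalArgumentException("not a template: " + requestedClass);
        }
        return (TemplateHandler) c.getDeclaredConstructor().newInstance();
    }

    // Preferred: the request selects a key; only the allowlist names classes.
    private static final Map<String, Class<? extends TemplateHandler>> ALLOWED =
        Map.of("greeting", GreetingHandler.class);

    static TemplateHandler loadAllowlisted(String key) throws ReflectiveOperationException {
        Class<? extends TemplateHandler> c = ALLOWED.get(key);
        if (c == null) throw new IllegalArgumentException("unknown template: " + key);
        return c.getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(loadAllowlisted("greeting").render());
        try {
            loadChecked("java.lang.System");   // constructed input: a real class, wrong type
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlisted form also removes the classpath-directory question the post raises, since a class that is dropped next to the application is never reachable by name through the request.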
