[WEB SECURITY] Hacking AJAX DWR Applications
- From: "Amichai Shulman" <shulman@xxxxxxxxxxx>
- Subject: [WEB SECURITY] Hacking AJAX DWR Applications
- Date: Wed, 3 Jan 2007 16:24:01 +0200
By Guy Karlebach & Amichai Shulman

Introduction
*****************************************************************************************

The introduction of AJAX into a web application improves the user
experience significantly. However, the complexity of some AJAX
frameworks and the limited field experience with them require a careful
examination of potential vulnerabilities.
DWR is a Java open source library, which has already been incorporated
into several web sites. It is composed of two main parts:
* A Java servlet that runs on the server. This servlet processes
requests that arrive from clients and sends back responses.
* Javascript code that is executed in the browser and sends requests to
the servlet.
The Javascript code for method invocation is generated by the DWR
framework. The web application designer only needs to embed the
returned values in his web pages.
At the time this document is written the DWR stable release is 1.1.3.
Version 2.0 is under development. The two versions differ by several
features, though both share the vulnerability that we discuss in the
next section.

Forceful Method Invocation Attacks
*****************************************************************************************

DWR 1.1.3 provides a configuration option that forbids the invocation of
class methods. This exclusion can be applied to some or all of a
class's methods, and it is configured in the dwr.xml file. DWR 2.0 adds
an additional configuration option based on Java code annotations.
However, both mechanisms enforce their restrictions only on the client
side. Therefore, by manipulating HTTP requests through a proxy, excluded
methods can be invoked. This also applies to public methods that are
inherited from super classes.
As a consequence of the above vulnerability, restricted operations may be
unintentionally exposed to web users.
2.1 Example: The TestClass class methods
The following test was repeated in DWR releases 1.1.3 and 2.0, and with
all of the possible method exclusion mechanisms for each release.
We created a class named TestClass with two methods:
forbiddenTestMethod and allowedTestMethod. Both methods were defined as
public (private and protected methods are not vulnerable to invocation
by the client). forbiddenTestMethod was excluded using the exclusion
mechanism. The result of this exclusion was that DWR did not provide
the browser with Javascript code that generates requests for
forbiddenTestMethod. At this point, we used the browser to generate the
following legitimate request (this example is taken from the 2.0 release
test):

callCount=1
httpSessionId=6F7C818937E118A82F4B8A3518951A3B
scriptSessionId=04CE97DFB0B87AA4E8D3FEF92FA5898E
page=/dwr/test/TestClass
c0-scriptName=TestClass
c0-methodName=allowedTestMethod
c0-id=2925_1165312875568

We then changed the parameter methodName to forbiddenTestMethod, and
sent the request to the server. We received an HTTP 200 OK response with
the output of forbiddenTestMethod.

Denial of Service Attacks
*****************************************************************************************

There are several ways to send very costly requests to a web application
that uses DWR. We present here the ways in which a malicious user can
manipulate DWR batch requests to create denial of service attack vectors.

Example: The Date class
The Java clone method is implemented as a public method by several
native library classes, for example java.lang.Date. If a class that
implements clone is available for client side calls, a batch call that
executes clone calls can be sent to the server. This will have a steep
performance cost, due to the memory space that the cloned objects
occupy. We tested the following attack vector (embedded in an HTTP
request body) on the DWR stable release running on JBoss, and witnessed
a sharp rise in CPU usage:

callCount=100000
c0-scriptName=JDate
c0-methodName=clone
c1-scriptName=JDate
c1-methodName=clone
c2-scriptName=JDate
c2-methodName=clone
.
.
.
c99999-scriptName=JDate
c99999-methodName=clone

Furthermore, in the DWR stable release, the following short attack
vector causes the servlet to throw an OutOfMemoryError exception:

callCount=1000000
c0-scriptName=JDate
c0-methodName=clone

In the latter case, only one Date object is created, but the server
attempts 1000000 clone calls, which exhaust the VM's memory resources.
Limiting the number of calls in a batch is therefore essential for
preventing denial of service attacks of this sort.

Mitigation
*****************************************************************************************

We suggest several options for mitigation, all of which require writing
Java code:
* Don't expose classes that have methods which should not be invoked by
the client. This approach should be applied during the application's
development.
* Instead of exposing class A and all of its methods, create and expose
a class ProxyA.
* ProxyA relates to A in a has-a relationship. That is, one of the
private class fields of ProxyA is an A object.
* The methods of ProxyA can be used for calling only those methods of A
that may be invoked by the client. This approach can be applied to an
application without changing the code of existing classes.
* Add stubs to override inherited methods that should not be exposed.
For example, create a toString method that returns an empty string.

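The following is an added example, not code from the advisory or from DWR: a constructed Python model of a server-side dispatcher that applies the checks the three sections above call for, namely a server-side allowlist of invocable methods behind a has-a proxy (the ProxyA pattern), a ceiling on callCount per batch, and a consistency check between the declared callCount and the calls actually present in the body. TestClass, ProxyTestClass, the batch limit of 10 and the line-oriented parsing of the request body are all assumptions made for the example.

```python
import re

# Assumed per-batch ceiling: the advisory recommends limiting batch size
# but gives no number, so this value is a constructed placeholder.
MAX_CALLS_PER_BATCH = 10

class TestClass:
    """Constructed stand-in for the advisory's TestClass (both methods public)."""
    def allowedTestMethod(self):
        return "allowed"
    def forbiddenTestMethod(self):
        return "forbidden"

class ProxyTestClass:
    """Has-a proxy: holds a TestClass and re-exposes only the permitted method."""
    def __init__(self, target):
        self._target = target
    def allowedTestMethod(self):
        return self._target.allowedTestMethod()

# Server-side registry: the proxy object for each script name plus the set of
# method names it may be asked for. This is the check client-side exclusion lacks.
EXPOSED = {"TestClass": (ProxyTestClass(TestClass()), {"allowedTestMethod"})}

def parse_batch(body):
    """Split a DWR-style batch body (one key=value per line; '&' also accepted)
    into the declared callCount and {index: {"scriptName": ..., "methodName": ...}}."""
    call_count, calls = 0, {}
    for line in re.split(r"[&\r\n]+", body.strip()):
        key, _, value = line.partition("=")
        if key == "callCount":
            call_count = int(value)
            continue
        m = re.fullmatch(r"c(\d+)-(scriptName|methodName)", key)
        if m:
            calls.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return call_count, calls

def dispatch(body):
    """Validate the whole batch before executing anything; invoke only via the proxy."""
    call_count, calls = parse_batch(body)
    if call_count > MAX_CALLS_PER_BATCH:
        return ("rejected", "callCount %d exceeds the batch limit" % call_count)
    if call_count != len(calls):
        return ("rejected", "callCount does not match the calls present in the batch")
    results = []
    for idx in sorted(calls):
        script = calls[idx].get("scriptName")
        method = calls[idx].get("methodName")
        if script not in EXPOSED or method not in EXPOSED[script][1]:
            return ("rejected", "c%d: %s.%s is not exposed" % (idx, script, method))
        results.append(getattr(EXPOSED[script][0], method)())
    return ("ok", results)
```

Because the batch is validated in full before any call runs, the one-call body with callCount=1000000 is rejected on the count mismatch alone, without the server ever attempting the extra clone calls.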
Amichai Shulman
CTO
Imperva, Inc. <http://www.imperva.com/>
12 Hachilazon St.
Ramat Gan
Israel
(972) 3-6120133 x103 Office
(972) 54-5885083 Mobile
(972) 3-5711133 Fax
shulman@imperva.com
Brought to you by http://www.webappsec.org