Struts2 framework security defects

Source: Internet
Author: User

By kxlzx
Summary

This article introduces some security defects of the popular Java development frameworks Struts2 and WebWork, with examples illustrating security problems that arise both from the framework itself and from the way developers use it, along with some of the author's experiences from mining vulnerabilities in the framework.

Recommended for the following readers:

Java developers
Those who understand framework development
Those who understand web application security
"Network security enthusiasts"

Body
Currently, websites developed in Java are generally not written in pure JSP; most of them use a Java framework.

With these frameworks, developers can write code faster and keep it highly extensible, and the frameworks have become deeply entrenched. They have also greatly affected security code review: the idea of "layered code review" has been proposed, for example checking specifically for SQL injection at the DAO layer and for XSS at the view layer. Each of these frameworks has its own layer. This article focuses on the Struts framework; the security issues discussed also touch on a small part of the DAO layer that sits behind Struts.

Struts is a framework with a huge market share. It sits at the following layers:

[Figure: position of Struts within the layers of a web application]

You can see that Struts is responsible for receiving, processing, and displaying user data in a web application. Struts functionality is therefore divided into a controller layer and a view layer: the controller layer receives user data and dispatches user requests, and the view layer displays data.

It is not realistic to look at Struts in isolation, because architects usually like a combination of frameworks, each responsible for a specific layer. To study the security of a framework, we should not only look at the framework itself but also fully consider how developers use it and what kind of code they like to write, so as to reconstruct a normal, complete web application scenario.

According to search results, most tutorials on the Internet recommend the combination of Struts, Hibernate, and Spring. An application using this combination is used here to analyze Struts design defects from an attacker's perspective.

Struts2 development review and quick introduction

To let everyone review or learn Struts2, let's create an action and a JSP page together to receive user input. This step can be skipped if you are already proficient in Struts2.

----------------------------------- Struts review start
First, create an action called AaaaAction:

package net.inbreak;

import com.opensymphony.xwork2.ActionSupport;

public class AaaaAction extends ActionSupport {
    private String name;

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    // Invoked by default when the action address is requested
    public String execute() {
        System.out.println("exe");
        return SUCCESS;
    }

    // Reachable directly as aaaaaaa!bbb.action (dynamic method invocation)
    public String bbb() {
        System.out.println("bbbbb");
        return SUCCESS;
    }
}

Note the execute method. After the user enters the action address, the method is accessed by default.

Then configure the struts.xml file:

<action name="aaaaaaa" class="net.inbreak.AaaaAction">
    <result name="success">user/aaa.jsp</result>
</action>

After this file is configured, requesting

http://www.inbreak.net/app/aaaaaaa.action

makes Struts hand the user request to the execute method of AaaaAction.

After processing, the method executes "return SUCCESS;", and Struts looks up the result named "success", resolves the JSP page it points to, and returns it to the user.

The user then sees the HTML of the aaa.jsp page.

Struts2 inherits all the advantages of WebWork; in fact it is essentially an upgrade of WebWork. If developers want users to call another method directly instead of the default execute method, the user can simply enter

http://www.inbreak.net/app/aaaaaaa!bbb.action

and the bbb method is invoked directly.

What about receiving the parameters in the request? In Struts2 this process is encapsulated and easy to use: simply define a property called name in the action and add getName and setName methods, and the value passed by the user is received automatically. Both GET and POST requests can deliver user input this way.

The entire process is that simple. Now that you understand the flow, we will start the main discussion. If you want to know more, please google it on your own.

---------------------------------- Struts review end

Struts2 security defects

We can see that Struts2 has two key points in the data flow: the entry (in) and the output (out). My approach to mining vulnerabilities also follows the flow of data. Next we start with the data coming in.

Defect: default values of action properties can be overwritten

In everyday Java projects we often need to create a new object (for example when registering a user) and then assign values to some of its attributes. Here you only need to define an object class:

public class User {
    private Long id = 0L;
    private String name;
    private String pass;
    private Integer type = 1;   // default: ordinary user
    // ... the get and set methods that follow are omitted
}

After defining it, add an attribute (with its getter and setter) to the action:

private User reguser;

The user registration page code is as follows:

<form XXXXXXX>
<input name="reguser.name">

After the user submits the form to the action, Struts2 automatically maps the value of reguser.name onto the corresponding attribute (name) of reguser, so in the execute method you can read the submitted value with reguser.getName(). The code is therefore simple:

public String execute() {
    add(reguser);   // persist the object that Struts2 populated from the form
    return SUCCESS;
}

The add method is even simpler, because Hibernate is integrated in our project. Hibernate automatically maps all attributes of the User class and builds the INSERT statement; add only needs to call session.save(user); to save the user to the database.

Both of these steps were described as "simple" above. But are these processes, so convenient for us, actually safe?

Struts2 simply maps every object it is given. It provides form validation, but validation can only check the content of the attribute values in the form, such as the e-mail format; it cannot stop users from submitting other attributes, and so this becomes a very dangerous function.

Suppose User has an attribute type that indicates whether the user is an administrator (1 is an ordinary user, 2 is an administrator). An attacker adds a new input to the registration form:

<input name="reguser.type">

with the value 2, and submits it to the action together with the other fields. In this process the value is automatically carried into the database as well, and in the subsequent processing logic this user has become an administrator.

When you see a Struts2 or WebWork application, you can try this attribute attack by modifying the current form: guess which attributes exist, submit them together with the form, and the whole logic may be affected. This article only gives one example; in practice any default value of the data can be overwritten. This is a dangerous defect: the Struts2 and WebWork frameworks only see the convenience and ignore the security considerations, focusing solely on the correctness of the data the user submits. By comparison, without this Struts2 feature we would have to extract each required variable one by one from the user's request in the action, and this security issue could not occur. Now that the process is encapsulated and regarded as very good, there is a serious problem.
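To make the defect and its fix concrete, here is an added example (not from the original article and not Struts project code) showing a registration action written two ways. The class names RegistrationExample, VulnerableRegisterAction and SafeRegisterAction, the hypothetical UserDao standing in for session.save(user), and its injection via setDao are assumptions; ParameterNameAware is the Struts2 (XWork) interface the params interceptor consults before it sets each request parameter on the action.

```java
package net.inbreak.example;

import java.util.Set;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

public class RegistrationExample {

    // Entity as on the page: type defaults to 1 (ordinary user), 2 means administrator.
    public static class User {
        private Long id = 0L;
        private String name;
        private String pass;
        private Integer type = 1;
        public Long getId() { return id; }
        public void setId(Long id) { this.id = id; }
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getPass() { return pass; }
        public void setPass(String pass) { this.pass = pass; }
        public Integer getType() { return type; }
        public void setType(Integer type) { this.type = type; }
    }

    // Hypothetical persistence helper standing in for session.save(user).
    public interface UserDao { void save(User user); }

    // VULNERABLE: the entity itself is the binding target. A request carrying
    // reguser.type=2 (or reguser.id=...) reaches User.setType() through the
    // params interceptor and overwrites the default before save().
    public static class VulnerableRegisterAction extends ActionSupport {
        private User reguser = new User();
        private UserDao dao;
        public User getReguser() { return reguser; }
        public void setReguser(User reguser) { this.reguser = reguser; }
        public void setDao(UserDao dao) { this.dao = dao; }

        public String execute() {
            dao.save(reguser);   // whatever the client sent is persisted
            return SUCCESS;
        }
    }

    // HARDENED: only name and pass are bindable, every other parameter name is
    // refused, and the entity is assembled server-side so id and type keep
    // their defaults no matter what the request contains.
    public static class SafeRegisterAction extends ActionSupport implements ParameterNameAware {
        private static final Set<String> ALLOWED = Set.of("name", "pass");
        private String name;
        private String pass;
        private UserDao dao;
        public void setName(String name) { this.name = name; }
        public void setPass(String pass) { this.pass = pass; }
        public void setDao(UserDao dao) { this.dao = dao; }

        // Called by the params interceptor for each request parameter; anything
        // not in ALLOWED ("reguser.type", "type", "id", ...) is dropped here.
        public boolean acceptableParameterName(String parameterName) {
            return ALLOWED.contains(parameterName);
        }

        public String execute() {
            User user = new User();   // id = 0 and type = 1 come from the class, not the request
            user.setName(name);
            user.setPass(pass);       // password hashing omitted; not the point of this example
            dao.save(user);
            return SUCCESS;
        }
    }
}
```

The allow-list is the important part: the hardened action never exposes a setter for the entity, so no parameter name, however it is spelled, can reach User.setType() or User.setId(). The params interceptor's excludeParams setting in struts.xml can block patterns globally, but a per-action allow-list like acceptableParameterName is easier to review because everything bindable is visible in the action class itself.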

Action methods can be brute-forced

As mentioned above, a user has a way to reach an action without going through the default execute method, by calling other methods directly. The only condition is that the method is written as a public method in the action. If a developer needs a login feature for a console, his "decoupling" development habit can cause a security defect here.

Define the following action

package net.inbreak;

import java.util.ArrayList;
import java.util.List;
import com.opensymphony.xwork2.ActionSupport;

public class Userlogin extends ActionSupport {
    private String uname = "";
    private String upwd;
    private List<String> list = new ArrayList<String>();
    // getter and setter methods omitted

    public String login() {
        if (uname != null && upwd != null && uname.equals("kxlzx") && upwd.equals("pass")) {
            // login success
            return list();
        }
        return ERROR;
    }

    // public, so Struts2 also exposes it directly as userlogin!list.action
    public String list() {
        list.add("kxlzx"); list.add("kxlzx1"); list.add("kxlzx2"); list.add("kxlzx3");
        return "list";
    }
}

In Userlogin, the list function (displaying the list of all users) is a common function that can easily be called from elsewhere, so developers write it as a separate method.

When a user logs in via

http://www.inbreak.net/app/userlogin!login.action

we can see from the login code that the list() method is called to display the result only when the user enters the correct user name and password.

However, Struts2 exposes all public methods, so entering

http://www.inbreak.net/app/userlogin!list.action

makes Struts2 call the list method directly and return the result to the user. Even if the user has not logged in, all user information is displayed, and the login authentication in login is bypassed entirely.
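The following is an added example (not from the original article and not Struts project code) of how a defender closes this hole in the Userlogin action: the listing code becomes a private helper that the "!method" syntax cannot reach, the public entry points check credentials or the session, and the struts.xml fragment in the trailing comment switches dynamic method invocation off so that "!method" is ignored altogether. The class name UserloginSafe, the session key, the result names and the struts.xml mapping are assumptions; SessionAware and the struts.enable.DynamicMethodInvocation constant are real Struts2 APIs.

```java
package net.inbreak.example;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.SessionAware;

// Hardened version of the page's Userlogin action.
public class UserloginSafe extends ActionSupport implements SessionAware {
    private static final String SESSION_USER = "loggedInUser"; // assumed session key
    private String uname = "";
    private String upwd;
    private List<String> list = new ArrayList<String>();
    private Map<String, Object> session;   // injected by the servletConfig interceptor

    public void setUname(String uname) { this.uname = uname; }
    public void setUpwd(String upwd) { this.upwd = upwd; }
    public List<String> getList() { return list; }
    public void setSession(Map<String, Object> session) { this.session = session; }

    // Public entry point: credentials are checked here and the outcome is
    // recorded in the session before anything is listed.
    public String login() {
        if ("kxlzx".equals(uname) && "pass".equals(upwd)) {   // the page's fixed credentials
            session.put(SESSION_USER, uname);
            return renderList();
        }
        return LOGIN;
    }

    // Default entry point (userlist.action below): requires an existing
    // session instead of handing out the listing unconditionally.
    public String execute() {
        if (session == null || session.get(SESSION_USER) == null) {
            return LOGIN;
        }
        return renderList();
    }

    // Private: Struts2 only dispatches "!method" to public methods, so
    // userlogin!renderList.action is not an entry point any more.
    private String renderList() {
        list.add("kxlzx"); list.add("kxlzx1"); list.add("kxlzx2"); list.add("kxlzx3");
        return "list";
    }
}
/*
 * Belt and braces in struts.xml (assumed mapping): with dynamic method
 * invocation disabled, the "!method" suffix is ignored and each action name
 * reaches only the method its mapping names.
 *
 *   <constant name="struts.enable.DynamicMethodInvocation" value="false" />
 *   <action name="userlogin" class="net.inbreak.example.UserloginSafe" method="login">
 *       <result name="list">/user/list.jsp</result>
 *       <result name="login">/user/login.jsp</result>
 *   </action>
 *   <action name="userlist" class="net.inbreak.example.UserloginSafe">
 *       <result name="list">/user/list.jsp</result>
 *       <result name="login">/user/login.jsp</result>
 *   </action>
 */
```

The two measures are independent: making renderList private protects this one action even if someone re-enables dynamic method invocation later, while the struts.xml constant removes the "!method" entry point for every action in the application at once, which is what a code reviewer should look for first.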

When struts2 is not available
