Test the XXE vulnerability in SpringMVC

Source: Internet
Author: User

The SpringMVC framework supports XML-to-Object mapping. Internally it uses two global interfaces, Marshaller and Unmarshaller. One implementation is the Jaxb2Marshaller class, which implements both interfaces and is used for bidirectional conversion between XML and objects. The XML side can be a DOM tree, an input/output stream, or a SAX handler.

SpringMVC is popular for its annotation-based rapid development. Among these annotations, JAXB annotations mark the fields of a JavaBean that are to be converted to and from XML. For example, to map an XML file to a User object, annotate the User class with JAXB annotations:



When JAXB is used in SpringMVC to map XML to a Java Bean, an XXE vulnerability may occur, because SpringMVC can also parse the XML in the request body. In annotation mode, once @RequestBody is used, the HTTP request body is bound to our Controller method, generally as a method parameter. When annotation-driven is enabled, HttpMessageConverter initializes seven Converters for AnnotationMethodHandlerAdapter. As for how Spring selects the appropriate converter, I have not read the source code here; I guess it is determined through the Accept or Content-Type header.

If the application does not properly handle the request body, we can inject external entities by constructing the request body. For example, when a Web application uses XML to transmit data without restricting external entity references, external entities can be introduced, resulting in arbitrary file reading.

To test the vulnerability, you only need to configure the annotation driver and ViewResolver in the configuration file.
Normal request:





In the request, set the Content-Type to application/xml and submit an XML document in the request body with name = exploit. Submit the request and the page switches to index.jsp. Of course, we have done some processing in the controller and passed the converted User to the JSP for display. The code is:

You can see that the output of the toString method is printed on the console:


The result on index.jsp is as follows:

Now introduce an external entity and submit it:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE any [
<!ENTITY shit SYSTEM "file://c:/1.txt">]>
<user><name>&shit;</name></user>

Unlike the request above, a malicious external entity shit is declared and used in the echoed position <name>. The effect is to read the file 1.txt on the C drive, whose content is the string "2". The result is as follows:

As you can see, the external entity is successfully introduced and resolved, which is the XXE vulnerability.

Therefore, when SpringMVC processes XML request bodies, the Converter supports external entity references by default. The vulnerability can be fixed by following the guidance on the official website.
