XXe vulnerability Test in SPRINGMVC

Source: Internet
Author: User

The Spring MVC framework supports mapping XML to objects through two global interfaces, Marshaller and Unmarshaller. One implementation is the Jaxb2Marshaller class, which implements both interfaces and so converts bidirectionally between XML and objects; the XML side can be a DOM document, an input or output stream, or a SAX handler.

With Spring MVC and JAXB, annotations on a JavaBean declare how it maps to and from XML. The test uses a JAXB-annotated User JavaBean as the XML mapping target:


When Spring MVC uses JAXB to map XML to a Java Bean, an XXE vulnerability can arise, because Spring MVC can also parse XML from the request body. In annotation-driven mode this is done with @RequestBody, which binds the body of the HTTP request to a parameter of the controller method. When annotation-driven mode is enabled, AnnotationMethodHandlerAdapter is initialized with 7 HttpMessageConverter instances. How Spring chooses the right converter is not traced through the source here; presumably it decides based on the Accept or Content-Type header.

If the application does not process the body carefully, a request body can be crafted that injects external entities. For example, when a web application passes data as XML and places no restriction on references to external entities, external entities can be imported, which results in arbitrary file reads.

To test the vulnerability, you only need to configure the annotation driver and a view resolver in the configuration file.

A normal request:


The request declares a Content-Type of application/xml and submits an XML document in the request body with the content name=exploit. Submitting the request forwards to the page index.jsp; in the controller we do some processing that passes the User object to the JSP for rendering. The code is:

As you can see, the console prints the output of the toString method:

The index.jsp result is as follows:

Next, introduce an external entity and submit:


<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE any [<!ENTITY shit SYSTEM "file:///c:/1.txt">]><user><name>&shit;</name></user>

This differs from the request above by introducing a malicious external entity, shit, and referencing that entity in the echoed location, <name>. The effect is to read 1.txt in the root of drive c:, whose content is the string "2". The result is as follows:


As you can see, the external entity is successfully introduced and parsed, which is the XXE vulnerability.

So when Spring MVC processes a request body of XML type, the converter used by default supports external entity references. The vulnerability is resolved by the fix described in the official issue tracker:

https://jira.spring.io/browse/SPR-10806
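As an added example (not code from the original post or from the Spring project), the following stand-alone Java program shows the kind of hardened unmarshalling the SPR-10806 fix introduced: JAXB is fed a SAXSource whose XMLReader refuses DOCTYPE declarations and external entities, so the DOCTYPE payload above is rejected instead of reading a file. It assumes Java 8 (javax.xml.bind on the classpath) and a User bean constructed for this example; the file path in the payload is a placeholder. In Spring itself the equivalent switches are the supportDtd and processExternalEntities properties of the XML message converters and of Jaxb2Marshaller, which the fix defaults to false.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class SafeUserUnmarshal {

    // Stand-in for the page's User bean (constructed for this example).
    @XmlRootElement(name = "user")
    public static class User {
        public String name;
        @Override public String toString() { return "User{name=" + name + "}"; }
    }

    // Hardened unmarshal: the XMLReader handed to JAXB forbids DOCTYPE declarations
    // and external entity expansion, so a SYSTEM entity can never be resolved.
    public static User unmarshalSafely(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        SAXSource source = new SAXSource(reader, new InputSource(new StringReader(xml)));
        return (User) JAXBContext.newInstance(User.class).createUnmarshaller().unmarshal(source);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the normal request body and the page's DOCTYPE payload
        // with the file path replaced by a placeholder.
        String benign = "<user><name>exploit</name></user>";
        String xxe = "<?xml version=\"1.0\"?>"
                   + "<!DOCTYPE any [<!ENTITY shit SYSTEM \"file:///PLACEHOLDER\">]>"
                   + "<user><name>&shit;</name></user>";
        System.out.println(unmarshalSafely(benign)); // User{name=exploit}
        try {
            unmarshalSafely(xxe);
            System.out.println("unexpected: DOCTYPE payload was accepted");
        } catch (UnmarshalException e) {
            // The parser rejects the document at the DOCTYPE, before any entity is read.
            System.out.println("rejected: " + e);
        }
    }
}
```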
