Many of us shop online. However, few of us are aware that many e-commerce sites carry security vulnerabilities, such as denial-of-service vulnerabilities. Ranked by the severity of their impact, denial-of-service vulnerabilities can be divided into: ineffective, service reduction, self-recovering service destruction, manually recoverable service destruction, and unrecoverable service destruction.
More specifically, if the attack is not strong enough to make the target deny service completely, but the target's service capacity is reduced, the effect is called service reduction. When the attack is strong enough that the target completely loses the ability to serve, it is called service destruction. Service destruction can further be divided into recoverable and unrecoverable service destruction: for example, some attacks exploit a vulnerability in the target system to destroy its file system, causing the loss of critical system data; this usually leads to unrecoverable service destruction, and even if the system resumes serving, it cannot return to the state it was in before the disruption. This shows how serious a denial-of-service vulnerability can be!
Denial-of-service vulnerability: parseDouble
This denial-of-service vulnerability is an old bug that still exists in some legacy systems: JDK 1.6_23 and earlier, JDK 1.5_27 and earlier, and JRE 1.4.2_29 and earlier, on both Windows and Linux. For systems that run the Apache Tomcat server on a vulnerable JRE, an unauthenticated user can completely exhaust the server's resources.
The bug: the implementation of java.lang.Double.parseDouble() and the methods built on it can make a thread hang when parsing any number in the range [2^(-1022) - 2^(-1075), 2^(-1022) - 2^(-1076)]. This flaw can be used for DoS (denial-of-service) attacks. For example, the following code uses the vulnerable method:
Double d = Double.parseDouble(request.getParameter("d"));
An attacker could send a request whose parameter d lies in that range, for example "0.0222507385850720119e-00306", which causes the program to hang while processing the request.
A comment on Hacker News points out that the BigDecimal.doubleValue() method actually just converts the value to a string and then calls Double.parseDouble() on it. So, unfortunately, the BigDecimal-based mechanism only works if I give up some precision and call Math.pow(10, exponent) instead of using scaleByPowerOfTen(); the version shown here, unfortunately, does not work.
Although this error was fixed in JDK 1.6_24 and later, security research organisations have found that many Java systems may still be running vulnerable old versions. The general recommendation is to upgrade, or else to normalize the sanitized string, pass it to the new java.math.BigDecimal() constructor, and convert the result to a primitive double. Unfortunately, BigDecimal's constructor also invokes the troublesome Double.parseDouble code, so we are back where we started. Finally, we can try the following code; it is not efficient, but it passes all of the Float tests and does not deny service the way Double.parseDouble does.
    import java.math.BigDecimal;

    public static double parseDouble(String value) {
        // normalizeDoubleString() is not shown in the article; it is expected to
        // trim the input and upper-case the exponent marker so that only 'E' remains.
        String normalString = normalizeDoubleString(value);
        int offset = normalString.indexOf('E');
        BigDecimal base;
        int exponent;
        if (offset == -1) {
            base = new BigDecimal(normalString);   // no exponent part
            exponent = 0;
        } else {
            base = new BigDecimal(normalString.substring(0, offset));
            // Integer.parseInt() did not accept a leading '+' before Java 7, so strip it
            exponent = Integer.parseInt(normalString.charAt(offset + 1) == '+'
                    ? normalString.substring(offset + 2)
                    : normalString.substring(offset + 1));
        }
        return base.scaleByPowerOfTen(exponent).doubleValue();
    }
Although this method works to some extent, its efficiency is not very high. Because many e-commerce sites in the country still run old Java versions, this vulnerability is frequently attacked.
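The following is an added example, not code from the article or from OneAPM, of the mitigation a defender can apply on a legacy JRE where upgrading is not yet possible: rather than pattern-matching the request string, it parses the input exactly with BigDecimal and compares the value against the interval the article names, [2^(-1022) - 2^(-1075), 2^(-1022) - 2^(-1076)], returning the correctly rounded result (Double.MIN_NORMAL) for that interval instead of handing it to Double.parseDouble(). It assumes (as the OpenJDK 6 sources show) that the BigDecimal(String) constructor does its own digit parsing, so Double.parseDouble() is only reached through doubleValue() for values outside the interval; the class name GuardedDouble, the MAX_LENGTH policy and the sample inputs are all constructed for this example.

```java
import java.math.BigDecimal;
import java.math.BigInteger;

/*
 * Added example, not code from the article or from OneAPM: a replacement
 * for Double.parseDouble() on legacy JREs that guards the hazardous value
 * range by exact comparison rather than by input pattern.
 */
public final class GuardedDouble {

    // Assumed policy for this example: request parameters longer than this
    // are rejected before any parsing happens (cheap DoS hygiene).
    static final int MAX_LENGTH = 512;

    // The interval the article names, [2^-1022 - 2^-1075, 2^-1022 - 2^-1076],
    // held exactly: 2^-k == 5^k * 10^-k, so no rounding takes place.
    static final BigDecimal TWO_POW_MINUS_1022 = pow2Negative(1022);
    static final BigDecimal HAZARD_LOW  = TWO_POW_MINUS_1022.subtract(pow2Negative(1075));
    static final BigDecimal HAZARD_HIGH = TWO_POW_MINUS_1022.subtract(pow2Negative(1076));

    private static BigDecimal pow2Negative(int k) {
        return new BigDecimal(BigInteger.valueOf(5).pow(k), k);   // 5^k * 10^-k
    }

    /** True when |value| lies inside the interval that hangs unpatched JREs. */
    static boolean inHazardRange(BigDecimal value) {
        BigDecimal magnitude = value.abs();
        return magnitude.compareTo(HAZARD_LOW) >= 0
            && magnitude.compareTo(HAZARD_HIGH) <= 0;
    }

    /**
     * Strict decimal parse. Accepts what BigDecimal(String) accepts (optional
     * sign, digits, '.', exponent); "NaN", "Infinity", hex floats and the
     * d/f suffixes that Double.parseDouble() tolerates are rejected.
     */
    public static double parseDouble(String raw) {
        if (raw == null) {
            throw new NumberFormatException("null");
        }
        String s = raw.trim();
        if (s.isEmpty() || s.length() > MAX_LENGTH) {
            throw new NumberFormatException("empty or longer than " + MAX_LENGTH);
        }
        // BigDecimal(String) does its own digit parsing; Double.parseDouble()
        // is only reached below, via doubleValue(), for values outside the interval.
        BigDecimal value = new BigDecimal(s);
        if (inHazardRange(value)) {
            // Everything in the interval is within half an ulp of 2^-1022 (the
            // low end is the exact tie, which rounds to even), so the correctly
            // rounded double is +/-Double.MIN_NORMAL.
            return value.signum() < 0 ? -Double.MIN_NORMAL : Double.MIN_NORMAL;
        }
        return value.doubleValue();
    }

    public static void main(String[] args) {
        // Constructed inputs: the article's request parameter and a few ordinary values.
        String[] samples = {
            "0.0222507385850720119e-00306",
            "-2.2250738585072012e-308",
            "3.14159",
            "1e400",
            "12345678901234567890"
        };
        for (String s : samples) {
            boolean guarded = inHazardRange(new BigDecimal(s));
            System.out.println(s + " -> " + parseDouble(s) + (guarded ? "  (guarded)" : ""));
        }
    }
}
```

The first two samples fall inside the interval and come back as +/-Double.MIN_NORMAL without ever reaching Double.parseDouble(); the rest take the ordinary path. On a patched JRE the method returns exactly what Double.parseDouble() would, so it can stay in place after the upgrade. Note that the length cap and the strict grammar are policy choices for untrusted web input, not part of the original workaround.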
RASP: leaving the parseDouble vulnerability nowhere to hide
According to Gartner, more than 80% of attacks target the application layer, and most of the damage is done through applications. Gartner also found that software vendors' investment in application security is generally inadequate. Gartner analyst and researcher Joseph Feiman put forward the concept of Runtime Application Self-Protection (RASP).
As a new application security technology, RASP injects a protection program into the application like a vaccine and integrates with it, so that it can detect and block attacks in real time and the application gains the ability to protect itself. For the parseDouble denial-of-service vulnerability, for example, RASP defines a response rule set and a protection class; it then uses Java bytecode instrumentation to modify the protected class according to those rules before the class is loaded into the virtual machine, weaving the protection class into the protected class. This keeps our servers secure.
OneRASP (Runtime Application Self-Protection) is a cloud-based application self-protection service that protects software products from vulnerabilities in real time.
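As an added illustration of the weaving step just described (example code, not OneRASP's product or its rules), here is a java.lang.instrument agent built on the ASM bytecode library (org.objectweb.asm, an external dependency). It inspects every application class before the JVM loads it and, according to one protection rule, redirects call sites of Double.parseDouble(String) to a static method with the same signature on a protection class named GuardedDouble, which is assumed to exist on the application class path; the class name ParseDoubleAgent and the rule constants are constructed for this example.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;

import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

/*
 * Added illustration of RASP-style weaving, not OneRASP's code: an agent that
 * rewrites application classes at load time so that calls to the risky
 * Double.parseDouble(String) land in a guarded replacement instead.
 */
public final class ParseDoubleAgent implements ClassFileTransformer {

    // Protection rule: the risky call (owner, method, descriptor) and the
    // class whose identically typed static method replaces it.
    static final String RISKY_OWNER = "java/lang/Double";
    static final String RISKY_NAME = "parseDouble";
    static final String RISKY_DESC = "(Ljava/lang/String;)D";
    static final String GUARD_OWNER = "GuardedDouble";   // assumed helper, default package

    public static void premain(String agentArgs, Instrumentation inst) {
        inst.addTransformer(new ParseDoubleAgent());
    }

    @Override
    public byte[] transform(ClassLoader loader, String className, Class<?> redefined,
                            ProtectionDomain domain, byte[] classfile) {
        // Leave bootstrap classes (null loader), the JDK and the guard itself alone.
        if (loader == null || className == null
                || className.startsWith("java/") || className.startsWith("sun/")
                || className.equals(GUARD_OWNER)) {
            return null;
        }
        ClassReader reader = new ClassReader(classfile);
        ClassWriter writer = new ClassWriter(reader, 0);
        final boolean[] changed = {false};
        ClassVisitor rewriter = new ClassVisitor(Opcodes.ASM9, writer) {
            @Override
            public MethodVisitor visitMethod(int access, String name, String desc,
                                             String signature, String[] exceptions) {
                MethodVisitor mv = super.visitMethod(access, name, desc, signature, exceptions);
                return new MethodVisitor(Opcodes.ASM9, mv) {
                    @Override
                    public void visitMethodInsn(int opcode, String owner, String mname,
                                                String mdesc, boolean isInterface) {
                        if (opcode == Opcodes.INVOKESTATIC && RISKY_OWNER.equals(owner)
                                && RISKY_NAME.equals(mname) && RISKY_DESC.equals(mdesc)) {
                            // Same descriptor, so the operand stack is unchanged:
                            // a String goes in, a double comes out.
                            super.visitMethodInsn(opcode, GUARD_OWNER, mname, mdesc, false);
                            changed[0] = true;
                            return;
                        }
                        super.visitMethodInsn(opcode, owner, mname, mdesc, isInterface);
                    }
                };
            }
        };
        reader.accept(rewriter, 0);
        // Returning null tells the JVM to load the original bytes untouched.
        return changed[0] ? writer.toByteArray() : null;
    }
}
```

To use it, package the class together with ASM in a jar whose manifest carries `Premain-Class: ParseDoubleAgent` and start the application with `-javaagent:agent.jar`. Because the replacement keeps the same descriptor, no stack-map or max-stack recomputation is needed, which is why the ClassWriter is created with flags 0. A production RASP agent would carry many such rules, would also cover the other entry points the article mentions (Float parsing, BigDecimal.doubleValue()), and would report each rewritten call site so operators can see where the protection actually took effect.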
Transferred from: http://news.oneapm.com/parse-double-onerasp/
MORE: https://www.oneasp.com/
Leave the parseDouble vulnerability nowhere to hide: a must-have tool for engineers!