Test the XXE vulnerability in SpringMVC

Source: Internet
Author: User

Test the XXE vulnerability in SpringMVC
The SpringMVC framework supports XML-to-Object ing. Internally, it uses two global interfaces Marshaller and Unmarshaller. One implementation is implemented using the Jaxb2Marshaller class, which naturally implements two global interfaces, it is used for Bidirectional parsing of XML and Object. The XML file can be a DOM file, an input/output stream, or a SAX handler.

SpringMVC is popular with annotations for rapid development. Among them, JAXB annotations can be used to mark the areas in the JavaBean that need to be converted with XML. For example, to map an XML file to a User object, use the JAXB annotation in the User object:



When using JAXB in SpringMVC to map XML to Java Bean, The XXE vulnerability may occur, because SpringMVC can also parse the XML in the request body, in the annotation mode, after the annotation @ RequestBody is used, you can introduce the HTTP Request body to our Controller method, which is generally used as a method parameter. When annotation-driven is enabled, HttpMessageConverter initializes seven Converters for AnnotationMethodHandlerAdapter. As for how Spring selects an appropriate converter, no source code is read here. I guess it should be determined through the Accept or Content-type header.

If the application does not effectively process the request body, we can inject external entities by constructing the request body. For example, when a Web application uses XML to transmit data without restrictions on external entity references, it is possible to import external entities, resulting in arbitrary file reading.

To test the vulnerability, you only need to configure the annotation driver and ViewResolver in the configuration file,
Normal request:





In the request, specify the content of the application/xml type and submit an XML file in the request body with the content name = exploit. Submit the request and switch to page index. jsp. Of course, we have done some processing in the controller and passed the converted user to jsp for presentation. The code is:

You can see that the content of the toString method is printed on the console:


The results of index. jsp are as follows:

The following introduces external entities and submits them:

[Html] view plaincopy
<? Xml version = "1.0" encoding = "UTF-8"?> <! Doctype any [
<! ENTITY shit SYSTEM "file: // c:/1.txt">]> <user> <name> & shit; </name> </user>

Different from the above, a malicious external entity shit is introduced and used in the ECHO position <name>. The effect is to read the 1.txt file under the C drive and the content is a string of "2". The result is as follows:

As you can see, external entities are successfully introduced and parsed, resulting in the XXE vulnerability.

Therefore, when SpringMVC processes XML-type request bodies, Converter supports external entity reference by default. This vulnerability can be solved through solutions on the official website.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.