A recent security assessment of an application by Ounce Labs has resulted in the discovery of two vulnerabilities
that can affect Java Web applications that use the Spring Framework.
Spring has been downloaded more than 5 million times to date, which means the security vulnerabilities identified could affect countless companies that use this framework.
The specific vulnerabilities the Ounce Labs' Advanced Research Team (ART) documented are "ModelView Injection" and "Data Submission to Non-Editable Fields." These vulnerabilities allow attackers to subvert the expected application logic and behavior, gaining control of the application and providing access to any data, credentials or keys held in the application.
Ryan Berg, chief scientist and co-founder of Ounce Labs, said the vulnerabilities affect frameworks that use some sort of model view controller (MVC). With the ModelView Injection vulnerability, which deals with the model aspect, researchers found that there's automatic binding between the view and the form fields. So it automatically sets the value for fields.
"One of the problems is there's no default checking to make sure the users are only submitting fields that are visible in the form," Berg said. "That means someone can submit additional data in a request and put it into the Java bean."
Researchers discovered that they could manipulate trades because they could change the values in the underlying model that should never be changed, he said.
When the researchers then looked at the sample applications included in the Spring Framework, such as the shopping cart application, they noticed that those applications had the same vulnerability.
"They use the same account object in two different forms. And you can modify the account ID and take over another user's account," Berg said, referring to the shopping cart application.
The second vulnerability ART found deals with the view side of MVC. As you populate the model, there's an internal resolution process to decide what to display back to the user. It lets you specify a name, so it will try to find a view to render that matches that name, Berg said.
"The thing that we found in the commercial side and open source version was that the name being called was being pulled out of a hidden field," he said. "We found we could access files an external user should never be able to get to. We can see how the app is built as well as get all the backing code from them. It's like allowing a hacker to back a truck up to your app and take all of the information."
How to prevent exploitation of the vulnerabilities
Berg said the problem with the Spring Framework is that it is so large and complex that developers don't understand the security implications of what they're doing.
"The risk is twofold," Berg said. "First, it is the default nature of Spring. Second, if you don't do anything to protect against it, then you're going to be vulnerable."
On top of that, until recently, information about the vulnerabilities was not readily available.
"We first discovered the vulnerabilities about four or five months ago," Berg said. "We found a posting from 2004 on a forum that said if you're doing this, this could be a security issue. But there wasn't any follow-up or good dialogue on how to fix this. There wasn't a lot of awareness."
It's important to note, Berg said, that the vulnerabilities are not flaws in the framework. "The issue is developers not understanding the complexity of the framework they're using," he said.
Since discovering the vulnerabilities, Ounce researchers have been working with SpringSource -- creator of the Spring Framework -- to make people aware of the issue and to modify the framework so it isn't a problem.
"We walked through our findings, and they agreed that these are some pretty serious issues. And we worked to craft an advisory," Berg said.
Keith Donald, principal software engineer at SpringSource, said they are working with security experts at Ounce Labs to raise awareness within the Spring community of these two issues.
"We are committed to ensuring that our community has all the information they need to secure their Spring applications, and we appreciate the collaboration with Ounce's team in this effort," he said in a prepared statement.
In order to avoid the vulnerabilities, Ounce Labs' ART recommends the following:
- Never directly use data that a user can control, through hidden fields, cookies, or direct form submissions to control the actual views that are rendered in the MVC pattern.
- Always use the setAllowedFields method to limit the auto-binding of all fields to only those fields that are required for the form.
- Remember that validation is not just about protecting against SQL injection and cross-site scripting (XSS), but you need to validate all data that can be used to control a business process.
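The first two recommendations in one Spring MVC controller, written as an added example for this article (it is not Ounce Labs' or SpringSource's code). The Order bean, the OrderController, the "next" parameter and the NEXT_VIEWS table are assumptions; setAllowedFields and the @InitBinder/@PostMapping annotations are standard Spring MVC.

```java
import java.util.Map;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class OrderController {

    /** Hypothetical form-backing bean. The HTML form exposes only "quantity". */
    public static class Order {
        private long accountId;   // server-assigned; must never come from the request
        private int quantity;     // the one field the user is allowed to edit
        public long getAccountId() { return accountId; }
        public void setAccountId(long accountId) { this.accountId = accountId; }
        public int getQuantity() { return quantity; }
        public void setQuantity(int quantity) { this.quantity = quantity; }
    }

    /** Views a user may ask for, keyed by a short token; the token itself is never a view name. */
    private static final Map<String, String> NEXT_VIEWS = Map.of(
            "summary", "order/summary",
            "receipt", "order/receipt");

    /**
     * Defense against "Data Submission to Non-Editable Fields": bind only the fields the
     * form actually shows. A request that also carries "accountId=7" is ignored, not bound.
     */
    @InitBinder("order")
    public void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("quantity");
    }

    /**
     * Defense against "ModelView Injection": the user-controlled "next" value (query
     * parameter or hidden field) is only a lookup key. Unknown keys fall back to a fixed
     * view instead of being handed to the view resolver as a name.
     */
    @PostMapping("/order")
    public String submit(@ModelAttribute("order") Order order,
                         @RequestParam(name = "next", required = false) String next) {
        order.setAccountId(currentAccountId());   // set server-side, never from the request
        String view = NEXT_VIEWS.get(next);
        return view != null ? view : "order/summary";
    }

    private long currentAccountId() {
        return 42L; // hypothetical stand-in: real code reads the authenticated principal
    }
}
```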
Berg also said Ounce Labs hopes to work with SpringSource on the next release of Spring. That release, he said, will make it so the developer has to do something special to make it insecure.
"By default it will force them into a secure state. They will have to do something to be insecure," Berg said.