
Milking a Horse or Executing Remote Code in Modern Java Web Frameworks

Type: Slides
Tags: Java, vulnerability
Authors: Meder Kydyraliev
Event: Ruxcon 2010
Indexed on: Mar 26, 2013
URL: http://www.ruxcon.org.au/assets/Presentations/meder-kydyraliev.java-frameworks.2010.pdf
File name: meder-kydyraliev.java-frameworks.2010.pdf
File size: 22.7 MB
MD5: 958a333d18d3c8fe810b72160fc38ef7
SHA1: fdd5dd43c2b371fe0f43f886d50bfa4cffb19ef8
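The index publishes an MD5 and a SHA1 for the slide deck, so the sensible thing to do before opening a 22.7 MB PDF pulled over plain HTTP is to check it against both. The script below is an added example written for this page, not code from SecDocs or from the talk; it only uses the URL and the two digests listed above, and the digests compared in it are those values, not assumptions.

```python
import hashlib
import hmac
import urllib.request

# Digests and URL as published on the SecDocs index entry for this file.
URL = "http://www.ruxcon.org.au/assets/Presentations/meder-kydyraliev.java-frameworks.2010.pdf"
EXPECTED = {
    "md5": "958a333d18d3c8fe810b72160fc38ef7",
    "sha1": "fdd5dd43c2b371fe0f43f886d50bfa4cffb19ef8",
}


def verify_digests(data: bytes, expected: dict) -> dict:
    """Hash `data` with every algorithm named in `expected` ({algo: hex}).

    Returns {algo: bool}. hmac.compare_digest is used so the comparison
    does not finish early on the first differing hex character.
    """
    results = {}
    for algo, hexdigest in expected.items():
        actual = hashlib.new(algo, data).hexdigest()
        results[algo] = hmac.compare_digest(actual, hexdigest.lower())
    return results


def all_match(data: bytes, expected: dict) -> bool:
    """True only if every published digest matches; one mismatch fails the file."""
    return all(verify_digests(data, expected).values())


def fetch_and_verify(url: str = URL, expected: dict = EXPECTED, timeout: int = 60) -> bytes:
    """Download `url` and return its bytes, raising if any digest disagrees.

    The bytes are held in memory and never written to disk until they have
    been checked, so a tampered or truncated download cannot be opened by
    mistake.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        data = resp.read()
    results = verify_digests(data, expected)
    bad = [algo for algo, ok in results.items() if not ok]
    if bad:
        raise ValueError(f"digest mismatch for {url}: {', '.join(bad)}")
    return data


if __name__ == "__main__":
    pdf = fetch_and_verify()
    with open("meder-kydyraliev.java-frameworks.2010.pdf", "wb") as fh:
        fh.write(pdf)
    print(f"verified and saved {len(pdf)} bytes")
```

One caveat: both MD5 and SHA-1 are collision-broken, so a match rules out corruption and a casually swapped file, but it is an integrity check against the index entry, not proof that the file is the one the author uploaded. If the download fails the check, keep the bytes for comparison rather than retrying until a copy happens to match.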

If you thought from the title that either was unlikely, this presentation will prove you wrong. Modern Java web frameworks are very complex and are used by some of the most critical web frontends (banks, airlines, etc.). However, due to the nature of Java, a lot of people using such frameworks assume that they are immune to certain classes of vulnerabilities and thus use no exploitation mitigation techniques at all. I'll discuss the current state of (in)security in some of the popular Java web frameworks (e.g. Spring, Struts2) based on my security review, which involved spending no more than one week on each framework. In most cases, I was able to get a shell in a HelloWorld application within 3-4 days. The presentation will also cover some of the ways to harden web applications built using these frameworks.
