Difference between revisions of "OWASP O2 Platform/Spring Framework/MVC"

From OWASP

Revision as of 11:21, 15 November 2009

This page will have information about how to analyze the MVC part of the Spring Framework using O2.

O2 support for Spring MVC

http://deploy.o2-ounceopen.com/O2_Cmd_SpringMvc/

Vulnerabilities in the JPetStore sample application

Start by downloading the files from http://deploy.o2-ounceopen.com/DemoFiles/SpringMvc/

Auto-Binding on EditOwner.do

Draft explanation:

Install a clean copy of PetClinic on Tomcat.
Use Firefox + LiveHttpHeaders or similar.
List the owners.
Select owner 2 (Betty Davis).
Click edit.
Make a trivial change.
Click edit again.
Use LiveHttpHeaders replay to replay the previous edit, but modify the POST body
from:
firstName=Betty&lastName=Davis&address=638+Cardinal+Ave&city=Sun+Prairie&telephone=6085551749

to:
firstName=Betty&lastName=Davis&address=638+Cardinal+Ave&city=Sun+Prairie&telephone=6085551749&pets[0].owner.id=3

The upshot is that you end up overwriting owner 3 with Betty Davis's info, even
though the URL that the POST goes to is:
http://localhost:8080/petclinic/editOwner.do?ownerId=2

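The following is an added example, not code from the O2 page or from PetClinic itself: it reproduces the auto-binding problem in isolation with Spring's DataBinder on simplified Owner/Pet stand-ins (assumed shapes, not the real entity classes) and shows the whitelist that stops the extra pets[0].owner.id parameter from reaching the owner's id. The same setAllowedFields call is what an @InitBinder method in the editOwner controller would make.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class AutoBindingDemo {
    // Minimal stand-ins for the PetClinic Owner/Pet entities (assumed shapes, not the real classes).
    public static class Owner {
        private Integer id;
        private String firstName;
        private List<Pet> pets = new ArrayList<Pet>();
        public Integer getId() { return id; }
        public void setId(Integer id) { this.id = id; }
        public void setFirstName(String firstName) { this.firstName = firstName; }
        public List<Pet> getPets() { return pets; }
    }
    public static class Pet {
        Owner owner;
        public Owner getOwner() { return owner; }
    }
    // Owner 2 with one pet whose back-reference is the same Owner object, which is why pets[0].owner.id reaches the owner's own id.
    static Owner owner2() {
        Owner betty = new Owner();
        betty.setId(2);
        Pet pet = new Pet();
        pet.owner = betty;
        betty.getPets().add(pet);
        return betty;
    }
    // The replayed form body from the page, reduced to the two relevant parameters (constructed input).
    static MutablePropertyValues replayedPost() {
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.add("firstName", "Betty");
        pvs.add("pets[0].owner.id", "3");
        return pvs;
    }
    public static void main(String[] args) {
        // Default binder: every parameter that resolves to a bean path is applied, id included.
        Owner unprotected = owner2();
        new DataBinder(unprotected).bind(replayedPost());
        System.out.println("no whitelist: owner id is now " + unprotected.getId());

        // Whitelisted binder: only the form's own fields may be bound; the rest is silently dropped.
        Owner whitelisted = owner2();
        DataBinder binder = new DataBinder(whitelisted);
        // In the editOwner controller this call belongs in an @InitBinder method.
        binder.setAllowedFields("firstName", "lastName", "address", "city", "telephone");
        binder.bind(replayedPost());
        System.out.println("with whitelist: owner id is still " + whitelisted.getId());
    }
}
```

Fields rejected by the whitelist are recorded in the BindingResult's suppressed fields, which is a useful place to log unexpected parameters during testing.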
go back to the main OWASP O2 Platform page