Difference between revisions of "OWASP O2 Platform/Spring Framework/MVC"

From OWASP
Line 3: Line 3:
 
=== Spring MVC info ===
 
=== Spring MVC info ===
  
* http://diniscruz.blogspot.com/2009/09/spring-mvc-30-mvc-binding-rules.html
+
* [http://diniscruz.blogspot.com/2009/09/spring-mvc-30-mvc-binding-rules.html Spring MVC 3.0 MVC Binding Rules]
  
 
=== O2 support for Spring MVC ===
 
=== O2 support for Spring MVC ===

Revision as of 11:24, 15 November 2009

This page will have information about how to analyze the MVC part of the Spring Framework using O2.


Spring MVC info

O2 support for Spring MVC

http://deploy.o2-ounceopen.com/O2_Cmd_SpringMvc/

Vulnerabilities in the JPetStore sample application

Start by downloading the files from http://deploy.o2-ounceopen.com/DemoFiles/SpringMvc/

Auto-Binding on EditOwner.do

Draft explanation:

Install a clean copy of PetClinic on Tomcat.
Use Firefox + LiveHttpHeaders or similar
List the owners.
Select owner 2 (Betty Davis).
Click edit.
Make a trivial change.
Click edit again.
Use the LiveHttpHeaders replay feature to resend the previous edit, but modify the POST body
from:
firstName=Betty&lastName=Davis&address=638+Cardinal+Ave&city=Sun+Prairie&telephone=6085551749

to:
firstName=Betty&lastName=Davis&address=638+Cardinal+Ave&city=Sun+Prairie&telephone=6085551749&pets[0].owner.id=3

The upshot is that you end up overwriting owner 3 with Betty Davis's info, even though the URL the POST goes to is:
http://localhost:8080/petclinic/editOwner.do?ownerId=2
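An added example, not code from this wiki page or from the PetClinic sample, of the Spring MVC 3.0 binder configuration that closes this hole: a hypothetical EditOwnerForm controller (Owner and Clinic are assumed types) whose @InitBinder whitelists the five form fields so a parameter such as pets[0].owner.id is discarded before binding, and which reads BindingResult.getSuppressedFields() to log such requests.

```java
import java.util.Arrays;
import java.util.logging.Logger;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

// Hypothetical edit-owner controller. Owner and Clinic are assumed types; Owner has the
// properties named in the POST body above plus id and pets.
@Controller
@RequestMapping("/editOwner.do")
public class EditOwnerForm {
    private static final Logger log = Logger.getLogger(EditOwnerForm.class.getName());
    private Clinic clinic; // assumed service that loads and stores owners, wired by Spring

    // The owner being edited is selected by the ownerId URL parameter, never by the body.
    @ModelAttribute("owner")
    public Owner loadOwner(@RequestParam("ownerId") int ownerId) {
        return clinic.loadOwner(ownerId);
    }

    // Weak default: with no allowed-field list the binder follows any property path the
    // request names, so pets[0].owner.id=3 reaches owner.getPets().get(0).getOwner().setId(3)
    // and the save afterwards writes Betty's data over owner 3. Corrected: bind only the
    // form's own fields; anything else, nested paths included, is dropped and recorded.
    @InitBinder("owner")
    public void restrictBoundFields(WebDataBinder binder) {
        binder.setAllowedFields("firstName", "lastName", "address", "city", "telephone");
    }

    @RequestMapping(method = RequestMethod.POST)
    public String processSubmit(@ModelAttribute("owner") Owner owner, BindingResult result) {
        // Detection hook: names of rejected parameters survive in the BindingResult, so a
        // request carrying pets[0].owner.id can be logged or alerted on here.
        String[] suppressed = result.getSuppressedFields();
        if (suppressed.length > 0) {
            log.warning("Rejected unexpected owner fields: " + Arrays.toString(suppressed));
        }
        if (result.hasErrors()) {
            return "ownerForm";
        }
        clinic.storeOwner(owner);
        return "redirect:owner.do?ownerId=" + owner.getId();
    }
}
```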
