Difference between revisions of "OWASP O2 Platform/Spring Framework/MVC"


Revision as of 10:24, 15 November 2009

This page will hold information about how to analyze the MVC part of the Spring Framework using O2.

Spring MVC info

* Spring MVC 3.0 MVC Binding Rules: http://diniscruz.blogspot.com/2009/09/spring-mvc-30-mvc-binding-rules.html

O2 support for Spring MVC


Vulnerabilities in the JPetStore sample application

Start by downloading the files from http://deploy.o2-ounceopen.com/DemoFiles/SpringMvc/

Auto-Binding on EditOwner.do

Draft explanation:

1. Install a clean copy of PetClinic on Tomcat.
2. Use Firefox + LiveHttpHeaders or similar.
3. List the owners.
4. Select owner 2 (Betty Davis).
5. Click edit.
6. Make a trivial change.
7. Click edit again.
8. Use LiveHttpHeaders replay to replay the previous edit, but modify the POST body.


The upshot is that you end up overwriting owner 3 with Betty Davis's info even though the URL that the POST goes to is:
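As an added example, not code from the O2 page or from the PetClinic project, here is a hypothetical Spring MVC 3.0 controller in the shape of an EditOwner.do handler, showing the defence against the auto-binding issue above: an @InitBinder that refuses to bind "id" from the request, plus taking the row identity from the ownerId the form was opened with rather than from the POST body. The OwnerRepository and Owner classes, the URLs and the view names are assumptions.

```java
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.*;

// Hypothetical repository and entity, reduced to what the binding issue needs
// (not PetClinic's own Clinic/Owner classes).
interface OwnerRepository {
    Owner load(int ownerId);
    void store(Owner owner);
}

class Owner {
    private Integer id;
    private String lastName;
    public Integer getId() { return id; }
    public void setId(Integer id) { this.id = id; }
    public String getLastName() { return lastName; }
    public void setLastName(String lastName) { this.lastName = lastName; }
}

@Controller
@RequestMapping("/editOwner.do")
public class EditOwnerController {
    private final OwnerRepository owners;
    public EditOwnerController(OwnerRepository owners) { this.owners = owners; }

    // Without this, WebDataBinder sets every writable property that matches a
    // request parameter, "id" included, so a replayed POST carrying another
    // owner's id updates that owner rather than the one the form was opened for.
    @InitBinder
    public void restrictBinding(WebDataBinder binder) {
        binder.setDisallowedFields("id");
    }

    @RequestMapping(method = RequestMethod.GET)
    public String setupForm(@RequestParam("ownerId") int ownerId, Model model) {
        model.addAttribute("owner", owners.load(ownerId));
        return "ownerForm";
    }

    @RequestMapping(method = RequestMethod.POST)
    public String processSubmit(@RequestParam("ownerId") int ownerId,
                                @ModelAttribute("owner") Owner owner) {
        // Defence in depth: the identity of the row being saved comes from the
        // ownerId the form was opened with, never from the POST body.
        owner.setId(ownerId);
        owners.store(owner);
        return "redirect:/owner.do?ownerId=" + ownerId;
    }
}
```

Checking a Spring MVC code base for controllers whose @InitBinder neither calls setDisallowedFields nor setAllowedFields is a quick way to find other handlers exposed to the same overwrite.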
