Vulnerability ID: 5NN8-2LPX-7C72-5K9D
Application Name: AgentMessageGeneratorJava
Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/7c6cfec5-a187-4d5e-984a-d11d96d2ef63/applications/6394f24f-037b-43bb-8ac2-05fa5fb5d862/vulns/5NN8-2LPX-7C72-5K9D
What Happened?
We tracked the following data from "input" Parameter:
GET /jsp-2.0/evaluate.jsp?input=8*8
...which was accessed within the following code:
evaluate.jsp, line 13
...and ended up evaluated in this expression:
${8*8}
What's the risk?
The application takes user data and passes it to an Expression Language (EL) interpreter for evaluation. The result of that evaluation is likely returned to the user. If so, a user can supply EL variables instead of arithmetic, for example "${applicationScope}", and the interpreter will resolve them against server-side state (the servlet context, session and page attributes exposed through EL's implicit objects), populate the response with that sensitive server information, and return it to the user.
Recommendation
No user input should be allowed to be evaluated by an Expression Language interpreter without strict validation. Prefer to keep user data out of the expression text entirely; if a user value is needed inside an expression, bind it as a variable rather than concatenating it into the expression source, and otherwise restrict the input to a tight allowlist of characters.
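The following is an added example, not the page's evaluate.jsp or Contrast's own code. It reconstructs the vulnerable shape the report describes (the raw "input" parameter handed to the EL interpreter) next to a validated version, using the EL 3.0 ELProcessor API (javax.el-api plus an implementation such as Tomcat's jasper-el or GlassFish's javax.el on the classpath). Outside a JSP there is no applicationScope implicit object, so a constructed map is registered under that name to stand in for the ServletContext attributes; the method names and the sample attribute values are assumptions made for the illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.el.ELProcessor;

public class ElInjectionDemo {

    // Vulnerable shape reconstructed from the report (an assumption, not the page's
    // evaluate.jsp): whatever arrives in the "input" parameter becomes EL source.
    // ELProcessor.eval wraps the text in ${...} and evaluates it, so "8*8" is
    // arithmetic but "applicationScope" is a variable lookup against server state.
    static Object evaluateUnsafe(ELProcessor elp, String input) {
        return elp.eval(input);
    }

    // Hardened variant: a strict allowlist of digits, + - * / ( ) and spaces with a
    // length cap. Without letters or dots no identifier can be written, so EL
    // implicit objects and bean properties are unreachable from the input.
    private static final Pattern SAFE_ARITHMETIC = Pattern.compile("[0-9+\\-*/() ]{1,64}");

    static Object evaluateValidated(ELProcessor elp, String input) {
        if (input == null || !SAFE_ARITHMETIC.matcher(input).matches()) {
            throw new IllegalArgumentException("input is not a plain arithmetic expression");
        }
        return elp.eval(input);
    }

    public static void main(String[] args) {
        ELProcessor elp = new ELProcessor();

        // Constructed stand-in for the JSP applicationScope implicit object. In a real
        // JSP this would be the ServletContext attribute map; the values are made up.
        Map<String, Object> applicationScope = new LinkedHashMap<>();
        applicationScope.put("db.url", "jdbc:postgresql://db.internal:5432/app");
        applicationScope.put("admin.token", "constructed-secret-value");
        elp.defineBean("applicationScope", applicationScope);

        // The benign request from the report.
        System.out.println("unsafe   8*8              -> " + evaluateUnsafe(elp, "8*8"));
        // The same sink with a variable name instead of arithmetic dumps the map.
        System.out.println("unsafe   applicationScope -> " + evaluateUnsafe(elp, "applicationScope"));

        // The validated sink still serves the legitimate use case...
        System.out.println("validated 8*8             -> " + evaluateValidated(elp, "8*8"));
        // ...and rejects anything that is not plain arithmetic before EL ever sees it.
        try {
            evaluateValidated(elp, "applicationScope");
        } catch (IllegalArgumentException e) {
            System.out.println("validated applicationScope -> rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is deliberately narrow: widening it to letters, dots or brackets would reopen variable and property resolution, and at that point the only safe design is to evaluate a fixed expression and pass the user value in through elp.setValue rather than through the expression text.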
HTTP Request
GET http://localhost:32817/jsp-2.0/evaluate.jsp?input=8*8 HTTP/1.0
Connection: Keep-Alive
Host: localhost:32817
Contrast-Mq-Name: queue-060-JspIT.it_tests_expression_evaluator_sink-contrastsecurity-docker.jfrog.io/contrast/tomcat-jsp:6.0.53-rev3
User-Agent: okhttp/3.9.1
Accept-Encoding: gzip
References
https://www.owasp.org/index.php/Expression_Language_Injection