Posts List

#hackyou2014 Web400 write-up

I did not solve this level during the CTF, but found it so interesting reading Xelenonz's write-up that I couldn't help trying it myself just for the fun, and since this blog is my personal notes, I decided to write it here for future reference, but all credits go to Xelenonz. We are given the code of an image hosting web app. Reading the code we see how it handles the requests:

More on XStream RCE: SpringMVC WS

Continuing my previous post, where I mentioned that the XStream RCE issue also affected SpringMVC RESTful WebServices using the XStream SpringOXM wrapper, I wanted to share a POC server. The code is quite simple and can be found in the XStreamServer GitHub Repo. It contains a WebService defined by the ContactController: @Controller @RequestMapping("/contacts") public class ContactController { @Autowired private ContactRepository contactRepository; @RequestMapping( value = "/{id}", method = RequestMethod.GET ) @ResponseStatus(HttpStatus.

RCE via XStream object deserialization

When researching SpringMVC RESTful APIs and their XXE vulnerabilities, I found that XStream was not vulnerable to XXE because it ignored the <DOCTYPE /> blocks. Curious about it, I decided to take a deeper look at XStream and found out that it's not just a simple marshalling library like JAXB but a much more powerful serializing library, capable of serializing really complex types, and not just POJOs, to an XML representation.