Milking a horse or executing remote code in modern Java web frameworks

March 30, 2011 (at 2:30 p.m.) in Attacks & Research

If you thought that either was unlikely, this presentation will prove you wrong. Modern Java web frameworks are very complex and are used by some of the most critical web frontends (banks, airlines, etc.). However, due to the nature of Java, a lot of people using such frameworks assume that they are immune to certain classes of vulnerabilities and thus use no exploitation mitigation techniques at all. I’ll discuss the current state of (in)security in some of the popular Java web frameworks (e.g. Spring, Struts2, Seam) based on my security review, which involved spending no more than one week on each framework. In most cases, I was able to get a shell in a HelloWorld application within 3–4 days. The presentation will also cover some of the ways to harden web applications built using these frameworks.

Meder Kydyraliev

Meder Kydyraliev has been working in the area of web application security for the past six years. He has worked as a security consultant for one of the Big 4 and currently works on the Google Security Team. Meder has contributed some of his time to open-source projects such as xprobe2 and webscarab, and has spoken at various security conferences.