Unsafe JAX-RS: Breaking REST API

March 22, 2017 (at 11:30 a.m.) in Attack and Research

Using RESTful web services to build a web application's API is common practice nowadays. Java EE includes the JAX-RS API for building RESTful web services, and several JAX-RS implementations exist. The most popular are RESTEasy, Jersey, and Apache CXF.

The author examined the security of the RESTEasy, Jersey, and Apache CXF JAX-RS implementations and found weaknesses and vulnerabilities that lead to practical attacks against JAX-RS applications. Red Hat Product Security assigned the IDs CVE-2016-7050, CVE-2016-6346, CVE-2016-6345, CVE-2016-6348, and CVE-2016-6347 to vulnerabilities found in RESTEasy during the research. The research covers entity provider selection confusion attacks, CSRF attacks, DoS attacks, information disclosure attacks, XSS attacks, and more. As a result of the research, the author developed the "Unsafe JAX-RS" extension for Burp Suite, which helps identify vulnerabilities in JAX-RS applications.

Mikhail Egorov

Mikhail Egorov is an independent security researcher, bug hunter, and conference speaker. His main interests lie in web application security, mobile security, practical cryptography, and reverse engineering. He has been acknowledged by Adobe, Oracle, and Red Hat for finding vulnerabilities in their products, and has given talks at the Hack In The Box, ZeroNights, and PHDays security conferences.

Mikhail graduated from Bauman Moscow State Technical University with a master's degree in information security. He has about ten years of working experience in information security and programming. He currently works for Ingram Micro as an application security engineer.