Milking A Horse Or Executing Remote Code In Modern Java Web Frameworks

Presented at Ruxcon 2010 by

If you thought from the title that either was unlikely, this presentation will prove you wrong. Modern Java web frameworks are very complex and are used by some of the most critical web frontends (banks, airlines, etc.). However, due to the nature of Java, a lot of people using such frameworks assume that they are immune to certain classes of vulnerabilities and thus use no exploitation mitigation techniques at all. I'll discuss the current state of (in)security in some of the popular Java web frameworks (e.g. Spring, Struts2) based on my security review, which involved spending no more than one week on each framework. In most cases, I was able to get a shell in a HelloWorld application within 3-4 days. The presentation will also cover some of the ways to harden web applications built using these frameworks.