понедельник, 1 февраля 2016 г.

Mini-post: Execution After Redirect for J2EE

About EAR

Several years ago a white paper about a “new” type of vulnerability – Execution After Redirect was published http://cs.ucsb.edu/~bboe/public/pubs/fear-the-ear-ccs2011.pdf.
This is a “logical” vulnerability. And the idea of EAR is pretty simple. A web application does not halt execution after returning Redirect header to user and it continues execution. Therefore, sometimes there is an opportunity to bypass authorization and perform some actions in the web application or steal some critical information.

The following example shows it clearer:
if (!(request.getParameter("pass").equals(adminPswd))) {
        response.sendRedirect("login.jsp");
    }
admin.critFunc();
If a user inputs an incorrect password, a web application sends a response to the user with the redirect header to a login page. Otherwise, it executes some critical functions.
And in case of EAR vulnerability, the web application continues execution even after the sendRedirect function.
Actually, the possibility of EAR depends on framework/platform’s specifics. There is a list of frameworks in the white paper where EAR vuln can be found.
Also, there is a subtype of EAR – blind EAR. This is when a web application doesn’t return any output to user after a redirect function. And only this subtype is possible in J2EE applications.

Something new?

I would like to share the result of a little research on EAR for J2EE, because the problem is wider here.
So, for redirection we use:
response.sendRedirect("any.jsp");
And a web application continues execution after this function.
But also there is a forwarding function (when a full user request is passed from one servlet/script to another within the web application):
request.getRequestDispatcher("any.jsp").forward(request, response);
Moreover, we can return an error page to a user:
response.sendError(500, "Text of Error");
In both of these cases, a web application continues execution too. So, we have here Execution After Forward and Execution After Error ;)

It’s been interesting for me to check built-in features of JSP and JSTL:
1)    JSP gives us an ability to forward a request:
<jsp:forward page="any.jsp"></jsp:forward>
2)    with JSTL we can redirect a user:
<c:redirect url="any.jsp"/>
But in the both cases, the web application doesn’t execute code after these tags. Why so?
If we look at the "converted" JSP files to java classes, we can see:
1) For "forward":
if (true) {
        _jspx_page_context.forward("any.jsp");
        return;
      }
2) For "redirect":
 if (_jspx_meth_c_005fredirect_005f0(_jspx_page_context))
        return;
Thus, returns “stops” a web application execution.