For example, they can use this technique to cause a service to generate a new revision of a given entity every time an HTTP request is made to the service. An attacker can also use this technique to cause a service to update entity attributes that are marked as being read-only. Both of these scenarios can result in unexpected behaviour if the domain model is dependent on those entity attributes. Spring Data REST supports data validation for most domain model data through annotations. For domain model data that is validated, an attacker can use the PATCH technique to inject new or updated data into the validated domain model. An attacker can also use this technique to inject new or updated data into unvalidated domain model data. An unvalidated domain model is vulnerable to any form of injection attack. PATCH can be used to inject data into Spring Data REST endpoints.

The Basics of Rest Endpoints in Spring Data REST

Spring Data REST can be used to create endpoints for a variety of different RESTful services. Spring Data REST uses annotations to define the behaviour, validation and processing for REST services.
An attacker could use PATCH to cause unexpected behaviour in the application by injecting arbitrary data into an entity, or by updating the entity's attributes that are marked as being read-only.
The Spring Security OAuth 2.0 implementation was found to be vulnerable to this type of attack in CVE-2018-1002102, CVE-2018-1002103 and CVE-2018-1002104. This vulnerability was made public on 9 April 2018 as part of a coordinated disclosure with eight vendors (Google, Cloudflare, Facebook, Twitter, LinkedIn, Microsoft, Uber and Yahoo!) In the case where an authorization code is sent unsolicited and not protected by authentication or tokenization mechanisms such as OAuth 2.0 JWT bearer tokens or HTTP Basic Authentication credentials, an attacker can use this technique to cause a service call to return multiple authorization codes without requiring any interactions with the authorization server whatsoever.

Detecting Spring Data REST Vulnerabilities

At the time of writing, Spring Data REST has no built-in support for detecting vulnerabilities. The following sections will outline a few techniques to use when defending against Spring Data REST attacks.

Detecting PATCH Vulnerabilities

A simple pattern to detect PATCH vulnerabilities is to perform a JSON serialization of the entity in question and compare that with the actual entity being queried. If the two are different, this could indicate a vulnerability. A simple example of this approach is shown below:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 import org . apache . commons . io . IOUtils ; import org . springframework . data . jpa2 . JpaRepository ; import org . springframework . data . pkgenmap . JsonGenerator ; public class DetectPATCHVulnerableEntity { private final static String path = "/api/v1/customer/12345678" ; private final static String key = "customer" ; public static void main ( String [] args ) throws Exception { new DetectPATCHVulnerableEntity () } @Autowired private JpaRepository repository ; @GET @Path ( "{customer}" ) @Produces ( "application/json" ) public Response getCustomerById ( int id ) { return repository - >

What you need to test for

An attacker can use the PATCH technique to inject data into Spring Data REST endpoints. For example, they can use this technique to cause a service to generate a new revision of a given entity every time an HTTP request is made to the service. An attacker can also use this technique to cause a service to update entity attributes that are marked as being read-only. Both of these scenarios can result in unexpected behaviour if the domain model is dependent on those entity attributes. Spring Data REST supports data validation for most domain model data through annotations. For domain model data that is validated, an attacker can use the PATCH technique to inject new or updated data into the validated domain model. An attacker can also use this technique to inject new or updated data into unvalidated domain model data. An unvalidated domain model is vulnerable to any form of injection attack. PATCH can be used to inject data into Spring Data REST endpoints

Timeline

Published on: 09/21/2022 18:15:00 UTC
Last modified on: 09/22/2022 19:42:00 UTC

References