
Avoiding other injections

Secure coding practices prescribe that Spring expressions built from dynamic (user-controlled) values should be avoided.


Directory traversal

Pseudocode example (Python):

# json_req["id"] is taken straight from the request; an id containing "../"
# escapes /tmp and reads an arbitrary file the process can access
with open('/tmp/' + json_req["id"], 'r') as f:
    process(f.read())

Side note: URLs

# the same problem applies to paths inside URLs: the id becomes part of the request path
requests.get("https://url/api/object/{}".format(json_req["id"]))

With an id of "asd/../../admin/get_env", the request turns into

GET /api/object/asd/../../admin/get_env HTTP/1.1

Mitigation

  • input validation
  • taint analysis
  • WAF

Anything-with-a-query-language injection

  • in general, treat executing string-based queries with caution
  • even the simplest query languages allow some form of request tampering; examples: connection strings, LDAP, XPath

Case: JSON IAM policy injection

  • application hosts Word documents on an S3 bucket
  • provides users with a URL carrying a signed policy upon request
  • the policy JSON is built as a string, so injecting JSON characters through the URL lets a user add claims

policy = "{{'resource':'{}'}}"   # example: policy document assembled by string formatting
sign(policy.format(document_name))  # document_name is user-controlled and never escaped
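To make the claim injection concrete, here is an added Python example (not code from the original post) that builds the policy both ways; the bucket name, the allow-list regex and the function names are assumptions:

```python
import json
import re

# Constructed example for the Word-documents-on-S3 scenario above.
# BUCKET, SAFE_NAME and the function names are hypothetical, not a real API.
BUCKET = "example-docs"
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.docx$")


def build_policy_unsafe(document_name):
    """Vulnerable: the policy JSON is assembled by string formatting, so JSON
    characters in the name become part of the document structure."""
    return '{{"resource": "arn:aws:s3:::{}/{}"}}'.format(BUCKET, document_name)


def build_policy_safe(document_name):
    """Hardened: reject anything outside the allow-list (this also stops
    "../" traversal), then let the JSON serializer do the quoting so input
    can never add keys."""
    if not SAFE_NAME.match(document_name):
        raise ValueError("document name rejected by allow-list")
    resource = "arn:aws:s3:::{}/{}".format(BUCKET, document_name)
    return json.dumps({"resource": resource})


def policy_keys(policy):
    """Parse a policy and list the keys it carries: what a verifier would
    actually honour once the string has been signed."""
    return sorted(json.loads(policy).keys())


if __name__ == "__main__":
    # Constructed input: a name that closes the resource string and adds a claim.
    crafted = 'report.docx", "action": "s3:*", "x": "'
    print(policy_keys(build_policy_unsafe(crafted)))   # ['action', 'resource', 'x']
    print(policy_keys(build_policy_safe("report.docx")))  # ['resource']
```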