5.3.4. Framework

5.3.4.1. Servlet

5.3.4.1.1. Introduction

Servlet (Server Applet), short for Java Servlet, is also called a servlet or service connector. It is a server-side program written in Java whose main purpose is to interactively browse and modify data and to generate dynamic Web content.

In the narrow sense, Servlet refers to an interface defined in the Java language; in the broad sense it refers to any class that implements the Servlet interface, which is how the term is usually understood. Servlets run on application servers that support Java. In principle a servlet can respond to any type of request, but in most cases servlets are used only to extend web servers based on the HTTP protocol.

5.3.4.1.2. Lifecycle

  • The client requests the Servlet

  • Load the servlet class into memory

  • Instantiate and call the init() method to initialize the servlet

  • service() is called; it dispatches to doGet() / doPost() / … according to the request method

  • destroy() is called before the servlet is unloaded

5.3.4.1.3. Interfaces

init()

The init() method is executed only once during the life of the servlet, when the server loads the servlet.

service()

The service() method is the heart of a servlet. Whenever a client requests an HttpServlet object, the object’s service() method is called, and the method is passed a “request” (ServletRequest) object and a “response” (ServletResponse) object as parameters.
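The lifecycle and the init()/service() hooks above, shown as an added example (not code from the original page): a hypothetical LifecycleServlet that reads an init parameter once in init(), overrides service() to observe every request before HttpServlet dispatches it to doGet()/doPost() by HTTP method, and releases nothing but logs in destroy(). It assumes the javax.servlet API (Jakarta EE 9+ renamed the package to jakarta.servlet); the class name, init-param name and escapeHtml helper are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet; names are illustrative. Deploy it under any javax.servlet container.
public class LifecycleServlet extends HttpServlet {
    private String greeting;

    // Called once, after the container has loaded and instantiated the class.
    @Override
    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        greeting = config.getInitParameter("greeting"); // assumed <init-param> in web.xml
        if (greeting == null) greeting = "Hello";
    }

    // Called once per request. HttpServlet.service() dispatches to doGet()/doPost()/...
    // by HTTP method; overriding it lets us log every request before that dispatch.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        log(req.getMethod() + " " + req.getRequestURI());
        super.service(req, resp);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String name = req.getParameter("name");
        if (name == null) name = "world";
        resp.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = resp.getWriter()) {
            // The parameter is client-controlled input: escape it before writing HTML.
            out.println("<p>" + escapeHtml(greeting + ", " + name) + "</p>");
        }
    }

    // Called once, just before the container unloads the servlet.
    @Override
    public void destroy() {
        log("LifecycleServlet unloaded");
    }

    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```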

5.3.4.2. Struts 2

5.3.4.2.1. Introduction

Struts2 is a web application framework based on the MVC design pattern; at its core it is essentially a servlet. In the MVC design pattern, Struts2 acts as the Controller, mediating the data exchange between the Model and the View.

5.3.4.2.2. Request Flow

  • The client sends a request to the Tomcat server

  • The request goes through a series of filters

  • FilterDispatcher calls ActionMapper to decide whether the request should call an Action

  • If ActionMapper decides an Action should be called, FilterDispatcher sends the request to ActionProxy

  • ActionProxy looks up struts.xml through the Configuration Manager and finds the corresponding Action class

  • ActionProxy creates an ActionInvocation object

  • The ActionInvocation object calls back the execute method of the Action

  • After the Action is executed, ActionInvocation finds the corresponding result according to the returned string and returns it to the server through HttpServletResponse

5.3.4.3. Spring

5.3.4.3.1. Introduction

Spring generally refers to the Spring Framework, a lightweight open-source Java application framework that simplifies development.

5.3.4.3.2. Spring MVC

Spring MVC is an MVC framework built on top of Spring; it is used mainly to develop Web applications and to simplify their development.

5.3.4.3.3. Spring Boot

Spring was relatively cumbersome to configure when it was first released, so Spring Boot was introduced as an auto-configuration tool to reduce the complexity of setting up a project.

5.3.4.3.4. Request Flow

  • The user sends a request to the server

  • The server receives the request and hands it to DispatcherServlet

  • DispatcherServlet uses HandlerMapping to check whether the URL has a corresponding Controller and, if so, executes it

  • If the Controller returns a string, the ViewResolver converts the string into the corresponding view object

  • DispatcherServlet renders the data in the view object back to the server

  • The server returns the data to the client

5.3.4.3.5. CVE overview

  • CVE-2018-1270
    • Spring Websocket Remote Code Execution Vulnerability

    • Spring Framework 5.0 - 5.0.5

    • Spring Framework 4.3 - 4.3.15

  • CVE-2018-1273
    • Spring Data Remote Code Execution Vulnerability

    • Spring Data Commons 1.13 - 1.13.10

    • Spring Data Commons 2.0 - 2.0.5

    • Spring Data REST 2.6 - 2.6.10

    • Spring Data REST 3.0 - 3.0.5

  • CVE-2017-8046
    • Spring Data REST Remote Code Execution Vulnerability

  • CVE-2017-4971
    • Spring Web Flow Remote Code Execution Vulnerability

5.3.4.4. Shiro

5.3.4.4.1. Introduction

Apache Shiro is a powerful and easy-to-use Java security framework with features including authentication, authorization, encryption and session management.

5.3.4.4.2. CVE overview

  • CVE-2020-13933
    • Apache Shiro < 1.6.0

    • Authentication Bypass Vulnerability

  • CVE-2020-11989
    • SHIRO-782

    • Apache Shiro < 1.5.3

    • Authentication Bypass Vulnerability

  • CVE-2020-1957
    • SHIRO-682

    • Apache Shiro < 1.5.2

    • Authentication Bypass Vulnerability

  • CVE-2019-12422
    • SHIRO-721

    • Apache Shiro < 1.4.2

    • Padding Oracle Attack Remote Code Execution Vulnerability

  • CVE-2016-4437
    • SHIRO-550

    • Apache Shiro <= 1.2.4

    • Deserialization Remote Code Execution Vulnerability

  • CVE-2014-0074
    • SHIRO-460

    • Apache Shiro < 1.2.3

    • Authentication Bypass Vulnerability

5.3.4.4.3. CVE-2020-13933

Before Apache Shiro 1.6.0, because the way the Shiro interceptor matches the requestURI differs from the matching performed by the web framework's interceptor, an attacker can construct a special HTTP request that bypasses Shiro's authentication and gains unauthorized access to sensitive paths.

5.3.4.4.4. CVE-2020-11989

In versions prior to Apache Shiro 1.5.3, because the way Shiro interceptors match the requestURI differs from the matching performed by web framework interceptors, an attacker can construct a special HTTP request that bypasses Shiro's authentication and gains unauthorized access to sensitive paths. There are two attack methods for this vulnerability.

5.3.4.4.5. CVE-2020-1957

In versions prior to Apache Shiro 1.5.2, because the way Shiro interceptors match the requestURI differs from the matching performed by web framework interceptors, an attacker can construct a special HTTP request that bypasses Shiro's authentication and gains unauthorized access to sensitive paths.

5.3.4.4.6. CVE-2019-12422

Apache Shiro versions prior to 1.4.2 encrypt the RememberMe cookie in AES/CBC/PKCS5Padding mode. When the RememberMe function is enabled, a remote attacker can construct serialized data and, through a padding oracle attack, brute-force a valid ciphertext even without knowing the secret key, leading to arbitrary command execution on the target server.

5.3.4.4.7. CVE-2016-4437

Before Apache Shiro 1.2.5, org.apache.shiro.mgt.AbstractRememberMeManager ships with a hard-coded default AES key, kPH+bIxk5D2deZiIxcaaaA==. When the RememberMe function is enabled, a remote attacker can construct serialized data encrypted under that key and execute arbitrary commands on the target server.
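The mitigation for the default-key problem of CVE-2016-4437, as an added example that is not code from the Shiro project or the original page: a hypothetical startup configuration that generates a fresh 128-bit AES key with Shiro's own AesCipherService, refuses to start if the configured key equals the published default, and installs the key on a CookieRememberMeManager. The Shiro 1.x API classes and methods used here are real; the class name RememberMeKeyConfig and the startup check are assumptions.

```java
import java.security.Key;
import java.util.Arrays;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

// Hypothetical startup configuration (not Shiro's own code); names are illustrative.
public class RememberMeKeyConfig {

    // The hard-coded default from AbstractRememberMeManager before 1.2.5 (CVE-2016-4437).
    static final byte[] DEFAULT_KEY = Base64.decode("kPH+bIxk5D2deZiIxcaaaA==");

    // Generate a fresh random 128-bit AES key with Shiro's own cipher service.
    // In production generate it once and load it from a secret store, so RememberMe
    // cookies survive restarts and are shared between nodes; never commit it to source.
    static byte[] generateCipherKey() {
        AesCipherService aes = new AesCipherService();
        aes.setKeySize(128);
        Key key = aes.generateNewKey();
        return key.getEncoded();
    }

    // Detection: a key equal to the published default lets anyone forge RememberMe
    // cookies, whatever the Shiro version, so treat it as a misconfiguration.
    static boolean isDefaultKey(byte[] key) {
        return Arrays.equals(key, DEFAULT_KEY);
    }

    // Build the RememberMe manager, failing closed if the default key slipped in.
    static CookieRememberMeManager rememberMeManager(byte[] cipherKey) {
        if (cipherKey == null || cipherKey.length < 16 || isDefaultKey(cipherKey)) {
            throw new IllegalStateException("refusing to start with a missing or default Shiro cipherKey");
        }
        CookieRememberMeManager manager = new CookieRememberMeManager();
        manager.setCipherKey(cipherKey);
        return manager;
    }

    public static void main(String[] args) {
        byte[] key = generateCipherKey();
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRememberMeManager(rememberMeManager(key));
        try {
            rememberMeManager(DEFAULT_KEY); // the check must reject the published default
        } catch (IllegalStateException e) {
            System.out.println("default key rejected: " + e.getMessage());
        }
        System.out.println("configured a " + (key.length * 8) + "-bit RememberMe cipherKey");
    }
}
```

A unique key does not address the CBC padding oracle described under CVE-2019-12422; that requires upgrading to Shiro 1.4.2 or later.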