5.3.11. Common Sink
5.3.11.1. Command execution/injection
java.lang.Runtime.getRuntime().exec()
java.lang.ProcessBuilder
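The following is an added example, not code from the original page: it shows the two sinks above in a vulnerable and a hardened form. The `host` value stands in for request-controlled input (an assumption), and the hostname pattern is one possible allowlist. A detail worth knowing when reviewing these sinks: `Runtime.exec(String)` only tokenizes its argument on whitespace and spawns no shell, so shell metacharacters are not interpreted unless the code explicitly invokes `/bin/sh -c`; concatenation is still dangerous, however, because the input can add extra tokens (arguments or options) to the command.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not from the original page. `host` stands for request-controlled input.
public class PingExample {

    // Assumed allowlist: hostname characters only, no leading '-' (so the value cannot be
    // read as an option by ping), no whitespace or shell metacharacters.
    private static final Pattern HOSTNAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9.-]{0,252}");

    // Vulnerable: the command line is concatenated and handed to a shell, so an input of
    // "127.0.0.1; id" runs id as a second command.
    static Process pingVulnerable(String host) throws IOException {
        return Runtime.getRuntime().exec(new String[] {"/bin/sh", "-c", "ping -c 1 " + host});
    }

    // Hardened: validate the value, then pass it as a single argv element with no shell
    // in between. Even if validation were weaker, the input could only ever be one
    // argument to ping, never a new command.
    static Process pingHardened(String host) throws IOException {
        if (!HOSTNAME.matcher(host).matches()) {
            throw new IllegalArgumentException("invalid host: " + host);
        }
        ProcessBuilder pb = new ProcessBuilder(List.of("ping", "-c", "1", host));
        pb.redirectErrorStream(true);
        return pb.start();
    }

    // Read the child's output and wait for it to exit.
    static String drain(Process p) throws IOException, InterruptedException {
        try (InputStream in = p.getInputStream()) {
            String out = new String(in.readAllBytes());
            p.waitFor();
            return out;
        }
    }

    public static void main(String[] args) throws Exception {
        String attacker = "127.0.0.1; id";   // constructed attacker input
        System.out.println(drain(pingVulnerable(attacker)));   // ping output followed by the output of id
        try {
            pingHardened(attacker);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened: " + e.getMessage());
        }
    }
}
```

When auditing, look first for `/bin/sh`, `cmd.exe /c` or `bash -c` near the sink; a `ProcessBuilder` built from a fixed argv with the untrusted value as its own element is the pattern to expect in safe code.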
5.3.11.2. XXE
net.bull.javamelody.PayloadNameRequestWrapper
javax.xml.bind.Unmarshaller
javax.xml.parsers.DocumentBuilderFactory
javax.xml.parsers.SAXParser
javax.xml.stream.XMLStreamReader
javax.xml.transform.sax.SAXSource
javax.xml.transform.sax.SAXTransformerFactory
javax.xml.transform.TransformerFactory
javax.xml.validation.SchemaFactory
javax.xml.validation.Validator
javax.xml.xpath.XPathExpression
org.apache.commons.digester3.Digester
org.apache.ofbiz.base.util.UtilXml
org.dom4j.io.SAXReader
org.jdom.input.SAXBuilder
org.jdom2.input.SAXBuilder
org.xml.sax.helpers.XMLReaderFactory
org.xml.sax.XMLReader
5.3.11.3. SSRF
HttpClient.execute
HttpClients.execute
HttpURLConnection.getInputStream
ImageIO.read
OkHttpClient.newCall.execute
Request.Get.execute
Request.Post.execute
URL.openStream
URLConnection.getInputStream
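As an added example (not from the original page), the `URL.openStream` sink above is shown in its raw form and behind the checks a reviewer would expect: a scheme restriction, a host allowlist (`ALLOWED_HOSTS` is an assumed application setting), a resolved-address check against internal ranges, and redirects disabled. The allowlist is the primary control; the address check is defence in depth, because a DNS answer can change between the check and the connection (rebinding), and `isSiteLocalAddress()` does not cover IPv6 unique-local addresses.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URI;
import java.net.URL;
import java.util.Set;

// Added example, not from the original page. ALLOWED_HOSTS is an assumed allowlist.
public class SsrfExample {

    static final Set<String> ALLOWED_HOSTS = Set.of("api.example.com", "cdn.example.com");

    // Vulnerable: the caller controls scheme, host, port and path, so this will fetch
    // file:///etc/passwd or http://169.254.169.254/latest/meta-data/ just as happily.
    static InputStream fetchVulnerable(String target) throws IOException {
        return new URL(target).openStream();
    }

    // Hardened: absolute http(s) URL only, allowlisted host, no internal addresses,
    // no redirects (a redirect is the usual way to bounce an allowlisted host back to
    // an internal one), and bounded timeouts.
    static InputStream fetchHardened(String target) throws IOException {
        URI uri = URI.create(target);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || !(scheme.equals("http") || scheme.equals("https")) || host == null) {
            throw new IllegalArgumentException("only absolute http(s) URLs are allowed");
        }
        if (!ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new IllegalArgumentException("host not allowlisted: " + host);
        }
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (addr.isLoopbackAddress() || addr.isSiteLocalAddress()
                    || addr.isLinkLocalAddress() || addr.isAnyLocalAddress()
                    || addr.isMulticastAddress()) {
                throw new IllegalArgumentException("host resolves to an internal address: " + addr);
            }
        }
        HttpURLConnection conn = (HttpURLConnection) uri.toURL().openConnection();
        conn.setInstanceFollowRedirects(false);
        conn.setConnectTimeout(3_000);
        conn.setReadTimeout(5_000);
        if (conn.getResponseCode() / 100 != 2) {
            throw new IOException("unexpected status " + conn.getResponseCode());
        }
        return conn.getInputStream();
    }

    public static void main(String[] args) {
        // Constructed inputs: the first two must be rejected, the last passes the checks.
        for (String t : List.of("file:///etc/passwd",
                                "http://169.254.169.254/latest/meta-data/",
                                "https://api.example.com/v1/status")) {
            try {
                fetchHardened(t).close();
                System.out.println("allowed: " + t);
            } catch (IllegalArgumentException | IOException e) {
                System.out.println("rejected: " + t + " -> " + e.getMessage());
            }
        }
    }
}
```

The same checks apply unchanged in front of `HttpURLConnection.getInputStream`, `ImageIO.read(URL)` and the Apache/OkHttp client calls in the list; what changes is only how redirects are disabled on each client.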
5.3.11.4. Deserialization
5.3.11.4.2. Magic Call
The following methods are invoked automatically while ObjectInputStream reconstructs an object graph, so any of them in a class on the classpath is a candidate gadget. readObject, readExternal and readObjectNoData are called by the stream itself; readResolve is called once the object has been rebuilt and can substitute another object; validateObject runs for objects that registered themselves via ObjectInputStream.registerValidation (usually from their own readObject); finalize is called later by the garbage collector rather than by the stream, but is still reachable from deserialized objects.
readObject
readExternal
readResolve
readObjectNoData
validateObject
finalize
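As an added example (not from the original page), the block below makes the magic calls visible and shows the check that stops them: a `readObject()` on a plain `ObjectInputStream` instantiates whatever class the stream names and runs its `readObject`/`readResolve` before the cast to the expected type is ever evaluated, whereas a JEP 290 `ObjectInputFilter` (Java 9+, backported to 8u121 as `sun.misc.ObjectInputFilter`) is consulted for every class descriptor before it is resolved. `Gadget` is a constructed stand-in for a dangerous class; it only prints.

```java
import java.io.*;

// Added example, not from the original page.
public class DeserExample {

    // The type the application actually expects.
    static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        String text;
        Greeting(String text) { this.text = text; }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("Greeting.readObject ran");
        }
        private Object readResolve() {
            System.out.println("Greeting.readResolve ran");
            return this;
        }
    }

    // Stand-in for a gadget class that happens to be on the classpath (constructed for
    // this demo; a real gadget would do something harmful in readObject).
    static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        String cmd;
        Gadget(String cmd) { this.cmd = cmd; }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("Gadget.readObject ran with attacker data: " + cmd);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Vulnerable: every class in the stream is instantiated and its magic methods run;
    // the cast to Greeting happens afterwards and is no protection.
    static Greeting deserializeVulnerable(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return (Greeting) ois.readObject();
        }
    }

    // Hardened: an allowlist filter. "!*" rejects everything not listed; the limits
    // bound graph depth and reference count against resource-exhaustion payloads.
    static Greeting deserializeHardened(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;" + Greeting.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return (Greeting) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Greeting("hello"));
        byte[] evil = serialize(new Gadget("calc"));   // what an attacker would send instead

        deserializeVulnerable(good);
        try {
            deserializeVulnerable(evil);
        } catch (ClassCastException e) {
            System.out.println("vulnerable: Gadget.readObject already ran, cast failed too late");
        }
        deserializeHardened(good);
        try {
            deserializeHardened(evil);
        } catch (InvalidClassException e) {
            System.out.println("hardened: rejected -> " + e.getMessage());
        }
    }
}
```

A process-wide filter can be set instead with the `jdk.serialFilter` system property or `ObjectInputFilter.Config.setSerialFilter`, which is the pragmatic choice when the sink is inside a library (RMI, JMX, a framework's session store) whose `ObjectInputStream` you do not construct yourself.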
5.3.11.4.3. Mainstream JSON Libraries
The mainstream JSON libraries are Gson, Jackson and Fastjson. Because JSON is so often the format in which untrusted data is deserialized, a deserialization flaw in one of these libraries has a wide blast radius.
Gson deserializes into whichever type the caller passes and ignores any class name embedded in the JSON; polymorphic deserialization requires the programmer to register a custom TypeAdapter, so an attacker cannot choose the target class and Gson is comparatively safe by default.
Jackson does not deserialize non-public fields unless @JsonAutoDetect (or a setter) exposes them. The dangerous configuration is default typing: ObjectMapper.enableDefaultTyping() makes the class name carried in the JSON authoritative, which is what CVE-2017-7525 and CVE-2017-15095 exploit (a @JsonTypeInfo(use = Id.CLASS) property of type Object carries the same risk). In defence, do not enable default typing; where polymorphism is genuinely needed, use activateDefaultTyping with a PolymorphicTypeValidator allowlist (Jackson 2.10+).
Fastjson is Alibaba's open-source JSON parsing library. It serializes Java Beans to JSON strings and deserializes JSON strings back into Java Beans; the "@type" key in the input selects the target class (autoType), and CVE-2017-18349 (versions before 1.2.25) is the best-known result of that feature.
The common Fastjson entry points are listed below. JSON.parse and JSON.parseObject are the deserialization sinks that honour "@type"; JSON.toJSONString is the serialization side, listed because it invokes every getter on the object it is handed:
JSON.toJSONString
JSON.parseObject
JSON.parse
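As an added example (not from the original page), the block below shows the Jackson and Fastjson settings discussed above in their vulnerable and hardened forms. It assumes jackson-databind 2.10+ and fastjson 1.2.68+ on the classpath. `Unexpected` is a constructed stand-in for a class the attacker names through the type hint; its setter only prints, but setters are exactly where real gadget chains get their code execution in both libraries. The Fastjson `setAutoTypeSupport(true)` call reproduces the pre-1.2.25 behaviour behind CVE-2017-18349; without it, recent Fastjson versions reject unknown "@type" values by default.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not from the original page. Needs jackson-databind 2.10+ and fastjson 1.2.68+.
public class JsonTypeHintExample {

    // The type the application expects.
    public static class Greeting {
        public String text;
    }

    // Stand-in for a class the attacker names instead (constructed for this demo).
    public static class Unexpected {
        public void setCommand(String command) {
            System.out.println("Unexpected.setCommand ran with attacker data: " + command);
        }
    }

    // Constructed payloads carrying a type hint in each library's own syntax.
    static final String JACKSON_PAYLOAD =
        "[\"" + Unexpected.class.getName() + "\", {\"command\":\"calc\"}]";
    static final String FASTJSON_PAYLOAD =
        "{\"@type\":\"" + Unexpected.class.getName() + "\",\"command\":\"calc\"}";

    // Vulnerable Jackson: default typing makes the class name in the JSON authoritative.
    static Object jacksonVulnerable(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();   // the setting behind CVE-2017-7525 / CVE-2017-15095
        return mapper.readValue(json, Object.class);
    }

    // Hardened Jackson: if polymorphism is really needed, activate it with a validator
    // that allows only your own types; otherwise bind straight to a concrete class.
    static Object jacksonHardened(String json) throws Exception {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Greeting.class)
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper.readValue(json, Object.class);
    }

    // Vulnerable Fastjson: autoType enabled lets "@type" pick any class on the classpath.
    static Object fastjsonVulnerable(String json) {
        ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
        return JSON.parse(json);
    }

    // Hardened Fastjson: safeMode refuses every "@type", and the call site names the target class.
    static Greeting fastjsonHardened(String json) {
        ParserConfig.getGlobalInstance().setSafeMode(true);
        return JSON.parseObject(json, Greeting.class);
    }

    public static void main(String[] args) throws Exception {
        jacksonVulnerable(JACKSON_PAYLOAD);                 // Unexpected.setCommand runs
        try {
            jacksonHardened(JACKSON_PAYLOAD);
        } catch (JsonMappingException e) {
            System.out.println("jackson hardened: " + e.getOriginalMessage());
        }

        fastjsonVulnerable(FASTJSON_PAYLOAD);               // Unexpected.setCommand runs
        try {
            fastjsonHardened(FASTJSON_PAYLOAD);
        } catch (JSONException e) {
            System.out.println("fastjson hardened: " + e.getMessage());
        }
    }
}
```

When reviewing code that uses these sinks, the questions to ask are the same for both libraries: is a type hint in the input ever honoured (default typing, `@JsonTypeInfo` with `Id.CLASS`, Fastjson autoType), and if so, is the set of admissible classes an explicit allowlist rather than a blocklist.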