Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Java. Show all posts

SSRF Attacks can be Used to Compromise Java RMI Services

 

According to a detailed analysis of the problem by security researcher Tobias Neitzel, Java RMI services can be targeted using server-side request forgery (SSRF) attacks. Server-side request forgery (SSRF) is a type of attack that allows attackers to send fraudulent requests to other systems by exploiting a vulnerable web server. 

Requests between HTTP servers can be initiated by web applications. These are commonly used to retrieve remote resources such as software updates or to import metadata from a URL or another web application. Such inter-server requests are not inherently harmful, but if not performed correctly, they can expose a server to server-side request forgery. When user-controllable data is utilized to construct the target URL, an SSRF vulnerability is introduced. An attacker can then use an SSRF attack to initiate or control requests from the vulnerable server by changing a parameter value in the vulnerable web application.

Java RMI is an object-oriented Remote Procedure Call (RPC) mechanism that is included in the vast majority of Java installations. The technology can be used by software developers to make functionality available through a network. Java RMI relies on serialized Java objects for communication, a mechanism that attackers can exploit despite the fact that the technology has been hardened and tempered in recent years, according to Neitzel.

“As with all SSRF techniques, the major problem is that attackers may be able to attack RMI services that are supposed to only be accessed from trusted networks,” Neitzel explained. “Securing RMI properly is not that intuitive and there is a lot of hidden attack surface. Instead of configuring it properly, administrators often take the easy route and only allow access from trusted networks or clients.” 

JMX is the most often utilized RMI service. Neitzel demonstrated that SSRF can be used to compromise a backend JMX service, but only if the system delivers responses from the backend service and accepts arbitrary bytes inside them. Similarly, SSRF-based attacks on default RMI components like the RMI registry are conceivable, but only if the system enables arbitrary bytes to be delivered to the backend service. 

The German researcher goes on to list security best practices and counter-measures for RMI services against potential attacks in his blog post. These include enabling TLS-enabled communication for all RMI endpoints, employing deserialization filters, and implementing stricter authentication controls.

PayPal Suffered Cross-Site Scripting -XSS Vulnerability

 

The PayPal currency converter functionality was damaged by severe cross-site scripting (XSS) vulnerability. An attacker might be able to run destructive scripts if the vulnerability is abused. This could lead to the malicious user injecting malicious JavaScript, HTML, or some other form of browser file. The bug was noticed on PayPal's web domain with the currency converter functionality of PayPal wallets. 

On February 19, 2020, the vulnerability was first identified as a concern of "reflected XSS and CSP bypass" by a security researcher who goes by the name "Cr33pb0y" – he's been granted $2,900 in bug bounty programming by HackerOne. 

PayPal said that a flaw occurred in the currency conversion endpoint which was triggered by an inability to adequately sanitize user feedback, in a restricted disclosure that was released on February 10 – almost a year after the researcher identified the problem privately. 

PayPal acknowledged the flaw- in response to the HackerOne forum, that contributed to the currency translation URL managing user feedback inappropriately. A vulnerability intruder may use the JavaScript injection to access a document object in a browser or apply other malicious code to the URL. If hackers load a malicious payload into the browser of a victim, they can steal data or use the computer to take control of the system. As a consequence, malicious payloads can trigger a victim's browser page without its knowledge or consent in the Document Object Model (DOM). 

Typically, XSS attacks represent a browser's script from a specific website and can enable a target to click a malicious connection. Payloads can be used as a theft point in larger attacks or for the stealing of cookies, session tokens, or account information. PayPal has now carried out further validation tests to monitor users’ feedback in the currency exchange function and wipe out errors following the disclosure of the bug bounty hunter. 

XSS bugs are a frequent hacker attack vector. Several recent leaks of data have been related to bugs like what some analysts claim is an XSS flaw. 

While telling that the vulnerability has been fixed, PayPal said, “by implementing additional controls to validate and sanitize user input before being returned in the response.”