Akamai issued an update to resolve the flaw several months ago

UPDATED A researcher has disclosed a technique that bypassed Akamai web application firewalls (WAF) running Spring Boot, potentially leading to remote code execution (RCE).

Akamai’s WAF, which was patched several months ago, has been designed to mitigate the risk of Distributed Denial-of-Service (DDoS) attacks and uses adaptive technologies to block known web security threats.

Security researcher Peter M, who also goes by the pseudonym ‘pmnh’, said the attack used Spring Expression Language (SpEL) injection.

The bug bounty hunter found the bypass with the assistance of Synack pentester Usman Mansha during an engagement with a private Bugcrowd program.

Server-side template injection

A server-side template injection (SSTI) is at the core of the bypass, a technical write-up by Peter M reveals.

Vulnerable versions of Spring Boot throw up error messages in a SpEL expression with whitelabel error pages, they explained.

When a vulnerable framework is used, this injection is evaluated server-side – opening a potential pathway for abuse.

Akamai’s WAF blocked the SSTI during testing.

However, the team persisted in looking for ways of utilizing SpEL to invoke an operating system command – likely via Java.

The next stage was finding a reference to an arbitrary class, which Peter M said would allow “direct method invocation or reflection-based invocation to get at the method we want”.

The most obvious route was to find a way to the class, starting with SpEL reference $, but this was blocked by Akamai’s software.

“I suspected this would not work, but when trying to work around a WAF it’s really important to build up from small things that you know work, to larger and more complex payloads,” the researcher said.