This project is a simple but effective firewall implemented as a Proof-of-Concept (POC) in Python. It's designed to act as an HTTP server that inspects incoming POST requests to detect and block the specific payload pattern associated with the Spring4Shell (CVE-2022-22965) remote code execution (RCE) vulnerability.
The firewall leverages Python's built-in http.server module. The core logic resides in the do_POST method of the ServerHandler class.
- The server intercepts all incoming
POSTrequests. - It reads the entire request body.
- It searches for the malicious signature string:
class.module.classLoader. This string is the fundamental component of the Spring4Shell exploit and is difficult for an attacker to obfuscate. - If the pattern is found, the server immediately blocks the request by sending a
403 ForbiddenHTTP response. - If the pattern is not found, the request is considered legitimate and is handled normally with a
200 OKresponse.
While other mitigation strategies could focus on headers or specific URL paths, this method was chosen for its robustness:
- Resilient: It is not dependent on fragile indicators like filenames (e.g.,
tomcatwar.jsp) or custom header names, which can be easily changed by an attacker. - Effective: It targets the core mechanism of the exploit itself, making it a highly reliable detection method against this specific vulnerability.
To run the firewall, use the main script firewall_server.py:
python firewall_server.pyThe server will start on localhost:8000.
You can then use the provided Test_Requester.py script to simulate malicious requests and verify that they are being blocked.
This is a Proof-of-Concept and is intended for educational and demonstrative purposes only. It is not a production-ready firewall solution.