This repository has been archived by the owner on May 7, 2019. It is now read-only.

chuajiesheng/spring-xml-bomb

Vulnerability of Spring to XML Bomb

Referencing CVE-2015-3192:

  1. Pivotal CVE
  2. SourceClear CVE
  3. Spring Bug Report

Objective of this project:

  1. Determine the vulnerable methods causing this bug
  2. Proof of concept of the vulnerability

Plan:

  1. Have a simple hello world Spring application
  2. Accept XML payload
  3. Send XML bomb
  4. Demonstrate vulnerability

Steps

  1. Run the sample app via mvn jetty:run
  2. Upgrade the sample code to use 3.2.0.RELEASE, which is one of the vulnerable versions
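The check a defender wants around any endpoint that accepts an XML payload is that DTD processing (which entity expansion depends on) is switched off before the document is parsed. The following is an added illustration, not code from this repository: a JAXP DocumentBuilder configured with the standard Xerces/SAX feature URIs to refuse DOCTYPE declarations and external entities, exercised on two constructed inputs.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Parses untrusted XML with DTD processing disabled, so the entity
 *  expansion an XML bomb relies on cannot take place. */
public final class HardenedXmlParser {

    /** Build a DocumentBuilder that refuses any DOCTYPE declaration. */
    static DocumentBuilder newBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // JAXP secure processing: enforces the parser's entity expansion limits
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject DOCTYPE outright: no internal subset means no entity definitions
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces: never resolve external general or parameter entities
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns true if the document parsed, false if the hardened parser rejected it. */
    static boolean accepts(String xml) throws Exception {
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        try (InputStream in = new ByteArrayInputStream(bytes)) {
            Document doc = newBuilder().parse(in);
            return doc.getDocumentElement() != null;
        } catch (SAXException rejected) {
            // disallow-doctype-decl surfaces as a SAXParseException
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs (not taken from the repository)
        String plain = "<greeting>hello</greeting>";
        String withDtd = "<!DOCTYPE greeting><greeting>hello</greeting>";
        System.out.println("plain document accepted: " + accepts(plain));
        System.out.println("DOCTYPE document accepted: " + accepts(withDtd));
    }
}
```

The second input carries only an empty DOCTYPE, which is enough to confirm the rejection path without any entity declarations.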

Reference

  1. Spring sample app

Outcome

  1. Did not manage to trigger the vulnerability even though the converter was initialised
  2. Need to better understand Spring initialisation and setup
