Spring View Manipulation Vulnerability
In this article, we explain how dangerous an unrestricted view name manipulation in Spring Framework could be. Before doing so, lets look at the simplest Spring application that uses Thymeleaf as a templating engine: Structure: HelloController.java: @Controller public class HelloController { @GetMapping("/") public String index(Model model) { model.addAttribute("message", "happy birthday"); ... Read More
Exploiting Spring Boot Actuators
The Spring Boot Framework includes a number of features called actuators to help you monitor and manage your web application when you push it to production. Intended to be used for auditing, health, and metrics gathering, they can also open a hidden door to your server when misconfigured. When a ... Read More
Exploiting JNDI Injections in Java
Java Naming and Directory Interface (JNDI) is a Java API that allows clients to discover and look up data and objects via a name. These objects can be stored in different naming or directory services, such as Remote Method Invocation (RMI), Common Object Request Broker Architecture (CORBA), Lightweight Directory Access ... Read More
