Exploring the Vulnerability That Affected Equifax Using ShiftLeft Technology

In this blog I discuss using ShiftLeft technology to discover vulnerabilities in Java application code. In doing so I build on two prior blog posts from my colleagues: Fabian Yamaguchi's introduction to the backbone technology of ShiftLeft, our code property graph (CPG); and Vlad Ionescu's discussion of how a simple coding mistake can lead to major problems. Prophetically, the vulnerability Vlad blogged about was later revealed to have been the culprit behind the now infamous Equifax breach.

The question I want to answer in this blog post is this: How can we discover this vulnerability using ShiftLeft technology?

Background on the Vulnerability

First, let me clarify something about the Apache Struts vulnerability CVE-2017-5638. Although Apache assigned two bulletins to this CVE (S2-045 and S2-046), each maps to the same sink:

parser.evaluate(openChars, expression, ognlEval, maxLoopCount)

The difference is the injection vector, which we call the source. Equifax confirmed only the CVE, not a specific source. To keep it simple I focus on the S2-045 source for this example.

What makes this vulnerability intriguing, not to mention dangerous, is that it stems from improper error handling that causes an exception to be thrown. The issue is that the HTTP header parameter Content-Type is not properly handled...
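Because the S2-045 source is the Content-Type request header, one practical defender-side check is whether that header is even a syntactically valid media type before it reaches the application: a well-formed value never takes the failing parse path that ends at the parser.evaluate sink. The following is an added example written for this post, not ShiftLeft or Apache Struts code; the log format and the client addresses are constructed, and it uses the RFC 7230 token and quoted-string grammar rather than any Struts internals.

```python
import re

# RFC 7230 "token": printable ASCII except separators. Characters such as
# "{", "}", "(", ")", "=", ";", "/" and whitespace cannot appear unquoted.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
# media-type = type "/" subtype *( OWS ";" OWS token "=" ( token / quoted-string ) )
MEDIA_TYPE_RE = re.compile(
    rf"^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED_STRING}))*\s*$"
)

# Constructed log format (assumption): "<client> Content-Type: <header value>"
HEADER_RE = re.compile(r"^(\S+)\s+Content-Type:\s*(.*?)\s*$")


def is_well_formed_content_type(value: str) -> bool:
    """True if the header value parses as a media type with valid parameters."""
    return bool(MEDIA_TYPE_RE.match(value))


def find_suspicious_content_types(log_lines):
    """Return (client, value) for each line whose Content-Type is not a
    syntactically valid media type. Such values are what to alert on or
    reject at a proxy, since they can only be handled by an error path."""
    hits = []
    for line in log_lines:
        m = HEADER_RE.match(line)
        if not m:
            continue
        client, value = m.group(1), m.group(2)
        if not is_well_formed_content_type(value):
            hits.append((client, value))
    return hits


# Constructed sample lines; the last two are deliberately malformed.
SAMPLE_LOG = [
    "203.0.113.7 Content-Type: multipart/form-data; boundary=----FormBoundaryXyZ",
    "203.0.113.8 Content-Type: application/json",
    '203.0.113.9 Content-Type: text/plain; charset="utf-8"',
    "203.0.113.10 Content-Type: %{constructed placeholder, not a media type}",
    "203.0.113.11 Content-Type: multipart/form-data; boundary=${also_constructed}",
]

if __name__ == "__main__":
    for client, value in find_suspicious_content_types(SAMPLE_LOG):
        print(f"suspicious Content-Type from {client}: {value!r}")
```

This is a triage heuristic for logs or an edge proxy, not a substitute for upgrading the affected Struts dependency. It also reports benign but sloppy clients, so treat hits as leads to review rather than confirmed exploitation.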