Same Origin Method Execution ('SOME')

ID

java.same_origin_method_execution

Severity

critical

Resource

Injection

Language

Java

Tags

CWE:923, NIST.SP.800-53, PCI-DSS:6.5.7

Description

SOME is a web application attack which abuses callback endpoints by forcing a victim into executing arbitrary scripting methods of any page on the endpoint’s domain.

Rationale

In the example below, the `callback` request parameter is written unvalidated into a JSONP response as the function name to invoke. An attacker who controls that parameter can therefore make the victim's browser execute arbitrary script methods in the context of the application's origin.

```java
import com.fasterxml.jackson.databind.util.JSONPObject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

import javax.servlet.http.HttpServletRequest;

@Controller
public class SomePoc {

  @ResponseBody
  @RequestMapping(value = "getData", method = RequestMethod.GET)
  public Object getData(HttpServletRequest request) {
    // Attacker-controlled: taken straight from the query string, never validated.
    String callback = request.getParameter("callback");

    // CustomDto is the application's data class (not shown here).
    var dto = new CustomDto();

    // The callback string becomes the JavaScript function name that wraps the
    // serialized dto, so whatever the attacker supplies is executed on this origin.
    return new JSONPObject(callback, dto); // FLAW
  }
}
```

Remediation

Same Origin Method Execution (SOME) can be mitigated using static callbacks, a white-list approach or cross-domain messaging.
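The hardened controller below is an added example, not code from the original page or from any particular project. It shows the first two remediations side by side: a static callback that ignores the request parameter entirely, and an allow-list check that accepts only a plain JavaScript identifier from a fixed set of names. The endpoint paths, the callback names in the allow-list, and the `CustomDto` stand-in class are assumptions; the example targets Spring MVC with Jackson.

```java
import com.fasterxml.jackson.databind.util.JSONPObject;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.server.ResponseStatusException;

import javax.servlet.http.HttpServletResponse;
import java.util.Set;
import java.util.regex.Pattern;

@Controller
public class SomeHardened {

  // Stand-in for the application's data class (assumed; not the page's CustomDto).
  public static class CustomDto {
    public String message = "example payload";
  }

  // Allow-list: the only callback names the front-end actually registers (assumed names).
  private static final Set<String> ALLOWED_CALLBACKS = Set.of("handleData", "renderWidget");

  // Structural check: one bare JavaScript identifier, bounded in length.
  // No dots, brackets, parentheses or quotes, so the value can never name a method
  // on another object or break out of the function-call wrapper.
  private static final Pattern IDENTIFIER = Pattern.compile("^[A-Za-z_$][A-Za-z0-9_$]{0,63}$");

  // Remediation 1: static callback. The request parameter is not read at all.
  @ResponseBody
  @RequestMapping(value = "getDataStatic", method = RequestMethod.GET,
                  produces = "application/javascript")
  public Object getDataStatic(HttpServletResponse response) {
    response.setHeader("X-Content-Type-Options", "nosniff");
    return new JSONPObject("handleData", new CustomDto());
  }

  // Remediation 2: allow-list. Anything outside the fixed set is rejected with 400
  // before it can reach the response body.
  @ResponseBody
  @RequestMapping(value = "getData", method = RequestMethod.GET,
                  produces = "application/javascript")
  public Object getData(@RequestParam("callback") String callback,
                        HttpServletResponse response) {
    if (!isSafeCallback(callback)) {
      throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "invalid callback");
    }
    response.setHeader("X-Content-Type-Options", "nosniff");
    return new JSONPObject(callback, new CustomDto());
  }

  // Both checks are applied: the regex blocks structural abuse, the set pins the
  // name to functions the application itself defines.
  static boolean isSafeCallback(String callback) {
    return callback != null
        && IDENTIFIER.matcher(callback).matches()
        && ALLOWED_CALLBACKS.contains(callback);
  }
}
```

The regex alone is not enough: a bare identifier can still name a global function that exists on some page of the same origin, which is exactly what SOME abuses, so the allow-list is the check that matters and the regex is defence in depth. Declaring `produces = "application/javascript"` together with `X-Content-Type-Options: nosniff` keeps the response from being interpreted as anything other than the script the endpoint intends to serve.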