Same Origin Method Execution ('SOME')
ID: java.same_origin_method_execution
Severity: critical
Resource: Injection
Language: Java
Tags: CWE:923, NIST.SP.800-53, PCI-DSS:6.5.7
Description
SOME is a web application attack that abuses callback endpoints (such as JSONP) by forcing a victim's browser into executing arbitrary scripting methods of any page on the endpoint's domain, because the attacker chooses the function name the response will call.
Rationale
In this example, the callback name is taken verbatim from the request, so an attacker can manipulate the callback parameter and thereby achieve the execution of arbitrary code in the endpoint's origin.
import com.fasterxml.jackson.databind.util.JSONPObject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import javax.servlet.http.HttpServletRequest;

@Controller
public class SomePoc {

    // Placeholder for the project's own data class, which the page does not show.
    static class CustomDto {
        public String value = "example";
    }

    @ResponseBody
    @RequestMapping(value = "getData", method = RequestMethod.GET)
    public Object getData(HttpServletRequest request) {
        // The function name is copied straight from the query string with no validation.
        String callback = request.getParameter("callback");
        var dto = new CustomDto();
        // The response becomes "<callback>({...})", so whatever the attacker supplied is executed.
        return new JSONPObject(callback, dto); // FLAW
    }
}
Remediation
Same Origin Method Execution (SOME) can be mitigated by using static callbacks, a white-list of permitted callback names, or cross-domain messaging instead of a caller-supplied callback.
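The white-list approach applied to the controller above, as an added example that is not part of the original page or of any project it describes. The class name SomeFixed, the allowed callback names and the CustomDto placeholder are assumptions; the validation lives in a separate static method so it can be unit-tested on its own.

```java
import java.util.Set;
import java.util.regex.Pattern;

import com.fasterxml.jackson.databind.util.JSONPObject;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class SomeFixed {

    // Placeholder for the project's own data class (assumed, not shown on the page).
    static class CustomDto {
        public String value = "example";
    }

    // Hypothetical white-list: the only function names this endpoint will ever emit.
    private static final Set<String> ALLOWED_CALLBACKS = Set.of("handleData", "renderWidget");

    // Defence in depth: even a listed name must be a plain JavaScript identifier, so a
    // value such as "parent.frames[0].doSomething" or injected code can never pass.
    private static final Pattern SAFE_IDENTIFIER =
            Pattern.compile("^[A-Za-z_$][A-Za-z0-9_$]{0,63}$");

    private static final String DEFAULT_CALLBACK = "handleData";

    // Returns the callback to emit, or null when the request value must be rejected.
    static String resolveCallback(String requested) {
        String fn = (requested == null || requested.isEmpty()) ? DEFAULT_CALLBACK : requested;
        if (!ALLOWED_CALLBACKS.contains(fn) || !SAFE_IDENTIFIER.matcher(fn).matches()) {
            return null;
        }
        return fn;
    }

    @RequestMapping(value = "getData", method = RequestMethod.GET)
    public ResponseEntity<Object> getData(
            @RequestParam(value = "callback", required = false) String callback) {
        String fn = resolveCallback(callback);
        if (fn == null) {
            // Reject rather than echo: an unknown callback is attacker input, not ours.
            return ResponseEntity.status(HttpStatus.BAD_REQUEST).build();
        }
        return ResponseEntity.ok(new JSONPObject(fn, new CustomDto()));
    }
}
```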
References
- CWE-923: Improper Restriction of Communication Channel to Intended Endpoints.