Same Origin Method Execution ('SOME')

ID

kotlin.same_origin_method_execution

Severity

critical

Resource

Injection

Language

Kotlin

Tags

CWE:923, NIST.SP.800-53, PCI-DSS:6.5.7

Description

SOME is a web application attack which abuses callback endpoints by forcing a victim into executing arbitrary scripting methods of any page on the endpoint’s domain.

Rationale

In this example, the attacker controls the callback parameter, and with it the name of the function that the JSONP response invokes in the victim's browser, thus achieving the execution of arbitrary code on the endpoint's origin.

import com.fasterxml.jackson.databind.util.JSONPObject
import org.springframework.stereotype.Controller
import org.springframework.web.bind.annotation.GetMapping
import org.springframework.web.bind.annotation.ResponseBody
import javax.servlet.http.HttpServletRequest

// Payload wrapped by the JSONP response; its contents are not the issue here.
data class CustomDto(val message: String = "ok")

@Controller
class SomePoc {

    @ResponseBody
    @GetMapping("getData")
    fun getData(request: HttpServletRequest): Any {
        // Attacker-controlled: the callback name is read straight from the query string.
        val callback = request.getParameter("callback")

        val dto = CustomDto()

        // The unvalidated name becomes the function invoked by the JSONP response.
        return JSONPObject(callback, dto) // FLAW
    }
}

Remediation

Same Origin Method Execution (SOME) can be mitigated using static callbacks, a white-list approach or cross-domain messaging.
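The two server-side mitigations named above, written out as an added example (not code from the page or from any project): a static callback that ignores the request entirely, and an allow-list that only accepts function names the front end is known to register. The controller name, endpoint paths, allowed names and the CustomDto body are assumptions.

```kotlin
import com.fasterxml.jackson.databind.util.JSONPObject
import org.springframework.http.HttpStatus
import org.springframework.stereotype.Controller
import org.springframework.web.bind.annotation.GetMapping
import org.springframework.web.bind.annotation.RequestParam
import org.springframework.web.bind.annotation.ResponseBody
import org.springframework.web.server.ResponseStatusException

// Assumed payload type, standing in for the page's CustomDto.
data class CustomDto(val message: String = "ok")

@Controller
class SomeFixed {

    companion object {
        // Allow-list: exact function names the legitimate front end registers.
        // Anything else (other names, dotted paths, expressions) is rejected.
        private val ALLOWED_CALLBACKS = setOf("handleData", "renderData")
    }

    // Static callback: the function name never comes from the request,
    // so there is nothing for an attacker to influence.
    @ResponseBody
    @GetMapping("getDataStatic")
    fun getDataStatic(): Any = JSONPObject("handleData", CustomDto())

    // Allow-list: the client may choose, but only among the fixed names above.
    @ResponseBody
    @GetMapping("getDataAllowList")
    fun getDataAllowList(@RequestParam("callback") callback: String): Any {
        if (callback !in ALLOWED_CALLBACKS) {
            // Fail closed; do not fall back to echoing the supplied name.
            throw ResponseStatusException(HttpStatus.BAD_REQUEST, "unknown callback")
        }
        return JSONPObject(callback, CustomDto())
    }
}
```

Matching against a closed set of names, rather than a "looks like an identifier" regex, is what keeps an attacker from steering the response at methods of other pages on the same origin.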

References

  • CWE-923 : Improper Restriction of Communication Channel to Intended Endpoints.