Here is the description
Public REST APIs have become mainstream. Now, almost every company that wants to expose services or an application programming interface does it using a publicly exposed REST API. This talk will give participants the skills they need to identify and understand REST vulnerabilities. The findings are a result of reviewing production REST applications as well as researching popular REST frameworks.
By Abraham Kang, Alvaro Muñoz and Dinis CruzIn addition to the original demos we did, Alvaro added a nice Metasploit PoC which really should drive home the problem with XStream and XMLDecoder.
- XStream "Remote Code Execution" exploit on code from "Standard way to serialize and deserialize Objects with XStream" article
- Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)
- Neo4J CSRF payload to start processes (calc and nc) on the server
- 3 Patterns for deserialising Xml into Objects (1 good and 2 very dangerous (XStream and XMLDecoder)) and a bunch of questions on how to handle them
- From Alvaro's Blog:
- RCE via XStream Object Deserialization
- More on XStream RCE: SpringMVC WS
- CVE-2011-2894: Deserialization Spring RCE
- SpringMVC Vulnerable to XXE
- CVE-2014-0792 Nexus Security Advisory - xstream
- My PoC files are at the https://github.com/o2platform/DefCon_RESTing repository, and Alvaro's are at https://github.com/pwntester/RSA_RESTing
- XStream v1.4.7 contains a patch for the RCE vuln (see http://xstream.codehaus.org/changes.html )
You can see the presentation at SlideShare (and embedded below):