Skip to content

Latest commit

 

History

History
94 lines (83 loc) · 6.8 KB

threat-modeling.md

File metadata and controls

94 lines (83 loc) · 6.8 KB

Threat Model Analysis for apache/struts

Threat: OGNL Injection

  • Description: An attacker injects malicious Object-Graph Navigation Language (OGNL) expressions into application inputs. Struts processes these inputs, and without proper sanitization, the injected OGNL code executes on the server. This allows attackers to control the application, access data, or execute system commands.
  • Impact:
    • Remote Code Execution (RCE) - Complete server compromise and control.
    • Information Disclosure - Exposure of sensitive data and configuration details.
    • Data Tampering - Modification or corruption of application data.
    • Denial of Service (DoS) - Application becomes unavailable to legitimate users.
  • Struts Component Affected:
    • OGNL Expression Evaluation Mechanism
    • Parameter Interceptor
    • ValueStack
    • Action Mappings
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Upgrade to the latest patched Struts version.
    • Implement rigorous input validation and sanitization for all user-supplied data.
    • Avoid dynamic OGNL expression evaluation based on user input.
    • Utilize parameterized actions and prevent embedding user input in action configurations or result mappings.
    • Deploy and properly configure a Web Application Firewall (WAF) to detect and block OGNL injection attempts.

Threat: Deserialization Vulnerability

  • Description: An attacker provides malicious serialized data to the application. If the application deserializes this data without validation, it can lead to arbitrary code execution. This is often relevant when Struts uses Java serialization for sessions or with vulnerable plugins. Attackers craft serialized objects containing malicious code that executes during deserialization.
  • Impact:
    • Remote Code Execution (RCE) - Full server compromise and control.
    • Denial of Service (DoS) - Application crash or unavailability due to resource exhaustion during deserialization.
  • Struts Component Affected:
    • Java Serialization mechanism (if in use)
    • Session Management (if using serialization)
    • Vulnerable Struts Plugins
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Upgrade to the latest patched Struts version.
    • Avoid deserializing untrusted data whenever possible.
    • If deserialization is necessary, implement strong validation of serialized data before processing.
    • Consider using alternative, more secure serialization methods or data formats.
    • Restrict access to endpoints that handle deserialization.

Threat: File Upload Vulnerability (via Struts File Upload Interceptor)

  • Description: An attacker uploads malicious files through the Struts file upload functionality. If file type validation and storage are not correctly secured, attackers can upload executable files (like web shells) and gain control of the server. Exploitation can involve bypassing weak file type checks or uploading files to executable locations.
  • Impact:
    • Remote Code Execution (RCE) - Server compromise through uploaded malicious executables.
    • Data Tampering - Overwriting legitimate application files with malicious content.
    • Denial of Service (DoS) - Uploading excessively large files to exhaust server resources.
  • Struts Component Affected:
    • File Upload Interceptor
    • Multipart Request Handling
  • Risk Severity: High
  • Mitigation Strategies:
    • Implement strict file type validation based on file content (magic numbers) and not solely on file extensions. Use a whitelist of allowed file types.
    • Enforce restrictive file size limits to prevent DoS and resource exhaustion.
    • Store uploaded files outside the web application's document root to prevent direct execution.
    • Sanitize uploaded filenames to prevent directory traversal and other injection-based attacks.
    • Disable file upload functionality if it is not a required feature.

Threat: Forced Double Evaluation/Double Evaluation Vulnerability

  • Description: Specific Struts configurations or coding patterns can lead to expressions being evaluated multiple times. This creates injection points similar to OGNL injection, even with initial input sanitization. Attackers can craft inputs that bypass initial checks and are re-evaluated in a vulnerable context, leading to code execution.
  • Impact:
    • Remote Code Execution (RCE) - Server compromise through injected code execution.
    • Information Disclosure - Unauthorized access to sensitive information via expression evaluation.
  • Struts Component Affected:
    • Expression Evaluation Mechanism
    • Parameter Interceptor
    • ValueStack
    • Action Configurations
  • Risk Severity: High
  • Mitigation Strategies:
    • Upgrade to the latest patched Struts version.
    • Thoroughly review Struts configuration files (struts.xml, etc.) and action configurations to identify and eliminate potential double evaluation scenarios.
    • Avoid complex or nested expressions that could be susceptible to double evaluation.
    • Adhere to secure coding practices for Struts development and expression handling.

Threat: Using Outdated Struts Version

  • Description: Utilizing an outdated version of Apache Struts exposes the application to all known vulnerabilities present in that version. Attackers can easily exploit these publicly disclosed vulnerabilities using readily available exploit code and tools.
  • Impact:
    • Remote Code Execution (RCE) - Highly probable due to numerous known RCE vulnerabilities in older Struts versions.
    • Information Disclosure - Exploitation of known information disclosure vulnerabilities.
    • Data Tampering - Exploitation of vulnerabilities allowing unauthorized data modification.
    • Denial of Service (DoS) - Exploitation of vulnerabilities leading to application crashes or resource exhaustion.
    • Elevation of Privilege - Exploitation of vulnerabilities allowing attackers to gain higher access levels.
  • Struts Component Affected:
    • Entire Struts Framework - All components are potentially vulnerable in outdated versions.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Immediately upgrade to the latest stable and patched version of Struts.
    • Establish a robust process for regularly updating Struts and all application dependencies.
    • Implement automated vulnerability scanning to proactively detect outdated Struts versions and other vulnerable dependencies.