Skip to content

Latest commit

 

History

History
82 lines (74 loc) · 8.82 KB

attack-tree.md

File metadata and controls

82 lines (74 loc) · 8.82 KB

Attack Tree Analysis for dropwizard/dropwizard

Objective: [[Attacker Goal: Gain Unauthorized Access/DoS via Dropwizard]]

Attack Tree Visualization

                                  [[Attacker Goal: Gain Unauthorized Access/DoS via Dropwizard]]
                                                  |||
                                  =================================================
                                  |||                                               |||
                  [[Exploit Dropwizard Configuration Issues]]       [[Exploit Dropwizard Component Vulnerabilities]]
                                  |||                                               |||
                  =================================               =================================================
                  |||                                                               |||

[[Misconfigured Server Settings]] [[Vulnerable Jetty Version]] [[Vulnerable Jackson Version]] ||| ||| ||| ================================= ================================= ================================= ||| ||| ||| ||| [[Exposed [[Unencrypted [[Known Jetty [[Known Jackson [[Jackson Admin HTTP RCE/DoS]] RCE/DoS]] Deserialization Interface]] Traffic]] (CVEs)] (CVEs)] Vulnerabilities]]

Attack Tree Path: [[Exploit Dropwizard Configuration Issues]]

  • Description: Attackers leverage misconfigurations in the Dropwizard application's settings to gain unauthorized access or cause a denial of service. This is a high-risk area because configuration errors are common and often easily exploitable.
    • [[Misconfigured Server Settings]]
      • Description: Incorrect server configurations expose vulnerabilities.
      • [[Exposed Admin Interface]]
        • Attack Vector: The attacker directly accesses the Dropwizard admin interface (usually on a separate port) without authentication.
        • Mechanism: The attacker uses a web browser or a tool like curl to send HTTP requests to the admin port (e.g., http://example.com:8081/). If the interface is not secured, the attacker gains access to health checks, metrics, thread dumps, and potentially other administrative functions.
        • Impact: Information disclosure (application state, metrics, configuration), potential for denial of service (e.g., by triggering thread dumps), and in some cases, the ability to execute administrative commands or reconfigure the application.
        • Mitigation:
          • Require strong authentication for the admin interface.
          • Restrict access to the admin interface to specific IP addresses (whitelisting).
          • Disable the admin interface entirely in production environments if it's not strictly necessary.
          • Use a reverse proxy to control access and add an additional layer of security.
      • [[Unencrypted HTTP Traffic]]
        • Attack Vector: The attacker intercepts network traffic between the client and the Dropwizard application.
        • Mechanism: The attacker uses a network sniffing tool (e.g., Wireshark) to capture unencrypted HTTP traffic. This can be done on a shared network (e.g., public Wi-Fi) or by compromising a network device (e.g., a router). If the application uses HTTP instead of HTTPS, the attacker can see all transmitted data in plain text, including credentials, session tokens, and API keys.
        • Impact: Complete compromise of user accounts, data breaches, and potential for further attacks (e.g., session hijacking, man-in-the-middle attacks).
        • Mitigation:
          • Enforce HTTPS only. Configure Dropwizard to use the https connector and obtain a valid SSL/TLS certificate.
          • Redirect all HTTP requests to HTTPS.
          • Use HTTP Strict Transport Security (HSTS) to instruct browsers to always use HTTPS.
          • Regularly check certificate validity and configuration.

Attack Tree Path: [[Exploit Dropwizard Component Vulnerabilities]]

  • Description: Attackers exploit known vulnerabilities in Dropwizard's core components (Jetty, Jackson) to gain control of the application or cause a denial of service. This is high-risk due to the severity of potential exploits (RCE) and the prevalence of unpatched systems.
    • [[Vulnerable Jetty Version]]
      • Description: The embedded Jetty web server has known vulnerabilities.
      • [[Known Jetty RCE/DoS (CVEs)]]
        • Attack Vector: The attacker sends a crafted request to the Dropwizard application that exploits a known vulnerability in Jetty.
        • Mechanism: The attacker researches publicly disclosed vulnerabilities (CVEs) for the specific version of Jetty used by the Dropwizard application. They then craft a malicious request (e.g., a specially formatted HTTP header, a malformed request body) that triggers the vulnerability. The exploit may involve buffer overflows, request smuggling, or other techniques specific to the CVE.
        • Impact: Remote Code Execution (RCE) allows the attacker to execute arbitrary code on the server, potentially gaining complete control of the system. Denial of Service (DoS) makes the application unavailable to legitimate users.
        • Mitigation:
          • Keep Jetty up-to-date. Use the latest stable version of Dropwizard, which should include a patched version of Jetty.
          • Monitor for CVEs related to Jetty and apply patches promptly.
          • Use a vulnerability scanner to identify known issues.
          • Implement Web Application Firewall (WAF) rules to block known exploit patterns.
    • [[Vulnerable Jackson Version]]
      • Description: The Jackson JSON processing library has known vulnerabilities, particularly related to deserialization.
      • [[Known Jackson RCE/DoS (CVEs)]]
        • Attack Vector: The attacker sends a malicious JSON payload to the Dropwizard application that exploits a known deserialization vulnerability in Jackson.
        • Mechanism: Similar to Jetty CVEs, the attacker researches known Jackson vulnerabilities. They craft a JSON payload that, when deserialized by Jackson, triggers the vulnerability. These exploits often involve manipulating type information or using "gadget chains" to execute arbitrary code.
        • Impact: Remote Code Execution (RCE) or Denial of Service (DoS).
        • Mitigation:
          • Keep Jackson up-to-date.
          • Monitor for CVEs and apply patches promptly.
          • Use a vulnerability scanner.
      • [[Jackson Deserialization Vulnerabilities]]
        • Attack Vector: The attacker sends a malicious JSON payload that exploits insecure deserialization configurations, even without a known CVE.
        • Mechanism: The attacker crafts a JSON payload that leverages insecure Jackson features, such as polymorphic type handling, to instantiate arbitrary classes or execute code. This often involves finding "gadget chains" – sequences of classes and methods that, when deserialized in a specific order, lead to unintended code execution.
        • Impact: Remote Code Execution (RCE).
        • Mitigation:
          • Avoid deserializing untrusted data whenever possible. This is the most effective mitigation.
          • If deserialization is necessary, use a whitelist of allowed classes. Do not allow arbitrary classes to be deserialized.
          • Enable Jackson's secure processing features, such as FAIL_ON_UNKNOWN_PROPERTIES.
          • Consider using a safer alternative to Jackson's default polymorphic type handling, such as @JsonTypeInfo with a restricted set of allowed subtypes.
          • Thoroughly review and understand Jackson's deserialization configuration. Use the most secure settings possible.
          • Use a library like jackson-databind-blacklist to block known dangerous gadget classes.