所以我一直在考虑是否有办法发送一个XML,使得XML包含(字节码)中的代码,这些代码将被JVM无意中执行。 我正在使用java,所以我认为未编译的代码将无法工作。 我想我需要在XML中插入字节码来欺骗JVM? 我想尝试确保我构建的Web服务是安全的。 我正在使用JAXB进行xml编组解码和Jersey作为Web服务处理程序。
So I have been thinking whether there is a way to send an XML such that the XML contains code in (bytecode) that will be unintentionally executed by the JVM. I am using java so I think uncompiled code will not work. I think I need to inject bytecode in the XML to trick the JVM? I want to try to make sure that the web service that I am building is secure. I am using JAXB for xml marshalling unmarshalling and Jersey as the web service handler.
最满意答案
无意? 我不这么认为。
JAXB marshaller将会将XML值反序列化为给定对象的状态,但该类及其行为将由您决定。 我没有看到在XML中发送原始字节码,并做了任何有害的事情。
您可以发送Java对象可以使用Rhino执行的JSON对象,但这不是无意的。
您的服务可能存在其他安全问题,但Java字节码注入攻击不是其中之一。
无论如何,你应该在绑定之前验证发送给你的所有数据。
Unintentionally? I don't think so.
The JAXB marshaller is going to deserialize XML values into the state of a given object, but the class and its behavior will be decided by you. I don't see sending raw bytecode in the XML and doing anything harmful with it.
You could send a JSON object that your Java object could execute using Rhino, but that's hardly unintentional.
Your service might have other security issues, but Java byte code injection attack isn't one of them.
You should be validating all data sent to you before binding, anyway.
更多推荐
发布评论