Posted Aug 14, 2007
Authored by Meder Kydyraliev | Site o0o.nu

OWASP Stinger and Struts servlet input validation filters suffer from a bypass vulnerability.

tags | advisory, bypass
MD5 | 09b2efb70510c9796e3e1b76c2a7ee91


Bypassing servlet input validation filters (OWASP Stinger + Struts example)


NOTE: This advisory uses OWASP's Stinger and the Struts framework to
illustrate the concept; however, the technique should be applicable to
other input validation servlet filters that do not handle multipart
requests properly and to frameworks that automatically parse multipart

Java Servlets provide a filter component which can dynamically intercept
requests and responses to transform the information they contain[1].
Servlet filters are often recommended as an effective way to perform
input validation in Java web applications because of their centralized
nature and the few modifications they require to the application's code.

The Open Web Application Security Project (OWASP) has developed Stinger,
which aims to provide a centralized input validation component that can
be easily applied to existing applications or to applications under
development[4].

There is a vulnerability in servlet filters such as the Stinger filter
which, under certain conditions, allows an attacker to bypass the
filter's input validation routines and thus supply unvalidated input to
the application, potentially exploiting vulnerabilities such as XSS or
SQL injection.

OWASP Stinger is built on the assumption that the content of requests
passing through it is always form-urlencoded. This assumption is harmless
in a simple J2EE web application setup, as both Stinger and the
application use the same methods to access HTTP parameters (i.e.
Request.getParameter() or Request.getParameterNames()[3]). However, in an
application that uses a framework that abstracts the HTTP protocol and
provides automatic request handling/parsing, this assumption can make it
possible to bypass Stinger filtering while still delivering inputs to the
target application.

The following Stinger code snippet illustrates the problem (Stinger.java):

private int checkMalformedParameters(...) {

    // Only parameters the servlet container itself parsed (query string
    // and form-urlencoded body) are enumerated here; a multipart body
    // yields an empty Enumeration and the loop body never runs
    e = request.getParameterNames();
    while (e.hasMoreElements()) {
        ...

If the HTTP request content is form-urlencoded, request.getParameterNames()
returns an Enumeration of all HTTP parameter names. However, if the request
is multipart encoded, the returned Enumeration will be empty and
e.hasMoreElements() will return false, so Stinger performs no input
validation at all on multipart encoded HTTP requests. It should be noted
that the standard servlet API does not provide a convenient way of
handling multipart requests.

If the target application is a plain vanilla servlet application,
multipart encoded HTTP parameters will not be returned by the
Request.getParameter() call and thus the input will not be honored by the
target application. However, frameworks like Struts abstract HTTP
details from the application and perform automatic parsing of HTTP
requests, including multipart encoded requests. The framework will then
pass the input parameters supplied in a multipart request to the
application, which will be unaware of whether the parameters came in
through a multipart request or a regular form-urlencoded request. And as
Stinger did not perform any validation on the multipart request,
unescaped and unvalidated data will be supplied to the application, which
in turn may result in a security vulnerability such as XSS or SQL
injection being
III. Testing
The following WebScarab BeanShell script can be used to test existing
servlet filter implementations:


Servlet filters should handle multipart requests and perform input
validation on the multipart encoded content.

Additionally, following the multi-layered security approach,
applications should not rely on the filter as their only line of defense
for input validation. Most of today's frameworks provide a way to
perform input validation within the application [5,6].

Also, if multipart requests are not required by the application (e.g.
no file uploads are performed), automatic handling of multipart requests
should be disabled in the framework, and the servlet filter could be
configured to drop multipart requests.
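As an added illustration of both the flaw and the fix described above, the following hypothetical servlet filter is example code written for this page; it is not Stinger's code and not the WebScarab script the advisory refers to. It checks the Content-Type before trusting getParameterNames(): when the application has no uploads it drops multipart requests outright (the same behaviour as the Stinger 2.5 quick fix), and when uploads are allowed it validates the form-field parts of a multipart body with the same rule it applies to form-urlencoded parameters. It assumes the Servlet 3.1 API (request.getParts(), Part.getSubmittedFileName()), which postdates this 2007 advisory; the class name, the allowMultipart init parameter, the size limit and the SAFE_VALUE whitelist are assumptions chosen for the example.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Enumeration;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

// Hypothetical validation filter (example code, not OWASP Stinger).
// It looks at the Content-Type first instead of assuming every body is
// form-urlencoded, so a multipart body cannot slip past unvalidated.
public class MultipartAwareValidationFilter implements Filter {

    // Stand-in whitelist rule; a real filter would load per-parameter rules
    // from its configuration, as Stinger does
    private static final Pattern SAFE_VALUE = Pattern.compile("[A-Za-z0-9 ._@-]{0,256}");

    // Assumed upper bound for a single multipart form field
    private static final int MAX_FIELD_BYTES = 64 * 1024;

    // Assumed init-param: set to true only if the application has file uploads
    private boolean allowMultipart;

    @Override
    public void init(FilterConfig config) {
        allowMultipart = "true".equalsIgnoreCase(config.getInitParameter("allowMultipart"));
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isMultipart(request)) {
            if (!allowMultipart) {
                // No uploads in this application, so no multipart bodies at all
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart requests not accepted");
                return;
            }
            // The container parses the body here (needs a multipart-config on
            // the target servlet); every non-file part is checked like a parameter
            for (Part part : request.getParts()) {
                if (part.getSubmittedFileName() != null) {
                    continue; // file contents are the upload handler's concern
                }
                if (!isSafeValue(readField(part))) {
                    response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                            "rejected multipart parameter " + part.getName());
                    return;
                }
            }
        }

        // Query-string and form-urlencoded parameters: the only ones a filter
        // built on getParameterNames() alone ever sees
        Enumeration<String> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            for (String value : request.getParameterValues(name)) {
                if (!isSafeValue(value)) {
                    response.sendError(HttpServletResponse.SC_BAD_REQUEST, "rejected parameter " + name);
                    return;
                }
            }
        }
        chain.doFilter(request, response);
    }

    // The Content-Type header decides how the body will be parsed downstream
    static boolean isMultipart(HttpServletRequest request) {
        String contentType = request.getContentType();
        return contentType != null && contentType.toLowerCase().startsWith("multipart/");
    }

    static boolean isSafeValue(String value) {
        return value != null && SAFE_VALUE.matcher(value).matches();
    }

    // Reads a form-field part as UTF-8 text with a size bound, so the filter
    // itself cannot be made to buffer an unbounded body
    private static String readField(Part part) throws IOException {
        try (InputStream in = part.getInputStream()) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[4096];
            int n;
            while ((n = in.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
                if (buf.size() > MAX_FIELD_BYTES) {
                    throw new IOException("multipart form field too large");
                }
            }
            return buf.toString("UTF-8");
        }
    }
}
```

Two points to keep in mind when adapting this: the reject branch is the safer default, because a framework that parses multipart bodies itself (as Struts does with its own multipart handler) may find the request body already consumed once the filter has called getParts(), so the validate branch only fits deployments where the framework also relies on the container's parsed parts; and matching the parameter set between filter and framework is the whole point, so whichever layer parses multipart, the filter must see the same fields the application will receive.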

OWASP Stinger 2.5 contains a quick fix to drop non-urlencoded requests.

18/07/2007 - Vulnerability details sent to the maintainer
23/07/2007 - Vulnerability details resent
26/07/2007 - Initial vendor response (delay due to spam filters)
05/08/2007 - Quick-fix implemented dropping multipart requests in Stinger 2.5

blshkv, jml for helping to verify the issue. Rogan Dawes and Jeff
Williams for helping to get in contact with the maintainer. Eric Sheridan
for a timely resolution of the issue.

1. "The Essentials of Filters", http://java.sun.com/products/servlet/Filters.html
2. "Form-based File Upload in HTML", http://www.ietf.org/rfc/rfc1867.txt
3. "Interface ServletRequest",
4. "OWASP Stinger Project",
5. "Struts Validator", http://struts.apache.org/1.3.8/faqs/validator.html
6. "Validation", http://struts.apache.org/2.x/docs/validation.html

