Demystifying Java JNDI attacks

How this Java API — rather its implementation could have catastrophic consequences on your application’s security, and what can you do about it?

Ax Sharma: Sample bytecode representation of a Java application class

Basics

At its core, JNDI is nothing more than an API which lets a developer perform various querying and directory access operations. This StackOverflow post explains it pretty well. Depending on the context of your application, it may be the preferred standard way of accessing services such as LDAP, for example, as opposed to implementing your own solution from scratch.

Attack Mechanisms

The problem arises due to common negligent mistakes made by the developers and not necessarily the API itself. For example, trusting external input coming from HTTP request headers — essentially what we observe in the case of Struts, files, user-input fields, serialized objects and passing that input directly to various JNDI commands used by your program is a bad practice, as is having an incorrectly configured server.

Veracode: An example of how Spring Boot actuators can be exploited by providing rogue JNDI configuration as XML input.

Prevention

So, how do you prevent JNDI vulnerabilities in your web application?

Security Researcher | Tech Columnist | https://hey.ax

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store