Products
Contrast Application Detection and Response (ADR)

Contrast Application and API Security Testing (AST)

Contrast One^TM

Contrast Runtime Security Platform

Contrast Protect (RASP)

Contrast Assess (IAST/DAST)

Contrast Scan (SAST)

Contrast Software Composition Analysis (SCA)
Developer Central

Log4j Response

Pricing

How We Compare

Languages

Integrations
Solutions
BY USE CASE

Why IAST?

DevSecOps

Automated Penetration Testing

AppSec Monitoring

API Security

Software Supply Chain Security

Runtime Protection

Software Bills of Materials (SBOMs)

GitHub CI/CD

Compliance Testing

Services

BY DEPARTMENT

Dev and DevOps Teams

Security

DevSecOps

CISO

BY INDUSTRY

Government

Financial Services

Healthcare

Others
Partner
Technology Partners

Systems Integrators

Ecosystem Integrations

Managed Security Services Providers

Channel Partners Overview

Cloud Partners

GitHub
Partner Program Overview

Become a Partner

Find a Partner

Visit Partner Portal
GITHUB ACTIONS BLOG SERIES, PART 1: PIPELINE NATIVE CODE ANALYSIS

Read the Blog
Customers
Company
About Us

Leadership Team

Culture & Careers

Women of Contrast

Contact Us
Blog

Events & Webinars

Newsroom

Podcast

Awards
Contrast Security recognized as a Visionary by Gartner in Application Security Testing.

Learn More
Resources
Contrast for Developers

Contrast Secure Code Learn Hub

Contrast Community

Resource Center

OWASP Top 10

Accountability & Transparency

SBOMs

ContrastLive

Support

Services

Trust Center

Documentation

Product Release Notes

Blog

Podcast

Events

Glossary
Contrast Incident Response Hub

Spring4Shell Vulnerability

Log4j Vulnerability

Weekly CISO Update

Trust Center
Developers

Contrast Labs: Blocking Spring View Manipulation Attacks

By David Lindner, Chief Information Security Officer

September 4, 2020

Contrast Labs: Blocking Spring View Manipulation Attacks

On September 4, 2020, Michael Stepankin published a proof-of-concept (PoC) exploit that took advantage of a fairly new application vulnerability dubbed “Spring View Manipulation.” The Spring View Manipulation vulnerability takes advantage of a recently discovered Thymeleaf Server-Side Template Injection (SSTI) vulnerability using Expression Language Injection. The PoC utilized Spring Boot to show how the vulnerability worked. The PoC allows malicious actors to create a specially crafted Expression Language injection payload to run local system commands. In the case of the PoC, the “id” command was run to return the local system user.

The good news is that Contrast Protect customers are protected from this vulnerability being exploited out of the box.

What Does the Exploit of Spring View Manipulation Look Like?

To confirm the vulnerability, Contrast Labs used the PoC from the Github. The exploit relies on crafting an Expression Language payload into the query string “lang” parameter. An example payload is provided below:

expression-language-payload

After running the payload with the “id” command against the path action, Contrast Labs was able to return the local user account id. Returning the local user account id showed that we could run code on the local system, thus confirming the Expression Language Injection and remote code execution.

remote-code-execution-2

How Does Contrast Protect Block Spring View Manipulation?

Contrast Protect is equipped for out-of-the-box deployment without configuration to detect and block the Spring View Manipulation as it uses Expression Language Injection as the exploit. To show how this works, Contrast Labs’ internal security researchers ran the above-referenced PoC, but this time added the Contrast Protect Java. Once we had the Contrast Protect agent running in block mode, we ran the exploit and saw the following:

contrast-protect-java

Readers will notice that the above is much different than when the exploit was successful: The “id” command was not run, so nothing was returned to the user. Finally, we browsed to the Contrast Protect UI and saw the detected and blocked attack:

Contrast-Protect-UI

Contrast customers are actively protected from this vulnerability class if Contrast Protect is enabled and blocking mode is enabled for Expression Language Injection. If monitoring mode is enabled, the attack will be detected but not blocked.

To enable the block mode on Expression Language Injection, users need to navigate in the Contrast Protect user interface to “Policy Management” -> “Protect Rules” -> “Expression Language Injection.” At that point, users need to verify the environment running their vulnerable instance is in “block” mode.

Screen Shot 2020-09-04 at 2.07.20 PM

Useful References

Readers seeking more information on the Spring View Manipulation vulnerability can leverage the below links:

GitHub: Click here
Thymeleaf SSTI: Click here

In addition, readers without Contrast Protect can get more information by downloading a copy of our solution brief, “Contrast Protect with Runtime Application Self-Protection (RASP).”

Contrast Protect

David Lindner, Chief Information Security Officer

David is an experienced application security professional with over 20 years in cybersecurity. In addition to serving as the chief information security officer, David leads the Contrast Labs team that is focused on analyzing threat intelligence to help enterprise clients develop more proactive approaches to their application security programs. Throughout his career, David has worked within multiple disciplines in the security field—from application development, to network architecture design and support, to IT security and consulting, to security training, to application security. Over the past decade, David has specialized in all things related to mobile applications and securing them. He has worked with many clients across industry sectors, including financial, government, automobile, healthcare, and retail. David is an active participant in numerous bug bounty programs.

WHY OBSERVABILITY IS THE NEXT BIG THING IN SECURITY

XML External Entity (XXE) Attack Vulnerability and JAXB Pitfalls

BY USE CASE

BY DEPARTMENT

BY INDUSTRY

GITHUB ACTIONS BLOG SERIES, PART 1: PIPELINE NATIVE CODE ANALYSIS

Contrast Security recognized as a Visionary by Gartner in Application Security Testing.

Contrast Incident Response Hub

Contrast Labs: Blocking Spring View Manipulation Attacks

What Does the Exploit of Spring View Manipulation Look Like?

How Does Contrast Protect Block Spring View Manipulation?

Useful References

David Lindner, Chief Information Security Officer

Loving our content? Subscribe now!