Re: [SC-L] Java DOS

2011-02-16 Thread Kevin W. Wall
On 02/15/2011 09:59 AM, Shanahan Pete wrote: All of the structures lying on top of the basic string-number parsing assume that the parsing works. If it's broken then repeatedly fixing the issue in frameworks is not going to address the issue, it is merely going to defer it. I completely

Re: [SC-L] Java DOS

2011-02-16 Thread Kevin W. Wall
On 02/15/2011 11:38 AM, Jim Manico wrote: [snip] Ryan Barnett just spit out a new (impressive) mod security rule so you can tactically patch without touching code (see below). [snip] First step is to inspect the ARGS and REQUEST_HEADERS data using a regex to match on potential floating point

Re: [SC-L] Java DOS

2011-02-15 Thread Chris Schmidt
I would assume just about any app with a shopping cart does. This is of course compounded by libraries like struts and spring mvc that autobind your form variables for you. Use a form with a double in it and you're boned. Sent from my iPwn On Feb 14, 2011, at 8:57 AM, Wall, Kevin

Re: [SC-L] Java DOS

2011-02-15 Thread Wall, Kevin
[chrisisb...@gmail.com] Sent: Tuesday, February 15, 2011 12:06 AM To: Wall, Kevin Cc: Jim Manico; Rafal Los; sc-l@securecoding.org Subject: Re: [SC-L] Java DOS This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use

Re: [SC-L] Java DOS

2011-02-15 Thread Shanahan Pete
Anger growing string - number. It breaks, deal with it, and move on. Why is this a problem again? On 15 Feb 2011, at 05:06, Chris Schmidt wrote: I would assume just about any app with a shopping cart does. This is of course compounded by libraries like struts and spring mvc that

Re: [SC-L] Java DOS

2011-02-14 Thread Wall, Kevin
Jim Manico wrote... Rafal, It's not that tough to blacklist this vuln while you are waiting for your team to patch your JVM (IBM and other JVMs have not even patched yet). I've seen three generations of this filter already. Walk with me, Rafal and I'll show you. :) 1) Generation 1 WAF

Re: [SC-L] Java DOS

2011-02-13 Thread Jim Manico
Rafal, It's not that tough to blacklist this vuln while you are waiting for your team to patch your JVM (IBM and other JVMs have not even patched yet). I've seen three generations of this filter already. Walk with me, Rafal and I'll show you. :) 1) Generation 1 WAF rule (reject one number

[SC-L] Java DOS

2011-02-12 Thread Brian Chess
There's a very interesting vulnerability in Java kicking around. I wrote about it here: http://blog.fortify.com/blog/2011/02/08/Double-Trouble In brief, you can send Java (and some versions of PHP) into an infinite loop if you can provide some malicious input that will be parsed as a