Unsafe JAX-RS: Breaking REST API

Using RESTful web services for building web application’s API is a common thing nowadays. Java EE includes JAX-RS API for building RESTful web services. There are several JAX-RS implementations exist. The most popular are RESTEasy, Jersey, and Apache CXF.

The author inquired security of RESTEasy, Jersey, and Apache CXF JAX-RS implementations and figured out weaknesses and vulnerabilities which lead to practical attacks against JAX-RS applications. RedHat Product Security assigned CVE-2016-7050, CVE-2016-6346, CVE-2016-6345, CVE-2016-6348, CVE-2016-6347 IDs for vulnerabilities found in RESTEasy during the research. Research cover entity provider selection confusion attacks, CSRF attacks, DoS attacks, Information disclosure attacks, XSS attacks, and more. As the result of the research, the author developed extension “Unsafe JAX-RS” for Burp Suite which helps to identify vulnerabilities in JAX-RS applications.

Download Slides

About the Speaker