Java Unsafe Object Binding
Description
Unsafe object binding is a vulnerability in Java applications that use the Apache Commons BeanUtils library to copy untrusted input into object properties. When methods such as populate() or setProperty() receive a property name or value taken from user-controlled data, the caller can set arbitrary properties of the target object, which can lead to remote code execution or sensitive data exposure.
Detection Strategy
• Check if code imports Apache Commons BeanUtils library (org.apache.commons.beanutils or org.apache.commons.beanutils2)
• Look for calls to BeanUtils methods 'populate' or 'setProperty'
• Verify if the method arguments contain user-controlled input
• Report a vulnerability when BeanUtils populate/setProperty methods are called with untrusted data
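The four detection steps above can be implemented as a simple line-oriented source scanner. The Java class below is an added example written for this page, not Fluid Attacks' own rule implementation; it assumes a single Java file per scan, treats any variable assigned from getParameter()/getParameterMap() as tainted, and flags BeanUtils.populate or BeanUtils.setProperty calls that take such a variable as an argument. The sample source lines inside main() are constructed for the demonstration.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: a minimal detector for the BeanUtils unsafe-binding pattern.
public class BeanUtilsBindingDetector {
    // Step 1: the file imports org.apache.commons.beanutils or org.apache.commons.beanutils2
    private static final Pattern IMPORT =
        Pattern.compile("^\\s*import\\s+org\\.apache\\.commons\\.beanutils2?\\.");
    // Step 3 (taint source): a variable assigned from request.getParameter(...) or getParameterMap(...)
    private static final Pattern TAINT_ASSIGN =
        Pattern.compile("(\\w+)\\s*=\\s*\\w+\\.getParameter(Map)?\\(");
    // Step 2 (sink): BeanUtils.populate(...) or BeanUtils.setProperty(...)
    private static final Pattern SINK_CALL =
        Pattern.compile("BeanUtils\\.(populate|setProperty)\\(([^)]*)\\)");

    // Returns one finding per sink call that receives a tainted argument (step 4).
    public static List<String> scan(List<String> lines) {
        List<String> findings = new ArrayList<>();
        boolean importsBeanUtils = false;
        Set<String> tainted = new HashSet<>();
        for (int i = 0; i < lines.size(); i++) {
            String line = lines.get(i);
            if (IMPORT.matcher(line).find()) {
                importsBeanUtils = true;
            }
            Matcher assign = TAINT_ASSIGN.matcher(line);
            while (assign.find()) {
                tainted.add(assign.group(1));
            }
            if (!importsBeanUtils) {
                continue; // without the import, "BeanUtils" is some other class
            }
            Matcher sink = SINK_CALL.matcher(line);
            while (sink.find()) {
                for (String rawArg : sink.group(2).split(",")) {
                    String arg = rawArg.trim();
                    // Either a previously tainted variable or an inline getParameter(...) call
                    if (tainted.contains(arg) || arg.contains("getParameter")) {
                        findings.add("line " + (i + 1) + ": BeanUtils." + sink.group(1)
                            + " called with untrusted argument '" + arg + "'");
                        break;
                    }
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample source, modelled on the vulnerable pattern described on this page
        List<String> sample = List.of(
            "import org.apache.commons.beanutils.BeanUtils;",
            "import javax.servlet.http.HttpServletRequest;",
            "public class Sample {",
            "  public void bind(HttpServletRequest request, UserDataBean bean) throws Exception {",
            "    String field = request.getParameter(\"field\");",
            "    String value = request.getParameter(\"value\");",
            "    BeanUtils.setProperty(bean, field, value);",
            "    BeanUtils.setProperty(bean, \"name\", \"fixed\");",
            "  }",
            "}"
        );
        // Expected: a single finding for line 7; the literal-only call on line 8 is not reported
        scan(sample).forEach(System.out::println);
    }
}
```

This scanner is deliberately naive: it tracks names within one file without scoping, does not follow data through method calls or collections, and will miss a parameter that is copied into another variable before reaching BeanUtils. A production rule should work on the parsed AST with proper dataflow, but the three conditions it checks (import present, sink called, argument tainted) are exactly the ones listed in the strategy.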
Vulnerable code example
import org.apache.commons.beanutils.BeanUtils;
import javax.servlet.http.HttpServletRequest;
public class VulnerableExample {
    public void insecurePattern(HttpServletRequest request) throws Exception {
        UserDataBean bean = new UserDataBean(); // plain JavaBean with getters and setters (not shown on the page)
        String field = request.getParameter("field"); // Untrusted user input from request
        String value = request.getParameter("value"); // Untrusted user input from request
        // Both the property name and its value come straight from the request, so the caller
        // decides which property of the bean is written (including nested property expressions)
        BeanUtils.setProperty(bean, field, value);
    }
}
✅ Secure code example
import org.apache.commons.beanutils.BeanUtils;
import javax.servlet.http.HttpServletRequest;
import java.util.Set;
public class SecureExample {
    // Whitelist of allowed bean properties (the names below are illustrative; the page's original list is truncated)
    private static final Set<String> ALLOWED_FIELDS = Set.of("name", "email");
    public void securePattern(HttpServletRequest request) throws Exception {
        UserDataBean bean = new UserDataBean(); // plain JavaBean with getters and setters (not shown on the page)
        String field = request.getParameter("field"); // Untrusted user input from request
        String value = request.getParameter("value"); // Untrusted user input from request
        // Reject any property name that is not explicitly allowed before it reaches BeanUtils
        if (field == null || !ALLOWED_FIELDS.contains(field)) {
            throw new IllegalArgumentException("Property not allowed: " + field);
        }
        BeanUtils.setProperty(bean, field, value);
    }
}
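The whitelist above is the essential control, but BeanUtils property names are expressions, not plain identifiers: nested ("a.b"), indexed ("a[0]") and mapped ("a(key)") forms are resolved by the library, and a bean's inherited "class" property is itself reachable unless it is suppressed. The helper below is an added example for this page (not Fluid Attacks' code and not part of Commons BeanUtils) that combines three layers: a syntactic check that accepts only simple property names, a per-bean whitelist, and a dedicated BeanUtilsBean configured with the library's SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS introspector (available since Commons BeanUtils 1.9.2). UserDataBean, the "name"/"email" property names and the parameter maps in main() are constructed for the demonstration.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;
import java.lang.reflect.InvocationTargetException;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added example: binds request parameters to a bean with three independent guards.
public class SafeBinder {
    // Only simple, camelCase property names; "." "[" and "(" would enable nested/indexed/mapped lookups
    private static final Pattern SIMPLE_NAME = Pattern.compile("[a-z][A-Za-z0-9]*");
    private final Set<String> allowed;
    private final BeanUtilsBean beanUtils;

    public SafeBinder(Set<String> allowed) {
        this.allowed = Set.copyOf(allowed);
        // Private BeanUtilsBean instance so the configuration does not depend on the global default
        this.beanUtils = new BeanUtilsBean();
        // Hide the "class" property: getClass() (and everything reachable from it) is no longer a bindable target
        this.beanUtils.getPropertyUtils()
            .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
    }

    // Binds the first value of each allowed parameter; rejects the whole request on any disallowed name.
    public void bind(Object bean, Map<String, String[]> params)
            throws IllegalAccessException, InvocationTargetException {
        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            String name = entry.getKey();
            if (name == null || !SIMPLE_NAME.matcher(name).matches() || !allowed.contains(name)) {
                throw new IllegalArgumentException("Rejected property name: " + name);
            }
            String[] values = entry.getValue();
            if (values == null || values.length == 0) {
                continue; // nothing to bind for this parameter
            }
            beanUtils.setProperty(bean, name, values[0]);
        }
    }

    // Constructed target bean for the demonstration (a plain JavaBean).
    public static class UserDataBean {
        private String name;
        private String email;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
    }

    public static void main(String[] args) throws Exception {
        SafeBinder binder = new SafeBinder(Set.of("name", "email"));

        // Constructed request: only whitelisted names, bound normally
        UserDataBean ok = new UserDataBean();
        binder.bind(ok, Map.of("name", new String[] {"alice"}, "email", new String[] {"alice@example.invalid"}));
        System.out.println("bound: " + ok.getName() + " / " + ok.getEmail());

        // Constructed request: a nested expression is rejected before BeanUtils ever sees it
        String[] rejected = {"class.simpleName", "name.length", "items[0]", "password"};
        for (String bad : rejected) {
            try {
                binder.bind(new UserDataBean(), Map.of(bad, new String[] {"x"}));
                System.out.println("UNEXPECTED: accepted " + bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected as expected: " + e.getMessage());
            }
        }
    }
}
```

The SIMPLE_NAME check and the whitelist overlap on purpose: the whitelist alone is enough if it is maintained correctly, while the syntactic check is a safety net that still holds if a later change adds a property name such as "address.city" to the allowed set. The SUPPRESS_CLASS introspector is a third, library-level layer; Commons BeanUtils 1.9.4 and later enable it by default, and setting it explicitly makes the helper behave the same way on older 1.9.x versions.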