Referencing CVE-2015-3192:
Objective of this project:
- Determine the vulnerable methods causing this bug
- Proof of concept of the vulnerability
Plan:
- Have a simple hello world Spring application
- Accept XML payload
- Send XML bomb
- Demonstrate vulnerability
- Run the sample app via
mvn jetty:run
- Upgrade sample code to use 3.2.0.RELEASE which is one of the vulnerable version
- Did not manage to trigger the vulnerability even if the converter was initialised
- Need to better understand Spring initialisation and setup