Misusing OOP in MVC frameworks. How to conveniently develop broken apps

Andrey Plastunov

November 13, 2019

Transcript

  1. Disclaimer
     • No new super-puper attack techniques
     • No new mind-blowing vulnerabilities
     • Not about OOP misuse in general, but rather a single OOP principle
  2. Disclaimer (continued)
     • Which is Inheritance. In MVC frameworks.
  3. Model–View–Controller (usually known as MVC) is a software design pattern commonly used for developing user interfaces which divides the related program logic into three interconnected elements. This is done to separate internal representations of information from the ways information is presented to and accepted from the user. (c) Wikipedia
  4. MVC in 3 words
     Request -> URL matching -> Routing table -> handler (Controller + method)
     Routing table:
       url1 -> handler1
       url2 -> handler2
       ...
       urlN -> handlerN
  5. In object-oriented programming, inheritance is the mechanism of basing an object or class upon another object (prototype-based inheritance) or class (class-based inheritance), retaining similar implementation. (c) Wikipedia
  6. Inheritance is the thing
     Private Controller: allows authorized users to manipulate stuff
       PrivateAPI
         - stuff
         # fetchStuff
         + getStuff
         + editStuff
         + deleteStuff
     (UML visibility: - private, # protected, + public)
  7. Inheritance is the thing
     Private Controller: allows authorized users to manipulate stuff
     Now you want to show some public stuff to anonymous users as well
     • But you don't want to re-invent code
  8. Inheritance is the thing
     Public Controller inherits Private Controller
       PublicAPI (inherits PrivateAPI)
         + getPublicStuff
  9. Inheritance is the thing
     Public Controller
       PublicAPI
         - stuff
         # fetchStuff
         + getPublicStuff
     Now we can utilize protected methods of a parent class
  10. Inheritance is the thing
     Public Controller
       PublicAPI
         - stuff
         # fetchStuff
         + getPublicStuff
         + getStuff
         + editStuff
         + deleteStuff
     Now we can utilize protected methods of a parent class
     • But also all the other methods as well
  11. How to find (or more like how do I find it, which is probably the worst way of doing it)
      • Gather a list of registered routes
        - using debug and monitoring features of frameworks
      • Parse the list for similar endpoints, such as:
        - /admin/whatever/endpoint
        - /public/whatever/endpoint
      • Try to access similar routes with the same user role
      Very Important slide (no)
  12. Examples
      The above can turn out to be really sad, as the examples below might (or might not) show
  13. Examples. PHP + Symfony
      Private Controller
      • Has action mapped to: Controller prefix + action route = /admin/user-list
  14. Examples. PHP + Symfony
      Private Controller (continued)
      • Has access control policies properly set: access to /admin is only allowed to users with role ROLE_ADMIN
  15. Examples. PHP + Symfony
      Public Controller
      • Inherited from Private controller (because reasons)
      • Has access control policies properly set: access to /user is allowed to any user with role ROLE_USER
      • Result: the inherited action is mapped a second time under the public prefix, as /user/user-list; that path matches the /user rule rather than the /admin one, so ROLE_USER is enough to reach the admin-only action
  16. Examples. Java + Spring MVC
      Private Controller
      • Has action mapped to: Controller prefix + action route = /private/admin
  17. Examples. Java + Spring MVC
      Private Controller (continued)
      • Has access control policies properly set: access to /private is only allowed to users with ADMIN role
  18. Examples. Java + Spring MVC
      Public Controller
      • Inherited from Private controller (because reasons)
      • Has access control policies properly set: access to /user is allowed to any user with role ROLE_USER
      • Result: the inherited action is mapped a second time under the public prefix, as /user/admin; that path is covered by the /user rule rather than the /private one, so ROLE_USER is enough to reach it
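The mechanism behind slides 6 to 18, as an added example that is not code from the talk, from Symfony or from Spring: a small Python router that discovers actions by reflection, the way annotation-based route loaders do, combined with prefix-based access rules. Everything in it is invented for illustration (the PrivateAPI/PublicAPI names, the /admin and /user prefixes, the ROLE_ADMIN/ROLE_USER rules, the item data); the one behaviour being reproduced is that a reflective loader walks the whole class hierarchy, so every action the child inherits is registered again under the child's prefix. The fixed variant shows the usual remedy: share the helper through a plain class that has no actions, instead of inheriting from a controller that does.

```python
import inspect
from dataclasses import dataclass, field


def route(path):
    """Mark a controller method as an action served at <controller prefix> + path."""
    def mark(fn):
        fn.__route__ = path
        return fn
    return mark


class Forbidden(Exception):
    pass


@dataclass
class Router:
    # Ordered prefix rules, first match wins, in the spirit of Symfony's
    # access_control list or Spring Security's matchers: [(prefix, required role)].
    access_control: list = field(default_factory=list)
    # full path -> (controller class it was registered for, action method name)
    routes: dict = field(default_factory=dict)

    def register(self, controller_cls):
        # inspect.getmembers walks the whole hierarchy, as reflection-based
        # loaders do, so inherited actions are registered under the child's prefix.
        for name, fn in inspect.getmembers(controller_cls, inspect.isfunction):
            path = getattr(fn, "__route__", None)
            if path is not None:
                self.routes[controller_cls.prefix + path] = (controller_cls, name)

    def dispatch(self, path, roles):
        controller_cls, name = self.routes[path]          # KeyError == 404
        for prefix, required in self.access_control:
            if path.startswith(prefix):
                if required not in roles:
                    raise Forbidden(f"{path} requires {required}")
                break
        return getattr(controller_cls(), name)()

    def inherited_actions(self):
        """Routes served by a controller that does not declare the action itself:
        the 'all the other methods as well' of slide 10, found statically."""
        return sorted(path for path, (cls, name) in self.routes.items()
                      if name not in vars(cls))


# --- The pattern from the slides (hypothetical controllers and data) -----------
class PrivateAPI:
    prefix = "/admin"

    def _fetch_stuff(self):                # the "protected" helper worth reusing
        return ["public-item", "secret-item"]

    @route("/user-list")
    def user_list(self):
        return self._fetch_stuff()

    @route("/delete")
    def delete_stuff(self):
        return "deleted"


class PublicAPI(PrivateAPI):               # inherits "because reasons"
    prefix = "/user"

    @route("/public-stuff")
    def public_stuff(self):
        return [s for s in self._fetch_stuff() if s.startswith("public")]


# --- The fix: reuse the helper by composition, not by extending a controller ----
class StuffRepository:
    def fetch(self):
        return ["public-item", "secret-item"]


class PublicAPIFixed:
    prefix = "/user"

    def __init__(self, repo=None):
        self.repo = repo or StuffRepository()

    @route("/public-stuff")
    def public_stuff(self):
        return [s for s in self.repo.fetch() if s.startswith("public")]


ACCESS_CONTROL = [("/admin", "ROLE_ADMIN"), ("/user", "ROLE_USER")]


def build_router(public_controller=PublicAPI):
    router = Router(access_control=list(ACCESS_CONTROL))
    router.register(PrivateAPI)
    router.register(public_controller)
    return router


def is_forbidden(router, path, roles):
    try:
        router.dispatch(path, roles)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    broken = build_router()
    print("routes:", sorted(broken.routes))
    print("inherited actions:", broken.inherited_actions())
    print("/admin/user-list as ROLE_USER forbidden:", is_forbidden(broken, "/admin/user-list", {"ROLE_USER"}))
    print("/user/user-list as ROLE_USER returns:", broken.dispatch("/user/user-list", {"ROLE_USER"}))
    print("fixed routes:", sorted(build_router(PublicAPIFixed).routes))
```

Run stand-alone it prints the route table with /user/user-list and /user/delete in it, the Forbidden result for /admin/user-list as ROLE_USER, and then the same secret data coming back from /user/user-list with that role; the fixed router has only /user/public-stuff under the public prefix. inherited_actions() is the check worth porting to a real route table: any action served by a controller that does not declare it needs either an access rule of its own or a redesign of the controller hierarchy.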
  19. Examples. Java + Spring MVC
      How to catch: Spring Boot Actuator
      http://localhost:8080/mappings
      (on Spring Boot 2.x the endpoint lives at /actuator/mappings and has to be exposed explicitly before it answers)
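The route-hunting procedure of slide 11, applied to the kind of dump slide 19 points at, as an added example that is neither the speaker's tooling nor the actuator's real output format: it groups routes by the part of the path after the controller prefix and reports paths that exist under more than one prefix, plus handlers that are mapped under more than one prefix, then emits the list of URLs to retry with the low-privileged session. The listing is constructed for the example and already normalised to "METHOD PATH HANDLER" lines; with a real /mappings or debug:router dump the first step is to flatten it into that shape. That the handler column names the declaring class of the action (AdminController#userList under both prefixes) is an assumption about how reflective dumps print methods, so verify it on your framework.

```python
from collections import defaultdict

# Constructed route dump (invented paths and handler names), normalised to
# "METHOD PATH HANDLER" lines as you would get after flattening a real dump.
ROUTE_DUMP = """\
GET  /admin/user-list     AdminController#userList
POST /admin/user/delete   AdminController#deleteUser
GET  /user/user-list      AdminController#userList
POST /user/user/delete    AdminController#deleteUser
GET  /user/profile        UserController#profile
GET  /public/health       HealthController#health
GET  /api/v1/items        ItemsController#list
"""


def parse_routes(dump):
    """Return a list of (method, path, handler) tuples from the normalised dump."""
    routes = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            routes.append((parts[0], parts[1], parts[2]))
    return routes


def split_prefix(path):
    """'/admin/user-list' -> ('/admin', '/user-list'); first segment = controller prefix."""
    segments = path.strip("/").split("/", 1)
    prefix = "/" + segments[0]
    rest = "/" + segments[1] if len(segments) > 1 else "/"
    return prefix, rest


def find_sibling_routes(routes):
    """Slide 11, step 2: the same method + path-after-prefix under several prefixes.

    Returns {(method, suffix): sorted full paths} for every group that spans
    more than one prefix (e.g. /admin/x and /user/x)."""
    by_suffix = defaultdict(list)
    for method, path, handler in routes:
        prefix, rest = split_prefix(path)
        by_suffix[(method, rest)].append((prefix, path))
    return {key: sorted(path for _, path in entries)
            for key, entries in by_suffix.items()
            if len({prefix for prefix, _ in entries}) > 1}


def shared_handlers(routes):
    """Stronger signal: one handler method reachable under several prefixes,
    which is exactly what an inherited action looks like in a route table."""
    by_handler = defaultdict(set)
    for _, path, handler in routes:
        by_handler[handler].add(path)
    return {handler: sorted(paths) for handler, paths in by_handler.items()
            if len({split_prefix(p)[0] for p in paths}) > 1}


def probe_list(siblings):
    """Slide 11, step 3: every member of every sibling group, as (method, path),
    to request with the least-privileged role that can reach any of them."""
    return sorted((method, path)
                  for (method, _), paths in siblings.items()
                  for path in paths)


if __name__ == "__main__":
    routes = parse_routes(ROUTE_DUMP)
    siblings = find_sibling_routes(routes)
    for (method, suffix), paths in sorted(siblings.items()):
        print(f"{method} {suffix}: {', '.join(paths)}")
    for handler, paths in sorted(shared_handlers(routes).items()):
        print(f"handler {handler} under several prefixes: {', '.join(paths)}")
    print("probe:", probe_list(siblings))
```

On the constructed dump this flags /user-list and /user/delete as existing under both /admin and /user, attributes both to the AdminController handlers, and leaves /user/profile, /public/health and /api/v1/items alone. The suffix heuristic is deliberately loose (two unrelated controllers can legitimately both expose /list); the shared-handler check is the one that points straight at an inherited action.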
  20. Examples. Other frameworks (well, potential examples, to be honest)
      • Ruby on Rails (+ Devise + CanCan), to some extent
      • node.js (stuff like sails.js)