Deploying to gh-pages from @ 828d958 🚀

rules/S5301/default-description.html

@@ -1,32 +1,108 @@
 <div class="sect1">
 <h2 id="_description">Description</h2>
 <div class="sectionbody">
-
+<div class="paragraph">
+<p>ActiveMQ can send/receive JMS Object messages (ObjectMessage in ActiveMQ
+context) to comply with JMS specifications. Internally, ActiveMQ relies on
+Java&#8217;s serialization mechanism for the marshaling and unmarshalling of the
+messages' payload.</p>
+</div>
+<div class="paragraph">
+<p>Applications should restrict the types that can be unserialized from JMS
+messages.</p>
+</div>
 </div>
 </div>
 <div class="sect1">
 <h2 id="_why_is_this_an_issue">Why is this an issue?</h2>
 <div class="sectionbody">
 <div class="paragraph">
-<p>ActiveMQ can send/receive JMS Object messages (named ObjectMessage in ActiveMQ context) to comply with JMS specification. Internally, ActiveMQ relies on Java serialization mechanism for marshaling/unmarshalling of the message payload. Deserialization based on data supplied by the user could lead to remote code execution attacks, where the structure of the serialized data is changed to modify the behavior of the object being unserialized.</p>
+<p>When the application does not implement controls over the JMS object types, its
+clients could be able to force the deserialization of arbitrary objects. This
+may lead to deserialization injection attacks.</p>
+</div>
+<div class="sect2">
+<h3 id="_what_is_the_potential_impact">What is the potential impact?</h3>
+<div class="paragraph">
+<p>Attackers will be able to force the deserialization of arbitrary objects. This
+process will trigger the execution of magic unmarshalling methods on the object
+and its properties. With a specially crafted serialized object, the attackers
+can exploit those magic methods to achieve malicious purposes.</p>
+</div>
+<div class="paragraph">
+<p>While the exact impact depends on the types available in the execution context
+at the time of deserialization, such an attack can generally lead to the
+execution of arbitrary code on the application server.</p>
+</div>
+<div class="sect3">
+<h4 id="_application_specific_attacks">Application-specific attacks</h4>
+<div class="paragraph">
+<p>By exploiting the behavior of some of the application-defined types and objects,
+the attacker could manage to affect the application&#8217;s business logic. The exact
+consequences will depend on the application&#8217;s nature:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>Payment bypass in an e-commerce application.</p>
+</li>
+<li>
+<p>Privilege escalation.</p>
+</li>
+<li>
+<p>Unauthorized users' data access.</p>
+</li>
+</ul>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_publicly_known_exploitation">Publicly-known exploitation</h4>
+<div class="paragraph">
+<p>In some cases, depending on the library the application uses and their versions,
+there may exist publicly known deserialization attack payloads known as <strong>gadget
+chains</strong>. In general, they are designed to have severe consequences, such as:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>Arbitrary code execution</p>
+</li>
+<li>
+<p>Arbitrary file read or write</p>
+</li>
+<li>
+<p>Server-side request forgery</p>
+</li>
+</ul>
 </div>
 <div class="paragraph">
-<p>To limit the risk to be victim of such attack, ActiveMQ 5.12.2+ enforces developers to explicitly whitelist packages that can be exchanged using ObjectMessages.</p>
+<p>Those attacks are independent of the application&#8217;s own logic and from the types
+it specifies.</p>
+</div>
+</div>
+</div>
+</div>
 </div>
+<div class="sect1">
+<h2 id="_how_to_fix_it_in_java_ee">How to fix it in Java EE</h2>
+<div class="sectionbody">
 <div class="sect2">
-<h3 id="_noncompliant_code_example">Noncompliant code example</h3>
+<h3 id="_code_examples">Code examples</h3>
+<div class="paragraph">
+<p>The following code example is vulnerable to a deserialization injection attack
+because it allows the deserialization of arbitrary types from JMS messages.</p>
+</div>
+<div class="sect3">
+<h4 id="_noncompliant_code_example">Noncompliant code example</h4>
 <div class="listingblock">
 <div class="content">
 <pre class="highlight"><code class="language-java" data-lang="java">ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
-factory.setTrustAllPackages(true); // Noncompliant
-
-ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
-// no call to factory.setTrustedPackages(...);</code></pre>
+factory.setTrustAllPackages(true); // Noncompliant</code></pre>
 </div>
 </div>
 </div>
-<div class="sect2">
-<h3 id="_compliant_solution">Compliant solution</h3>
+<div class="sect3">
+<h4 id="_compliant_solution">Compliant solution</h4>
 <div class="listingblock">
 <div class="content">
 <pre class="highlight"><code class="language-java" data-lang="java">ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
@@ -35,32 +111,65 @@ <h3 id="_compliant_solution">Compliant solution</h3>
 </div>
 </div>
 </div>
+<div class="sect2">
+<h3 id="_how_does_this_work">How does this work?</h3>
+<div class="paragraph">
+<p>The noncompliant code example calls the <code>setTrustAllPackages</code> method that
+explicitly allows the deserialization of arbitrary types. On the contrary, the
+compliant code example, thanks to the <code>setTrustedPackages</code> method, defines a
+short list of classes allowed for the deserialization.</p>
+</div>
+<div class="paragraph">
+<p>While defining a short list of trusted types is generally the state-of-the-art
+solution to avoid deserialization injection attacks, it is important to ensure
+that the allowed classes and packages can not be used to exploit the issue. In
+that case, a vulnerability would still be present.</p>
+</div>
+<div class="paragraph">
+<p>Note that ActiveMQ, starting with version 5.12.2, forces developers to
+explicitly list packages that JMS messages can contain. This limits the risk of
+successful exploitation. In versions before that one, calling the
+<code>ActiveMQConnectionFactory</code> constructor without further configuration would
+leave the application at risk.</p>
+</div>
+</div>
+</div>
 </div>
 <div class="sect1">
 <h2 id="_resources">Resources</h2>
 <div class="sectionbody">
+<div class="sect2">
+<h3 id="_documentation">Documentation</h3>
 <div class="ulist">
 <ul>
 <li>
-<p><a href="https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/">OWASP Top 10 2021 Category A8</a> - Software and Data Integrity Failures</p>
+<p>Apache ActiveMQ Documentation - <a href="https://activemq.apache.org/objectmessage.html">ObjectMessage</a></p>
 </li>
 <li>
-<p><a href="https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization">OWASP Top 10 2017 Category A8</a> - Insecure Deserialization</p>
+<p>CVE - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5254">CVE-2015-5254</a></p>
 </li>
+</ul>
+</div>
+</div>
+<div class="sect2">
+<h3 id="_standards">Standards</h3>
+<div class="ulist">
+<ul>
 <li>
-<p><a href="https://cwe.mitre.org/data/definitions/502">MITRE, CWE-502</a> - Deserialization of Untrusted Data</p>
+<p>OWASP - <a href="https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/">Top 10 2021 - Category A8 - Software and Data Integrity Failures</a></p>
 </li>
 <li>
-<p><a href="https://activemq.apache.org/objectmessage.html">ActiveMQ ObjectMessage Security Advisory</a></p>
+<p>OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization">Top 10 2017 - Category A8 - Insecure Deserialization</a></p>
 </li>
 <li>
-<p><a href="https://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt">CVE-2015-5254</a></p>
+<p>CWE - <a href="https://cwe.mitre.org/data/definitions/502">CWE-502 - Deserialization of Untrusted Data</a></p>
 </li>
 </ul>
 </div>
 <hr>
 </div>
 </div>
+</div>
 <div class="sect1">
 <h2 id="_implementation_specification">Implementation Specification</h2>
 <div class="sectionbody">

rules/S5301/java-description.html

@@ -1,32 +1,108 @@
 <div class="sect1">
 <h2 id="_description">Description</h2>
 <div class="sectionbody">
-
+<div class="paragraph">
+<p>ActiveMQ can send/receive JMS Object messages (ObjectMessage in ActiveMQ
+context) to comply with JMS specifications. Internally, ActiveMQ relies on
+Java&#8217;s serialization mechanism for the marshaling and unmarshalling of the
+messages' payload.</p>
+</div>
+<div class="paragraph">
+<p>Applications should restrict the types that can be unserialized from JMS
+messages.</p>
+</div>
 </div>
 </div>
 <div class="sect1">
 <h2 id="_why_is_this_an_issue">Why is this an issue?</h2>
 <div class="sectionbody">
 <div class="paragraph">
-<p>ActiveMQ can send/receive JMS Object messages (named ObjectMessage in ActiveMQ context) to comply with JMS specification. Internally, ActiveMQ relies on Java serialization mechanism for marshaling/unmarshalling of the message payload. Deserialization based on data supplied by the user could lead to remote code execution attacks, where the structure of the serialized data is changed to modify the behavior of the object being unserialized.</p>
+<p>When the application does not implement controls over the JMS object types, its
+clients could be able to force the deserialization of arbitrary objects. This
+may lead to deserialization injection attacks.</p>
+</div>
+<div class="sect2">
+<h3 id="_what_is_the_potential_impact">What is the potential impact?</h3>
+<div class="paragraph">
+<p>Attackers will be able to force the deserialization of arbitrary objects. This
+process will trigger the execution of magic unmarshalling methods on the object
+and its properties. With a specially crafted serialized object, the attackers
+can exploit those magic methods to achieve malicious purposes.</p>
+</div>
+<div class="paragraph">
+<p>While the exact impact depends on the types available in the execution context
+at the time of deserialization, such an attack can generally lead to the
+execution of arbitrary code on the application server.</p>
+</div>
+<div class="sect3">
+<h4 id="_application_specific_attacks">Application-specific attacks</h4>
+<div class="paragraph">
+<p>By exploiting the behavior of some of the application-defined types and objects,
+the attacker could manage to affect the application&#8217;s business logic. The exact
+consequences will depend on the application&#8217;s nature:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>Payment bypass in an e-commerce application.</p>
+</li>
+<li>
+<p>Privilege escalation.</p>
+</li>
+<li>
+<p>Unauthorized users' data access.</p>
+</li>
+</ul>
+</div>
+</div>
+<div class="sect3">
+<h4 id="_publicly_known_exploitation">Publicly-known exploitation</h4>
+<div class="paragraph">
+<p>In some cases, depending on the library the application uses and their versions,
+there may exist publicly known deserialization attack payloads known as <strong>gadget
+chains</strong>. In general, they are designed to have severe consequences, such as:</p>
+</div>
+<div class="ulist">
+<ul>
+<li>
+<p>Arbitrary code execution</p>
+</li>
+<li>
+<p>Arbitrary file read or write</p>
+</li>
+<li>
+<p>Server-side request forgery</p>
+</li>
+</ul>
 </div>
 <div class="paragraph">
-<p>To limit the risk to be victim of such attack, ActiveMQ 5.12.2+ enforces developers to explicitly whitelist packages that can be exchanged using ObjectMessages.</p>
+<p>Those attacks are independent of the application&#8217;s own logic and from the types
+it specifies.</p>
+</div>
+</div>
+</div>
+</div>
 </div>
+<div class="sect1">
+<h2 id="_how_to_fix_it_in_java_ee">How to fix it in Java EE</h2>
+<div class="sectionbody">
 <div class="sect2">
-<h3 id="_noncompliant_code_example">Noncompliant code example</h3>
+<h3 id="_code_examples">Code examples</h3>
+<div class="paragraph">
+<p>The following code example is vulnerable to a deserialization injection attack
+because it allows the deserialization of arbitrary types from JMS messages.</p>
+</div>
+<div class="sect3">
+<h4 id="_noncompliant_code_example">Noncompliant code example</h4>
 <div class="listingblock">
 <div class="content">
 <pre class="highlight"><code class="language-java" data-lang="java">ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
-factory.setTrustAllPackages(true); // Noncompliant
-
-ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
-// no call to factory.setTrustedPackages(...);</code></pre>
+factory.setTrustAllPackages(true); // Noncompliant</code></pre>
 </div>
 </div>
 </div>
-<div class="sect2">
-<h3 id="_compliant_solution">Compliant solution</h3>
+<div class="sect3">
+<h4 id="_compliant_solution">Compliant solution</h4>
 <div class="listingblock">
 <div class="content">
 <pre class="highlight"><code class="language-java" data-lang="java">ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory("tcp://localhost:61616");
@@ -35,32 +111,65 @@ <h3 id="_compliant_solution">Compliant solution</h3>
 </div>
 </div>
 </div>
+<div class="sect2">
+<h3 id="_how_does_this_work">How does this work?</h3>
+<div class="paragraph">
+<p>The noncompliant code example calls the <code>setTrustAllPackages</code> method that
+explicitly allows the deserialization of arbitrary types. On the contrary, the
+compliant code example, thanks to the <code>setTrustedPackages</code> method, defines a
+short list of classes allowed for the deserialization.</p>
+</div>
+<div class="paragraph">
+<p>While defining a short list of trusted types is generally the state-of-the-art
+solution to avoid deserialization injection attacks, it is important to ensure
+that the allowed classes and packages can not be used to exploit the issue. In
+that case, a vulnerability would still be present.</p>
+</div>
+<div class="paragraph">
+<p>Note that ActiveMQ, starting with version 5.12.2, forces developers to
+explicitly list packages that JMS messages can contain. This limits the risk of
+successful exploitation. In versions before that one, calling the
+<code>ActiveMQConnectionFactory</code> constructor without further configuration would
+leave the application at risk.</p>
+</div>
+</div>
+</div>
 </div>
 <div class="sect1">
 <h2 id="_resources">Resources</h2>
 <div class="sectionbody">
+<div class="sect2">
+<h3 id="_documentation">Documentation</h3>
 <div class="ulist">
 <ul>
 <li>
-<p><a href="https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/">OWASP Top 10 2021 Category A8</a> - Software and Data Integrity Failures</p>
+<p>Apache ActiveMQ Documentation - <a href="https://activemq.apache.org/objectmessage.html">ObjectMessage</a></p>
 </li>
 <li>
-<p><a href="https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization">OWASP Top 10 2017 Category A8</a> - Insecure Deserialization</p>
+<p>CVE - <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5254">CVE-2015-5254</a></p>
 </li>
+</ul>
+</div>
+</div>
+<div class="sect2">
+<h3 id="_standards">Standards</h3>
+<div class="ulist">
+<ul>
 <li>
-<p><a href="https://cwe.mitre.org/data/definitions/502">MITRE, CWE-502</a> - Deserialization of Untrusted Data</p>
+<p>OWASP - <a href="https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/">Top 10 2021 - Category A8 - Software and Data Integrity Failures</a></p>
 </li>
 <li>
-<p><a href="https://activemq.apache.org/objectmessage.html">ActiveMQ ObjectMessage Security Advisory</a></p>
+<p>OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization">Top 10 2017 - Category A8 - Insecure Deserialization</a></p>
 </li>
 <li>
-<p><a href="https://activemq.apache.org/security-advisories.data/CVE-2015-5254-announcement.txt">CVE-2015-5254</a></p>
+<p>CWE - <a href="https://cwe.mitre.org/data/definitions/502">CWE-502 - Deserialization of Untrusted Data</a></p>
 </li>
 </ul>
 </div>
 <hr>
 </div>
 </div>
+</div>
 <div class="sect1">
 <h2 id="_implementation_specification">Implementation Specification</h2>
 <div class="sectionbody">