When validating user input from forms and exposed services, we often ignore the URL or think to ourselves, "that information is validated later, it'll be fine." But when hacks like the following start turning up in common web frameworks, it is time to start thinking seriously about URL validation. Fortunately, it is easy to accomplish using a number of methods, but first let's look at how these attacks work.
If you look at the attacks cited as examples in the Aspect Security report, you’ll see that both use the URL as the attack vector (the point of access), and both end in a call to Runtime.getRuntime().exec("system command"), which runs any native system command available to the account under which the Java Virtual Machine (JVM) is running. Once an attacker is running code on the host system, as the article explains, the real threat is losing control of the server entirely. The first example is Struts 2, still a popular framework in many places.
The next example, surprisingly enough, is applications that use the Spring Expression Language (EL). I wouldn’t be too shocked if this problem actually extends to most EL implementations created around the same era. After a bit of digging, I found that JBoss Seam suffered from a similar vulnerability and has subsequently been updated to close the gap; I’m sure Spring has done the same, but there are still vulnerable versions of these frameworks running on live servers across the world.
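To make the mechanism concrete, here is an added example (not code from the report, from Spring, or from the original post) showing the two halves of the problem in Spring EL: a string lifted straight out of a URL parameter and handed to the expression parser with a full-power evaluation context, beside a restricted context and an allow-list check on the parameter before any parser sees it. The Customer bean, the parameter names and the sample inputs are constructed for the demonstration; the "hostile" expression deliberately reads a harmless system property rather than calling Runtime.exec, but it reaches the same T(...) type-reference path the page describes.

```java
import java.util.regex.Pattern;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class UrlExpressionDemo {

    // Hypothetical bean that request parameters get bound onto (an assumption for this example).
    public static class Customer {
        private String name = "anonymous";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /**
     * UNSAFE: evaluates a string taken straight from the URL with full SpEL power.
     * StandardEvaluationContext permits T(...) type references, static method calls,
     * constructors and bean references, so T(java.lang.Runtime).getRuntime().exec(...)
     * is reachable from here. This is the class of bug the page describes.
     */
    public static Object evaluateUnsafe(String untrustedExpression) {
        Expression exp = PARSER.parseExpression(untrustedExpression);
        return exp.getValue(new StandardEvaluationContext(new Customer()));
    }

    /**
     * Restricted: SimpleEvaluationContext.forReadOnlyDataBinding() disables type
     * references, bean references, constructors and assignment. An input such as
     * T(java.lang.System) throws SpelEvaluationException instead of executing.
     */
    public static Object evaluateRestricted(String untrustedExpression) {
        Expression exp = PARSER.parseExpression(untrustedExpression);
        return exp.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(),
                            new Customer());
    }

    // Allow-list for a URL parameter name or property path: letters, digits, '_' and '.'
    // only, so expression syntax ('(', '#', '{', quotes, etc.) never reaches a parser.
    private static final Pattern SAFE_PARAM = Pattern.compile("^[A-Za-z][A-Za-z0-9_.]{0,63}$");

    public static boolean isSafeParameter(String value) {
        return value != null && SAFE_PARAM.matcher(value).matches();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a normal property path and an injection attempt.
        String benign  = "name";
        String hostile = "T(java.lang.System).getProperty('java.version')";

        // The allow-list accepts the property path and rejects the expression outright,
        // so in a real filter the hostile request would be refused before evaluation.
        System.out.println("benign allowed:  " + isSafeParameter(benign));
        System.out.println("hostile allowed: " + isSafeParameter(hostile));

        // With the full context the hostile string runs as code (here a harmless property read).
        System.out.println("unsafe, benign:  " + evaluateUnsafe(benign));
        System.out.println("unsafe, hostile: " + evaluateUnsafe(hostile));

        // With the restricted context the same string is refused by the evaluator.
        try {
            System.out.println(evaluateRestricted(hostile));
        } catch (SpelEvaluationException e) {
            System.out.println("restricted, hostile: blocked (" + e.getMessageCode() + ")");
        }
    }
}
```

The two defences are independent and worth layering: the allow-list runs in a servlet filter before the framework parses the request, and the restricted evaluation context limits the damage if an expression string slips through anyway. Where the injection lands (parameter name versus parameter value) differs between frameworks, so apply the allow-list to both.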
How can we protect ourselves from unknown vulnerabilities in the web frameworks we use?