Spring4shell with Basic Auth

Spring4shell exploits a critical vulnerability in Spring Framework's parameter binding when combined with Basic Auth authentication flows. The vulnerability allows unauthenticated remote code execution through malicious Content-Type headers, but when Basic Auth is in use, the attack surface expands significantly.

In Basic Auth scenarios, attackers can craft requests that bypass authentication checks by exploiting the way Spring processes authentication headers. A typical attack pattern involves sending a POST request with:

POST /api/resource HTTP/1.1
Host: example.com
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Content-Type: application/xml
Content-Length: 123

The malicious payload leverages Spring's SpEL (Spring Expression Language) evaluation in deserialization contexts. When Basic Auth is configured, Spring's authentication filter processes the Authorization header before the main controller, but the deserialization vulnerability allows bypassing this security layer.

Common attack vectors in Basic Auth contexts include:

• XML External Entity (XXE) injection through Basic Auth-protected endpoints
• JNDI injection via malicious Content-Type headers
• Deserialization of untrusted data in POST/PUT requests
• SpEL expression injection in query parameters

The combination of Basic Auth and Spring4shell creates a particularly dangerous scenario because authentication headers are processed separately from request body validation, creating a window where malicious payloads can execute before authentication is fully established.

Detecting Spring4shell in Basic Auth-protected APIs requires specialized scanning that understands both the authentication mechanism and the underlying vulnerability patterns. Traditional security scanners often miss these combinations because they don't properly handle Basic Auth authentication flows.

middleBrick's black-box scanning approach excels at detecting Spring4shell in Basic Auth contexts. The scanner automatically detects Basic Auth endpoints and crafts specialized payloads that test for:

• Deserialization vulnerabilities in request bodies
• SpEL expression evaluation in parameter binding
• XML/JSON parsing vulnerabilities
• JNDI injection points

During scanning, middleBrick sends requests with carefully crafted Basic Auth headers combined with malicious Content-Type values. The scanner monitors for telltale signs like:

HTTP/1.1 500 Internal Server Error
Content-Type: text/plain;charset=UTF-8
Content-Length: 1234

Or more subtle indicators such as:

HTTP/1.1 200 OK
X-Application-Context: application:8080
Server: Apache Tomcat/9.0.50

The scanner also tests for timing differences that indicate successful exploitation attempts. A properly configured Basic Auth endpoint should reject all malicious requests immediately, but vulnerable implementations may show delayed responses or error messages that reveal internal system information.

middleBrick's LLM security module adds another layer of detection by scanning for AI/ML endpoints that might be exposed through Basic Auth-protected APIs, ensuring comprehensive coverage of modern attack surfaces.

Remediating Spring4shell in Basic Auth-protected APIs requires a multi-layered approach that addresses both the authentication mechanism and the underlying vulnerability. The first step is upgrading Spring Framework to a patched version (5.3.18+ or 5.2.20+).

For Basic Auth specifically, implement these security measures:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                .contentSecurityPolicy("default-src 'self'")
                .and()
                .contentTypeOptions()
                .and()
                .xssProtection()
                .and()
                .httpStrictTransportSecurity()
                .and()
                .frameOptions()
                .and()
                .addHeaderWriter(new StaticHeadersWriter(
                    HttpHeaders.X_CONTENT_TYPE_OPTIONS, "nosniff"))
            .and()
            .httpBasic()
            .and()
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/api/**").authenticated();
    }
}

Key remediation steps include:

• Disable XML processing entirely if not needed: spring.mvc.contentnegotiation.favor-parameter=false
• Enable strict Content-Type checking: spring.mvc.contentnegotiation.favor-path-extension=false
• Configure class filters to prevent dangerous deserialization: serialFilter=org.springframework.web.util.pattern.PathPatternParser$PathPattern

For Basic Auth specifically, implement request validation before authentication processing:

@Component
public class BasicAuthPreFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
        // Validate Content-Type before authentication
        String contentType = request.getContentType();
        if (contentType != null && contentType.toLowerCase().contains("xml")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "XML content not allowed");
            return;
        }
        filterChain.doFilter(request, response);
    }
}

Add this filter before the Basic Auth filter in your security chain to prevent malicious content types from being processed.