Commit f8ea0a8

Create maven-hijack.html
1 parent 52482bf commit f8ea0a8

1 file changed

+228
-0
lines changed


maven-hijack.html

Lines changed: 228 additions & 0 deletions
@@ -0,0 +1,228 @@
1+
<!DOCTYPE html>
2+
<html lang="en">
3+
<head>
4+
<meta charset="UTF-8">
5+
<meta name="viewport" content="width=device-width, initial-scale=1.0">
6+
<title>Maven-Hijack: Supply Chain Attack</title>
7+
<script src="https://cdn.tailwindcss.com"></script>
8+
<link href="https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600;700&display=swap" rel="stylesheet">
9+
<style>
10+
body {
11+
font-family: 'Inter', sans-serif;
12+
}
13+
.gradient-bg {
14+
background: linear-gradient(135deg, #1e40af 0%, #3730a3 100%);
15+
}
16+
.card-hover {
17+
transition: all 0.3s ease;
18+
}
19+
.card-hover:hover {
20+
transform: translateY(-5px);
21+
box-shadow: 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 10px 10px -5px rgba(0, 0, 0, 0.04);
22+
}
23+
.step-number {
24+
background: linear-gradient(135deg, #6366f1, #8b5cf6);
25+
color: white;
26+
width: 40px;
27+
height: 40px;
28+
display: flex;
29+
align-items: center;
30+
justify-content: center;
31+
border-radius: 50%;
32+
font-weight: 700;
33+
}
34+
</style>
35+
</head>
36+
<body class="bg-gray-50">
37+
<!-- Header -->
38+
<header class="gradient-bg text-white py-16">
39+
<div class="container mx-auto px-6">
40+
<div class="max-w-4xl mx-auto text-center">
41+
<h1 class="text-5xl font-bold mb-6">Maven-Hijack</h1>
42+
<p class="text-xl mb-8 opacity-90">A Novel Software Supply Chain Attack Exploiting Java Packaging Order</p>
43+
<div class="flex justify-center space-x-4">
44+
<a href="#overview" class="bg-white text-indigo-600 px-6 py-3 rounded-lg font-semibold hover:bg-gray-100 transition">Learn More</a>
45+
<a href="#mitigations" class="border border-white text-white px-6 py-3 rounded-lg font-semibold hover:bg-white hover:text-indigo-600 transition">Mitigations</a>
46+
</div>
47+
</div>
48+
</div>
49+
</header>
50+
51+
<!-- Overview Section -->
52+
<section id="overview" class="py-20">
53+
<div class="container mx-auto px-6">
54+
<div class="max-w-4xl mx-auto">
55+
<h2 class="text-3xl font-bold text-center mb-12">Attack Overview</h2>
56+
<div class="bg-white rounded-xl shadow-lg p-8 mb-12">
57+
<p class="text-lg mb-6">Maven-Hijack is a sophisticated software supply chain attack that exploits the order in which Maven packages dependencies and how the Java Virtual Machine resolves classes at runtime. By injecting a malicious class with the same fully qualified name as a legitimate one into a dependency that is packaged earlier, an attacker can silently override core application behavior without modifying the main codebase or library names.</p>
58+
<div class="grid md:grid-cols-2 gap-8 mt-8">
59+
<div class="bg-red-50 border-l-4 border-red-500 p-6 rounded-r-lg">
60+
<h3 class="font-bold text-red-800 mb-2">Attack Vector</h3>
61+
<p class="text-red-700">Exploits Maven's depth-first search packaging order and Java's classpath resolution mechanism.</p>
62+
</div>
63+
<div class="bg-blue-50 border-l-4 border-blue-500 p-6 rounded-r-lg">
64+
<h3 class="font-bold text-blue-800 mb-2">Real-World Impact</h3>
65+
<p class="text-blue-700">Successfully demonstrated on the Corona-Warn-App, gaining control over database connection logic.</p>
66+
</div>
67+
</div>
68+
</div>
69+
70+
<!-- Attack Steps -->
71+
<h3 class="text-2xl font-bold mb-8 text-center">How the Attack Works</h3>
72+
<div class="space-y-8">
73+
<div class="flex items-start space-x-6">
74+
<div class="step-number">1</div>
75+
<div>
76+
<h4 class="text-xl font-semibold mb-2">Attack Preparation</h4>
77+
<p>Identify a target application with two key dependencies: a 'gadget' dependency (containing the class to be hijacked) and an 'infection' dependency (which can be compromised).</p>
78+
</div>
79+
</div>
80+
<div class="flex items-start space-x-6">
81+
<div class="step-number">2</div>
82+
<div>
83+
<h4 class="text-xl font-semibold mb-2">Order Tampering</h4>
84+
<p>Inject a malicious class with the same fully qualified name as the legitimate class into the infection dependency. This dependency must appear earlier in Maven's packaging order.</p>
85+
</div>
86+
</div>
87+
<div class="flex items-start space-x-6">
88+
<div class="step-number">3</div>
89+
<div>
90+
<h4 class="text-xl font-semibold mb-2">Hijacking Execution</h4>
91+
<p>At runtime, the Java class loader loads the first matching class it finds in the classpath. The malicious class from the infection dependency is loaded instead of the legitimate one from the gadget dependency.</p>
92+
</div>
93+
</div>
94+
</div>
95+
</div>
96+
</div>
97+
</section>
98+
99+
<!-- Proof of Concept Section -->
100+
<section class="py-20 bg-gray-100">
101+
<div class="container mx-auto px-6">
102+
<div class="max-w-4xl mx-auto">
103+
<h2 class="text-3xl font-bold text-center mb-12">Proof of Concept</h2>
104+
<div class="bg-white rounded-xl shadow-lg p-8">
105+
<div class="flex flex-col md:flex-row items-center gap-8">
106+
<div class="md:w-1/2">
107+
<img src="https://placehold.co/600x400/1e40af/white?text=Corona-Warn-App+Logo" alt="Corona-Warn-App" class="rounded-lg shadow-md">
108+
</div>
109+
<div class="md:w-1/2">
110+
<h3 class="text-2xl font-bold mb-4">Corona-Warn-App Compromise</h3>
111+
<p class="mb-4">The attack was successfully demonstrated on Germany's coronavirus tracking application, which uses Spring Boot for its backend services.</p>
112+
<ul class="space-y-2 mb-6">
113+
<li class="flex items-start">
114+
<span class="text-green-500 mr-2"></span>
115+
<span><strong>Infection Dependency:</strong> everit-json-schema</span>
116+
</li>
117+
<li class="flex items-start">
118+
<span class="text-green-500 mr-2"></span>
119+
<span><strong>Gadget Dependency:</strong> PostgreSQL JDBC driver (org.postgresql:postgresql)</span>
120+
</li>
121+
<li class="flex items-start">
122+
<span class="text-green-500 mr-2"></span>
123+
<span><strong>Outcome:</strong> Gained control over database connection logic</span>
124+
</li>
125+
</ul>
126+
<a href="https://github.com/chains-project/maven-class-hijack-poc/" target="_blank" class="inline-block bg-indigo-600 text-white px-6 py-3 rounded-lg font-semibold hover:bg-indigo-700 transition">View PoC on GitHub</a>
127+
</div>
128+
</div>
129+
</div>
130+
</div>
131+
</div>
132+
</section>
133+
134+
<!-- Mitigations Section -->
135+
<section id="mitigations" class="py-20">
136+
<div class="container mx-auto px-6">
137+
<div class="max-w-4xl mx-auto">
138+
<h2 class="text-3xl font-bold text-center mb-12">Mitigation Strategies</h2>
139+
<div class="grid md:grid-cols-3 gap-8">
140+
<!-- Sealed JARs -->
141+
<div class="bg-white rounded-xl shadow-lg p-6 card-hover">
142+
<div class="w-12 h-12 bg-yellow-100 rounded-lg flex items-center justify-center mb-4">
143+
<svg xmlns="http://www.w3.org/2000/svg" class="h-6 w-6 text-yellow-600" fill="none" viewBox="0 0 24 24" stroke="currentColor">
144+
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z" />
145+
</svg>
146+
</div>
147+
<h3 class="text-xl font-bold mb-3">Sealed JARs</h3>
148+
<p class="mb-4">Enforces that all classes belonging to a specific Java package must be loaded from the same archive.</p>
149+
<div class="bg-yellow-50 p-3 rounded-lg mb-4">
150+
<p class="text-sm text-yellow-800"><strong>Limitation:</strong> Can be bypassed if attacker includes a fully self-contained copy of the original package.</p>
151+
</div>
152+
<span class="inline-block bg-yellow-100 text-yellow-800 text-xs px-2 py-1 rounded">Runtime Protection</span>
153+
</div>
154+
155+
<!-- Java Modules -->
156+
<div class="bg-white rounded-xl shadow-lg p-6 card-hover">
157+
<div class="w-12 h-12 bg-green-100 rounded-lg flex items-center justify-center mb-4">
158+
<svg xmlns="http://www.w3.org/2000/svg" class="h-6 w-6 text-green-600" fill="none" viewBox="0 0 24 24" stroke="currentColor">
159+
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z" />
160+
</svg>
161+
</div>
162+
<h3 class="text-xl font-bold mb-3">Java Modules</h3>
163+
<p class="mb-4">Java 9+ module system detects package collisions and fails the build process with a compilation error.</p>
164+
<div class="bg-green-50 p-3 rounded-lg mb-4">
165+
<p class="text-sm text-green-800"><strong>Limitation:</strong> Low adoption rate (only ~1.7% of Maven Central artifacts use modules).</p>
166+
</div>
167+
<span class="inline-block bg-green-100 text-green-800 text-xs px-2 py-1 rounded">Build-time Protection</span>
168+
</div>
169+
170+
<!-- Maven Enforcer Plugin -->
171+
<div class="bg-white rounded-xl shadow-lg p-6 card-hover border-2 border-indigo-500">
172+
<div class="w-12 h-12 bg-indigo-100 rounded-lg flex items-center justify-center mb-4">
173+
<svg xmlns="http://www.w3.org/2000/svg" class="h-6 w-6 text-indigo-600" fill="none" viewBox="0 0 24 24" stroke="currentColor">
174+
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
175+
</svg>
176+
</div>
177+
<h3 class="text-xl font-bold mb-3">Maven Enforcer Plugin</h3>
178+
<p class="mb-4">When configured with <code>banDuplicateClasses</code>, it stops the build if duplicate classes are found.</p>
179+
<div class="bg-indigo-50 p-3 rounded-lg mb-4">
180+
<p class="text-sm text-indigo-800"><strong>Recommendation:</strong> Most practical and effective defense for current Java projects.</p>
181+
</div>
182+
<span class="inline-block bg-indigo-100 text-indigo-800 text-xs px-2 py-1 rounded">Build-time Protection</span>
183+
</div>
184+
</div>
185+
</div>
186+
</div>
187+
</section>
188+
189+
<!-- Gradle Comparison Section -->
190+
<section class="py-20 bg-gray-100">
191+
<div class="container mx-auto px-6">
192+
<div class="max-w-4xl mx-auto">
193+
<h2 class="text-3xl font-bold text-center mb-12">Impact on Gradle</h2>
194+
<div class="bg-white rounded-xl shadow-lg p-8">
195+
<p class="text-lg mb-6">While Maven-Hijack is primarily designed for Maven, similar attacks are possible on Gradle, though significantly more challenging:</p>
196+
<div class="grid md:grid-cols-2 gap-8">
197+
<div class="bg-blue-50 p-6 rounded-lg">
198+
<h4 class="font-bold text-blue-800 mb-3">Gradle Differences</h4>
199+
<ul class="space-y-2 text-blue-700">
200+
<li>• Uses breadth-first search for classpath generation</li>
201+
<li>• Direct dependencies are included first</li>
202+
<li>• Custom repositories for transitive dependencies are ignored</li>
203+
</ul>
204+
</div>
205+
<div class="bg-purple-50 p-6 rounded-lg">
206+
<h4 class="font-bold text-purple-800 mb-3">Attack Feasibility</h4>
207+
<p class="text-purple-700">The attack is still feasible but requires the infection dependency to be at the same level as the gadget dependency and appear before it in the classpath.</p>
208+
</div>
209+
</div>
210+
</div>
211+
</div>
212+
</div>
213+
</section>
214+
215+
<!-- Footer -->
216+
<footer class="gradient-bg text-white py-12">
217+
<div class="container mx-auto px-6 text-center">
218+
<p class="mb-4">Research by Frank Reyes, Federico Bono, Aman Sharma, Benoit Baudry, and Martin Monperrus</p>
219+
<p class="text-sm opacity-75">KTH Royal Institute of Technology & Université de Montréal</p>
220+
<div class="mt-6">
221+
<a href="#" class="text-white hover:opacity-80 mx-2">Paper</a>
222+
<a href="https://github.com/chains-project/maven-class-hijack-poc/" class="text-white hover:opacity-80 mx-2">GitHub</a>
223+
<a href="#" class="text-white hover:opacity-80 mx-2">Contact</a>
224+
</div>
225+
</div>
226+
</footer>
227+
</body>
228+
</html>
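Review bot: the footer "Paper" and "Contact" links at lines 221 and 223 of the new file (`<a href="#" class="text-white hover:opacity-80 mx-2">Paper</a>`) point to `#`, so a page whose subject is a research result gives readers no way to reach the paper; link the publication or drop the anchors until a URL exists, and treat the logo at line 107 the same way, since it is a `placehold.co` image fetched at view time rather than an asset shipped with the page. The list-marker spans at lines 114, 118 and 122 are empty (`<span class="text-green-500 mr-2"></span>`), so the three PoC bullets render with no marker; put the intended glyph in them or remove the spans. The external link at line 126 uses `target="_blank"` without `rel="noopener noreferrer"`; add it. The Maven Enforcer card at line 178 names `banDuplicateClasses` but shows no configuration, and since the page recommends this as the most practical defense it should at least link to the rule's documentation so readers can apply it. Finally, for a page about supply-chain integrity, loading `https://cdn.tailwindcss.com` as a script at line 7 with no version pin or integrity attribute deserves a second look; a pinned, self-hosted build would remove that runtime dependency.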
