Kingdom: API Abuse

An API is a contract between a caller and a callee. The most common forms of API abuse are caused by the caller failing to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller abuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.

93 items found

Weaknesses

Mass Assignment: Request Parameters Bound via Input Formatter

C#/VB.NET/ASP.NET

Abstract

The framework binder used for binding the HTTP request parameters to the model class relies on Input Formatters when the [FromBody] annotation is used.

Explanation

To ease development and increase productivity, most modern frameworks allow an object to be automatically instantiated and populated with the HTTP request parameters whose names match an attribute of the class to be bound. Automatic instantiation and population of objects speeds up development, but can lead to serious problems if implemented without caution. Any attribute in the bound classes, or nested classes, will be automatically bound to the HTTP request parameters. Therefore, malicious users will be able to assign a value to any attribute in bound or nested classes, even if they are not exposed to the client through web forms or API contracts.

In this case, when the [FromBody] annotation is applied to a complex parameter of an action, then any other binding attributes such as [Bind] or [BindNever] applied to the type of the parameter or any of its fields are effectively ignored, which means that mitigation using binding annotations is impossible.

Example 1: In an ASP.NET Core MVC Web Application when the [FromBody] annotation is applied to a parameter of an action, the model binder automatically tries to bind all parameters specified in the body of the request using an Input Formatter. By default, the binder uses the JSON Input Formatter to try and bind all possible parameters that come from the body of the request:


[HttpPost]
public ActionResult Create([FromBody] Product p)
{
    return View(p.Name);
}

Note that any binding annotations such as [Bind] or [BindNever] applied to the Product type that follows are ignored due to Input Formatters being used when the [FromBody] annotation is present.


public class Product
{
    ...
    public string Name { get; set; }
    public bool IsAdmin { get; set; }
    ...
}

References

[1] Microsoft [FromBody] attribute

[2] OWASP Mass assignment

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4

[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4

[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[8] Standards Mapping - CIS Kubernetes Benchmark partial

[9] Standards Mapping - Common Weakness Enumeration CWE ID 915

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754

[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[14] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[19] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures

[20] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)

[22] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[48] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)

desc.structural.dotnet.mass_assignment_request_parameters_bound_via_input_formatters

Missing Check against Null

Abstract

The program might dereference a null-pointer because it does not check the return value of a function that might return null.

Explanation

Just about every serious attack on a software system begins with the violation of a programmer's assumptions. After the attack, the programmer's assumptions seem flimsy and poorly founded, but before an attack many programmers would defend their assumptions well past the end of their lunch break.

Two dubious assumptions that are easy to spot in code are "this function call can never fail" and "it doesn't matter if this function call fails". When a programmer ignores the return value from a function, they implicitly state that they are operating under one of these assumptions.
Example 1: The following code does not check to see if the string returned by the Item property is null before calling the member function Equals(), potentially causing a null dereference.


string itemName = request.Item(ITEM_NAME);
	if (itemName.Equals(IMPORTANT_ITEM)) {
		...
	}
	...

The traditional defense of this coding error is:

"I know the requested value will always exist because.... If it does not exist, the program cannot perform the desired behavior so it doesn't matter whether I handle the error or simply allow the program to die dereferencing a null value."

But attackers are skilled at finding unexpected paths through programs, particularly when exceptions are involved.

desc.controlflow.dotnet.missing_check_against_null

Abstract

The program can dereference a null-pointer because it does not check the return value of a function that might return null.

Explanation

Just about every serious attack on a software system begins with the violation of a programmer's assumptions. After the attack, the programmer's assumptions seem flimsy and poorly founded, but before an attack many programmers would defend their assumptions well past the end of their lunch break.

Two dubious assumptions that are easy to spot in code are "this function call can never fail" and "it doesn't matter if this function call fails". When a programmer ignores the return value from a function, they implicitly state that they are operating under one of these assumptions.
Example 1: The following code does not check to see if memory allocation succeeded before attempting to use the pointer returned by malloc().


    buf = (char*) malloc(req_size);
    strncpy(buf, xfer, req_size);

The traditional defense of this coding error is:

"If my program runs out of memory, it will fail. It doesn't matter whether I handle the error or simply allow the program to die with a segmentation fault when it tries to dereference the null-pointer."

This argument ignores three important considerations:

- Depending upon the type and size of the application, it may be possible to free memory that is being used elsewhere so that execution can continue.

- It is impossible for the program to perform a graceful exit if required. If the program performs an atomic operation, it can leave the system in an inconsistent state.

- The programmer has lost the opportunity to record diagnostic information. Did the call to malloc() fail because req_size was too large or because there were too many requests being handled at the same time? Or was it caused by a memory leak that has built up over time? Without handling the error, there is no way to know.

References

[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley

desc.controlflow.cpp.missing_check_against_null

Abstract

The program can dereference a null-pointer because it does not check the return value of a function that might return null.

Explanation

Just about every serious attack on a software system begins with the violation of a programmer's assumptions. After the attack, the programmer's assumptions seem flimsy and poorly founded, but before an attack many programmers would defend their assumptions well past the end of their lunch break.

Two dubious assumptions that are easy to spot in code are "this function call can never fail" and "it doesn't matter if this function call fails". When a programmer ignores the return value from a function, they implicitly state that they are operating under one of these assumptions.

Example 1: The following code does not check to see if the string returned by getParameter() is null before calling the member function compareTo(), potentially causing a null dereference.


String itemName = request.getParameter(ITEM_NAME);
	if (itemName.compareTo(IMPORTANT_ITEM)) {
		...
	}
	...

Example 2:. The following code shows a system property that is set to null and later dereferenced by a programmer who mistakenly assumes it will always be defined.


System.clearProperty("os.name");
...
String os = System.getProperty("os.name");
if (os.equalsIgnoreCase("Windows 95") )
	System.out.println("Not supported");

desc.controlflow.java.missing_check_against_null

Missing Check for Null Parameter

Java/JSP

Abstract

This function violates the contract that it must compare its parameter with null.

Explanation

The Java standard requires that implementations of Object.equals(), Comparable.compareTo(), and Comparator.compare() must return a specified value if their parameters are null. Failing to follow this contract may result in unexpected behavior.

Example 1: The following implementation of the equals() method does not compare its parameter with null.


public boolean equals(Object object)
{
   return (toString().equals(object.toString()));
}

References

[1] MET10-J. Follow the general contract when implementing the compareTo() method CERT

[2] MET08-J. Preserve the equality contract when overriding the equals() method CERT

desc.controlflow.java.missing_check_for_null_parameter

Object Model Violation: Erroneous clone() Method

Java/JSP

Abstract

A clone() method should call super.clone() to obtain the new object.

Explanation

All implementations of clone() should obtain the new object by calling super.clone(). If a class fails to follow this convention, a subclass's clone() method will return an object of the wrong type.

Example 1: The following two classes demonstrate a bug introduced by failing to call super.clone(). Because of the way Kibitzer implements clone(), FancyKibitzer's clone method will return an object of type Kibitzer instead of FancyKibitzer.


public class Kibitzer implements Cloneable {
  public Object clone() throws CloneNotSupportedException {
    Object returnMe = new Kibitzer();
    ...
  }
}

public class FancyKibitzer extends Kibitzer
                           implements Cloneable {
  public Object clone() throws CloneNotSupportedException {
    Object returnMe = super.clone();
    ...
  }
}

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[5] Standards Mapping - Common Weakness Enumeration CWE ID 580

desc.structural.java.object_model_violation_erroneous_clone_method

Object Model Violation: Just One of Equals() and GetHashCode() Defined

C#/VB.NET/ASP.NET

Abstract

This class overrides only one of Equals() and GetHashCode().

Explanation

.NET objects are expected to obey a number of invariants related to equality. One of these invariants is that equal objects must have equal hashcodes. In other words, if a.Equals(b) == true then a.GetHashCode() == b.GetHashCode().

Failure to uphold this invariant is likely to cause trouble if objects of this class are stored in a collection. If the objects of the class in question are used as a key in a Hashtable or if they are inserted into a Dictionary, it is critical that equal objects have equal hashcodes.

Example 1: The following class overrides Equals() but not GetHashCode().


public class Halfway() {
  public override boolean Equals(object obj) {
    ...
  }
}

References

[1] MSDN Library: Equals Method (Object) Microsoft Corporation

[2] MSDN Library: GetHashCode Method (Object) Microsoft Corporation

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[7] Standards Mapping - Common Weakness Enumeration CWE ID 581

desc.structural.dotnet.object_model_violation.just_one_of_equals_hashcode_defined

Object Model Violation: Just one of equals() and hashCode() Defined

Java/JSP

Abstract

This class overrides only one of equals() and hashCode().

Explanation

Java objects are expected to obey a number of invariants related to equality. One of these invariants is that equal objects must have equal hashcodes. In other words, if a.equals(b) == true then a.hashCode() == b.hashCode().

Failure to uphold this invariant is likely to cause trouble if objects of this class are stored in a collection. If the objects of the class in question are used as a key in a Hashtable or if they are inserted into a Map or Set, it is critical that equal objects have equal hashcodes.

Example 1: The following class overrides equals() but not hashCode().


public class halfway() {
  public boolean equals(Object obj) {
    ...
  }
}

References

[1] D. H. Hovermeyer FindBugs User Manual

[2] MET09-J. Classes that define an equals() method must also define a hashCode() method CERT

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[7] Standards Mapping - Common Weakness Enumeration CWE ID 581

desc.structural.java.object_model_violation_just_one_of_equals_hashcode_defined

Object Model Violation: Just one of restoreState() and saveState() Defined

Java/JSP

Abstract

This class overrides only one of saveState() and restoreState().

Explanation

Any class that inherits the StateHolder interface must implement both saveState(javax.faces.context.FacesContext) and restoreState(javax.faces.context.FacesContext, java.lang.Object) or implement neither of them. Because these two methods have a tightly coupled relationship, it is not permissible to have the saveState(javax.faces.context.FacesContext) and restoreState(javax.faces.context.FacesContext, java.lang.Object) methods reside at different levels of the inheritance hierarchy.

Example 1: The following class defines saveState() and not restoreState(), so it is always in error no matter what any class that extends
it might do.


public class KibitzState implements StateHolder {
  public Object saveState(FacesContext fc) {
    ...
  }
}

References

[1] Sun Microsystems JavaDoc for StateHolder Interface

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - Common Weakness Enumeration CWE ID 398

desc.structural.java.object_model_violation_just_one_of_restoreState_saveState_defined