Reino: API Abuse

Un API es un contrato entre un autor de llamada y un receptor de llamada. Las formas de abuso de API más comunes los produce el autor de llamada cuando no consigue atender su fin de este contrato. Por ejemplo, si un programa no consigue llamar chdir() después de llamar chroot(), se viola el contrato que especifica cómo cambiar el directorio de origen activo de una forma segura. Otro buen ejemplo de un abuso de manual es esperar que el receptor devuelva una información de DNS de confianza al autor de llamada. En este caso, el autor de llamada abusa el API del receptor haciendo determinadas suposiciones sobre su comportamiento (que el valor de retorno se puede usar con fines de autenticación). También se puede violar el contrato entre el autor de llamada y el receptor desde el otro lado. Por ejemplo, si un codificador envía SecureRandom y devuelve un valor no aleatorio, se viola el contrato.

ASP.NET Middleware Out of Order: Insufficient Logging

C#/VB.NET/ASP.NET

Abstract

La aplicación especifica incorrectamente el middleware de registro de ASP.NET Core.

Explanation

El middleware ASP.NET Core que no se agrega a la canalización de middleware en el orden correcto no funcionará según lo previsto, dejando la aplicación expuesta a una variedad de problemas de seguridad.

Ejemplo 1: El método UseHttpLogging() agrega middleware de registro HTTP a la canalización de middleware que permite que los componentes de middleware se registren. Cuando se especifica en el orden incorrecto, como se muestra, no se agrega ningún middleware a la canalización antes de que se registre la llamada a UseHttpLogging().


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseHttpLogging();
...

Ejemplo 2: El método UseWC3Logging() agrega el middleware de registro W3C a la canalización de middleware que permite que los componentes de middleware se registren. Cuando se especifica en el orden incorrecto, como se muestra, no se agrega ningún middleware a la canalización antes de que se registre la llamada a UseWC3Logging().


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseWC3Logging();
...

References

[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 778

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172

[8] Standards Mapping - FIPS200 CM

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation

[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[15] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[17] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-000830 CAT II

[50] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_insufficient_logging