Kingdom: Code Quality

Poor code quality leads to unpredictable behavior. From a user's perspective, that often manifests itself as poor usability. For an attacker, it provides an opportunity to stress the system in unexpected ways.

Dead Code: Unused Parameter

Abstract
Use of parameters that trigger unexposed, privileged functionality can allow an attacker to gain unauthorized access to application resources.
Explanation
Unused parameters are request parameters that the application code reads and acts on but that are not exposed to users through any documented interface (form fields, links, or the public API). Such parameters are typically used to aid debugging, to enable privileged functionality known only to the programmers or administrators of the web site, or to act as a backdoor. If an attacker discovers them, they can lead to unauthorized access to privileged functionality or be used to inject arbitrary code into the application. Programmers sometimes leave behind functionality in production code that was only meant for debugging and incorrectly assume they can hide privileged functionality by not exposing it through publicly accessible interfaces.

The presence of unused parameters can expose an application to the following risks:
- It can indicate dead code in an application that is not exposed to legitimate application users. A malicious user can still reach functionality in dead code by brute-forcing parameter name/value pairs (e.g. debug=true). If that code accesses sensitive resources such as databases or file I/O, it can threaten the overall security of the application.
- It can indicate a backdoor planted in the application by a developer with malicious intent, which can later be used to gain unlawful access to application data or to perform serious attacks against the application.
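The following is an added example, not code from the original page or from any product it describes. It shows a minimal request handler with a leftover debug parameter of the kind described above, a hardened counterpart that both removes the dead branch and rejects parameters the interface does not define, and a small dynamic probe that discovers hidden parameters by re-sending a baseline request with candidate name/value pairs and reporting those that change the response. All names (vulnerable_handler, hardened_handler, probe_hidden_parameters), the account data and the candidate wordlist are constructed for illustration.

```python
"""Hidden-parameter demonstration (added example; all names are assumptions)."""
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]
Handler = Callable[[Dict[str, str]], Response]

# Constructed stand-in for a sensitive resource such as a database table.
ACCOUNTS = {"alice": {"balance": 120}, "bob": {"balance": 3400}}


def vulnerable_handler(params: Dict[str, str]) -> Response:
    """The public interface documents only `user`. The `debug` branch was left
    in from development and dumps every account when debug=true is supplied."""
    user = params.get("user", "")
    if params.get("debug") == "true":  # dead code from the user's point of view
        return 200, repr(ACCOUNTS)
    if user in ACCOUNTS:
        return 200, f"balance={ACCOUNTS[user]['balance']}"
    return 404, "no such user"


# Parameters the interface actually defines (hypothetical).
ALLOWED_PARAMS = {"user"}


def hardened_handler(params: Dict[str, str]) -> Response:
    """The debug branch is deleted outright; as defense in depth, any parameter
    not in ALLOWED_PARAMS is rejected so a future leftover cannot be reached."""
    unexpected = set(params) - ALLOWED_PARAMS
    if unexpected:
        return 400, "unexpected parameter(s): " + ",".join(sorted(unexpected))
    user = params.get("user", "")
    if user in ACCOUNTS:
        return 200, f"balance={ACCOUNTS[user]['balance']}"
    return 404, "no such user"


# Constructed wordlist of names commonly left behind in production code.
CANDIDATE_PARAMS = ["debug", "test", "admin", "trace", "verbose", "internal"]
CANDIDATE_VALUES = ["true", "1", "on"]


def probe_hidden_parameters(
    handler: Handler,
    base_params: Dict[str, str],
    names: List[str] = CANDIDATE_PARAMS,
    values: List[str] = CANDIDATE_VALUES,
) -> List[Tuple[str, str]]:
    """Dynamic check: record the baseline response, then re-send the request
    with each candidate name/value pair. A pair is reported only if the
    response differs from the baseline AND the request was not rejected
    (status < 400); a 4xx tells us the parameter was noticed, not that it
    unlocked anything."""
    baseline = handler(dict(base_params))
    findings: List[Tuple[str, str]] = []
    for name in names:
        if name in base_params:
            continue  # do not overwrite parameters the caller already sends
        for value in values:
            trial = dict(base_params)
            trial[name] = value
            status, body = handler(trial)
            if (status, body) != baseline and status < 400:
                findings.append((name, value))
    return findings


if __name__ == "__main__":
    print("vulnerable:", probe_hidden_parameters(vulnerable_handler, {"user": "alice"}))
    print("hardened:  ", probe_hidden_parameters(hardened_handler, {"user": "alice"}))
```

Against a real application the same probe is driven over HTTP with a larger wordlist; the important design choice is the comparison rule, since a whitelist that returns 400 for every unknown parameter would otherwise flood the report with false positives while the one parameter that silently changes behaviour is what matters.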
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 235
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality
[5] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.1 Input Validation Requirements (L1 L2 L3), 8.1.3 General Data Protection (L2 L3)
[6] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[7] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3050 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3050 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3050 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3050 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3050 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3050 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3050 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II