Kingdom: Input Validation and Representation

Input validation and representation problems ares caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.

Denial of Service: Routing

C#/VB.NET/ASP.NET

Abstract

An attacker could manipulate wildcard routing patterns, effectively encompassing a wide spectrum of URLs or even achieving matches for all URLs, which could potentially result in the initiation of a Denial of Service (DoS) attack.

Explanation

The vulnerability emerges from the integration of wildcard routing patterns via the routes.Ignore method in ASP.NET applications. This method allows external input to define routing behaviors. Specifically, the use of wildcards, such as {*allaspx}, provides attackers with a foothold to manipulate routing actions. The core issue arises when the input controlling these wildcard patterns is not meticulously validated or sanitized.
Malicious actors can leverage this vulnerability to orchestrate a DoS attack. By supplying input that incorporates overly permissive wildcard patterns, an attacker can effectively prompt the routing system to ignore significant categories of URL requests. In the worst-case scenario, the attacker might provide input that encompasses all URLs, resulting in a widespread denial of service where the application becomes inaccessible.

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 730

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386

[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)

[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation

[5] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[6] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[7] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-003320 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-003320 CAT II

[40] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[41] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.dataflow.dotnet.denial_of_service_routing