Kingdom: API Abuse

An API is a contract between a caller and a callee. The most common forms of API abuse are caused by the caller failing to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller abuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.

Struts 2 Bad Practices: Session Map Tampering

Java/JSP

Abstract

A Struts 2.x Action implements a class which allows an attacker to modify the application business logic by binding arbitrary data into the session, application or request server side objects

Explanation

Apache Struts 2.x included the new Aware interfaces to allow developers to easily inject maps with relevant runtime information into their Actions code. These interfaces include: org.apache.struts2.interceptor.ApplicationtAware, org.apache.struts2.interceptor.SessionAware and org.apache.struts2.interceptor.RequestAware. In order to get any of these data maps injected into their Actions code, developers need to implement the setter specified in the interface (eg: setSession for SessionAware Interface):


public class VulnerableAction extends ActionSupport implements SessionAware {

  protected Map<String, Object> session;

  @Override
  public void setSession(Map<String, Object> session) {
    this.session = session;
  }

On the other hand, Struts 2.x automatically binds the request data coming from the user to the Action's properties through public accessors defined in the Action. As the Aware interfaces require the implementation of the public setter defined in the Aware interface, this setter will also be automatically bound to any request parameter that matches the Aware interface setter name which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware interfaces.

The following URL will let an attacker overwrite the "roles" attribute in the session map. This can potentially allow the attacker to become an administrator.


http://server/VulnerableAction?session.roles=admin

While these interfaces only require the implementation of the setter accessors, if the corresponding getter is also implemented, the changes to these map collections will be session-scoped persisted, rather than just affect the current request scope.

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 20

[2] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020

[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020

[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020

[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020

[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754

[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation

[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)

[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[13] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[18] Standards Mapping - OWASP Top 10 2021 A03 Injection

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[46] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)

desc.structural.java.struts2_bad_practices_session_map_tampering