Kingdom: Security Features

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

WCF Misconfiguration: Weak Class Reference

Abstract
The program uses a weak class reference, which might allow an attacker to execute unauthorized code.
Explanation
The program references a user-defined class that is not uniquely identified. When .NET loads this weakly identified class, the CLR type loader searches for the class in the following locations in the specified order:

- If the assembly of the type is known, the loader searches the configuration file's redirect locations, GAC, the current assembly using configuration information, and the application base directory.

- If the assembly is unknown, the loader searches the current assembly, mscorlib, and the location returned by the TypeResolve event handler.

This CLR search order can be modified with hooks such as the Type Forwarding mechanism and the AppDomain.TypeResolve event.

If an attacker exploits the CLR search order by creating an alternative class with the same name and placing it in an alternative location that the CLR will load first, the CLR will unintentionally execute the attacker-supplied code.

Example 1: The <behaviorExtensions/> element of the following WCF configuration file instructs WCF to add a custom behavior class to a particular WCF extension. The type attribute names the class only as MyBehavior, with no assembly name, version, culture or public key token, so the CLR resolves it through the search order described above rather than to one specific assembly.

<system.serviceModel>
  <extensions>
    <behaviorExtensions>
      <add name="myBehavior" type="MyBehavior" />
    </behaviorExtensions>
  </extensions>
</system.serviceModel>
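The following is an added example and is not part of the Fortify description. It shows the weak reference from Example 1 beside an assembly-qualified, strong-named form of the same entry, and a small checker that parses a configuration file and reports every behaviorExtensions/add entry whose type attribute does not pin the type to one assembly (type name, assembly name, Version, Culture and a real PublicKeyToken). The namespace MyCompany.Wcf, the assembly name and the public key token value are placeholders; the checker is illustrative lint logic, not a Fortify rule.

```python
"""Lint WCF <behaviorExtensions> entries for weakly identified type references."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the weak reference from Example 1 (added example, not page code).
WEAK_CONFIG = """<configuration>
  <system.serviceModel>
    <extensions>
      <behaviorExtensions>
        <add name="myBehavior" type="MyBehavior" />
      </behaviorExtensions>
    </extensions>
  </system.serviceModel>
</configuration>
"""

# Same extension with an assembly-qualified, strong-named reference.
# Namespace, assembly name and PublicKeyToken are placeholders.
STRONG_CONFIG = """<configuration>
  <system.serviceModel>
    <extensions>
      <behaviorExtensions>
        <add name="myBehavior"
             type="MyCompany.Wcf.MyBehavior, MyCompany.Wcf, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0123456789abcdef" />
      </behaviorExtensions>
    </extensions>
  </system.serviceModel>
</configuration>
"""

# A strong-name token is 16 hex digits; "null" means the assembly is not signed.
_TOKEN_RE = re.compile(r"^PublicKeyToken=([0-9a-fA-F]{16}|null)$", re.IGNORECASE)


def _split_top_level(type_ref):
    """Split an assembly-qualified name on commas outside [...] so that
    generic argument lists (which carry their own commas) stay intact."""
    parts, depth, current = [], 0, []
    for ch in type_ref:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def classify_type_reference(type_ref):
    """Return (is_strong, reason). A reference counts as strong only when it
    names the type, the assembly, and the assembly's Version, Culture and a
    real PublicKeyToken, so the loader cannot bind it to a same-named type
    found elsewhere in the CLR search order."""
    parts = _split_top_level(type_ref)
    if len(parts) < 2:
        return False, "no assembly name: CLR falls back to search order"
    attrs = {p.split("=", 1)[0].strip().lower(): p for p in parts[2:] if "=" in p}
    for required in ("version", "culture", "publickeytoken"):
        if required not in attrs:
            return False, f"assembly name present but {required} missing"
    m = _TOKEN_RE.match(attrs["publickeytoken"])
    if not m:
        return False, "malformed PublicKeyToken"
    if m.group(1).lower() == "null":
        return False, "PublicKeyToken=null: assembly is not strong-named"
    return True, "fully qualified, strong-named reference"


def find_weak_references(config_xml):
    """Scan every behaviorExtensions/add element in a config file and return
    the weak ones as (name, type, reason) tuples."""
    root = ET.fromstring(config_xml)
    findings = []
    for ext in root.iter("behaviorExtensions"):
        for add in ext.findall("add"):
            type_ref = add.get("type")
            if type_ref is None:
                continue
            strong, reason = classify_type_reference(type_ref)
            if not strong:
                findings.append((add.get("name"), type_ref, reason))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("strong", STRONG_CONFIG)):
        print(label, find_weak_references(cfg))
```

Running the checker over a real .config file is a cheap build-time gate: any entry it reports is one the CLR will resolve by name alone, which is exactly the condition the explanation above describes. The strong form only closes the gap if the named assembly is actually signed; PublicKeyToken=null is therefore treated as a finding too.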
References
[1] Microsoft Developer Network (MSDN)
[2] Standards Mapping - Common Weakness Enumeration CWE ID 95
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[9] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[10] Standards Mapping - OWASP Top 10 2010 A1 Injection
[11] Standards Mapping - OWASP Top 10 2013 A1 Injection
[12] Standards Mapping - OWASP Top 10 2017 A1 Injection
[13] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.4 Sanitization and Sandboxing Requirements, 5.2.5 Sanitization and Sandboxing Requirements, 5.2.8 Sanitization and Sandboxing Requirements, 5.3.6 Output Encoding and Injection Prevention Requirements
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[23] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I