Reino: Input Validation and Representation

Los problemas de validación y representación de entradas están causados por metacaracteres, codificaciones alternativas y representaciones numéricas. Los problemas de seguridad surgen de entradas en las que se confía. Estos problemas incluyen: «desbordamientos de búfer», ataques de «scripts de sitios», "SQL injection" y muchas otras acciones.

JSON Path Manipulation

PHP
Scala

Abstract

La aplicación realiza una consulta JSON con datos que no son de confianza y pueden permitir que usuarios malintencionados realicen consultas en partes inesperadas del documento JSON.

Explanation

Hay una serie de tecnologías que brindan la capacidad de maniobrar a través de documentos JSON utilizando una sintaxis de acceso en forma de árbol. Al utilizar este tipo de escalado de directorios de documentos, un adversario puede consultar partes de un documento JSON a las que no debería tener acceso.

Ejemplo 1: El código siguiente utiliza una palabra clave definida por el usuario para acceder a un documento JSON que contiene detalles de usuario públicos, como su nombre y dirección, pero también privados, como su contraseña.


    $userInput = getUserIn();
    $document = getJSONDoc();
    $part = simdjson_key_value($document, $userInput);
    echo json_decode($part);

Como el usuario puede controlar userInput, un usuario malintencionado puede aprovecharlo para acceder a cualquier dato confidencial en el documento JSON.

References

[1] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754

[2] Standards Mapping - FIPS200 SI

[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3

[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1

[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[9] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization

[10] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[11] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[12] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws

[13] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[14] Standards Mapping - OWASP Top 10 2010 A1 Injection

[15] Standards Mapping - OWASP Top 10 2013 A1 Injection

[16] Standards Mapping - OWASP Top 10 2017 A1 Injection

[17] Standards Mapping - OWASP Top 10 2021 A03 Injection

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I

desc.dataflow.php.json_path_manipulation

Abstract

La aplicación realiza una consulta JSON con datos que no son de confianza y pueden permitir que usuarios malintencionados realicen consultas en partes inesperadas del documento JSON.

Explanation


  def searchUserDetails(key:String) = Action.async { implicit request =>
    val user_json = getUserDataFor(user)
    val value = (user_json \ key).get.as[String]
    ...
  }

Como key es controlable por el usuario, un atacante puede aprovecharse de esto para acceder a las contraseñas del usuario y cualquier otro dato privado que pueda contener el documento JSON.