Reino: API Abuse

Uma API é um contrato entre quem chama e o que se chama. As formas mais comuns de abuso de API ocorrem quando o responsável pela chamada não respeita sua parte do contrato. Por exemplo, se um programa não chama chdir() após chamar chroot(), ele viola o contrato que especifica como alterar o diretório raiz ativo de forma segura. Outro bom exemplo de abuso de biblioteca é esperar que o elemento chamado retorne informações confiáveis de DNS ao responsável pela chamada. Nesse caso, o responsável pela chamada abusa a API do elemento chamado ao fazer certas suposições sobre seu comportamento (isto é, que o valor de retorno pode ser usado para fins de autenticação). A outra parte também pode violar o contrato entre quem chama e o que se chama. Por exemplo, se um programador definir SecureRandom como subclasse e retornar um valor não aleatório, o contrato será violado.

Mass Assignment: Insecure Binder Configuration

C#/VB.NET/ASP.NET
Java/JSP

Abstract

O associador de estrutura usado para associar os parâmetros da solicitação HTTP à classe de modelo não foi explicitamente configurado para permitir, ou proibir, certos atributos.

Explanation

Para facilitar o desenvolvimento e aumentar a produtividade, a maioria das estruturas moderna permite que um objeto seja instanciado automaticamente e preenchido com os parâmetros de solicitações HTTP cujos nomes correspondem a um atributo da classe a ser associada. A instanciação e o preenchimento automáticos de objetos acelera o desenvolvimento, mas podem provocar sérios problemas se forem implementados sem precauções. Qualquer atributo nas classes associadas, ou classes aninhadas, será automaticamente associado aos parâmetros de solicitações HTTP. Portanto, usuários mal-intencionados poderão atribuir um valor a qualquer atributo em classes vinculadas ou aninhadas, mesmo se que estas não estejam expostas ao cliente por meio de formulários da Web ou contratos de API.

Exemplo 1: Sem configuração adicional, o seguinte método de controlador MVC ASP.NET associará os parâmetros de solicitações HTTP a qualquer atributo nas classes RegisterModel ou Details:


public ActionResult Register(RegisterModel model)
{
    if (ModelState.IsValid)
    {
        try
        {
            return RedirectToAction("Index", "Home");
        }
        catch (MembershipCreateUserException e)
        {
            ModelState.AddModelError("", "");
        }
    }
    return View(model);
}

Em que a classe RegisterModel é definida como:


public class RegisterModel
{
    [BindRequired]
    [Display(Name = "User name")]
    public string UserName { get; set; }

    [BindRequired]
    [DataType(DataType.Password)]
    [Display(Name = "Password")]
    public string Password { get; set; }

    [DataType(DataType.Password)]
    [Display(Name = "Confirm password")]
    public string ConfirmPassword { get; set; }

    public Details Details { get; set; }

    public RegisterModel()
    {
        Details = new Details();
    }
}

e a classe Details é definida como:


public class Details
{
    public bool IsAdmin { get; set; }
    ...
}

Exemplo 2: Ao usar TryUpdateModel() ou UpdateModel() em aplicativos ASP.NET MVC ou Web API, o associador de modelo tentará vincular automaticamente todos os parâmetros de solicitações HTTP por padrão:


public ViewResult Register()
{
    var model = new RegisterModel();
    TryUpdateModel<RegisterModel>(model);
    return View("detail", model);
}

Exemplo 3: Em aplicativos ASP.NET Web Form, o associador do modelo tentará vincular automaticamente todos os parâmetros de solicitação HTTP ao usar TryUpdateModel() ouUpdateModel() com a interface IValueProvider.


Employee emp = new Employee();
TryUpdateModel(emp, new System.Web.ModelBinding.FormValueProvider(ModelBindingExecutionContext)); 
if (ModelState.IsValid)
{
    db.SaveChanges();
}

e a classe Employee é definida como:


 public class Employee
    {
        public Employee()
        {
            IsAdmin = false;
            IsManager = false;
        }
        public string Name { get; set; }
        public string Email { get; set; }
        public bool IsManager { get; set; }
        public bool IsAdmin { get; set; }
    }

References

[1] OWASP Mass assignment

[2] Standards Mapping - Common Weakness Enumeration CWE ID 915

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754

[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation

[7] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)

[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[10] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[16] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[44] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)

desc.structural.dotnet.mass_assignment_insecure_binder_configuration

Abstract

O associador da estrutura usado para vincular os parâmetros de solicitação HTTP à classe do modelo não foi explicitamente configurado para permitir ou proibir certos atributos

Explanation

Para facilitar o desenvolvimento e aumentar a produtividade, a maioria das estruturas modernas permite que um objeto seja automaticamente instanciado e preenchido com os parâmetros de solicitação HTTP cujos nomes correspondem a um atributo da classe a ser vinculada. A instanciação e o preenchimento automáticos de objetos aceleram o desenvolvimento, mas podem levar a sérios problemas se implementados sem cuidado. Qualquer atributo nas classes vinculadas, ou classes aninhadas, será automaticamente vinculado aos parâmetros de solicitação HTTP. Portanto, usuários mal-intencionados poderão atribuir um valor a qualquer atributo em classes vinculadas ou aninhadas, mesmo que não sejam expostos ao cliente por meio de formulários da web ou contratos de API.

Exemplo 1: Ao usar Spring WebFlow sem configuração adicional, a ação a seguir vinculará os parâmetros de solicitação HTTP a qualquer atributo na classe Booking:


    <view-state id="enterBookingDetails" model="booking">
		<on-render>
			<render fragments="body" />
		</on-render>
        <transition on="proceed" to="reviewBooking">
        </transition>
		<transition on="cancel" to="cancel" bind="false" />
	</view-state>

Onde a classe Booking é definida como:


public class Booking implements Serializable {
	private Long id;
	private User user;
	private Hotel hotel;
	private Date checkinDate;
	private Date checkoutDate;
	private String creditCard;
	private String creditCardName;
	private int creditCardExpiryMonth;
	private int creditCardExpiryYear;
	private boolean smoking;
	private int beds;
	private Set<Amenity> amenities;

   // Public Getters and Setters
   ...
}

References

[1] OWASP Mass assignment

[2] Pivotal Spring MVC Known Vulnerabilities and Issues

[3] Standards Mapping - Common Weakness Enumeration CWE ID 915

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754

[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation

[8] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)

[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[11] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[15] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[17] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[45] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)

desc.config.java.mass_assignment_insecure_binder_configuration