Reino: Input Validation and Representation

Problemas de validação e representação da entrada são causados por metacaracteres, codificações alternativas e representações numéricas. Confiar na entrada resulta em problemas de segurança. Os problemas incluem: “Buffer Overflows”, ataques de “Cross-Site Scripting”, “SQL Injection”, entre outros.

Server-Side Request Forgery

Abstract

O aplicativo inicia uma conexão de rede com um sistema de terceiros usando dados controlados pelo usuário para criar o URI de recurso.

Explanation

Uma Falsificação de Solicitação no Lado do Servidor ocorre quando um invasor pode influenciar uma conexão de rede estabelecida pelo servidor de aplicativos. A conexão de rede se originará do IP interno do servidor de aplicativos, e um invasor pode usar essa conexão para ignorar os controles de rede e verificar ou atacar recursos internos que não seriam expostos.

Exemplo 1: No exemplo a seguir, um invasor pode controlar a URL à qual o servidor está se conectando.


...
PageReference ref = ApexPages.currentPage();
Map<String,String> params = ref.getParameters();
HttpRequest req = new HttpRequest();
req.setEndpoint(params.get('url'));
HTTPResponse res = new Http().send(req);

A capacidade do invasor de sequestrar a conexão de rede depende da parte específica do URI que pode ser controlada e das bibliotecas usadas para estabelecer a conexão. Por exemplo, controlar o esquema de URI permite que o invasor use protocolos diferentes de http ou https, como:

- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://

Um invasor pode aproveitar essa conexão de rede sequestrada para executar os seguintes tipos de ataques:

- Varredura de portas de recursos de intranet.
- Desvio de firewalls.
- Ataque a problemas vulneráveis em execução no servidor de aplicativos ou na Intranet.
- Ataque a aplicativos Web internos/externos usando ataques de Injeção ou CSRF.
- Realização de um ataque de envenenamento de cache DNS.

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 918

[2] Standards Mapping - Common Weakness Enumeration Top 25 2021 [24] CWE ID 918

[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [21] CWE ID 918

[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [19] CWE ID 918

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[6] Standards Mapping - FIPS200 SI

[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[10] Standards Mapping - OWASP API 2023 API7 Server Side Request Forgery

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.6 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.6.1 SSRF Protection Requirements (L1 L2 L3), 13.1.1 Generic Web Service Security Verification Requirements (L1 L2 L3)

[12] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[14] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[19] Standards Mapping - OWASP Top 10 2021 A10 Server-Side Request Forgery

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation

[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)

desc.dataflow.apex.server_side_request_forgery

Abstract

O aplicativo inicia uma conexão de rede com um sistema de terceiros usando dados controlados pelo usuário para criar o URI de recurso.

Explanation

Uma Falsificação de Solicitação no Lado do Servidor ocorre quando um invasor pode influenciar uma conexão de rede estabelecida pelo servidor de aplicativos. A conexão de rede se originará do IP interno do servidor de aplicativos, e um invasor pode usar essa conexão para ignorar os controles de rede e verificar ou atacar recursos internos que não seriam expostos.

Exemplo: No exemplo a seguir, um invasor pode controlar a URL à qual o servidor está se conectando.


string url = Request.Form["url"];
HttpClient client = new HttpClient();
HttpResponseMessage response = await client.GetAsync(url);

A capacidade do invasor de sequestrar a conexão de rede depende da parte específica do URI que pode ser controlada e das bibliotecas usadas para estabelecer a conexão. Por exemplo, controlar o esquema de URI permite que o invasor use protocolos diferentes de http ou https, como:

- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://

Um invasor pode aproveitar essa conexão de rede sequestrada para executar os seguintes ataques:

- Varredura de portas de recursos de intranet.
- Desvio de firewalls.
- Ataque a problemas vulneráveis em execução no servidor de aplicativos ou na Intranet.
- Ataque a aplicativos Web internos/externos usando ataques de Injeção ou CSRF.
- Acesso a arquivos locais usando o esquema file://.
- Em sistemas Windows, o esquema file:// e caminhos UNC podem permitir que um invasor varra e acesse compartilhamentos internos.
- Realização de um ataque de envenenamento de cache DNS.

References

[1] Alexander Polyakov SSRF vs. Business critical applications BlackHat 2012

[2] SSRF bible. Cheatsheet ONSec Labs

[3] Standards Mapping - Common Weakness Enumeration CWE ID 918

[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [24] CWE ID 918

[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [21] CWE ID 918

[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [19] CWE ID 918

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[8] Standards Mapping - FIPS200 SI

[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[12] Standards Mapping - OWASP API 2023 API7 Server Side Request Forgery

[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.6 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.6.1 SSRF Protection Requirements (L1 L2 L3), 13.1.1 Generic Web Service Security Verification Requirements (L1 L2 L3)

[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[21] Standards Mapping - OWASP Top 10 2021 A10 Server-Side Request Forgery

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation

[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[54] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)

desc.dataflow.dotnet.server_side_request_forgery

Abstract

O aplicativo inicia uma conexão de rede com um sistema de terceiros usando dados controlados pelo usuário para criar o URI de recurso.

Explanation

Uma Falsificação de Solicitação no Lado do Servidor ocorre quando um invasor pode influenciar uma conexão de rede estabelecida pelo servidor de aplicativos. A conexão de rede se originará do IP interno do servidor de aplicativos, e um invasor pode usar essa conexão para ignorar os controles de rede e verificar ou atacar recursos internos que não seriam expostos.

Exemplo: No exemplo a seguir, um invasor pode controlar a URL à qual o servidor está se conectando.


char *url = maliciousInput(); 
CURL *curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_URL, url);
CURLcode res = curl_easy_perform(curl);

A capacidade de um invasor de sequestrar a conexão de rede depende da parte específica do URI que pode ser controlada e das bibliotecas usadas para estabelecer a conexão. Por exemplo, controlar o esquema de URI permite que o invasor use protocolos diferentes de http ou https, como:

- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://

Um invasor pode aproveitar essa conexão de rede sequestrada para executar os seguintes ataques:

- Varredura de portas de recursos de intranet.
- Desvio de firewalls.
- Ataque a problemas vulneráveis em execução no servidor de aplicativos ou na Intranet.
- Ataque a aplicativos Web internos/externos usando ataques de Injeção ou CSRF.
- Acesse arquivos locais usando o esquema file://.
- Em sistemas Windows, o uso do esquema file:// e de caminhos UNC pode permitir que um invasor verifique e acesse compartilhamentos internos.
- Realização de um ataque de envenenamento de cache DNS.