Reino: Input Validation and Representation

Problemas de validação e representação da entrada são causados por metacaracteres, codificações alternativas e representações numéricas. Confiar na entrada resulta em problemas de segurança. Os problemas incluem: “Buffer Overflows”, ataques de “Cross-Site Scripting”, “SQL Injection”, entre outros.

Session Puzzling: Spring

Java/JSP

Abstract

Os invasores podem modificar os atributos da sessão Spring que podem levar ao abuso da lógica do aplicativo.

Explanation

Uma classe anotada com @SessionAttributes significará que o Spring replica as alterações nos atributos de modelo no objeto de sessão. Se um invasor for capaz de armazenar valores arbitrários dentro de um atributo de modelo, essas alterações serão replicadas no objeto de sessão, onde podem ser confiáveis pelo aplicativo. Se o atributo de sessão for inicializado com dados confiáveis que o usuário não deve poder modificar, o invasor poderá realizar um ataque de Session Puzzling e abusar da lógica do aplicativo.

Exemplo 1: O seguinte controlador contém um método que carrega os dados do usuário na sessão após um logon bem-sucedido.


@Controller
@SessionAttributes("user")
public class HomeController {
    ...
    @RequestMapping(value= "/auth", method=RequestMethod.POST)
    public String authHandler(@RequestParam String username, @RequestParam String password, RedirectAttributes attributes, Model model) {
        User user = userService.findByNamePassword(username, password);
        if (user == null) {
            // Handle error
            ...
        } else {
            // Handle success
            attributes.addFlashAttribute("user", user);
            return "redirect:home";
        }
    }
    ...
}

Um controlador diferente lida com o recurso de redefinição de senha. Ele tenta carregar a instância User a partir da sessão, pois a classe é anotada com @SessionAttributes("user") e a usa para verificar a questão de redefinição da senha.


@Controller
@SessionAttributes("user")
public class ResetPasswordController {

    @RequestMapping(value = "/resetQuestion", method = RequestMethod.POST)
    public String resetQuestionHandler(@RequestParam String answerReset, SessionStatus status, User user, Model model) {

        if (!user.getAnswer().equals(answerReset)) {
            // Handle error
            ...
        } else {
            // Handle success
            ...
        }
    }
}

A intenção do desenvolvedor era carregar a instância user da sessão na qual ela foi armazenada durante o processo de logon. No entanto, o Spring verificará a solicitação e tentará vincular seus dados na instância do modelo user. Se a solicitação recebida contiver dados que podem ser vinculados à classe User, o Spring combinará os dados recebidos no atributo de sessão do usuário. É possível abusar desse cenário, enviando uma resposta arbitrária no parâmetro de consulta answerReset e também o mesmo valor para substituir o valor armazenado na sessão. Dessa forma, o invasor pode definir uma nova senha arbitrária para usuários aleatórios.

References

[1] Alexey Tyurin Spring MVC and Autobinding vulns.

[2] Alexey Tyurin Autobinding vulns and Spring MVC

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001664, CCI-001941, CCI-001942

[4] Standards Mapping - FIPS200 IA

[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation

[8] Standards Mapping - OWASP API 2023 API2 Broken Authentication

[9] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling

[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[11] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management

[12] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[13] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management

[14] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[15] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[16] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3405 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3405 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3405 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3405 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3405 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3405 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3405 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II, APSC-DV-002530 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II, APSC-DV-002530 CAT II

desc.dataflow.java.session_puzzling_spring