4 itens encontrados

Vulnerabilidades

Mass Assignment: Insecure Binder Configuration

C#/VB.NET/ASP.NET
Java/JSP

Abstract

O associador de estrutura usado para associar os parâmetros da solicitação HTTP à classe de modelo não foi explicitamente configurado para permitir, ou proibir, certos atributos.

Explanation

Para facilitar o desenvolvimento e aumentar a produtividade, a maioria das estruturas moderna permite que um objeto seja instanciado automaticamente e preenchido com os parâmetros de solicitações HTTP cujos nomes correspondem a um atributo da classe a ser associada. A instanciação e o preenchimento automáticos de objetos acelera o desenvolvimento, mas podem provocar sérios problemas se forem implementados sem precauções. Qualquer atributo nas classes associadas, ou classes aninhadas, será automaticamente associado aos parâmetros de solicitações HTTP. Portanto, usuários mal-intencionados poderão atribuir um valor a qualquer atributo em classes vinculadas ou aninhadas, mesmo se que estas não estejam expostas ao cliente por meio de formulários da Web ou contratos de API.

Exemplo 1: Sem configuração adicional, o seguinte método de controlador MVC ASP.NET associará os parâmetros de solicitações HTTP a qualquer atributo nas classes RegisterModel ou Details:


public ActionResult Register(RegisterModel model)
{
    if (ModelState.IsValid)
    {
        try
        {
            return RedirectToAction("Index", "Home");
        }
        catch (MembershipCreateUserException e)
        {
            ModelState.AddModelError("", "");
        }
    }
    return View(model);
}

Em que a classe RegisterModel é definida como:


public class RegisterModel
{
    [BindRequired]
    [Display(Name = "User name")]
    public string UserName { get; set; }

    [BindRequired]
    [DataType(DataType.Password)]
    [Display(Name = "Password")]
    public string Password { get; set; }

    [DataType(DataType.Password)]
    [Display(Name = "Confirm password")]
    public string ConfirmPassword { get; set; }

    public Details Details { get; set; }

    public RegisterModel()
    {
        Details = new Details();
    }
}

e a classe Details é definida como:


public class Details
{
    public bool IsAdmin { get; set; }
    ...
}

Exemplo 2: Ao usar TryUpdateModel() ou UpdateModel() em aplicativos ASP.NET MVC ou Web API, o associador de modelo tentará vincular automaticamente todos os parâmetros de solicitações HTTP por padrão:


public ViewResult Register()
{
    var model = new RegisterModel();
    TryUpdateModel<RegisterModel>(model);
    return View("detail", model);
}

Exemplo 3: Em aplicativos ASP.NET Web Form, o associador do modelo tentará vincular automaticamente todos os parâmetros de solicitação HTTP ao usar TryUpdateModel() ouUpdateModel() com a interface IValueProvider.


Employee emp = new Employee();
TryUpdateModel(emp, new System.Web.ModelBinding.FormValueProvider(ModelBindingExecutionContext)); 
if (ModelState.IsValid)
{
    db.SaveChanges();
}

e a classe Employee é definida como:


 public class Employee
    {
        public Employee()
        {
            IsAdmin = false;
            IsManager = false;
        }
        public string Name { get; set; }
        public string Email { get; set; }
        public bool IsManager { get; set; }
        public bool IsAdmin { get; set; }
    }

References

[1] OWASP Mass assignment

[2] Standards Mapping - Common Weakness Enumeration CWE ID 915

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754

[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation

[7] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)

[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[10] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[16] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[45] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)

desc.structural.dotnet.mass_assignment_insecure_binder_configuration

Abstract

O associador da estrutura usado para vincular os parâmetros de solicitação HTTP à classe do modelo não foi explicitamente configurado para permitir ou proibir certos atributos

Explanation


    <view-state id="enterBookingDetails" model="booking">
		<on-render>
			<render fragments="body" />
		</on-render>
        <transition on="proceed" to="reviewBooking">
        </transition>
		<transition on="cancel" to="cancel" bind="false" />
	</view-state>

Onde a classe Booking é definida como:


public class Booking implements Serializable {
	private Long id;
	private User user;
	private Hotel hotel;
	private Date checkinDate;
	private Date checkoutDate;
	private String creditCard;
	private String creditCardName;
	private int creditCardExpiryMonth;
	private int creditCardExpiryYear;
	private boolean smoking;
	private int beds;
	private Set<Amenity> amenities;

   // Public Getters and Setters
   ...
}

References

[1] OWASP Mass assignment

[2] Pivotal Spring MVC Known Vulnerabilities and Issues

[3] Standards Mapping - Common Weakness Enumeration CWE ID 915

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754

[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation

[8] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)

[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[11] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[15] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[17] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[46] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)

desc.config.java.mass_assignment_insecure_binder_configuration

Mass Assignment: Request Parameters Bound into Persisted Objects

C#/VB.NET/ASP.NET
Java/JSP

Abstract

Permitir que entidades persistentes de banco de dados sejam preenchidas automaticamente por parâmetros de solicitação pode permitir que um invasor crie registros não intencionais em entidades de associação ou atualize campos não pretendidos no objeto de entidade.

Explanation

Objetos de modelo são uma representação orientada a objetos de entidades de banco de dados. Eles fornecem métodos de conveniência para carregar, armazenar, atualizar e excluir entidades de banco de dados associadas.
O Hibernate, a estrutura Microsoft .NET Entity e o LINQ são exemplos de estruturas Object Relational Mapping (ORM) que ajudam você a construir objetos de modelo reforçados por banco de dados.

Muitas estruturas da Web se esforçam para facilitar a vida dos desenvolvedores fornecendo um mecanismo de associação de parâmetros de solicitação a objetos associados a solicitações com base em nomes de parâmetro de solicitação correspondentes a nomes de atributo de objetos de modelo (com base em métodos "getter" e "setter" públicos correspondentes).

Se um aplicativo usar classes ORM como objetos associados a solicitações, é provável que um parâmetro de solicitação possa modificar qualquer campo em objetos de modelo correspondentes e em qualquer campo aninhado de um atributo de objeto.

Exemplo 1: As classes Order, Customer e Profile são classes do Microsoft .NET Entity mantidas como persistentes.


public class Order {
	public string ordered { get; set; }
	public List<LineItem> LineItems { get; set; }
	pubilc virtual Customer Customer { get; set; }
...
}
public class Customer {
	public int CustomerId { get; set; }
	...
	public virtual Profile Profile { get; set; }
...
}
public class Profile {
	public int profileId { get; set; }
	public string username { get; set; }
	public string password { get; set; }
	...
}

OrderController é uma de classe de controlador MVC ASP.NET que lida com a solicitação:



public class OrderController : Controller{
	StoreEntities db = new StoreEntities();
...

	public String updateOrder(Order order) {
		...
		db.Orders.Add(order);
		db.SaveChanges();
	}
}

Como classes de entidades de modelo são automaticamente associadas a solicitações, um invasor pode usar essa vulnerabilidade para atualizar a senha de outro usuário adicionando os seguintes parâmetros de solicitação à solicitação: "http://www.yourcorp.com/webApp/updateOrder?order.customer.profile.profileId=1234&order.customer.profile.password=urpowned"

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 915

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754

[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation

[6] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)

[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[10] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[11] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[12] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[14] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[43] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)

desc.structural.dotnet.mass_assignment_request_parameters_bound_into_persisted_objects

Abstract

Permitir que entidades persistentes de banco de dados sejam preenchidas automaticamente por parâmetros de solicitação permitirá que um invasor crie registros não intencionais em entidades de associação ou atualize campos não pretendidos no objeto de entidade.

Explanation

Objetos persistentes estão vinculados ao banco de dados subjacente e são atualizados automaticamente pela estrutura de persistência, como o Hibernate ou o JPA. Permitir que esses objetos sejam dinamicamente associados à solicitação pelo Spring MVC permitirá que um invasor injete valores inesperados no banco de dados, fornecendo parâmetros de solicitação adicionais.
Exemplo 1: As classes Order, Customer e Profile são classes do Hibernate mantidas como persistentes.


public class Order {
	String ordered;
	List lineItems;
	Customer cust;
...
}
public class Customer {
	String customerId;
	...
    Profile p;
...
}
public class Profile {
	String profileId;
	String username;
	String password;
	...
}

OrderController é uma de classe de controlador Spring que lida com a solicitação:


@Controller
public class OrderController {
...
	@RequestMapping("/updateOrder")
	public String updateOrder(Order order) {
		...
		session.save(order);
	}
}

Como classes de comandos são automaticamente associadas à solicitação, um invasor pode usar essa vulnerabilidade para atualizar a senha de outro usuário adicionando os seguintes parâmetros de solicitação à solicitação: "http://www.yourcorp.com/webApp/updateOrder?order.customer.profile.profileId=1234&order.customer.profile.password=urpowned"

References

[1] Ryan Berg and Dinis Cruz Two Security Vulnerabilities in the Spring Framework's MVC