界: API Abuse

API 是调用方和被调用方之间的约定。最常见的 API 滥用是由于调用方未能遵守此约定的终止导致的。例如，如果某个程序在调用 chroot() 后未能调用 chdir()，则违反了用于指定如何安全地更改活动根目录的约定。库滥用的另一个典型示例是期望被调用方向调用方返回可信的 DNS 信息。在这种情况下，调用方通过对被调用方行为做出某种假设（返回值可用于身份验证目的）滥用其 API。另一方也可能违反调用方-被调用方约定。例如，如果编码器子类化 SecureRandom 并返回一个非随机值，则将违反此约定。

Mass Assignment: Request Parameters Bound into Persisted Objects

C#/VB.NET/ASP.NET
Java/JSP

Abstract

如果允许使用请求参数自动填充数据库持久实体，攻击者将能够在关联实体中创建计划外的记录，或者更新实体对象中的计划外字段。

Explanation

模型对象是数据库实体面向对象的表示。它们为加载、存储、更新和删除相关数据库实体提供了简便的方法。
例如，Hibernate、Microsoft .NET 实体框架和 LINQ 都是对象关系映射 (ORM) 框架，可以帮助您构建基于数据库的模型对象。

为了减轻开发人员的压力，许多 Web 框架都在努力提供相应的机制，即根据将请求参数名称与模型对象属性名称相匹配的方法将请求参数绑定到请求绑定对象（根据匹配的公共 getter 和 setter 方法）。

如果应用程序将 ORM 类作为请求绑定对象，请求参数就能够修改模型对象中的任何字段以及对象属性中的任何嵌入字段。

示例 1：Order、Customer 和 Profile 都是 Microsoft .NET 实体持久类。


public class Order {
	public string ordered { get; set; }
	public List<LineItem> LineItems { get; set; }
	pubilc virtual Customer Customer { get; set; }
...
}
public class Customer {
	public int CustomerId { get; set; }
	...
	public virtual Profile Profile { get; set; }
...
}
public class Profile {
	public int profileId { get; set; }
	public string username { get; set; }
	public string password { get; set; }
	...
}

OrderController 是处理该请求的 ASP.NET MVC 控制器类：



public class OrderController : Controller{
	StoreEntities db = new StoreEntities();
...

	public String updateOrder(Order order) {
		...
		db.Orders.Add(order);
		db.SaveChanges();
	}
}

由于模型实体类会自动绑定到该请求，因此攻击者可以利用这一漏洞，通过在该请求中添加下列请求参数来更新其他用户的密码："http://www.yourcorp.com/webApp/updateOrder?order.customer.profile.profileId=1234&order.customer.profile.password=urpowned"

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 915

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754

[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation

[6] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)

[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[10] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[11] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[12] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[14] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[42] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)

desc.structural.dotnet.mass_assignment_request_parameters_bound_into_persisted_objects

Abstract

如果允许使用请求参数自动填充数据库持久实体，攻击者将能够在关联实体中创建计划外的记录，或者更新实体对象中的计划外字段。

Explanation

持久对象通常绑定到底层数据库，并由持久性框架（如 Hibernate 或 JPA）自动更新。如果允许这些对象动态地绑定到 Spring MVC 发出的请求，则攻击者将能够通过提供附加的请求参数向数据库中注入非预期的值。
例 1：Order、Customer 和 Profile 都是 Hibernate 持久类。


public class Order {
	String ordered;
	List lineItems;
	Customer cust;
...
}
public class Customer {
	String customerId;
	...
    Profile p;
...
}
public class Profile {
	String profileId;
	String username;
	String password;
	...
}

OrderController 是处理该请求的 Spring 控制器类：


@Controller
public class OrderController {
...
	@RequestMapping("/updateOrder")
	public String updateOrder(Order order) {
		...
		session.save(order);
	}
}

因为命令类会自动绑定到该请求，所以利用这一漏洞，攻击者可以通过在该请求中添加如下请求参数来更新其他用户的密码："http://www.yourcorp.com/webApp/updateOrder?order.customer.profile.profileId=1234&order.customer.profile.password=urpowned"

References

[1] Ryan Berg and Dinis Cruz Two Security Vulnerabilities in the Spring Framework's MVC

[2] Standards Mapping - Common Weakness Enumeration CWE ID 915

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754

[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation

[7] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)

[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[11] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[12] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[13] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[14] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[15] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[43] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)

desc.structural.java.mass_assignment_request_parameters_bound_into_persisted_objects