界: API Abuse

API 就像是呼叫者與被呼叫者之間簽訂的規定。最常見的 API 濫用形式是由呼叫者這一當事方未能遵守此規定所造成的。例如，如果程式在呼叫 chroot() 後無法呼叫 chdir()，即違反規範如何以安全方式變更使用中根目錄的規定。程式庫濫用的另一個好例子是期待被呼叫者向呼叫者傳回值得信賴的 DNS 資訊。在這種情況下，呼叫者是透過對其行為做出某些假設 (傳回值可用於驗證目的) 來濫用被呼叫者 API。另一方也可能違反呼叫者與被呼叫者間的規定。例如，如果編碼器衍生出子類別 SecureRandom 並傳回一個非隨機值，則違反了規定。

ASP.NET MVC Bad Practices: Optional Submodel With Required Property

C#/VB.NET/ASP.NET

Abstract

模型類別擁有所需的屬性，該屬性的類型是父系模型類型的選用成員，因此可能容易受到公佈不足攻擊。

Explanation

若模型類別擁有所需的屬性，該屬性的類型是父系模型類型的選用成員，則在攻擊者傳送的要求所含資料少於預期時，可能容易受到公佈不足攻擊。

ASP.NET MVC 框架嘗試將要求參數繫結至模型屬性 (包括子模型)。

若子模型為選用項目 (即父系模型擁有的某個屬性沒有 [Required] 屬性)，則在攻擊者未傳送該子模型時，父系屬性的值將是 null，模型驗證將不會宣告子模型的所需欄位。這是公佈不足攻擊的一種形式。

請考慮以下模型類別定義：


public class ChildModel
{
    public ChildModel()
    {
    }

    [Required]
    public String RequiredProperty { get; set; }
}

public class ParentModel
{
    public ParentModel()
    {
    }

    public ChildModel Child { get; set; }
}

若攻擊者未傳送 ParentModel.Child 屬性的值，則 ChildModel.RequiredProperty 屬性將擁有未宣告的 [Required]。這可能會產生非預期且不適當的結果。

References

[1] Input Validation vs. Model Validation in ASP.NET MVC

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[7] Standards Mapping - CIS Kubernetes Benchmark partial

[8] Standards Mapping - Common Weakness Enumeration CWE ID 345

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002422

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[13] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[14] Standards Mapping - OWASP Top 10 2010 A1 Injection

[15] Standards Mapping - OWASP Top 10 2013 A1 Injection

[16] Standards Mapping - OWASP Top 10 2017 A1 Injection

[17] Standards Mapping - OWASP Top 10 2021 A03 Injection

[18] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)

[20] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[22] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002470 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002470 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002470 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002470 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002470 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002470 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002470 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002470 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002470 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002470 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002470 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002470 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002470 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002470 CAT II

[36] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.structural.dotnet.aspnet_mvc_bad_practices_optional_submodel_with_required_property