CWE-647 Use of Non-Canonical URL Paths for Authorization Decisions

admin, 2021-12-16 16:27:14


Use of Non-Canonical URL Paths for Authorization Decisions

Structure: Simple

Abstraction: Variant

Status: Incomplete

Likelihood of Exploit: High

Description

The software defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.

Extended Description

If an application defines policy namespaces and makes authorization decisions based on the URL, but it does not require or convert to a canonical URL before making the authorization decision, then it opens the application to attack. For example, if the application only wants to allow access to http://www.example.com/mypage, then the attacker might be able to bypass this restriction using equivalent URLs such as:

Therefore it is important to specify an access control policy that is based on the path information in some canonical form, with all alternate encodings rejected (which can be accomplished by a default deny rule).

Related Weaknesses

  • ChildOf: CWE-863 (View 1000, Ordinal: Primary)

  • ChildOf: CWE-863 (View 699, Ordinal: Primary)

Applicable Platforms

Language: Language-Independent (Prevalence: Undetermined)

Paradigm: Web Based (Prevalence: Undetermined)

Common Consequences

Scope: Access Control
Impact: Bypass Protection Mechanism
Note: An attacker may be able to bypass the authorization mechanism to gain access to the otherwise-protected URL.

Scope: Confidentiality
Impact: Read Files or Directories
Note: If a non-canonical URL is used, the server may choose to return the contents of the file instead of pre-processing the file (e.g. as a program).

Potential Mitigations

Architecture and Design

Strategy:

Make access control policy based on path information in canonical form. Use very restrictive regular expressions to validate that the path is in the expected form.

Architecture and Design

Strategy:

Reject all alternate path encodings that are not in the expected canonical form.
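The extended description and the two mitigations above, as an added Python example (not code from the CWE entry or its source): a deny-list check on the raw, undecoded path beside an allow-list check that first decodes the path exactly once and then refuses any form that is not already canonical. The policy table, the role names and the paths are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed policy (not from the CWE entry): canonical path -> roles allowed to reach it.
POLICY = {
    "/mypage": {"user", "admin"},
    "/admin/users": {"admin"},
}
# Restrictive shape of a canonical path: non-empty [A-Za-z0-9_-] segments,
# no dots, no empty segment, no trailing slash.
CANONICAL_RE = re.compile(r"^(/[A-Za-z0-9_-]+)+$")


def vulnerable_is_authorized(url: str, role: str) -> bool:
    """CWE-647 pattern: a deny-list rule applied to the raw, undecoded path."""
    path = urlsplit(url).path
    if path.startswith("/admin"):
        return role == "admin"
    return True  # everything else is treated as public


def canonicalize_path(raw_path: str):
    """Return the canonical form of a request path, or None when the input is
    not already canonical (alternate encodings are rejected, not repaired)."""
    try:
        decoded = unquote(raw_path, errors="strict")  # decode exactly once
    except UnicodeDecodeError:
        return None
    # A '%' surviving one decode means double encoding; backslashes and
    # relative paths have no place in a canonical path either.
    if "%" in decoded or "\\" in decoded or not decoded.startswith("/"):
        return None
    if any(not 0x21 <= ord(c) <= 0x7E for c in decoded):  # printable ASCII only
        return None
    # Dot segments, repeated slashes and trailing slashes all change under
    # normpath; such input is non-canonical and is refused outright.
    if posixpath.normpath(decoded) != decoded:
        return None
    if not CANONICAL_RE.fullmatch(decoded):
        return None
    return decoded


def hardened_is_authorized(url: str, role: str) -> bool:
    """Allow-list lookup on the canonical path; anything unrecognised is denied."""
    canonical = canonicalize_path(urlsplit(url).path)
    if canonical is None:
        return False
    return role in POLICY.get(canonical, set())
```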

Demonstrative Examples

Example from CAPEC (CAPEC ID: 4, "Using Alternative IP Address Encodings"). An attacker identifies an application server that applies a security policy based on the domain and application name, so the access control policy covers authentication and authorization for anyone accessing http://example.domain:8080/application. However, by substituting the IP address of the host, http://192.168.0.1:8080/application, the application's authentication and authorization controls may be bypassed. The attacker relies on the victim applying policy to the namespace abstraction and not having a default deny policy in place to manage exceptions.

Taxonomy Mappings

Mapped Taxonomy Name: The CERT Oracle Secure Coding Standard for Java (2011)
Node ID: IDS02-J
Mapped Node Name: Canonicalize path names before validating them

Article source: scap中文网

Original link (CN-SEC中文网): http://cn-sec.com/archives/613065.html
