C# API - Common Security Threats & Vulnerabilities - Part 2/2

7. Mass Assignment

Mass assignment is a class of vulnerabilities in which an attacker modifies fields of an active record or ORM object that should otherwise be protected from modification, e.g. objects containing sensitive fields such as administrator status flags, permission flags, etc.

Bob attempts to modify the isAdmin parameter's value by setting it from false to true.



Mitigation

To effectively mitigate mass assignment attacks, developers must ensure that every parameter and payload field a method accepts is explicitly defined, instead of binding the request directly to the generic entity objects passed as parameters.
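The following ASP.NET Core controllers are an added example, not code from the original post. The User entity, the Sessions-style data store and the route names are hypothetical. The first controller binds the request body straight onto the entity, so a JSON payload carrying "isAdmin": true lands on the record; the second accepts a dedicated request model that lists only the fields a caller may change.

```csharp
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Mvc;

// Hypothetical persisted entity. IsAdmin must never be writable through the public API.
public class User
{
    public int Id { get; set; }
    public string Email { get; set; } = "";
    public string DisplayName { get; set; } = "";
    public bool IsAdmin { get; set; }   // sensitive flag
}

// Vulnerable pattern: the entity itself is the action parameter, so every public
// property on it, IsAdmin included, is settable from the request body.
[ApiController]
[Route("api/v1/users")]
public class VulnerableUsersController : ControllerBase
{
    [HttpPut("{id}")]
    public IActionResult Update(int id, [FromBody] User user)
    {
        // user.IsAdmin now holds whatever the caller sent (hypothetical save omitted).
        return Ok(user);
    }
}

// Hardened pattern: an explicit request model. The JSON body is deserialized into this
// type, which has no IsAdmin member, so an "isAdmin" property in the payload is simply
// ignored and cannot reach the entity.
public class UpdateUserRequest
{
    [Required, EmailAddress]
    public string Email { get; set; } = "";

    [Required, StringLength(64)]
    public string DisplayName { get; set; } = "";
}

[ApiController]
[Route("api/v2/users")]
public class UsersController : ControllerBase
{
    [HttpPut("{id}")]
    public IActionResult Update(int id, [FromBody] UpdateUserRequest request)
    {
        // Hypothetical lookup; a real application loads this from its data store.
        var user = new User { Id = id, IsAdmin = false };

        // Copy the allow-listed fields one by one. Nothing else on the entity changes.
        user.Email = request.Email;
        user.DisplayName = request.DisplayName;

        return Ok(user);
    }
}
```

The request-model approach works regardless of which input formatter is configured, because the protection comes from the shape of the type being bound rather than from a binding attribute on the entity.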

8. Security Misconfiguration - Part 1

Cross-origin resource sharing (CORS) is a browser mechanism that enables controlled access to resources located outside of a given domain. Further, many modern web applications use CORS to allow access from subdomains and trusted third parties. However, since CORS is an access control mechanism, it can be misconfigured, thereby enabling an attacker to bypass it and make the client browser act as a proxy between a malicious website and the target web application.

Mitigation

To mitigate against Clickjacking attacks, developers must configure their web servers or load balancers to include the X-Frame-Options or Content-Security-Policy header.

Both X-Frame-Options and Content-Security-Policy response headers define whether or not a browser should be allowed to embed or render a page in an <iframe> element. For example, setting X-Frame-Options: deny will prevent browsers from rendering your web application in an <iframe> element.

# Enable on Nginx
add_header X-Frame-Options "sameorigin" always;

# Enable on Apache (mod_headers)
Header always set X-Frame-Options "sameorigin"

# Content Security Policy: frame-ancestors lists the origins allowed to embed this page
# (frame-src would instead restrict what this page itself may embed, which does not stop clickjacking)
Content-Security-Policy: frame-ancestors https://www.coinpay.com/
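When the API itself must emit these headers rather than the web server in front of it, a small middleware does the job. This is an added example and not code from the original post; the extension method name and the allowed-embedder value are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Minimal hosting entry point. The frame-ancestors value is a hypothetical allow-list.
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();
app.UseAntiClickjacking("'self' https://www.coinpay.com");
app.MapGet("/", () => "Embeddable only by the listed origins.");
app.Run();

public static class AntiClickjackingExtensions
{
    // Adds both anti-framing headers to every response, error responses included.
    // X-Frame-Options covers legacy browsers; CSP frame-ancestors is the modern control
    // and takes precedence in browsers that understand both. Note that SAMEORIGIN is
    // stricter than the CSP allow-list, so a legacy browser would refuse the coinpay.com
    // embed that a modern one permits.
    public static IApplicationBuilder UseAntiClickjacking(
        this IApplicationBuilder app, string frameAncestors = "'self'")
    {
        return app.Use(async (HttpContext context, Func<Task> next) =>
        {
            // OnStarting fires just before the response headers are flushed, so the
            // headers are present even if a downstream component writes the body early.
            context.Response.OnStarting(() =>
            {
                context.Response.Headers["X-Frame-Options"] = "SAMEORIGIN";
                context.Response.Headers["Content-Security-Policy"] =
                    $"frame-ancestors {frameAncestors}";
                return Task.CompletedTask;
            });
            await next();
        });
    }
}
```

Register the middleware early in the pipeline so that responses produced by exception handlers and static-file middleware carry the headers as well.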

9. SQL Injection

SQL Injection is a type of code injection vulnerability that allows an attacker to interfere with the queries an application makes to its database. By injecting malicious SQL code, an attacker can read database content and thus gain access to sensitive information, modify or delete data, and in some cases execute administrative operations on the backend SQL server.

sqlmap: Automatic SQL injection and database takeover tool

python sqlmap.py -u "http://www.invoiceable.com/login" --data "ipAddress=1" -p "ipAddress" --method POST
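The post gives no mitigation code for this section, so here is an added example (not from the original post) of the standard defence in C#: a parameterized query, shown beside the string-concatenation pattern that sqlmap-style tooling probes for. The Sessions table, its IpAddress column and the connection string are hypothetical.

```csharp
using System;
using System.Data;
using System.Threading.Tasks;
using Microsoft.Data.SqlClient;

public static class SessionRepository
{
    // Vulnerable: untrusted input is spliced into the statement text, so a value that
    // contains a quote or a comment sequence changes the structure of the query rather
    // than just the data it compares against.
    public static string BuildVulnerableSql(string ipAddress)
        => "SELECT COUNT(*) FROM Sessions WHERE IpAddress = '" + ipAddress + "'";

    // Hardened: the statement text is constant and the value is bound as a typed
    // parameter. The driver ships the value separately from the SQL, so quotes,
    // comments and keywords inside it are never interpreted as SQL.
    public static async Task<int> CountSessionsAsync(string connectionString, string ipAddress)
    {
        await using var conn = new SqlConnection(connectionString);
        await using var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Sessions WHERE IpAddress = @ip", conn);

        // 45 characters covers the longest textual IPv6 form; a fixed length also
        // rejects oversized input at the driver boundary.
        cmd.Parameters.Add("@ip", SqlDbType.VarChar, 45).Value = ipAddress;

        await conn.OpenAsync();
        return Convert.ToInt32(await cmd.ExecuteScalarAsync());
    }
}
```

The same principle applies to EF Core: FromSqlInterpolated turns interpolated values into parameters, whereas building a string first and passing it to FromSqlRaw reintroduces the concatenation problem.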

10. Insufficient Logging & Monitoring

Insufficient logging and monitoring is a common issue when developing and deploying web applications and can result in sensitive information being accessed or stolen by malicious or unauthorized parties, without having the relevant audit trail data to identify or trace the source of the problem.

Mitigation

In order to effectively mitigate Insufficient Logging & Monitoring issues, developers should follow these logging best practices:

- Ensure all login, access control failures, and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts, and held for sufficient time to allow delayed forensic analysis.

- Ensure that logs are generated in a format that can be easily consumed by centralized log management solutions.

- Ensure sensitive actions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar.

- Establish effective monitoring and alerting such that suspicious activities are detected and responded to in a timely fashion.
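As an added example (not code from the original post) of the first two practices in ASP.NET Core: a login endpoint that records every failed attempt with structured user context, emitted as JSON lines so a central log platform can parse and alert on them. The credential store, the route and the sample credentials are hypothetical placeholders.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);
builder.Logging.ClearProviders();
builder.Logging.AddJsonConsole();   // one JSON object per line, ready for a central collector
builder.Services.AddControllers();
var app = builder.Build();
app.MapControllers();
app.Run();

public record LoginRequest(string Username, string Password);

[ApiController]
[Route("api/auth")]
public class AuthController : ControllerBase
{
    private readonly ILogger<AuthController> _logger;
    public AuthController(ILogger<AuthController> logger) => _logger = logger;

    [HttpPost("login")]
    public IActionResult Login([FromBody] LoginRequest request)
    {
        var clientIp = HttpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
        bool ok = CredentialStore.Verify(request.Username, request.Password);

        if (!ok)
        {
            // Named placeholders become structured properties in the JSON output, so
            // failures can be grouped by account or source address. The username and
            // the request trace id give forensic context; the password is never logged.
            _logger.LogWarning(
                "Login failed for {Username} from {ClientIp} (trace {TraceId})",
                request.Username, clientIp, HttpContext.TraceIdentifier);
            return Unauthorized();
        }

        _logger.LogInformation("Login succeeded for {Username} from {ClientIp}",
            request.Username, clientIp);
        return Ok();
    }
}

// Hypothetical stand-in for the real credential verifier.
static class CredentialStore
{
    public static bool Verify(string username, string password)
        => username == "alice" && password == "placeholder-secret";
}
```

Retention and tamper resistance (the third practice) are properties of the sink rather than the application: ship these lines to a store the web tier can append to but not delete from.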

11. XXE Injection

XML External Entity (XXE) Injection is an attack targeting applications that transmit data between browser and server in XML format. By intercepting and modifying the data, an attacker can exploit potentially dangerous features of standard XML libraries, such as the parsing and loading of external entities, in order to gain access to the server's filesystem or to interact with backend systems that the application has access to.


Mitigation

In order to effectively mitigate against XXE injection attacks, developers must configure their application's XML parsers to disable the parsing of XML eXternal Entities (XXE) and Document Type Definitions (DTD) when parsing XML documents.

If DTDs cannot be completely disabled, developers must disable the parsing of external general entities and external parameter entities when parsing untrusted XML files.

using System.IO;
using System.Xml;

// Refuse to process any DTD: an inline or external DOCTYPE makes the reader throw an XmlException
// before any entity can be declared or expanded.
XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Prohibit;

XmlReader reader = XmlReader.Create(inputStream, settings);
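For the second case, where the format genuinely requires a DTD, here is an added example (not code from the original post) that keeps DTD parsing on but removes the parser's ability to fetch external entities or DTDs and caps entity expansion. The helper name is hypothetical.

```csharp
using System.IO;
using System.Xml;

public static class SafeXml
{
    // Parse untrusted XML that must be allowed to carry a DTD, without resolving
    // anything outside the document itself.
    public static XmlDocument LoadUntrusted(Stream input)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,   // the DTD is read because the format needs it...
            XmlResolver = null,                    // ...but external entities and external DTD subsets are never fetched
            MaxCharactersFromEntities = 1024,      // bounds entity expansion (nested-entity DoS)
        };

        using var reader = XmlReader.Create(input, settings);

        // XmlDocument carries its own resolver setting; null it as well so the DOM
        // never re-resolves anything on its own.
        var doc = new XmlDocument { XmlResolver = null };
        doc.Load(reader);
        return doc;
    }
}
```

Apply the same two settings, a null resolver and DtdProcessing set deliberately, to any other parser entry point the application uses (XmlDocument.LoadXml, XDocument.Load, XmlSerializer input streams), since each can construct its own reader with different defaults.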

12. Security Misconfiguration - Part 2

Cross-origin resource sharing (CORS) is a browser mechanism that enables controlled access to resources located outside of a given domain. Further, many modern web applications use CORS to allow access from subdomains and trusted third parties. However, since CORS is an access control mechanism, it can be misconfigured, thereby enabling an attacker to bypass it and make the client browser act as a proxy between a malicious website and the target web application.

Upon registering a new domain name xyzcoinpay.com and accessing the test file index.html, Bob has successfully managed to load Coinpay's website in an iframe, bypassing Coinpay's X-Frame-Options policy!


Mitigation

To prevent this kind of security breach, developers should be extremely careful when using regular expressions for security configuration purposes, as it is easy to overlook a mistake in such an expression.

In our example, regular expressions could be avoided entirely by using the Content-Security-Policy header instead of X-Frame-Options, whose ALLOW-FROM directive is deprecated and does not work in modern browsers.

# Enable on Nginx
add_header Content-Security-Policy "frame-ancestors 'self' https://*.coinpay.com https://*.coinexchange.com" always;

# Enable on Apache (mod_headers)
Header always set Content-Security-Policy "frame-ancestors 'self' https://*.coinpay.com https://*.coinexchange.com"
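Where an allow-list check has to stay in application code, the mistake described above is easy to test for. The following is an added example, not code from the original post: a hypothetical reconstruction of an unanchored pattern of the kind that lets xyzcoinpay.com through, next to an anchored pattern and a regex-free host comparison.

```csharp
using System;
using System.Text.RegularExpressions;

public static class EmbedderAllowlist
{
    // Hypothetical weak pattern: the dot is unescaped and nothing anchors the host, so
    // any origin that merely contains the substring (xyzcoinpay.com, coinpay.com.example)
    // satisfies it.
    static readonly Regex Weak =
        new(@"coinpay.com", RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    // Anchored pattern: escaped dot, explicit subdomain boundary, optional port, end anchor.
    static readonly Regex Anchored =
        new(@"^https://([a-z0-9-]+\.)*coinpay\.com(:\d+)?$",
            RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    public static bool WeakMatch(string origin) => Weak.IsMatch(origin);
    public static bool AnchoredMatch(string origin) => Anchored.IsMatch(origin);

    // Preferred: let the URI parser isolate the host, then compare it structurally.
    // No pattern to get wrong, and the scheme is checked explicitly.
    public static bool IsAllowedHost(string origin)
    {
        if (!Uri.TryCreate(origin, UriKind.Absolute, out var uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttps) return false;

        var host = uri.Host;
        return host.Equals("coinpay.com", StringComparison.OrdinalIgnoreCase)
            || host.EndsWith(".coinpay.com", StringComparison.OrdinalIgnoreCase);
    }
}
```

Feeding origins such as https://www.coinpay.com, https://xyzcoinpay.com and https://coinpay.com.example.test through the three checks in a unit test makes the difference visible: only the substring pattern accepts the look-alike hosts. Keeping such a test in the suite is the cheapest guard against the regex regressing later.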

