CWE-647 使用未经净化的URL路径进行授权决策
Use of Non-Canonical URL Paths for Authorization Decisions
结构: Simple
Abstraction: Variant
状态: Incomplete
被利用可能性: High
基本描述
The software defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.
扩展描述
If an application defines policy namespaces and makes authorization decisions based on the URL, but it does not require or convert to a canonical URL before making the authorization decision, then it opens the application to attack. For example, if the application only wants to allow access to http://www.example.com/mypage, then the attacker might be able to bypass this restriction using equivalent URLs such as:
Therefore it is important to specify access control policy that is based on the path information in some canonical form with all alternate encodings rejected (which can be accomplished by a default deny rule).
相关缺陷
-
cwe_Nature: ChildOf cwe_CWE_ID: 863 cwe_View_ID: 1000 cwe_Ordinal: Primary
-
cwe_Nature: ChildOf cwe_CWE_ID: 863 cwe_View_ID: 699 cwe_Ordinal: Primary
适用平台
Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}
Paradigm: {'cwe_Name': 'Web Based', 'cwe_Prevalence': 'Undetermined'}
常见的影响
| 范围 | 影响 | 注释 |
|---|---|---|
| Access Control | Bypass Protection Mechanism | An attacker may be able to bypass the authorization mechanism to gain access to the otherwise-protected URL. |
| Confidentiality | Read Files or Directories | If a non-canonical URL is used, the server may choose to return the contents of the file, instead of pre-processing the file (e.g. as a program). |
可能的缓解方案
Architecture and Design
策略:
Make access control policy based on path information in canonical form. Use very restrictive regular expressions to validate that the path is in the expected form.
Architecture and Design
策略:
Reject all alternate path encodings that are not in the expected canonical form.
示例代码
例
Example from CAPEC (CAPEC ID: 4, "Using Alternative IP Address Encodings"). An attacker identifies an application server that applies a security policy based on the domain and application name, so the access control policy covers authentication and authorization for anyone accessing http://example.domain:8080/application. However, by putting in the IP address of the host the application authentication and authorization controls may be bypassed http://192.168.0.1:8080/application. The attacker relies on the victim applying policy to the namespace abstraction and not having a default deny policy in place to manage exceptions.
分类映射
| 映射的分类名 | ImNode ID | Fit | Mapped Node Name |
|---|---|---|---|
| The CERT Oracle Secure Coding Standard for Java (2011) | IDS02-J | Canonicalize path names before validating them |