
REQ.037 Parameters without sensitive data

This document contains the details of the security requirements related to the definition and management of files in the organization. This requirement establishes the importance of discarding potentially harmful data inputs in parameters in order to avoid code injections and data leakage.

Requirement

The system must not allow parameters to be included in directory names or file paths.

Description

A system must not allow the inclusion of directory names or file paths in its parameters. By tampering with the fields associated with these parameters, an attacker may access those paths and compromise sensitive information.

Implementation

It must be assumed that all data inputs are malicious. Use the whitelist method: accept only data input that strictly complies with the specifications, and reject anything else or modify it to meet the specifications.
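One way to apply the whitelist method to a file-name parameter, shown as an added example that is not part of the original requirement. The name pattern, the `uploads` base directory and the function names are assumptions, and the sample parameters are constructed.

```python
import os
import re
import tempfile

# Assumed specification: 1-64 letters, digits, "_" or "-", then one permitted
# extension. Path separators, extra dots and control characters never match.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:txt|pdf|png)")


class RejectedParameter(ValueError):
    """The parameter does not strictly comply with the specification."""


def resolve_parameter(base_dir, name):
    """Return the absolute path of `name` inside `base_dir`, or raise."""
    # fullmatch(), not match() with "$": "$" would accept a trailing newline.
    if not isinstance(name, str) or not ALLOWED_NAME.fullmatch(name):
        raise RejectedParameter("name is not on the allow list")
    base = os.path.realpath(base_dir)
    # realpath() follows symlinks, so a link inside base_dir that points
    # elsewhere fails the containment check even though its name is valid.
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise RejectedParameter("resolved path leaves the base directory")
    return candidate


def check_samples():
    """Validate constructed sample parameters; return {parameter: accepted}."""
    samples = ["report_2024.txt", "../../etc/passwd", "/etc/passwd",
               "report.txt\n", "report.txt\x00.png", "link.txt"]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "uploads")
        os.mkdir(base)
        outside = os.path.join(root, "secret.txt")
        open(outside, "w").close()
        os.symlink(outside, os.path.join(base, "link.txt"))
        for name in samples:
            try:
                resolve_parameter(base, name)
                results[name] = True
            except RejectedParameter:
                results[name] = False
    return results


if __name__ == "__main__":
    for name, accepted in check_samples().items():
        print(f"{name!r:24} {'accepted' if accepted else 'rejected'}")
```

The pattern check rejects relative and absolute traversal before any file system call, and the containment check covers what a name pattern cannot see, such as a symbolic link stored inside the permitted directory.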

Attacks

  1. An attacker may create or overwrite critical files used to execute code, such as programs or libraries. If the target file is used as a security mechanism, the attacker may bypass that mechanism. For example, by adding a new account at the end of a password file to bypass the authentication process.

  2. An attacker may read the content of unexpected files and expose sensitive information. If the target file is used as a security mechanism, the attacker may bypass that mechanism. For example, by reading a password file the attacker may perform a brute force attack to obtain the users' credentials.

  3. The attacker may overwrite, delete or corrupt critical files such as programs, libraries, or sensitive information. This may lead to a system malfunction and, if authentication mechanisms are in place, the attacker may block system access for all users.

Attributes

  • Layer: Application Layer

  • Asset: Files

  • Scope: Confidentiality

  • Phase: Construction

  • Type of Control: Recommendation

References

  1. Path Traversal.

  2. Testing Directory traversal/file include (OTG-AUTHZ-001).

  3. CWE-22: Improper Limitation of a Pathname to a Restricted Directory.

  4. CWE-36: Absolute Path Traversal.

  5. CWE-23: Relative Path Traversal.

  6. OWASP-ASVS v3.1-5.13 Verify that the application is not susceptible to Remote File Inclusion (RFI) or Local File Inclusion (LFI) when content is used that is a path to a file.

  7. OWASP-ASVS v3.1-5.14 Verify that the application is not susceptible to XPath injection or XML injection attacks.

