R037. Parameters without sensitive data

Requirement

The system must not allow directory names or file paths to be included in its parameters.

Description

A system must not allow the inclusion of directory names or file paths in its parameters. By tampering with the fields associated with these parameters, an attacker may access those paths and compromise sensitive information.

Implementation

All data inputs must be assumed to be malicious. Therefore, whitelisting and escaping should be used either to discard any input that is not acceptable (that is, any input that does not strictly comply with the specifications) or to sanitize it.
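One way to implement the whitelist-and-reject approach described above, as an added example that is not part of the original requirement: the file-name pattern, the base directory `/srv/app/reports`, the function names and the sample request parameters are all constructed assumptions.

```python
import os
import re
from urllib.parse import unquote

# Allowlist for a file-name parameter: alphanumeric start, then a bounded run of
# safe characters. No separators and no leading dot, so "", "..", ".htaccess"
# and "../../etc/passwd" are rejected before any path is ever built.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# Constructed example: the only directory the application may read files from.
BASE_DIR = "/srv/app/reports"

# Markers that show a parameter is carrying a path rather than a plain value:
# dot-dot, either separator, NUL, a Windows drive letter or a home-dir tilde.
PATH_MARKERS = re.compile(r"\.\.|[/\\]|\x00|^[A-Za-z]:|^~")


class UnsafePathError(ValueError):
    """Raised when a user-supplied parameter must not be used as a path."""


def resolve_user_file(name: str, base_dir: str = BASE_DIR) -> str:
    """Map a validated file-name parameter to a path strictly inside base_dir."""
    # Gate 1: the parameter must match the allowlist exactly.
    if not SAFE_NAME.fullmatch(name):
        raise UnsafePathError(f"rejected file name parameter: {name!r}")
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, name))
    # Gate 2 (defence in depth): even if the allowlist is loosened later, the
    # normalised result must still lie below base_dir. Add os.path.realpath
    # here when base_dir may contain symlinks pointing outside it.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"parameter escapes base directory: {name!r}")
    return candidate


def is_acceptable(name: str, base_dir: str = BASE_DIR) -> bool:
    """True when the parameter passes both gates, False when it is rejected."""
    try:
        resolve_user_file(name, base_dir)
    except UnsafePathError:
        return False
    return True


def flag_path_like_parameters(params: dict) -> list:
    """Return the names of request parameters whose values look like paths.

    Intended as a logging/alerting check: a parameter that carries separators
    or dot-dot sequences (raw or URL-encoded) is worth investigating.
    """
    return sorted(k for k, v in params.items()
                  if PATH_MARKERS.search(v) or PATH_MARKERS.search(unquote(v)))
```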

Attacks

  1. An attacker may create or overwrite critical files used to execute code, such as programs or libraries. If the target file is used as a security mechanism, the attacker may bypass that mechanism, for example by adding a new account at the end of a password file to bypass the authentication process.

  2. An attacker may read the content of unexpected files and expose sensitive information. If the target file is used as a security mechanism, the attacker may bypass that mechanism; for example, by reading a password file, the attacker may perform a brute-force attack to obtain valid user credentials.

  3. An attacker may overwrite, delete or corrupt critical files such as programs, libraries or sensitive information. This may lead to a system failure and, if authentication mechanisms are in place, the attacker may block access to the system for all users.

Attributes

  • Layer: Application Layer

  • Asset: Files

  • Scope: Confidentiality

  • Phase: Construction

  • Type of Control: Recommendation

References

  1. CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path traversal'). The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  2. CWE-23: Relative Path Traversal. The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

  3. CWE-36: Absolute Path Traversal. The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.

  4. CWE-73: External Control of File Name or Path. The software allows user input to control or influence paths or file names that are used in filesystem operations.

  5. CWE-98: PHP Remote File Inclusion. The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

  6. CWE-641: Improper Restriction of Names for Files and Other Resources. The application constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.

  7. OWASP-ASVS v4.0.1 V5.3 Output Encoding and Injection Prevention Requirements (5.3.9). Verify that the application protects against Local File Inclusion (LFI) or Remote File Inclusion (RFI) attacks.

  8. OWASP-ASVS v4.0.1 V5.3 Output Encoding and Injection Prevention Requirements (5.3.10). Verify that the application protects against XPath injection or XML injection attacks.

  9. OWASP-ASVS v4.0.1 V12.3 File Execution Requirements (12.3.1). Verify that user-submitted filename metadata is not used directly with system or framework file and URL APIs to protect against path traversal.

  10. OWASP-ASVS v4.0.1 V12.3 File Execution Requirements (12.3.2). Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure, creation, updating or removal of local files (LFI).

  11. OWASP-ASVS v4.0.1 V12.3 File Execution Requirements (12.3.3). Verify that user-submitted filename metadata is validated or ignored to prevent the disclosure or execution of remote files (RFI), which may also lead to SSRF.

  12. OWASP-ASVS v4.0.1 V12.3 File Execution Requirements (12.3.4). Verify that the application protects against reflective file download (RFD) by validating or ignoring user-submitted filenames in a JSON, JSONP, or URL parameter; the response Content-Type header should be set to text/plain, and the Content-Disposition header should have a fixed filename.

  13. OWASP-ASVS v4.0.1 V12.3 File Execution Requirements (12.3.5). Verify that untrusted file metadata is not used directly with system APIs or libraries, to protect against OS command injection.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.