R320. Avoid client-side control enforcement

Requirement

The system must enforce access controls on trusted enforcement points, not on the client’s side.

Description

Systems must enforce access controls on trusted enforcement points such as access control gateways, severs and serverless functions. Client-side access control enforcement can not be trusted because it is prone to being bypassed and/or tampered with.

References

  1. CAPEC-11: Cause Web Server Misclassification. An attack of this type exploits a Web server’s decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence.

  2. CWE-284: Improper Access Control. The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

  3. CWE-285: Improper Authorization. The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

  4. CWE-602: Client-Side Enforcement of Server-Side Security. The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

  5. CWE-639: Authorization Bypass Through User-Controlled Key. The system’s authorization functionality does not prevent one user from gaining access to another user’s data or record by modifying the key value identifying the data.

  6. Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing.(1a) The measures referred to in paragraph 1 shall at least ensure that personal data can be accessed only by authorized personnel for legally authorized purposes.

  7. OWASP Top 10 A2:2017-Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

  8. OWASP Top 10 A5:2017-Broken Access Control. Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.

  9. OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements.(1.4.1) Verify that trusted enforcement points such as at access control gateways, servers, and serverless functions enforce access controls. Never enforce access controls on the client.

  10. OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements.(1.4.4) Verify the application uses a single and well-vetted access control mechanism for accessing protected data and resources. All requests must pass through this single mechanism to avoid copy and paste or insecure alternative paths.

  11. OWASP-ASVS v4.0.1 V1.5 Input and Output Architectural Requirements.(1.5.3) Verify that input validation is enforced on a trusted service layer.

  12. OWASP-ASVS v4.0.1 V4.1 General Access Control Design.(4.1.1) Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed.

  13. OWASP-ASVS v4.0.1 V4.1 General Access Control Design.(4.1.2) Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized.

  14. OWASP-ASVS v4.0.1 V4.2 Operation Level Access Control.(4.2.1) Verify that sensitive data and APIs are protected against direct object attacks targeting creation, reading, updating and deletion of records, such as creating or updating someone else’s record, viewing everyone’s records, or deleting all records.

  15. OWASP-ASVS v4.0.1 V13.1 Generic Web Service Security Verification Requirements.(13.1.4) Verify that authorization decisions are made at both the URI, enforced by programmatic or declarative security at the controller or router, and at the resource level, enforced by model-based permissions.

  16. OWASP-ASVS v4.0.1 V13.4 GraphQL and other Web Service Data Layer Security Requirements.(13.4.2) Verify that GraphQL or other data layer authorization logic should be implemented at the business logic layer instead of the GraphQL layer.

  17. OWASP-ASVS v4.0.1 V14.5 Validate HTTP Request Header Requirements.(14.5.2) Verify that the supplied Origin header is not used for authentication or access control decisions, as the Origin header can easily be changed by an attacker.

  18. PCI DSS v3.2.1 - Requirement 6.5.8 Address common coding vulnerabilities in software-development processes including improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).

  19. PCI DSS v3.2.1 - Requirement 6.5.10 Address common coding vulnerabilities in software-development processes such as broken authentication and session management.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.

Service status - Terms of Use - Privacy Policy - Cookie Policy