Java: add query to detect web.xml auth bypass through verb tampering#3944
Conversation
|
The output of this query against Apache Pluto 3.0.0 can be found at this link. Please note the query runs against my fork of Pluto as I couldn't get LGTM to run this against version 3.0.0 isntead of the current master. |
Marcono1234
left a comment
There was a problem hiding this comment.
It might be good to call them "HTTP method" instead of "verb" since that naming seems to be more common and is also the one used by https://tools.ietf.org/html/rfc1945.
It would probably also be good to rename plutoRce.ql (and the other files) because it appears the query files usually have the name of the vulnerability they detect and not the name of a previously vulnerable application.
| import semmle.code.xml.WebXML | ||
|
|
||
| class ValidHTTPMethods extends string { | ||
| ValidHTTPMethods() { |
There was a problem hiding this comment.
Should this cover PATCH as well?
If so, maybe this class could possibly be renamed to HTTPMethod instead (though it might not matter).
There was a problem hiding this comment.
This is named ValidHttpMethods as the other getHttpMethods calls returns the values preset in the databse. This returns hardcoded predefined strings. HttpMethod is quite similar to the getHttpMethods call. Hence, to prevent confusion, I named it as such.
I am including PATCH in the list. I may have missed that earlier. Thanks for pointing it out.
There was a problem hiding this comment.
Interestingly, PATCHis not a default method, it is considered as an extension to the actual standard and is part of a eparate RFC. I have incldued it nevertheless. But I am concerned with the number of false positives this may cause.
| @@ -0,0 +1 @@ | |||
| public class Test{} No newline at end of file | |||
There was a problem hiding this comment.
Is this file included on purpose?
There was a problem hiding this comment.
Yes, XML extractor can only be called from a parent language extractor. In this case, seeing the Test.java file, the java extractor is invoked which in turn recognizes xml and includes it in the db. Without it, there won't be any xml included in the generated db.
There was a problem hiding this comment.
Are you sure? It appears https://github.com/github/codeql/tree/master/java/ql/test/experimental/query-tests/security/CWE-548 works without Java file
|
I have squashed the commits and included some suggestions from the review. RE: "verb" vs "methods": I can see that the standard calls it a method but the attack is called "HTTP Verb tampering". Hence, to avoid confusion, I have simply included a minor change to the initial line. So that it is now |
| <qhelp> | ||
|
|
||
| <overview> | ||
| <p>An authentication check on a few HTTP verbs(or methods) and not others may allow an attacker to bypass the authentication by tampering the HTTP verb.</p> |
There was a problem hiding this comment.
| <p>An authentication check on a few HTTP verbs(or methods) and not others may allow an attacker to bypass the authentication by tampering the HTTP verb.</p> | |
| <p>An authentication check on a few HTTP verbs (or methods) and not others may allow an attacker to bypass the authentication by tampering the HTTP verb.</p> |
| </example> | ||
| <example> | ||
| <p>This can be corrected easily by including other HTTP methods in the list.</p> | ||
| <sample src="plutoRceGood.xml" /> |
There was a problem hiding this comment.
| <sample src="plutoRceGood.xml" /> | |
| <sample src="verbTamperingGood.xml" /> |
|
|
||
| <example> | ||
| <p>Consider the example below, the constraint applies to HTTP `GET`, `POST` and `PUT` methods but not for `HEAD` method. This results in an authentication bypass.</p> | ||
| <sample src="plutoRceBad.xml" /> |
There was a problem hiding this comment.
| <sample src="plutoRceBad.xml" /> | |
| <sample src="verbTamperingBad.xml" /> |
| /** Gets the security constraint to which this belongs */ | ||
| SecurityConstraint getDeclaringConstraint() { result = getParent() } | ||
|
|
||
| /** Returns all HTTP methods listed in this collection */ |
There was a problem hiding this comment.
| /** Returns all HTTP methods listed in this collection */ | |
| /** Returns a HTTP method listed in this collection */ |
|
This is an interesting area. As not all Servlet implementations take all HTTP verbs, for example, a lot of servlets only take the GET and/or POST verb while denying the rest. E.g. To reduce false positives, will it be a good idea to at least amend the query to check that the Java code does handle additional verbs? Thanks. |
|
To add to @luchua-bc's comment by default you have to override the HttpServlet methods to make your application support them (except |
|
@porcupineyhairs as per comments above, I'd expect a very high false-positive rate from this because many of the methods are very uncommon (e.g. DELETE, PATCH, CONNECT are commonly left in their default reject-bad-method state). In order from least to most false positives (and true positives of course), you could go for:
The later ones could be improved by looking for a Let me know which way you want to go and I'll start an evaluation. |
|
Also am I right thinking there's no bounty application associated with this query at present? |
|
@smowton Your ideas woud reduce the FP's. but I am still concerned with the number of results. Hence, I am keeping this one on hold for a while. Please give me some time to see what can be done to reduce the FP's here. Also, this was meant to be a bug bounty submission but now that I am keeping it on hold, I am not opening a new issue. |
This query detects the case where an
auth-constraintis present for a particular HTTP verb but does not include some other verb.The most common example for this case is CVE-2018-1306, the Apache Pluto 3.0.0 RCE.
Consider the config as shown below
In this case, the
auth-constraintcheck forGET,POSTandPUTmethods but not for theHEADmethod. Essentially resulting in a full authentication bypass and eventually RCE.