
Java: Sensitive GET Query #4880

Merged
aschackmull merged 10 commits into github:main from luchua-bc:java/sensitive-query-with-get
Feb 24, 2021

Conversation

@luchua-bc
Contributor

@luchua-bc luchua-bc commented Dec 26, 2020

When an application uses the GET method to submit sensitive information such as passwords and access tokens, it is transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL therefore increases the risk that they will be captured by an attacker.

This kind of vulnerability is categorized as CWE-598: Use of GET Request Method with Sensitive Query Strings.

This query detects GET requests with sensitive information handled by Java EE Servlets.

Please consider merging the PR. Thanks.

Contributor

@smowton smowton left a comment


I think this probably doesn't work as intended at the moment -- waiting to evaluate

@smowton
Contributor

smowton commented Jan 4, 2021

This still seems very broad -- in doGet(...) { xyz(a, b, c) }, all of a, b and c are considered sinks regardless of the nature of xyz. How about instead the source should be functions that examine the query string and the sink should be storage into a variable whose name suggests it was sensitive information?

@luchua-bc
Contributor Author

Thanks @smowton for the advice. I've made the requested change. Please review.

Contributor

@smowton smowton left a comment


This looks better, though there is one major weakness still: we will only notice getParameter and similar calls that occur directly within doGet. This query is good enough to evaluate, or alternatively you could apply taint to the HttpRequest object and then have getParameter propagate taint onto its return value, thus detecting getParameter occurring within a utility method, the HttpRequest being passed to another method, etc.

Let me know whether you'd like me to evaluate this query as-is, or try to improve it.
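As an added illustration of the source/sink design discussed in the review comments above (this is not code from the PR or from CodeQL's Java library), the Python script below approximates the first version of the query: the source is a getParameter call lexically inside doGet, and the sink is an assignment to a variable whose name, or whose query-parameter name, suggests sensitive data. The Java servlet text, the sensitive-name regex and all function names are constructed assumptions, and, like that first version, it misses getParameter calls in a helper method the handler delegates to.

```python
import re
# Constructed Java servlet source used as sample input (not taken from the PR).
SAMPLE_JAVA = """\
public class LoginServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        String password = request.getParameter("password");
    }
    protected void doPost(HttpServletRequest request, HttpServletResponse response) {
        String token = request.getParameter("access_token");
    }
}
public class SearchServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        String q = request.getParameter("q");
        String t = request.getParameter("api_token");
    }
}
"""

# Assumed heuristic for "the name suggests sensitive information" (variable or parameter name).
SENSITIVE_NAME = re.compile(r"pass(wd|word|code)?|pwd|secret|token|credential|auth", re.I)
# Source: a doGet handler, i.e. code that only runs for the GET method.
DOGET_RE = re.compile(r"\bdoGet\s*\([^)]*\)\s*\{")
# Sink: storing the result of getParameter("...") into a local variable.
ASSIGN_RE = re.compile(r'(\w+)\s*=\s*\w+\.getParameter\(\s*"([^"]*)"\s*\)')

def method_body(src, open_brace):
    """Return the text from the brace at open_brace up to its matching close brace."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace:i]
    return src[open_brace:]

def find_sensitive_get_params(src):
    """Report (line, variable, parameter) for sensitive getParameter reads lexically inside doGet."""
    findings = []
    for m in DOGET_RE.finditer(src):
        start = m.end() - 1  # index of the handler's opening brace
        body = method_body(src, start)
        for a in ASSIGN_RE.finditer(body):
            var, param = a.group(1), a.group(2)
            if SENSITIVE_NAME.search(var) or SENSITIVE_NAME.search(param):
                line = src.count("\n", 0, start + a.start()) + 1
                findings.append((line, var, param))
    return findings
```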

smowton
smowton previously approved these changes Jan 6, 2021
Contributor

@smowton smowton left a comment


This looks good now; have made some documentation suggestions and started the evaluation.

@luchua-bc
Contributor Author

As per the suggestion from @m-y-mo, use isRequestGetParamMethod as the source instead.

@m-y-mo

m-y-mo commented Jan 26, 2021

Thanks! We'll rerun the query and let you know of our feedback.

aschackmull
aschackmull previously approved these changes Feb 23, 2021
@aschackmull
Contributor

Looks like there's a compilation error:

ERROR: Errors during binding:
ERROR: Predicate isServletMethod/1 is ambiguous between: predicate isServletMethod(Method m) from Servlets.qll:327, predicate isServletMethod(Callable c) from UncaughtServletException.ql:33 (/home/runner/work/semmle-code/semmle-code/ql/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql:51,7-22)
ERROR: Declaration of predicate isServletMethod(Callable c) conflicts with existing declarations: predicate isServletMethod(Method m) from Servlets.qll:327 (/home/runner/work/semmle-code/semmle-code/ql/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql:33,19-34)
ERROR: The predicate isServletMethod(Method m), which was brought into scope by this import, conflicts with existing declarations: predicate isServletMethod(Callable c) from UncaughtServletException.ql:33 (/home/runner/work/semmle-code/semmle-code/ql/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql:11,1-45)
ERROR: The predicate isServletMethod(Method m), which was brought into scope by this import, conflicts with existing declarations: predicate isServletMethod(Callable c) from UncaughtServletException.ql:33 (/home/runner/work/semmle-code/semmle-code/ql/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql:13,1-44)

@luchua-bc
Contributor Author

Sorry @aschackmull. I've updated the signature of the ambiguous method so that there will be no conflict.

@aschackmull aschackmull added the no-change-note-required This PR does not need a change note label Feb 24, 2021
@aschackmull aschackmull merged commit add960b into github:main Feb 24, 2021
@luchua-bc luchua-bc deleted the java/sensitive-query-with-get branch February 24, 2021 13:05
Labels

documentation Java no-change-note-required This PR does not need a change note
