Mass Assignment:Request Parameters Bound into Persisted Objects 质量分配：请求绑定到持久对象中的参数

Abstract:

 

Channel.java 中的类既是数据库持久实体，又是动态绑定请求对象。如果允许使用请求参数自动填充数据库持久实体，攻击者将能够在关联实体中创建计划外的数据库记录，或者更新实体对象中的计划外字段。

 

 

Explanation:

 

持久对象通常绑定到底层数据库，并由持久性框架（如 Hibernate 或 JPA）自动更新。如果允许这些对象自动绑定到 Spring MVC 的请求，攻击者将能够通过提供附加的请求参数向数据库中注入非预期的值。

例 1：Order、Customer 和 Profile 都是 Hibernate 持久类。

 

public class Order {

            String ordered;

            List lineItems;

            Customer cust;

...

} public class Customer {            String customerId;

            ...

    Profile p;

...

} public class Profile {     String profileId;             String username;            String password;

            ...

}

 

OrderController 是处理该请求的 Spring 控制器类：

 

@Controller

public class OrderController {

...

            @RequestMapping("/updateOrder")       public String updateOrder(Order order) {

                        ...

                        session.save(order);

            }

}

 

因为命令类会自动绑定到该请求，所以利用这一漏洞，攻击者可以通过在该请求中添加如下请求参数来更新其他用户的密码："http://www.yourcorp.com/webApp/updateOrder?order.customer.profile.profileId=1234&order.customer.profile.password=urpowned"

 

 

 

Instance ID: B662F07294A63FAB5003A902EE57D350

 

Priority Metadata Values:

 

            IMPACT: 3.0

 

            LIKELIHOOD: 3.2

 

Legacy Priority Metadata Values:

 

            SEVERITY: 3.0

 

            CONFIDENCE: 5.0

 

 

Remediation Effort: 3.0

 

 

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

 

 

 

Recommendations:

 

请不要使用持久实体对象作为请求绑定对象。应手动将请求绑定对象中需要持久保留的属性复制到持久实体对象。或者，应明确定义请求绑定对象中可以通过请求参数设置的属性。

 

 

References:

 

[1] Ryan Berg and Dinis Cruz, Two Security Vulnerabilities in the Spring Framework's MVC, 2008, http://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf

 

[2] Standards Mapping - Common Weakness Enumeration, CWE ID 915

 

[3] Standards Mapping - NIST Special Publication 800-53 Revision 4, SI-10 Information Input Validation (P1)

 

[4] Standards Mapping - OWASP Mobile Top 10 Risks 2014, M1 Weak Server Side Controls

 

[5] Standards Mapping - OWASP Top 10 2004, A1 Unvalidated Input

 

[6] Standards Mapping - OWASP Top 10 2007, A4 Insecure Direct Object Reference

 

[7] Standards Mapping - OWASP Top 10 2010, A4 Insecure Direct Object References

 

[8] Standards Mapping - OWASP Top 10 2013, A4 Insecure Direct Object References

 

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1, Requirement 6.5.6

 

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2, Requirement 6.5.2

 

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0, Requirement 6.5.1

 

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0, Requirement 6.5.1

 

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1, Requirement 6.5.8

 

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2, Requirement 6.5.8

 

[15] Standards Mapping - Security Technical Implementation Guide Version 4.1, APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

 

[16] Standards Mapping - Web Application Security Consortium Version 2.00, Abuse of Functionality (WASC-42)