cloudfoundry-incubator / kubecf

Cloud Foundry on Kubernetes
Apache License 2.0

Medium: Bypass Business Logic (Web Security Vulnerability) #1740

Closed anugu-vijaykanth closed 3 years ago

anugu-vijaykanth commented 3 years ago

Stratos Version

Stratos 4.4.0

Expected behaviour

It should not report the Bypass business logic medium issue.

Actual behaviour

It is reporting this as a medium issue.

Steps to reproduce the behavior

1. Log into the application and go to spaces: https://xxxxxx.ocp44-ibm-xxxxxxx-staging-2025abf5e73a457f12bb6f6fae6f9c13-0000.tor01.containers.appdomain.cloud/cloud-foundry/AvCk-xOs89DDDe-5kjOr4rjr2VY/organizations/9f957acf-bf1c-4052-95ed-144064b81432/spaces
2. Select a space and click on Quota definition.
3. The application by default expects a positive integral value.
4. Client-side validation is in place for negative and large integral values, as seen in the screenshots.
5. Capture the request and send it to a proxy tool.
6. Modify the memory_limit to -1.
7. Forward the request and validate for a 200 OK response code.
8. Unlimited memory is assigned to that space.
9. Please check the attached screenshots for reference.

Detailed Description

Business logic vulnerabilities are ways of using the legitimate processing flow of an application in a way that results in a negative. The likelihood of business logic problems really depends on the circumstances. Every application has a different business process, application specific logic and can be manipulated in an infinite number of combinations.

Context

The risks of business logic attacks include data theft, revenue loss and network security breaches. The scenario can lead to memory exhaustion and result in a server crash.

Reference of Stratos Issue: https://github.com/cloudfoundry/stratos/issues/4967

Affected URL/API

https://xx-ui.ocp44-test-xxxxxxxx-staging-2025abf5e73a457f12bb6f6fae6f9c13-0000.tor01.containers.appdomain.cloud/pp/v1/proxy/v2/space_quota_definitions/b10aa7fd-5571-45ad-bbbc-41eece15ae07##

Possible Implementation

Ensure that any input validation performed on the client is also performed on the server. Please refer to the link below for more information: https://www.owasp.org/index.php/Testing_for_business_logic

mook-as commented 3 years ago

I believe this is intentional on the CAPI side: the space memory quota defaults to unlimited. I believe the problem is in the docs, which didn't document the fact that unlimited is valid. That is to say, I believe this is functioning as intended (as otherwise you'd be unable to have unlimited memory).
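As an added illustration of the two positions above (the report's "validate on the server too" and the reply's "-1 means unlimited and is valid"), this Go snippet is not Stratos or CAPI code; it assumes a hypothetical `quotaUpdate` payload shape, a deployment switch `allowUnlimited`, and an upper bound `maxMB` that the page does not specify.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// unlimitedMemory is the sentinel the thread says CAPI treats as "no limit".
const unlimitedMemory = -1

// quotaUpdate is a hypothetical subset of a space_quota_definitions body;
// the pointer distinguishes a missing field from an explicit 0.
type quotaUpdate struct {
	MemoryLimit *int64 `json:"memory_limit"`
}

// ValidateMemoryLimit repeats the client-side rule on the server: it accepts
// -1 (unlimited) only when allowUnlimited is set, rejects any other negative
// value and anything above maxMB (assumed cap), and fails on missing or
// non-integer input.
func ValidateMemoryLimit(body []byte, allowUnlimited bool, maxMB int64) (int64, error) {
	var u quotaUpdate
	if err := json.Unmarshal(body, &u); err != nil {
		// 1.5, "abc" or 1e30 land here: int64 only accepts whole in-range numbers.
		return 0, fmt.Errorf("invalid request body: %w", err)
	}
	if u.MemoryLimit == nil {
		return 0, errors.New("memory_limit is required")
	}
	n := *u.MemoryLimit
	switch {
	case n == unlimitedMemory:
		if !allowUnlimited {
			return 0, errors.New("unlimited memory quota is not permitted here")
		}
		return n, nil
	case n < 0:
		return 0, fmt.Errorf("memory_limit %d is negative (only -1 means unlimited)", n)
	case n > maxMB:
		return 0, fmt.Errorf("memory_limit %d exceeds the maximum of %d MB", n, maxMB)
	}
	return n, nil
}

func main() {
	// Constructed request bodies, not captured from the issue.
	for _, body := range []string{`{"memory_limit": 2048}`, `{"memory_limit": -1}`, `{"memory_limit": -5}`} {
		v, err := ValidateMemoryLimit([]byte(body), true, 10240)
		fmt.Printf("%s -> %d, %v\n", body, v, err)
	}
}
```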