Title: ABAC_Level3 Vulnerability on GET:/api/v1/recepient/{id}
Project: Bismillah
Description: The ABAC exploit allows an attacker to read, modify, delete, add and perform actions on customer/un-authorized data.
Assertion
Name: Attribute Based Access Control 3 (ABAC 3) ( 1 )
Overview: Access Control (or Authorization) is the process of granting or denying specific requests from a user, program, or process. Access control also involves the act of granting and revoking those privileges. Attribute Based Access Control (ABAC) will grant or deny user requests based on arbitrary attributes of the user and arbitrary attributes of the object, and environment conditions that may be globally recognized and more relevant to the policies at hand.
'Attribute-based-access-control 3' identifies dependent and nested resource/data/record vulnerabilities. e.g. vulnerabilities in tasks which is nested within a project and the access-controls may only be applied at the project level. ABAC scanning identifies data/resource leak/attack vulnerabilities. Looks for private user/account data being illegally read, written, updated, deleted or operated by other users or tenants or accounts.
This scanner requires a private-account/user to create private data/resources e.g. UserA. And it also requires other users who shouldn't have any access to UserA's data like UserB, UserC, & UserD based on your App multi-tenancy model. e.g. UserA can be a user from tenant/org-a and UserB can be a user in tenant-b and UserC can be a user in tenant-c with admin privileges.
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object-level authorization checks should be considered in every function that accesses a data source using input from the user.
Severity: OWASP 2019 API Top 10 ranks ABAC vulnerabilities at Top 1 position and is named Broken Object Level Authorization. ( 2 )
Vulnerability Impact: With flawed or broken ABAC security control policy in place, The following are some of the consequences.
Unauthorized access can result in data disclosure to unauthorized parties, data loss, or data manipulation.
Unauthorized access to objects can also lead to full account takeover.
Exploitation: Attackers can exploit API endpoints that are vulnerable to broken object level authorization by manipulating the ID of an object that is sent within the request. This may lead to unauthorized access to sensitive data. This issue is extremely common in API-based applications because the server component usually does not fully track the client’s state, and instead, relies more on parameters like object IDs, that are sent from the client to decide which objects to access.
Remediation: The following techniques may be checked for ensuring RBAC is in place ( 2 ) ( 3 ) ( 4 ).
Implement a proper authorization mechanism that relies on the user policies and hierarchy.
Prefer not to use an ID that has been sent from the client, but instead use an ID that is stored in the session object when accessing a database record by the record ID.
Use an authorization mechanism to check if the logged-in user has access to perform the requested action on the record in every function that uses an client input to access a record in the database.
Prefer to use random and unpredictable values as GUIDs for records’ IDs.
Write tests to evaluate the authorization mechanism. Do not deploy vulnerable changes that break the tests.
Title: ABAC_Level3 Vulnerability on GET:/api/v1/recepient/{id} Project: Bismillah Description: The ABAC exploit allows an attacker to read, modify, delete, add and perform actions on customer/un-authorized data.
Assertion Name: Attribute Based Access Control 3 (ABAC 3) ( 1 )
Overview: Access Control (or Authorization) is the process of granting or denying specific requests from a user, program, or process. Access control also involves the act of granting and revoking those privileges. Attribute Based Access Control (ABAC) will grant or deny user requests based on arbitrary attributes of the user and arbitrary attributes of the object, and environment conditions that may be globally recognized and more relevant to the policies at hand.
'Attribute-based-access-control 3' identifies dependent and nested resource/data/record vulnerabilities. e.g. vulnerabilities in tasks which is nested within a project and the access-controls may only be applied at the project level. ABAC scanning identifies data/resource leak/attack vulnerabilities. Looks for private user/account data being illegally read, written, updated, deleted or operated by other users or tenants or accounts.
This scanner requires a private-account/user to create private data/resources e.g. UserA. And it also requires other users who shouldn't have any access to UserA's data like UserB, UserC, & UserD based on your App multi-tenancy model. e.g. UserA can be a user from tenant/org-a and UserB can be a user in tenant-b and UserC can be a user in tenant-c with admin privileges.
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object-level authorization checks should be considered in every function that accesses a data source using input from the user.
Severity: OWASP 2019 API Top 10 ranks ABAC vulnerabilities at Top 1 position and is named Broken Object Level Authorization. ( 2 )
Vulnerability Impact: With flawed or broken ABAC security control policy in place, The following are some of the consequences.
- Unauthorized access can result in data disclosure to unauthorized parties, data loss, or data manipulation.
- Unauthorized access to objects can also lead to full account takeover.
Exploitation: Attackers can exploit API endpoints that are vulnerable to broken object level authorization by manipulating the ID of an object that is sent within the request. This may lead to unauthorized access to sensitive data. This issue is extremely common in API-based applications because the server component usually does not fully track the client’s state, and instead, relies more on parameters like object IDs, that are sent from the client to decide which objects to access.Remediation: The following techniques may be checked for ensuring RBAC is in place ( 2 ) ( 3 ) ( 4 ).
- Implement a proper authorization mechanism that relies on the user policies and hierarchy.
- Prefer not to use an ID that has been sent from the client, but instead use an ID that is stored in the session object when accessing a database record by the record ID.
- Use an authorization mechanism to check if the logged-in user has access to perform the requested action on the record in every function that uses an client input to access a record in the database.
- Prefer to use random and unpredictable values as GUIDs for records’ IDs.
- Write tests to evaluate the authorization mechanism. Do not deploy vulnerable changes that break the tests.
References:Risk: ABAC_Level3 Severity: High API Endpoint: http://netbanking.apisec.ai:8080/api/v1/recepient/null Environment: Master_github Playbook: ApiV1RecepientIdGetRecepientuserbDisallowAbact3 Researcher: [apisec Bot]
QUICK TIPS
Suggestion: Add access-control checks on incoming requests against all data calls. Effort Estimate: 4.0 Hrs Wire Logs: 07:21:40 [D] [ UCUAI3] : Endpoint [http://netbanking.apisec.ai:8080/api/v1/users/team-sign-up] 07:21:40 [D] [ UCUAI3] : Method [POST] 07:21:40 [D] [ UCUAI3] : Authorization [UserA] 07:21:40 [D] [ UCUAI3] : Request headers [[Content-Type:"application/json", Accept:"application/json", Authorization=[**]]] 07:21:40 [D] [ UCUAI3] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Thiel-Thiel", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "luna.keebler@apisec.ai", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Sales Facilitator", "location" : "lE3CSQrb", "modifiedBy" : "", "modifiedDate" : "", "name" : "lE3CSQrb", "password" : "lE3CSQrb", "username" : "cortez.carroll", "version" : "" }] 07:21:40 [D] [ UCUAI3] : Status code [200] 07:21:40 [D] [ UCUAI3] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=Mzc0ZmY3MGYtZmFhYi00ZWU4LWJkNDMtMWNkODMyMGVjYjUy; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 26 May 2022 07:21:40 GMT"]] 07:21:40 [D] [ UCUAI3] : Response [{ "requestId" : "None", "requestTime" : "2022-05-26T07:21:40.294+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Org name [Thiel-Thiel] exists." } ], "data" : false, "totalPages" : 0, "totalElements" : 0 }] 07:21:40 [D] [ UCUAI3] : Response time [1009] 07:21:40 [D] [ UCUAI3] : Response size [205] 07:21:40 [I] [ UCUAI3] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [200 == 200 OR 200 == 201] result [Passed] 07:21:40 [D] [UCUAIAHeaders] : Headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=Mzc0ZmY3MGYtZmFhYi00ZWU4LWJkNDMtMWNkODMyMGVjYjUy; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 26 May 2022 07:21:40 GMT"]] 07:21:40 [D] [UCUAIAHeaders] : Headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=Mzc0ZmY3MGYtZmFhYi00ZWU4LWJkNDMtMWNkODMyMGVjYjUy; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 26 May 2022 07:21:40 GMT"]] 07:21:40 [D] [ UCUAIA]] : Headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=Mzc0ZmY3MGYtZmFhYi00ZWU4LWJkNDMtMWNkODMyMGVjYjUy; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 26 May 2022 07:21:40 GMT"]] 07:21:40 [D] [ UCUAIA]] : Headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=Mzc0ZmY3MGYtZmFhYi00ZWU4LWJkNDMtMWNkODMyMGVjYjUy; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 26 May 2022 07:21:40 GMT"]] 07:21:41 [D] [ RCUAI3] : Endpoint [http://netbanking.apisec.ai:8080/api/v1/recepient] 07:21:41 [D] [ RCUAI3] : Method [POST] 07:21:41 [D] [ RCUAI3] : Authorization [UserA] 07:21:41 [D] [ RCUAI3] : Request headers [[Content-Type:"application/json", Accept:"application/json", Authorization=[**]]] 07:21:41 [D] [ RCUAI3] : Request [{ "accountNumber" : "nXSkm0Et", "createdBy" : "", "createdDate" : "", "description" : "nXSkm0Et", "email" : "elouise.hirthe@apisec.ai", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "name" : "nXSkm0Et", "phone" : "1-348-780-7815 x734", "users" : "false", "version" : "" }] 07:21:41 [D] [ RCUAI3] : Status code [200] 07:21:41 [D] [ RCUAI3] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=ODc3YzI0NTktNDRkYi00YzBkLWIwNTUtODE2NTI5NWEzYWQ0; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 26 May 2022 07:21:41 GMT"]] 07:21:41 [D] [ RCUAI3] : Response [{ "requestId" : "None", "requestTime" : "2022-05-26T07:21:41.736+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "could not extract ResultSet; SQL [n/a]; nested exception is org.hibernate.exception.SQLGrammarException: could not extract ResultSet" } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }] 07:21:41 [D] [ RCUAI3] : Response time [498] 07:21:41 [D] [ RCUAI3] : Response size [306] 07:21:41 [I] [ RCUAI3] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [200 == 200 OR 200 == 201] result [Passed] 07:21:41 [D] [RCUAIAHeaders] : Headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=ODc3YzI0NTktNDRkYi00YzBkLWIwNTUtODE2NTI5NWEzYWQ0; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 26 May 2022 07:21:41 GMT"]] 07:21:41 [D] [RCUAIAHeaders] : Headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=ODc3YzI0NTktNDRkYi00YzBkLWIwNTUtODE2NTI5NWEzYWQ0; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 26 May 2022 07:21:41 GMT"]] 07:21:41 [D] [ RCUAIA]] : Headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=ODc3YzI0NTktNDRkYi00YzBkLWIwNTUtODE2NTI5NWEzYWQ0; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 26 May 2022 07:21:41 GMT"]] 07:21:41 [D] [ RCUAIA]] : Headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=ODc3YzI0NTktNDRkYi00YzBkLWIwNTUtODE2NTI5NWEzYWQ0; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 26 May 2022 07:21:41 GMT"]] 07:21:42 [D] [ AVRIGRD3] : Endpoint [http://netbanking.apisec.ai:8080/api/v1/recepient/null] 07:21:42 [D] [ AVRIGRD3] : Method [GET] 07:21:42 [D] [ AVRIGRD3] : Authorization [UserB] 07:21:42 [D] [ AVRIGRD3] : Request headers [[Accept:"application/json", Content-Type:"application/json", Authorization=[**]]] 07:21:42 [D] [ AVRIGRD3] : Request [] 07:21:42 [D] [ AVRIGRD3] : Status code [200] 07:21:42 [D] [ AVRIGRD3] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=YjMwODZhMDUtZTMzNy00MTAzLTg3ZDQtNzY1Y2RiOGIxZTEz; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 26 May 2022 07:21:42 GMT"]] 07:21:42 [D] [ AVRIGRD3] : Response [{ "requestId" : "None", "requestTime" : "2022-05-26T07:21:42.423+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "could not extract ResultSet; SQL [n/a]; nested exception is org.hibernate.exception.SQLGrammarException: could not extract ResultSet" } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }] 07:21:42 [D] [ AVRIGRD3] : Response time [642] 07:21:42 [D] [ AVRIGRD3] : Response size [306] 07:21:42 [E] [ AVRIGRD3] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed] 07:21:43 [D] [ AVRID3] : Endpoint [http://netbanking.apisec.ai:8080/api/v1/recepient/null] 07:21:43 [D] [ AVRID3] : Method [DELETE] 07:21:43 [D] [ AVRID3] : Authorization [UserA] 07:21:43 [D] [ AVRID3] : Request headers [[Content-Type:"application/json", Accept:"application/json", Authorization=[**]]] 07:21:43 [D] [ AVRID3] : Request [null] 07:21:43 [D] [ AVRID3] : Status code [200] 07:21:43 [D] [ AVRID3] : Response headers [[X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Set-Cookie:"SESSION=ZGNkMmEwNDEtMTAxOS00YmY5LTkzNmEtMjZlZTA4NTFlZGVj; Path=/; HttpOnly", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Date:"Thu, 26 May 2022 07:21:42 GMT"]] 07:21:43 [D] [ AVRID3] : Response [{ "requestId" : "None", "requestTime" : "2022-05-26T07:21:43.177+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "could not extract ResultSet; SQL [n/a]; nested exception is org.hibernate.exception.SQLGrammarException: could not extract ResultSet" } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }] 07:21:43 [D] [ AVRID3] : Response time [784] 07:21:43 [D] [ AVRID3] : Response size [306] 07:21:43 [I] [ AVRIGRD3] : Assertion [@StatusCode == 200] resolved-to [200 == 200] result [Passed]
IMPORTANT LINKS
Vulnerability Details: https://20.120.71.252/#/app/projects/8a70803680faf14f0180ff0340040534/dashboard/8a70808e80faf1570180ff3e21f34a9f/details
Project: https://20.120.71.252/#/app/projects/8a70803680faf14f0180ff0340040534/allScans
Environment: https://20.120.71.252/#/app/projects/8a70803680faf14f0180ff0340040534/environments/8a70803680faf14f0180ff39a86e480c/edit
Scan Dashboard: https://20.120.71.252/#/app/projects/8a70803680faf14f0180ff0340040534/profiles/8a70803680faf14f0180ff39a883480e/runs/8a70803680faf14f0180ff3c15334811
Playbook: https://20.120.71.252/#/app/projects/8a70803680faf14f0180ff0340040534/playbooks/ApiV1RecepientIdGetRecepientuserbDisallowAbact3
Coverage: https://20.120.71.252/#/app/projects/8a70803680faf14f0180ff0340040534/categories
Code Sample: https://20.120.71.252/#/app/projects/8a70803680faf14f0180ff0340040534/dashboard/8a70808e80faf1570180ff3e21f34a9f/codesamples
PS: Please contact support@apisec.ai for apisec access and login issues.
--- apisec Bot ---