MMF-2044: Java analyzer detects broken authentication and access control

    Details

    • Type: MMF
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Labels:

      Description

      WHY

      A lot of critical vulnerabilities are related to broken access control (incorrect permission assignments, privilege escalation, unprotected APIs ...).
      Some examples:

      This field is closely linked to "broken authentication" weaknesses, so both will be addressed in this MMF, with much more focus on the "broken access control" category.

      WHAT

      Regarding broken access control, three rules already exist in our rule set:

      • RSPEC-2612: Setting loose file permissions is security-sensitive
      • RSPEC-5604: Using intrusive permissions is security-sensitive
      • RSPEC-4834: Controlling permissions is security-sensitive

      The goals of this MMF are:

      • improve these existing rules (target the Java language, or kill the noise (1) ...)
      • create a new set of rules related to access control or authentication
      • fill the gap in comparison with competitors (2)

      This MMF is just a baby step in this immense field (in green the CWEs we cover in this MMF):

      Broken authentication (OWASP A2):

      • CWE-287: Improper Authentication
      • CWE-261: Weak Encoding for Password
      • CWE-262: Not Using Password Aging
      • CWE-263: Password Aging with Long Expiration
      • CWE-295: Improper Certificate Validation
      • CWE-304: Missing Critical Step in Authentication
      • CWE-306: Missing Authentication for Critical Function
      • CWE-307: Improper Restriction of Excessive Authentication Attempts
      • CWE-308: Use of Single-factor Authentication
      • CWE-521: Weak Password Requirements
      • CWE-620: Unverified Password Change
      • CWE-645: Overly Restrictive Account Lockout Mechanism
      • CWE-620: Use of Hard-coded Credentials
      • CWE-613: Insufficient Session Expiration

      Broken access control (OWASP A5):

      • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
      • CWE-284: Improper Access Control
      • CWE-285: Improper Authorization
      • CWE-282: Improper Ownership Management
      • CWE-552: Files or Directories Accessible to External Parties
      • CWE-668: Exposure of Resource to Wrong Sphere
      • CWE-377: Insecure Temporary File
      • CWE-732: Incorrect Permission Assignment for Critical Resource
      • CWE-276: Incorrect Default Permissions
      • CWE-277: Insecure Inherited Permissions
      • CWE-250: Execution with Unnecessary Privileges
      • CWE-266: Incorrect Privilege Assignment
      • CWE-250: Privilege Chaining
      • CWE-250: Least Privilege Violation

      (1) Kill the noise: examples of misunderstandings of the current rules:

      (2) competitors:

      Use Cases

      In this MMF, Spring Security is targeted: this framework provides built-in methods for developers to control user authorizations. Thus, gaining a better knowledge of this framework and determining what kinds of patterns can be detected statically is an interesting first baby step in this field.

      Solution

      Improvements to our current rules:

      • RSPEC-4834: Controlling permissions is security-sensitive
        • will be deprecated by:
          • RSPEC-5808 Authorizations should be based on strong decisions
      • RSPEC-2070 SHA-1 and Message-Digest hash algorithms should not be used in secure contexts
        • is deprecated by:
          • RSPEC-4790 Using weak hashing algorithms is security-sensitive
      • RSPEC-3752 Allowing both safe and unsafe HTTP methods is security-sensitive

      New rules to implement:

      • RSPEC-5804 Allowing user enumeration is security-sensitive
      • RSPEC-5876 A new session should be created during user authentication
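      To illustrate the Spring Security pattern behind "Authorizations should be based on strong decisions", here is an added example (not part of this ticket, nor the rule's own implementation or test code) contrasting a voter that never denies with one that decides from the caller's granted authorities. It assumes Spring Security 5.x, where `AccessDecisionVoter` and `ConfigAttribute` have the interfaces shown, and a hypothetical convention that role attributes carry a `ROLE_` prefix.

```java
import java.util.Collection;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Weak decision: every vote grants, so this voter is an empty gate (the shape
// of code the "strong decisions" rule is meant to report).
class AlwaysGrantVoter implements AccessDecisionVoter<Object> {
    @Override public boolean supports(ConfigAttribute attribute) { return true; }
    @Override public boolean supports(Class<?> clazz) { return true; }
    @Override
    public int vote(Authentication authentication, Object object,
                    Collection<ConfigAttribute> attributes) {
        return ACCESS_GRANTED; // never ACCESS_DENIED: no real authorization
    }
}

// Strong decision: grant only when the caller holds an authority matching a
// required attribute, deny otherwise, and abstain when none of the attributes
// is ours to judge (hypothetical "ROLE_" prefix convention, an assumption).
class RequiredRoleVoter implements AccessDecisionVoter<Object> {
    private static final String PREFIX = "ROLE_";

    @Override public boolean supports(ConfigAttribute attribute) {
        return attribute.getAttribute() != null
            && attribute.getAttribute().startsWith(PREFIX);
    }
    @Override public boolean supports(Class<?> clazz) { return true; }

    @Override
    public int vote(Authentication authentication, Object object,
                    Collection<ConfigAttribute> attributes) {
        if (authentication == null || !authentication.isAuthenticated()) {
            return ACCESS_DENIED; // unauthenticated callers never pass
        }
        int result = ACCESS_ABSTAIN;
        for (ConfigAttribute attribute : attributes) {
            if (!supports(attribute)) continue; // not a role attribute
            result = ACCESS_DENIED; // a role is required: deny unless held
            for (GrantedAuthority authority : authentication.getAuthorities()) {
                if (attribute.getAttribute().equals(authority.getAuthority())) {
                    return ACCESS_GRANTED;
                }
            }
        }
        return result;
    }
}
```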

      HOW

      Technically, neither the improvements nor the new rules introduce concepts that we cannot support with the current tools. We already have rules targeting similar concepts, so we can write the new ones right away.


              People

              • Assignee: Eric Therond (eric.therond)
              • Reporter: Alexandre Gigleux (alexandre.gigleux)