Type: Security Hotspot Detection
Message:Make sure that exposing this HTTP endpoint is safe here.
Irrelevant for Languages:ABAP, Cobol, CSS, Flex, HTML, PL/I, PL/SQL, RPG, Solidity, Swift, T-SQL, VB.Net, VB6, XML
Analysis Scope:Main Sources
Exposing HTTP endpoints is security-sensitive. It has led in the past to the following vulnerabilities:
HTTP endpoints are webservices' main entrypoint. Attackers will take advantage of any vulnerability by sending crafted inputs for headers (including cookies), body and URI. No input should be trusted and extreme care should be taken with all returned value (header, body and status code).
This rule flags code which creates HTTP endpoint. It guides security code reviews to security-sensitive code.
- an input is not sanitized before being used. This includes any value coming from the URI, header, body and cookies.
- the response contains some unsafe data. for example the input could come from a database which contains user inputs. Check the response's headers, cookies, body and status code.
- the response contains some sensitive information which the user shouldn't have access to.
- no access control prevents attackers from successfully performing a forbidden request.
- an attacker can get sensitive information by analyzing the returned errors. For example, a web service can expose the existence of user accounts by returning 403 (Forbidden) instead of 404 (Not Found) when an attacker ask for them.
You are at risk if you answered yes to any of those questions.
Never trust any part of the request to be safe. Make sure that the URI, header and body are properly sanitized before being used. Their content, length, encoding, name (ex: name of URL query parameters) should be checked. Validate that the values are in a predefined whitelist. The opposite, i.e. searching for dangerous values in a given input, can easily miss some of them.
Do not rely solely on cookies when you implement your authentication and permission logic. Use additional protections such as CSRF tokens when possible.
Sanitize all values before returning them in a response, be it in the body, header or status code. Special care should be taken to avoid the following attacks:
- Cross-site Scripting (XSS), which happens when an unsafe value is included in an HTML page.
- Unvalidated redirects which can happen when the Location header is compromised.
Restrict security-sensitive actions, such as file upload, to authenticated users.
Be careful when errors are returned to the client, as they can provide sensitive information. Use 404 (Not Found) instead of 403 (Forbidden) when the existence of a resource is sensitive.
- OWASP Top 10 2017 Category A1 - Injection
- OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
- OWASP Top 10 2017 Category A7 - Cross-Site Scripting (XSS)
- MITRE, CWE-20 - Improper Input Validation
- MITRE, CWE-352 - Cross-Site Request Forgery (CSRF)
- MITRE, CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- MITRE, CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- SANS Top 25 - Insecure Interaction Between Components
- SANS Top 25 - Risky Resource Management
- SANS Top 25 - Porous Defenses