AppSec Blog

Top 25 Series - Rank 6 - Reliance on Untrusted Inputs in a Security Decision

During a code review I came across code that looked like this:

// for testing only
String testId = request.getParameter("secretId");
if (testId != null && !testId.equals(""))
    id = testId;                  // untrusted request value is used as-is
else
    id = codeToLookupTheRealId(); // the real, server-side lookup is skipped above

This code allows a malicious user to bypass access control simply by supplying the "secretId" parameter in the request. As the "for testing only" comment shows, the code was accidentally left in the system by a careless developer who wrote it as a convenience during testing. Normally the properly looked-up value of "id" is what prevents access to data in other accounts. Here, relying on untrusted data from the request lets the attacker skip that lookup and bypass the access control check entirely. This is the essence of CWE-807 [1].

Historically, PHP suffered from the same class of issue. When enabled, PHP's register_globals directive [2] turned all GET, POST, cookie, server, and environment variables into global variables. This led to numerous security issues and eventually resulted in register_globals being disabled by default in PHP 4.2.0, deprecated in PHP 5.3.0, and finally removed in PHP 6.0.0.

Make sure that you never rely on untrusted inputs to make a security decision and always perform access control checks on the server side.
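The pattern from the code review beside its hardened form, as an added example that is not code from the original post: the Request class, the ACCOUNT_BY_USER table, the user names and the account ids are constructed stand-ins for a servlet request and a real account lookup.

```java
import java.util.Map;

// Constructed stand-in for a servlet request: parameters are attacker-controlled,
// the authenticated user is set by the container after a successful login.
final class Request {
    final Map<String, String> params;
    final String authenticatedUser;
    Request(Map<String, String> params, String authenticatedUser) {
        this.params = params;
        this.authenticatedUser = authenticatedUser;
    }
    String getParameter(String name) { return params.get(name); }
}

public class AccountResolver {
    // Constructed lookup table: which account each authenticated user owns.
    private static final Map<String, String> ACCOUNT_BY_USER =
        Map.of("alice", "1001", "bob", "1002");

    // The real lookup: derives the account id solely from session state.
    static String codeToLookupTheRealId(Request request) {
        String id = ACCOUNT_BY_USER.get(request.authenticatedUser);
        if (id == null) throw new SecurityException("no account for this session");
        return id;
    }

    // BEFORE: the pattern found in the review. Any client that sends a
    // non-empty secretId picks its own account id and the lookup never runs.
    static String resolveIdVulnerable(Request request) {
        String testId = request.getParameter("secretId"); // for testing only
        if (testId != null && !testId.equals(""))
            return testId;
        return codeToLookupTheRealId(request);
    }

    // AFTER: nothing in the request can influence the id; the debug hook is gone
    // and the security decision rests only on the server-side session.
    static String resolveId(Request request) {
        return codeToLookupTheRealId(request);
    }

    public static void main(String[] args) {
        // alice is logged in but submits bob's account id as secretId
        Request r = new Request(Map.of("secretId", "1002"), "alice");
        System.out.println("vulnerable resolver: " + resolveIdVulnerable(r));
        System.out.println("hardened resolver:   " + resolveId(r));
    }
}
```

Running main shows the vulnerable resolver handing back the client-chosen account id while the hardened resolver returns the account tied to alice's own session.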
