Broken Authentication

Because authentication is validated incorrectly, an attacker can reach areas they should not have access to. This happens, for example, when authentication is validated on the client or based on data supplied by the client.

Attack risk

  • Theft of information without authorization.

  • Possibility of unauthorized modification or deletion of data.

  • Execution of unauthorized actions.

  • Possibility of impersonating the administrator role.

Vulnerable code 1:

[...]
    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String url = request.getServletPath();
        boolean isSessionValid = true;
        boolean allowedRequest = false;
        HttpSession session = request.getSession(false);

        // URLs listed in urlList skip the session checks below
        if (urlList.contains(url)) {
            allowedRequest = true;
        }

        if (!allowedRequest) {
            if (null == session) {
                isSessionValid = false;
                redirectToInvalidErrorPage(request, response, url);
                return;
            }
            if (isSessionValid) {
                try {
                    if ((Object) session.getAttribute("isValidUser") == null) {
                        isSessionValid = false;
                    }
                } catch (NullPointerException ne) {
                    isSessionValid = false;
                }
            }
            if (!isSessionValid) {
                redirectToInvalidErrorPage(request, response, url);
                return;
            } else {
                UserInfo user = (UserInfo) session.getAttribute("user");
                // this code line: only checks that a user object exists, never its role
                if (url.contains("admin") && user == null) {
                    redirectToInvalidErrorPage(request, response, url);
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }
[...]

Solution:

Authentication validation must be performed on the server side.

[...]
    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String url = request.getServletPath();
        boolean isSessionValid = true;
        boolean allowedRequest = false;
        HttpSession session = request.getSession(false);

        // URLs listed in urlList skip the session checks below
        if (urlList.contains(url)) {
            allowedRequest = true;
        }

        if (!allowedRequest) {
            if (null == session) {
                isSessionValid = false;
                redirectToInvalidErrorPage(request, response, url);
                return;
            }
            if (isSessionValid) {
                try {
                    if ((Object) session.getAttribute("isValidUser") == null) {
                        isSessionValid = false;
                    }
                } catch (NullPointerException ne) {
                    isSessionValid = false;
                }
            }
            if (!isSessionValid) {
                redirectToInvalidErrorPage(request, response, url);
                return;
            } else {
                UserInfo user = (UserInfo) session.getAttribute("user");
                // solution: the role stored in the server-side session is checked;
                // a missing user object is rejected instead of raising a NullPointerException
                if (user == null || !validateForSecureURL(url, "/admin", user.getRole_id())) {
                    redirectToInvalidErrorPage(request, response, url);
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }
[...]
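The page calls validateForSecureURL but does not show its body. The following added example (not code from the original page) sketches one possible implementation and compares it with the check from "Vulnerable code 1" on constructed requests. The admin role id value, the Integer role type and the class name are assumptions.

```java
import java.util.Locale;

public class SecureUrlCheck {
    // Assumption: role id 1 denotes the administrator; the page does not give the real value.
    static final int ADMIN_ROLE_ID = 1;

    // The decision made by "Vulnerable code 1": a request to an admin URL is
    // rejected only when no user object exists, so any logged-in role passes.
    static boolean vulnerableAllows(String url, Integer roleId) {
        boolean userPresent = roleId != null;
        return !(url.contains("admin") && !userPresent);
    }

    // Hypothetical body for validateForSecureURL(url, securePrefix, roleId).
    // Returns true when the request may proceed.
    static boolean validateForSecureURL(String url, String securePrefix, Integer roleId) {
        if (url == null) {
            return false; // fail closed on a missing path
        }
        // Compare case-insensitively so "/Admin" is treated as protected too (defensive choice).
        String path = url.toLowerCase(Locale.ROOT);
        String prefix = securePrefix.toLowerCase(Locale.ROOT);
        boolean secured = path.equals(prefix) || path.startsWith(prefix + "/");
        if (!secured) {
            return true; // not under the protected prefix
        }
        // The role id comes from the server-side session, never from request data.
        return roleId != null && roleId == ADMIN_ROLE_ID;
    }

    public static void main(String[] args) {
        // Constructed samples: {servlet path, role id stored in the session (null = no user)}
        Object[][] samples = {
            {"/admin/users", 1}, {"/admin/users", 2}, {"/admin", null},
            {"/profile", 2}, {"/Admin/users", 2}
        };
        for (Object[] s : samples) {
            String url = (String) s[0];
            Integer role = (Integer) s[1];
            System.out.printf("%-14s role=%-4s vulnerable=%-5b hardened=%b%n",
                url, role, vulnerableAllows(url, role),
                validateForSecureURL(url, "/admin", role));
        }
    }
}
```

For the constructed non-admin user (role 2) requesting /admin/users, the vulnerable check lets the request through while the role-based check rejects it.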

References:

Authentication - OWASP Cheat Sheet Series

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/README