@@ -23,59 +23,140 @@ the CodeIgniter provisions to address the problem.
2323A01:2021 Broken Access Control
2424******************************
2525
26- Insecure Direct Object References occur when an application provides direct
27- access to objects based on user-supplied input. As a result of this vulnerability
28- attackers can bypass authorization and access resources in the system directly,
29- for example database records or files.
30-
31- Sensitive data must be protected when it is transmitted through the network.
32- Such data can include user credentials and credit cards. As a rule of thumb,
33- if data must be protected when it is stored, it must be protected also during
34- transmission.
35-
36- CSRF is an attack that forces an end user to execute unwanted actions on a web
37- application in which he/she is currently authenticated.
26+ Access control enforces policy such that users cannot act outside of their intended
27+ permissions. Failures typically lead to unauthorized information disclosure,
28+ modification, or destruction of all data or performing a business function outside
29+ the user's limits.
30+
31+ Common access control vulnerabilities include:
32+
33+ - Violation of the principle of least privilege or deny by default, where access
34+ should only be granted for particular capabilities, roles, or users, but is
35+ available to anyone.
36+ - Bypassing access control checks by modifying the URL (parameter tampering or
37+ force browsing), internal application state, or the HTML page, or by using an
38+ attack tool modifying API requests.
39+ - Permitting viewing or editing someone else's account, by providing its unique
40+ identifier (insecure direct object references)
41+ - Accessing API with missing access controls for POST, PUT and DELETE.
42+ - Elevation of privilege. Acting as a user without being logged in or acting as
43+ an admin when logged in as a user.
44+ - Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT)
45+ access control token, or a cookie or hidden field manipulated to elevate
46+ privileges or abusing JWT invalidation.
47+ - CORS misconfiguration allows API access from unauthorized/untrusted origins.
48+ - Force browsing to authenticated pages as an unauthenticated user or to privileged
49+ pages as a standard user.
3850
3951OWASP recommendations
4052=====================
4153
42- - Presentation: don't expose internal data; use random reference maps
43- - Controller: obtain data from trusted sources or random reference maps
44- - Model: validate user roles before updating data
45-
46- - Presentation: ensure that non-web data is outside the web root; validate users and roles; send CSRF tokens
47- - Controller: validate users and roles; validate CSRF tokens
48- - Model: validate roles
49-
50- - Presentation: validate users and roles; send CSRF tokens
51- - Controller: validate users and roles; validate CSRF tokens
52- - Model: validate roles
54+ Access control is only effective in trusted server-side code or server-less API,
55+ where the attacker cannot modify the access control check or metadata.
56+
57+ - Except for public resources, deny by default.
58+ - Implement access control mechanisms once and re-use them throughout the application,
59+ including minimizing Cross-Origin Resource Sharing (CORS) usage.
60+ - Model access controls should enforce record ownership rather than accepting that
61+ the user can create, read, update, or delete any record.
62+ - Unique application business limit requirements should be enforced by domain models.
63+ - Disable web server directory listing and ensure file metadata (e.g., .git) and
64+ backup files are not present within web roots.
65+ - Log access control failures, alert admins when appropriate (e.g., repeated failures).
66+ - Rate limit API and controller access to minimize the harm from automated attack
67+ tooling.
68+ - Stateful session identifiers should be invalidated on the server after logout.
69+ Stateless JWT tokens should rather be short-lived so that the window of opportunity
70+ for an attacker is minimized. For longer lived JWTs it's highly recommended to
71+ follow the OAuth standards to revoke access.
5372
5473CodeIgniter provisions
5574======================
5675
76+ - :ref: `Public <application-structure-public >` folder, with application and system outside
5777- :doc: `../libraries/validation ` library
78+ - :doc: `Security </libraries/security >` library provides for :ref: `CSRF protection <cross-site-request-forgery >`
79+ - :doc: `../libraries/throttler ` for rate limit
80+ - :php:func: `log_message() ` function for logging
5881- An official authentication and authorization framework :ref: `CodeIgniter Shield <shield >`
5982- Easy to add third party authentication
6083
61- - :ref: `Public <application-structure-public >` folder, with application and system outside
62- - :doc: `Security </libraries/security >` library provides for :ref: `CSRF validation <cross-site-request-forgery >`
63-
6484*******************************
6585A02:2021 Cryptographic Failures
6686*******************************
6787
68- Sensitive data must be protected when it is transmitted through the network.
69- Such data can include user credentials and credit cards. As a rule of thumb,
70- if data must be protected when it is stored, it must be protected also during
71- transmission.
88+ The first thing is to determine the protection needs of data in transit and at
89+ rest. For example, passwords, credit card numbers, health records, personal
90+ information, and business secrets require extra protection, mainly if that data
91+ falls under privacy laws, e.g., EU's General Data Protection Regulation (GDPR),
92+ or regulations, e.g., financial data protection such as PCI Data Security Standard
93+ (PCI DSS). For all such data:
94+
95+ - Is any data transmitted in clear text? This concerns protocols such as HTTP,
96+ SMTP, FTP also using TLS upgrades like STARTTLS. External internet traffic is
97+ hazardous. Verify all internal traffic, e.g., between load balancers, web servers,
98+ or back-end systems.
99+ - Are any old or weak cryptographic algorithms or protocols used either by default
100+ or in older code?
101+ - Are default crypto keys in use, weak crypto keys generated or re-used, or is
102+ proper key management or rotation missing? Are crypto keys checked into source
103+ code repositories?
104+ - Is encryption not enforced, e.g., are any HTTP headers (browser) security
105+ directives or headers missing?
106+ - Is the received server certificate and the trust chain properly validated?
107+ - Are initialization vectors ignored, reused, or not generated sufficiently secure
108+ for the cryptographic mode of operation? Is an insecure mode of operation such
109+ as ECB in use? Is encryption used when authenticated encryption is more appropriate?
110+ - Are passwords being used as cryptographic keys in absence of a password base key
111+ derivation function?
112+ - Is randomness used for cryptographic purposes that was not designed to meet
113+ cryptographic requirements? Even if the correct function is chosen, does it need
114+ to be seeded by the developer, and if not, has the developer over-written the
115+ strong seeding functionality built into it with a seed that lacks sufficient
116+ entropy/unpredictability?
117+ - Are deprecated hash functions such as MD5 or SHA1 in use, or are non-cryptographic
118+ hash functions used when cryptographic hash functions are needed?
119+ - Are deprecated cryptographic padding methods such as PKCS number 1 v1.5 in use?
120+ - Are cryptographic error messages or side channel information exploitable, for
121+ example in the form of padding oracle attacks?
72122
73123OWASP recommendations
74124=====================
75125
76- - Presentation: use TLS1.2; use strong ciphers and hashes; do not send keys or hashes to browser
77- - Controller: use strong ciphers and hashes
78- - Model: mandate strong encrypted communications with servers
126+ Do the following, at a minimum, and consult the references:
127+
128+ - Classify data processed, stored, or transmitted by an application. Identify which
129+ data is sensitive according to privacy laws, regulatory requirements, or business
130+ needs.
131+ - Don't store sensitive data unnecessarily. Discard it as soon as possible or use
132+ PCI DSS compliant tokenization or even truncation. Data that is not retained
133+ cannot be stolen.
134+ - Make sure to encrypt all sensitive data at rest.
135+ - Ensure up-to-date and strong standard algorithms, protocols, and keys are in
136+ place; use proper key management.
137+ - Encrypt all data in transit with secure protocols such as TLS with forward secrecy
138+ (FS) ciphers, cipher prioritization by the server, and secure parameters. Enforce
139+ encryption using directives like HTTP Strict Transport Security (HSTS).
140+ - Disable caching for response that contain sensitive data.
141+ - Apply required security controls as per the data classification.
142+ - Do not use legacy protocols such as FTP and SMTP for transporting sensitive data.
143+ - Store passwords using strong adaptive and salted hashing functions with a work
144+ factor (delay factor), such as Argon2, scrypt, bcrypt or PBKDF2.
145+ - Initialization vectors must be chosen appropriate for the mode of operation.
146+ For many modes, this means using a CSPRNG (cryptographically secure pseudo random
147+ number generator). For modes that require a nonce, then the initialization vector
148+ (IV) does not need a CSPRNG. In all cases, the IV should never be used twice for
149+ a fixed key.
150+ - Always use authenticated encryption instead of just encryption.
151+ - Keys should be generated cryptographically randomly and stored in memory as byte
152+ arrays. If a password is used, then it must be converted to a key via an
153+ appropriate password base key derivation function.
154+ - Ensure that cryptographic randomness is used where appropriate, and that it has
155+ not been seeded in a predictable way or with low entropy. Most modern APIs do
156+ not require the developer to seed the CSPRNG to get security.
157+ - Avoid deprecated cryptographic functions and padding schemes, such as MD5, SHA1,
158+ PKCS number 1 v1.5 .
159+ - Verify independently the effectiveness of configuration and settings.
79160
80161CodeIgniter provisions
81162======================
@@ -84,40 +165,65 @@ CodeIgniter provisions
84165- :php:func: `force_https() ` function
85166- :doc: `../libraries/encryption `
86167- The :ref: `database config <database-config-explanation-of-values >` (``encrypt ``)
168+ - An official authentication and authorization framework :ref: `CodeIgniter Shield <shield >`
87169
88170******************
89171A03:2021 Injection
90172******************
91173
92- An injection is the inappropriate insertion of partial or complete data via
93- the input data from the client to the application. Attack vectors include SQL,
94- XML, ORM, code & buffer overflows.
95-
96- Insufficient input validation where one user can add content to a web site
97- that can be malicious when viewed by other users to the web site.
174+ An application is vulnerable to attack when:
175+
176+ - User-supplied data is not validated, filtered, or sanitized by the application.
177+ - Dynamic queries or non-parameterized calls without context-aware escaping are
178+ used directly in the interpreter.
179+ - Hostile data is used within object-relational mapping (ORM) search parameters
180+ to extract additional, sensitive records.
181+ - Hostile data is directly used or concatenated. The SQL or command contains the
182+ structure and malicious data in dynamic queries, commands, or stored procedures.
183+
184+ Some of the more common injections are SQL, NoSQL, OS command, Object Relational
185+ Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library
186+ (OGNL) injection. The concept is identical among all interpreters. Source code
187+ review is the best method of detecting if applications are vulnerable to injections.
188+ Automated testing of all parameters, headers, URL, cookies, JSON, SOAP, and XML
189+ data inputs is strongly encouraged. Organizations can include static (SAST),
190+ dynamic (DAST), and interactive (IAST) application security testing tools into
191+ the CI/CD pipeline to identify introduced injection flaws before production deployment.
98192
99193OWASP recommendations
100194=====================
101195
102- - Presentation: set correct content type, character set & locale
103- - Submission: validate fields and provide feedback
104- - Controller: sanitize input; positive input validation using correct character set
105- - Model: parameterized queries
106-
107- - Presentation: output encode all user data as per output context; set input constraints
108- - Controller: positive input validation
109- - Tips: only process trustworthy data; do not store data HTML encoded in DB
196+ Preventing injection requires keeping data separate from commands and queries:
197+
198+ - The preferred option is to use a safe API, which avoids using the interpreter
199+ entirely, provides a parameterized interface, or migrates to Object Relational
200+ Mapping Tools (ORMs).
201+ - Note: Even when parameterized, stored procedures can still introduce SQL
202+ injection if PL/SQL or T-SQL concatenates queries and data or executes hostile
203+ data with EXECUTE IMMEDIATE or exec().
204+ - Use positive server-side input validation. This is not a complete defense as
205+ many applications require special characters, such as text areas or APIs for
206+ mobile applications.
207+ - For any residual dynamic queries, escape special characters using the specific
208+ escape syntax for that interpreter.
209+ - Note: SQL structures such as table names, column names, and so on cannot be
210+ escaped, and thus user-supplied structure names are dangerous. This is a
211+ common issue in report-writing software.
212+ - Use LIMIT and other SQL controls within queries to prevent mass disclosure of
213+ records in case of SQL injection.
110214
111215CodeIgniter provisions
112216======================
113217
114218- :ref: `invalidchars ` filter
115219- :doc: `../libraries/validation ` library
116- - :doc: `HTTP library <../incoming/incomingrequest >` provides for :ref: `input field filtering <incomingrequest-filtering-input-data >` & content metadata
117-
118220- :php:func: `esc() ` function
119- - :doc: `../libraries/validation ` library
221+ - :doc: `HTTP library <../incoming/incomingrequest >` provides for
222+ :ref: `input field filtering <incomingrequest-filtering-input-data >` & content metadata
120223- Support for :ref: `content-security-policy `
224+ - :doc: `../database/query_builder `
225+ - :ref: `Database escape methods <database-queries-escaping >`
226+ - :ref: `database-queries-query-bindings `
121227
122228************************
123229A04:2021 Insecure Design
0 commit comments