
Business information leak - Corporate information

Need

Protection of sensitive corporate information from unauthorized access

Context

  • Usage of C# for developing robust and scalable applications
  • Usage of Microsoft.AspNetCore.Mvc for building web applications using the ASP.NET Core MVC framework
  • Usage of System.Collections.Generic for working with generic collections in .NET

Description

Non compliant code

using Microsoft.AspNetCore.Mvc;
using System.Collections.Generic;

namespace VulnerableApp.Controllers
{
    [Route("api/[controller]")]
    [ApiController]
    public class EmployeesController : ControllerBase
    {
        // GET api/employees
        // No [Authorize] attribute anywhere: the action is reachable anonymously.
        [HttpGet]
        public ActionResult<IEnumerable<Employee>> Get()
        {
            var employees = new List<Employee>
            {
                new Employee { Id = 1, Name = "John Doe", Role = "Manager", Email = "[email protected]" },
                new Employee { Id = 2, Name = "Jane Doe", Role = "Developer", Email = "[email protected]" },
                // More employees...
            };

            // The full domain object, e-mail address included, is serialised to the caller.
            return employees;
        }
    }

    public class Employee
    {
        public int Id { get; set; }
        public string Name { get; set; }
        public string Role { get; set; }
        public string Email { get; set; }
    }
}

In the above code, the EmployeesController exposes a GET endpoint (api/employees) that returns a list of employees, including sensitive information such as their names, roles, and email addresses. The endpoint requires neither authentication nor authorization, so anyone who can reach the API, whether or not they hold an account, can retrieve this information.

This is a serious security vulnerability because it leads directly to a business information leak. A malicious user can query this endpoint to enumerate the company's employees, and the resulting list of names and email addresses is exactly what a phishing campaign needs. The role field additionally reveals the company's internal structure, which is useful to competitors and attackers alike.

This vulnerability can be fixed by implementing proper authentication and authorization mechanisms, ensuring that only authorized users can access sensitive information.

Steps

  • Implement authentication and authorization mechanisms to restrict access to sensitive information.
  • Use role-based access control (RBAC) to ensure that only authorized users can access employee information.
  • Consider implementing a permission system to control access to specific employee attributes.
  • Encrypt sensitive employee information, such as email addresses, to protect it from unauthorized access.
  • Implement input validation to prevent any potential injection attacks.
  • Regularly review and update access control policies to ensure they align with the organization's security requirements.
  • Perform security testing and code reviews to identify and address any other potential vulnerabilities.
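The following controller is an added example that is not part of the original page; it applies the first three steps above (authentication, RBAC, and per-attribute control) to the same scenario. The IEmployeeRepository interface, the HardenedApp namespace and the EmployeeSummary/EmployeeDetail response types are assumptions introduced for illustration. The key design choice is that the default projection simply does not contain the email field, so a caller without the HR or Manager role never receives it, rather than receiving a record with a field that some later filter is supposed to blank out.

```csharp
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

namespace HardenedApp.Controllers
{
    // Reduced response shape: no e-mail address. Returned to every authenticated caller.
    public record EmployeeSummary(int Id, string Name, string Role);

    // Full response shape, including the e-mail address. Returned only to HR and Manager roles.
    public record EmployeeDetail(int Id, string Name, string Role, string Email);

    // Hypothetical data-access abstraction (assumption, not from the original page).
    public interface IEmployeeRepository
    {
        IEnumerable<Employee> GetAll();
        Employee? Find(int id);
    }

    // Internal domain entity; it is never serialised directly to a caller.
    public class Employee
    {
        public int Id { get; set; }
        public string Name { get; set; } = string.Empty;
        public string Role { get; set; } = string.Empty;
        public string Email { get; set; } = string.Empty;
    }

    [Route("api/[controller]")]
    [ApiController]
    [Authorize] // nobody reaches any action here without an authenticated identity
    public class EmployeesController : ControllerBase
    {
        private readonly IEmployeeRepository _repo;

        public EmployeesController(IEmployeeRepository repo)
        {
            _repo = repo;
        }

        // GET api/employees
        // Any authenticated user gets the directory without e-mail addresses.
        [HttpGet]
        public ActionResult<IEnumerable<EmployeeSummary>> Get()
        {
            var summaries = _repo.GetAll()
                .Select(e => new EmployeeSummary(e.Id, e.Name, e.Role))
                .ToList();
            return Ok(summaries);
        }

        // GET api/employees/{id}
        // The e-mail attribute is released only to HR and Manager roles; every other
        // caller receives the reduced projection, so the sensitive field is absent
        // from the response rather than merely hidden.
        [HttpGet("{id:int}")]
        public IActionResult GetById(int id)
        {
            var employee = _repo.Find(id);
            if (employee is null)
            {
                return NotFound();
            }

            if (User.IsInRole("HR") || User.IsInRole("Manager"))
            {
                return Ok(new EmployeeDetail(employee.Id, employee.Name, employee.Role, employee.Email));
            }

            return Ok(new EmployeeSummary(employee.Id, employee.Name, employee.Role));
        }
    }
}
```

User.IsInRole resolves against the role claims of the authenticated principal, so this only enforces anything once the authentication middleware has populated HttpContext.User; the service registration and middleware order needed for that are covered below the compliant code.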

Compliant code

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;   // provides [ProtectedPersonalData]
using Microsoft.AspNetCore.Mvc;
using System.Collections.Generic;

namespace VulnerableApp.Controllers
{
    [Route("api/[controller]")]
    [ApiController]
    [Authorize]
    public class EmployeesController : ControllerBase
    {
        // GET api/employees
        // Roles are comma-separated and combined with OR: Manager or HR is sufficient.
        [HttpGet]
        [Authorize(Roles = "Manager, HR")]
        public ActionResult<IEnumerable<Employee>> Get()
        {
            var employees = new List<Employee>
            {
                new Employee { Id = 1, Name = "John Doe", Role = "Manager", Email = "[email protected]" },
                new Employee { Id = 2, Name = "Jane Doe", Role = "Developer", Email = "[email protected]" },
                // More employees...
            };

            return employees;
        }
    }

    public class Employee
    {
        public int Id { get; set; }
        public string Name { get; set; }
        public string Role { get; set; }
        [ProtectedPersonalData]
        public string Email { get; set; }
    }
}

The updated code includes several changes to address the identified vulnerability:

  1. Authentication and Authorization: The [Authorize] attribute is added to the EmployeesController class to ensure that only authenticated users can access the controller's actions. The attribute is also added to the Get method with the Roles parameter set to "Manager, HR" to implement role-based access control (RBAC). The comma-separated list is evaluated as a disjunction, so only users holding the "Manager" or the "HR" role can access employee information; an authenticated user with neither role receives 403 Forbidden, and an unauthenticated request receives 401 Unauthorized.

  2. Data Protection: The [ProtectedPersonalData] attribute is added to the Email property in the Employee class. The attribute belongs to ASP.NET Core Identity (Microsoft.AspNetCore.Identity) and marks the property as personal data that should be encrypted at rest before it is stored and decrypted when it is retrieved. Note that the attribute is a marker: the encryption is performed by an Identity store (for example the Entity Framework Core store) for the entities it manages, and only when IdentityOptions.Stores.ProtectPersonalData is enabled and a personal-data protector is registered. On a plain DTO such as this Employee class the attribute documents intent; it does not by itself encrypt anything, so the persistence layer must be configured to honor it.

Remember to configure the authentication and authorization services in the Startup class of your application (or in Program.cs when using the minimal hosting model of ASP.NET Core 6 and later), and to add the authentication middleware before the authorization middleware in the request pipeline. Also, ensure that you have a user management system in place that assigns the correct roles to users and handles user authentication.
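The following Program.cs is an added example that is not part of the original page; it shows the service registration and middleware order the paragraph above calls for, using the minimal hosting model. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package, an external identity provider that issues JWTs (the authority URL, audience and role claim name are placeholders), and a project that contains the EmployeesController from the compliant code.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Authentication: accept bearer tokens issued by the organisation's identity provider.
// Authority, audience and role claim name are placeholders (assumption).
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://idp.example.invalid/"; // placeholder issuer
        options.Audience = "employees-api";                  // placeholder audience
        options.RequireHttpsMetadata = true;                 // never fetch signing keys over plain HTTP
        // Tell the handler which claim carries roles, so [Authorize(Roles = ...)]
        // and User.IsInRole see them. "roles" is the assumed claim name of the IdP.
        options.TokenValidationParameters.RoleClaimType = "roles";
    });

// Authorization: a named policy equivalent to [Authorize(Roles = "Manager, HR")],
// plus a fallback policy so that an action nobody remembered to annotate is still
// denied to anonymous callers instead of silently becoming public.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("HRStaff", policy => policy.RequireRole("Manager", "HR"));
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

builder.Services.AddControllers();

var app = builder.Build();

app.UseHttpsRedirection();
// Order matters: authentication must populate HttpContext.User before the
// authorization middleware evaluates [Authorize] and the fallback policy.
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();

app.Run();
```

With the named policy registered, the action can be annotated as [Authorize(Policy = "HRStaff")] instead of repeating the role list on every endpoint, which keeps the role requirement in one reviewable place. Endpoints that genuinely must be public then need an explicit [AllowAnonymous], which makes each exception visible in code review.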

Regularly review and update your access control policies, perform security testing, and conduct code reviews to identify and address any potential vulnerabilities.
