Insufficient data authenticity validation - Front bypass
Need
Enhancement of data authenticity validation to prevent front bypass
Context
- Usage of C# for building robust and scalable applications
- Usage of Microsoft.AspNetCore.Mvc for building web applications with ASP.NET Core
Description
Non compliant code
public class CredentialController : Controller
{
[HttpPost]
public IActionResult ChangePassword(string newPassword)
{
if (ModelState.IsValid)
{
var user = GetCurrentUser();
user.Password = newPassword;
SaveUser(user);
return Ok();
}
return BadRequest();
}
}
The above code is an example of a vulnerable endpoint in an ASP.NET Core application. This endpoint is designed to change the password of the currently logged in user.
The vulnerability lies in the fact that there is no server-side validation of the new password. The ModelState.IsValid check only validates that the request is properly formed, not that the new password meets any specific requirements.
The ChangePassword method retrieves the currently logged in user with the GetCurrentUser method, then directly assigns the new password from the request to the user.Password property. After this, it saves the user object, which includes the new password, with the SaveUser method.
If an attacker were to intercept the request as it's being sent, they could modify the newPassword parameter to be any value they want, including a password that doesn't meet the system's password policy. For example, they could change the password to a string of consecutive or repeated numbers, which the system's policy is supposed to prevent.
This is a classic example of a front bypass vulnerability, where server-side validation is missing because it's assumed that the client-side validation is sufficient. However, client-side validation can be easily bypassed, so it's important to always include server-side validation as well.
Steps
- Perform server-side validation for the new password to ensure it meets the required criteria.
- Implement data authenticity validation on the server-side to prevent front-end bypass.
- Consider using a password strength policy to enforce complex passwords.
- Encrypt the password before storing it in the database to enhance security.
- Implement secure password storage techniques such as hashing and salting.
- Regularly update and patch the application to address any security vulnerabilities.
Compliant code
public class CredentialController : Controller
{
[HttpPost]
public IActionResult ChangePassword(string newPassword)
{
if (ModelState.IsValid)
{
if (!IsValidPassword(newPassword))
{
return BadRequest("Password does not meet the required criteria.");
}
var user = GetCurrentUser();
user.Password = HashPassword(newPassword);
SaveUser(user);
return Ok();
}
return BadRequest();
}
private bool IsValidPassword(string password)
{
// Implement your password validation logic here
// For example, check for consecutive and/or repeated numbers
// Return true if the password is valid, false otherwise
}
private string HashPassword(string password)
{
// Implement your password hashing logic here
// Return the hashed password
}
}
The updated code now includes server-side validation for the new password. The IsValidPassword method checks if the password meets the required criteria. If the password is not valid, the method returns a bad request response with an appropriate error message.
The password is also hashed before it is stored in the database. The HashPassword method is responsible for this. Hashing the password ensures that even if the database is compromised, the attacker will not be able to obtain the actual password.
These changes ensure that the password policy is enforced even if the client bypasses the front-end validation. They also enhance the overall security of the password management process.