Lack of data validation - Content Spoofing

Description

An unauthorized attacker who generates a token without credentials can, due to a misconfiguration in the file upload, replace files already uploaded by a client, because the application does not validate whether these were already sent in the file upload request.

Impact

Replace information sent by customers.

Recommendation

Enable a mechanism to identify the status of the procedure and restrict access to objects to authorized users.
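
One way to apply this recommendation on the server, as an added example that is not part of the original page: the handler checks the owner, the procedure status and whether the file already exists before it stores anything. The in-memory Map stands in for real storage, and all names (procedures, authorize, handleUpload, the status values) are hypothetical.

```javascript
// Constructed in-memory model; every name here is hypothetical.
const procedures = new Map(); // procedureId -> { owner, status, files }

function openProcedure(procedureId, owner) {
  procedures.set(procedureId, { owner, status: "open", files: new Map() });
}

// Ownership check shared by every operation: knowing the procedure ID
// is not enough, the authenticated user must be the procedure's owner.
function authorize(procedureId, user) {
  const proc = procedures.get(procedureId);
  return proc && user && proc.owner === user ? proc : null;
}

function submitProcedure(procedureId, user) {
  const proc = authorize(procedureId, user);
  if (!proc) return { ok: false, code: 403, reason: "not authorized" };
  proc.status = "submitted"; // the file set is frozen from here on
  return { ok: true, code: 200, reason: "submitted" };
}

function handleUpload(procedureId, user, fileName, bytes) {
  const proc = authorize(procedureId, user);
  if (!proc) return { ok: false, code: 403, reason: "not authorized" };
  // Procedure status: reject uploads once the procedure is closed.
  if (proc.status !== "open") return { ok: false, code: 409, reason: "procedure closed" };
  // Server-side existence check: a file already sent is never replaced.
  if (proc.files.has(fileName)) return { ok: false, code: 409, reason: "file already uploaded" };
  proc.files.set(fileName, bytes);
  return { ok: true, code: 201, reason: "stored" };
}

// Constructed walk-through: returns the status code of each attempt.
function demo() {
  openProcedure("P-demo", "alice");
  return [
    handleUpload("P-demo", "alice", "id.pdf", "original").code,   // 201
    handleUpload("P-demo", "mallory", "id.pdf", "spoofed").code,  // 403
    handleUpload("P-demo", null, "id.pdf", "spoofed").code,       // 403
    handleUpload("P-demo", "alice", "id.pdf", "changed").code,    // 409
    submitProcedure("P-demo", "alice").code,                      // 200
    handleUpload("P-demo", "alice", "extra.pdf", "late").code,    // 409
  ];
}

console.log(demo());
```

Against a real object store, the existence check and the write have to be a single atomic create-if-absent operation; otherwise two concurrent requests can both pass the check.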

Threat

Unauthorized external attacker with process ID.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: A
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 3.5
    • Temporal: 3.5
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The application uses user input after validating its contents.

import { getStorage, ref, getDownloadURL, uploadBytesResumable } from "firebase/storage";

async function uploadFile(request) {
  const storage = getStorage();
  const filePath = `/files/${request.file.name}`;
  const storageRef = ref(storage, filePath);
  // Upload only when no object already exists at this path
  if (!(await checkIfFileExists(filePath))) {
    const uploadTask = uploadBytesResumable(storageRef, request.file);
  }
}

// A function to check if the file being uploaded already exists in storage
function checkIfFileExists(filePath: string): Promise<boolean> {
  const storage = getStorage();
  const storageRef = ref(storage, filePath);

  // Return the promise chain so the caller receives the result
  return getDownloadURL(storageRef)
    .then(() => true)
    .catch(error => {
      if (error.code === 'storage/object-not-found') {
        return false;
      }
      // Any other error is propagated to the caller
      throw error;
    });
}

Non compliant code

The application uses user input without server-side validation.

function uploadFile(request) {
  const storage = getStorage();
  const storageRef = ref(storage, `/files/${request.file.name}`);
  // No check that an object already exists at this path: the upload replaces it
  const uploadTask = uploadBytesResumable(storageRef, request.file);
}

Requirements