Lack of data validation - Content Spoofing
Description
An unauthorized attacker generating a token without credentials, due to a misconfiguration in the file upload can replace files already uploaded by a client since the application does not validate if these were already sent in the file upload request.
Impact
Replace information sent by customers.
Recommendation
Enable a mechanism to identify the status of the procedure and restrict access to objects to authorized users.
Threat
Unauthorized external attacker with process ID.
Expected Remediation Time
โ 60 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
Base
- Attack vector: A
- Attack complexity: L
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: N
- Integrity: L
- Availability: N
Temporal
- Exploit code madurity: X
- Remediation level: X
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
- Score:
- Base: 3.5
- Temporal: 3.5
- Severity:
- Base: Low
- Temporal: Low
Code Examples
Compliant code
The application uses user input after validating its contents
function uploadFile(request){
const storage = getStorage();
const storageRef = ref(storage, `/files/${request.file.name}`);
if !checkIfFileExists{
const uploadTask = uploadBytesResumable(storageRef, request.file);
}
}
//A function to check if the file being uploaded already exists in the db
function checkIfFileExists(filePath: string): Promise<boolean> {
const storage = getStorage();
const storageRef = ref(storage, filePath);
getDownloadURL(storageRef)
.then(url => {
return Promise.resolve(true);
})
.catch(error => {
if (error.code === 'storage/object-not-found') {
return Promise.resolve(false);
} else {
return Promise.reject(error);
}
});
}
Non compliant code
The application uses user input without server side validation
function uploadFile(request){
const storage = getStorage();
const storageRef = ref(storage, `/files/${request.file.name}`)
const uploadTask = uploadBytesResumable(storageRef, request.file);
}