Insecure service configuration - Container level access policy
Description
Container level policy is not set when generating a service Shared Access Signature (SAS). A container-level access policy can be modified or revoked at any time. It provides greater flexibility and control over the permissions that are granted
Impact
Create IDORs, excessive privileges, or broken authentication vulnerabilities
Recommendation
Specify a valid group policy identifier when generating the service SAS.
Threat
Authenticated attacker from the Internet
Expected Remediation Time
⌚ minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the src.
Base
- Attack vector: N
- Attack complexity: H
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: L
- Integrity: L
- Availability: N
Temporal
- Exploit code madurity: U
- Remediation level: O
- Report confidence: R
Result
- Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:R
- Score:
- Base: 4.2
- Temporal: 3.5
- Severity:
- Base: Medium
- Temporal: Low
Compliant code
The service SAS is correctly configured with a group policy
var storageAccount = CloudStorageAccount.Parse(connectionString);
var blobClient = storageAccount.CreateCloudBlobClient();
var blobContainer = blobClient.GetContainerReference(containerName);
blobContainer.CreateIfNotExists();
var storedPolicy = new SharedAccessPolicy()
{
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(10),
Permissions = SharedAccessBlobPermissions.Read |
SharedAccessBlobPermissions.Write |
SharedAccessBlobPermissions.List
AccessPolicy = groupPolicy();
};
//Define access permissions before generating the key
var permissions = blobContainer.GetPermissions();
permissions.SharedAccessPolicies.Clear();
permissions.SharedAccessPolicies.Add(policyName, storedPolicy);
blobContainer.SetPermissions(permissions);
var containerSignature = blobContainer.GetSharedAccessSignature(null, policyName);
var uri = blobContainer.Uri + containerSignature;
Non compliant code
The service SAS does not specify any group policy identifier
var storageAccount = CloudStorageAccount.Parse(connectionString);
var blobClient = storageAccount.CreateCloudBlobClient();
var blobContainer = blobClient.GetContainerReference(containerName);
blobContainer.CreateIfNotExists();
var storedPolicy = new SharedAccessPolicy()
{
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(10),
Permissions = SharedAccessBlobPermissions.Read |
SharedAccessBlobPermissions.Write |
SharedAccessBlobPermissions.List
AccessPolicy = defaultPolicy();
};
//Generate SAS
var containerSignature = blobContainer.GetSharedAccessSignature(null, policyName);
var uri = blobContainer.Uri + containerSignature;
Requirements
Fixes
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.