Excessive Data Exposure

2022-01-24

前言

當透過 Checkmarx 集合為 OWASP TOP 10 - 2021 掃 ASP.NET MVC 時，
如果回傳的物件中，如果 類別/屬性名稱 中有一些機敏性名稱時，
Checkmarx 就會出 Excessive_Data_Exposure 的中風險

研究

機敏性名稱類例如以下字串，

*Credit*",
"*credentials*",
"*secret*",
"*Account*",
"*SSN",
"DOB",
"SSN*",
"*SocialSecurity*",
"DeviceUniqueId",
"auth*",
"*passport*"

例如 User Class 為，

public class User
{
    [HiddenInput(DisplayValue = false)]
    public int UserID { get; set; }

    [Required(ErrorMessage = "Please enter a email")]
    [DataType(DataType.EmailAddress)]
    [RegularExpression(@"\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*", ErrorMessage = "Invalid email address")]
    public string Email { get; set; }

    [Required]
    [StringLength(100)]
    [Display(Name = "First name")]
    public string FirstName { get; set; }

    [Required]
    [StringLength(100)]
    [Display(Name = "Last name")]
    public string LastName { get; set; }

    [Required, AllowHtml]
    [StringLength(10, ErrorMessage = "The password cannot be longer than 10 characters.")]
    [DataType(DataType.Password)]
    [RegularExpression(@"^([a-zA-Z0-9]+)$", ErrorMessage = "The password cannot contain special characters.")]
    public string Password { get; set; }

    public string PasswordHash { get; set; }

    public string PasswordSalt { get; set; }

    public string CreditCard { get; set; }

    public bool? IsAdmin { get; set; }

    [HiddenInput(DisplayValue = false)]
    public string Token { get; set; }

    [HiddenInput(DisplayValue = false)]
    public DateTime? TokenCreTime { get; set; }
}

Action 程式碼為，

[AllowAnonymous]
public PartialViewResult UserProfiler()
{
    User user = null;
    if(User.Identity.IsAuthenticated)
    {
        user = userRepository.Users.FirstOrDefault(u => string.Compare(u.Email, User.Identity.Name, StringComparison.InvariantCultureIgnoreCase) == 0);  
    }
    if (user == null)
    {
        user = new User();
    }
    return PartialView(user);
}

所以 user 在回傳前，要先將那些機敏性屬性值清掉，或是建立一個沒有那些機敏性屬性的類別回傳出去。
以下是透過 Method ，將機敏性屬性值清掉 (user.WithoutSensitiveData())，如下，

[AllowAnonymous]
public PartialViewResult UserProfiler()
{
    User user = null;
    if(User.Identity.IsAuthenticated)
    {
        user = userRepository.Users.FirstOrDefault(u => string.Compare(u.Email, User.Identity.Name, StringComparison.InvariantCultureIgnoreCase) == 0);  
    }
    if (user == null)
    {
        user = new User();
    }
    return PartialView(user.WithoutSensitiveData());
}

public static User WithoutSensitiveData(this User user)
{
    user.Password = string.Empty;
    user.PasswordHash = string.Empty;
    user.PasswordSalt = string.Empty;
    user.CreditCard = string.Empty;
    return user;
}

jsonContent: meta: false pages: false posts: title: true date: true path: true text: false raw: false content: false slug: false updated: false comments: false link: false permalink: false excerpt: false categories: false tags: true