using System;
using System.Net;
using System.Web;
/// <summary>
/// Test fixture for a "conditional bypass of security check" analysis: each method
/// guards a call to <see cref="login"/> with a condition derived from request data
/// (query string, cookie, or a DNS lookup), and the BAD/GOOD/FALSE POSITIVE/FALSE NEGATIVE
/// comments record the expected verdict for that guard. The control-flow shape of every
/// method is the thing under test, so it is intentionally left as written.
/// </summary>
public class ConditionalBypassHandler : IHttpHandler
{
    /// <summary>
    /// Handler entry point. Reads <c>user</c>, <c>password</c> and <c>isAdmin</c> from the
    /// query string and <c>adminCookie</c> from the request cookies, then demonstrates
    /// several ways a request-controlled value can decide whether <see cref="login"/> runs.
    /// </summary>
    /// <param name="ctx">The current request context; all guard values are read from <c>ctx.Request</c>.</param>
    public void ProcessRequest(HttpContext ctx)
    {
        string user = ctx.Request.QueryString["user"];
        string password = ctx.Request.QueryString["password"];
        string isAdmin = ctx.Request.QueryString["isAdmin"];
        // BAD: login is only executed if isAdmin is false, but isAdmin
        // is controlled by the user
        if (isAdmin == "false")
            login(user, password);
        // NOTE(review): the cookie indexer returns null when the request carries no
        // "adminCookie"; every adminCookie.Value access below would then throw
        // NullReferenceException. Left as-is because the null-guard is not what this
        // fixture exercises.
        HttpCookie adminCookie = ctx.Request.Cookies["adminCookie"];
        // BAD: login is only executed if the cookie value is false, but the cookie
        // is controlled by the user
        if (adminCookie.Value.Equals("false"))
            login(user, password);
        // FALSE POSITIVES: both methods are conditionally executed, but they probably
        // both perform the security-critical action
        if (adminCookie.Value == "false")
        {
            login(user, password);
        }
        else
        {
            reCheckAuth(user, password);
        }
        // FALSE NEGATIVE: we have no way of telling that the skipped method is sensitive
        if (adminCookie.Value == "false")
            doReallyImportantSecurityWork();
        // BAD: DNS may be controlled by the user
        // Dns.GetHostByAddress is the obsolete pre-.NET 2.0 API; the reverse (PTR) answer
        // it returns is supplied by whoever controls the reverse zone for 1.2.3.4, so the
        // host name is not a trustworthy basis for an authentication decision.
        IPAddress hostIPAddress = IPAddress.Parse("1.2.3.4");
        IPHostEntry hostInfo = Dns.GetHostByAddress(hostIPAddress);
        // Exact comparison
        if (hostInfo.HostName == "trustme.com")
        {
            login(user, password);
        }
        // Substring comparison
        // Weaker than the exact check above: any name that merely ends in "trustme.com"
        // satisfies it, and no StringComparison is specified, so the match is culture-sensitive.
        if (hostInfo.HostName.EndsWith("trustme.com"))
        {
            login(user, password);
        }
    }

    /// <summary>
    /// Expected verdict: GOOD. The cookie only selects which branch runs;
    /// <see cref="login"/> is reached on both paths.
    /// </summary>
    /// <param name="ctx">Request context supplying the <c>adminCookie</c> cookie.</param>
    /// <param name="user">User name forwarded to <see cref="login"/>.</param>
    /// <param name="password">Password forwarded to <see cref="login"/>.</param>
    public static void Test(HttpContext ctx, String user, String password)
    {
        HttpCookie adminCookie = ctx.Request.Cookies["adminCookie"];
        // GOOD: login always happens
        if (adminCookie.Value == "false")
            login(user, password);
        else
        {
            // do something else
            login(user, password);
        }
    }

    /// <summary>
    /// Expected verdict: BAD. The unconditional call after the <c>if</c> guarantees at least
    /// one <see cref="login"/>, but the cookie still decides whether a second one happens.
    /// </summary>
    /// <param name="ctx">Request context supplying the <c>adminCookie</c> cookie.</param>
    /// <param name="user">User name forwarded to <see cref="login"/>.</param>
    /// <param name="password">Password forwarded to <see cref="login"/>.</param>
    public static void Test2(HttpContext ctx, String user, String password)
    {
        HttpCookie adminCookie = ctx.Request.Cookies["adminCookie"];
        // BAD: login may happen once or twice
        if (adminCookie.Value == "false")
            login(user, password);
        else
        {
            // do something else
        }
        login(user, password);
    }

    /// <summary>
    /// Expected verdict: BAD. The <c>else</c> branch returns early, so a request whose cookie
    /// is anything other than <c>"false"</c> leaves the method without calling <see cref="login"/>.
    /// </summary>
    /// <param name="ctx">Request context supplying the <c>adminCookie</c> cookie.</param>
    /// <param name="user">User name forwarded to <see cref="login"/>.</param>
    /// <param name="password">Password forwarded to <see cref="login"/>.</param>
    public static void Test3(HttpContext ctx, String user, String password)
    {
        HttpCookie adminCookie = ctx.Request.Cookies["adminCookie"];
        if (adminCookie.Value == "false")
            login(user, password);
        else
        {
            // do something else
            // BAD: login may not happen
            return;
        }
    }

    /// <summary>
    /// Expected verdict: GOOD. Both the early-return path and the fall-through path call
    /// <see cref="login"/> exactly once before leaving the method.
    /// </summary>
    /// <param name="ctx">Request context supplying the <c>adminCookie</c> cookie.</param>
    /// <param name="user">User name forwarded to <see cref="login"/>.</param>
    /// <param name="password">Password forwarded to <see cref="login"/>.</param>
    public static void Test4(HttpContext ctx, String user, String password)
    {
        HttpCookie adminCookie = ctx.Request.Cookies["adminCookie"];
        // GOOD: login always happens
        if (adminCookie.Value == "false")
        {
            login(user, password);
            return;
        }
        // do other things
        login(user, password);
        return;
    }

    /// <summary>
    /// Stand-in for the security-critical operation the analysis is expected to recognise.
    /// Intentionally empty; only its call sites matter to the fixture.
    /// </summary>
    /// <param name="user">Unused.</param>
    /// <param name="password">Unused.</param>
    public static void login(String user, String password)
    {
        // login
    }

    /// <summary>
    /// Alternative security-critical operation used by the FALSE POSITIVE case in
    /// <see cref="ProcessRequest"/>: a guard that picks between this and <see cref="login"/>
    /// does not skip the check, it only changes which routine performs it. Intentionally empty.
    /// </summary>
    /// <param name="user">Unused.</param>
    /// <param name="password">Unused.</param>
    public static void reCheckAuth(String user, String password)
    {
        // login
    }

    /// <summary>Unreferenced no-op; kept as part of the fixture.</summary>
    public static void doIt() { }

    /// <summary>
    /// Security-critical operation whose name does not match the pattern the analysis looks
    /// for — the FALSE NEGATIVE case in <see cref="ProcessRequest"/>. Intentionally empty.
    /// </summary>
    public static void doReallyImportantSecurityWork()
    {
        // login, authenticate, everything
    }

    /// <summary>
    /// Returns <c>true</c>, allowing ASP.NET to serve multiple requests with one instance.
    /// The handler declares no instance fields, so there is no per-request state to leak
    /// between callers.
    /// </summary>
    public bool IsReusable
    {
        get
        {
            return true;
        }
    }
}