Merged
40 changes: 40 additions & 0 deletions CodeQL_Queries/csharp/TelerikRepeatedEncryptionKey/README.md
@@ -0,0 +1,40 @@

# Weak (duplicated) encryption keys for ASP.NET Telerik

## Overview

ASP.NET Telerik upload allows developers to easily
manage file uploads. The transmission between the client and the
server must be encrypted and impossible to decode, so the data cannot
be used by a malicious entity in an attack against the server. The
main security recommendation for Telerik is setting custom unique
strong random values for `Telerik.AsyncUpload.ConfigurationEncryptionKey`
and `Telerik.Upload.ConfigurationHashKey`.

The CodeQL query detects applications that are using the same key
for both fields while they should have been unique

## Recommendation
Set a custom unique strong random value for
`Telerik.AsyncUpload.ConfigurationEncryptionKey`.

Set a custom unique strong random value for
`Telerik.Upload.ConfigurationHashKey`.

## Example

The following example shows a secure configuration for Telerik Upload
in the file `Web.config`.
```
<appSettings>
<add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR-FIRST-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" />
<add key="Telerik.Upload.ConfigurationHashKey" value="YOUR-SECOND-UNIQUE-STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" />
<add key="Telerik.Upload.AllowedCustomMetaDataTypes" value="Telerik.Web.UI.AsyncUploadConfiguration" />
</appSettings>
```

## References
- Telerik: [Security Recommendations](https://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security).
- Telerik: [Cryptographic Weakness](https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness).
- Exploitation: [Pwning Web Applications via Telerik WebUI](https://captmeelo.com/pentest/2018/08/03/pwning-with-telerik.html).

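Review bot: The Overview should state the query's scope explicitly: as written ("The CodeQL query detects applications that are using the same key for both fields") it only reports when the two values are identical, so a configuration that omits either key or leaves one at a default value yields no finding, and a reader should not take a clean result as evidence that the keys are strong; that sentence is also missing its terminating period. In the Example, the code fence has no language tag, so mark it as `xml` for highlighting, and the `Telerik.Upload.AllowedCustomMetaDataTypes` entry appears without any explanation in text that is about the two keys, so either say what it is for or drop it from the snippet.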
@@ -0,0 +1,20 @@
/**
* @name Non unique encryption keys in Telerik Upload in ASP.NET
* @description Setting a weak encryption key for ASP.NET Telerik Upload may allow attacks against
* the application.
* @kind problem
*/

import csharp

from XMLAttribute a, XMLAttribute b
where
a.getName() = "key" and
a.getValue() = "Telerik.AsyncUpload.ConfigurationEncryptionKey" and
b.getName() = "key" and
b.getValue() = "Telerik.Upload.ConfigurationHashKey" and
a.getElement().getAttributeValue("value") = b.getElement().getAttributeValue("value")
select a,
"Non unique (duplicated) Telerik Upload encryption key (" +
a.getElement().getAttributeValue("value").toString() + ")."
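Review bot: The `where` clause never requires `a` and `b` to come from the same configuration file, so an encryption key in one project's `Web.config` that happens to equal the hash key in a different config file in the same database is reported as a duplicate; add a constraint such as `a.getElement().getFile() = b.getElement().getFile()` (or require both `<add>` elements to share the same parent `appSettings` element). The metadata block is also missing `@id`, `@problem.severity` and `@tags`, which a query conventionally carries so it can be run from a pack and its alerts classified, and the `@description` speaks of a "weak" key while the query actually detects a duplicated one; align the wording with the README title. Minor: `getAttributeValue("value")` already returns a string, so the `.toString()` in the `select` is redundant.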