SV.AUTH.BYPASS.MUST

Incorrect authentication

In some use cases, a loggedIn cookie may be checked to verify whether the user has already logged in. If not, the code authenticates the user with the user-supplied user name and password. If that succeeds, it sets the loggedIn and user cookies to "remember" that the user has logged in. The SV.AUTH.BYPASS.MUST checker verifies that the user authentication method is sufficient and has not been bypassed.

This checker reports a defect if "userName" and "password" are used in the body together with .getParameter() or .get().

Vulnerability and risk

When an actor claims to have a given identity and the software does not prove, or insufficiently proves, that the claim is correct, this weakness can expose resources or functionality to unintended actors. It may provide an attacker with sensitive information or even allow the attacker to execute arbitrary code.

Vulnerable code example 1

public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    Map<String, String> result = new HashMap<>();
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            result.put(cookie.getName(), cookie.getValue());
        }
    }
    if (result.isEmpty() || !(result.get("loggedIn") != null && "true".equals(result.get("loggedIn")))) {
        if (!AuthenticateUser(request.getParameter("userName"), request.getParameter("password"))) { // both user name and password
            System.err.println("Error: you need to log in first");
        }
        else {
            // Set loggedIn and user cookies.
            Cookie loggedIn = new Cookie("loggedIn", "true");
            Cookie userName = new Cookie("userName", request.getParameter("userName"));
            response.addCookie(loggedIn);
            response.addCookie(userName);
        }
    }
}

In this example, Klocwork reports an SV.AUTH.BYPASS.MUST defect on line 10, indicating "Use of cookie loggedIn can lead to authentication bypass".

Fixed code example 1

public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    if (!AuthenticateUser(request.getParameter("userName"), request.getParameter("password"))) { // both user name and password
        System.err.println("Error: you need to log in first");
    }
    else {
        // Set loggedIn and user cookies.
        Cookie loggedIn = new Cookie("loggedIn", "true");
        Cookie userName = new Cookie("userName", request.getParameter("userName"));
        response.addCookie(loggedIn);
        response.addCookie(userName);
    }
}

In the fixed code example, Klocwork no longer reports the defect, because no cookie that could be used to bypass authentication is consulted.

Vulnerable code example 2

public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    Map<String, String> result = new HashMap<>();
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            result.put(cookie.getName(), cookie.getValue());
        }
    }
    if (result.isEmpty() || !(result.get("loggedIn") != null && "true".equals(result.get("loggedIn")))) {
        if (!checkUser(request.getParameter("userName"))) { // user name only
            System.err.println("Error: you need to log in first");
        }
    }
}

In this example, Klocwork reports an SV.AUTH.BYPASS.MUST defect on line 10, indicating "Use of cookie loggedIn can lead to authentication bypass".

Fixed code example 2

public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    if (!checkUser(request.getParameter("userName"))) { // user name only
        System.err.println("Error: you need to log in first");
    }
    else {
        // Set loggedIn and user cookies.
        Cookie loggedIn = new Cookie("loggedIn", "true");
        Cookie userName = new Cookie("userName", request.getParameter("userName"));
        response.addCookie(loggedIn);
        response.addCookie(userName);
    }
}

In this fixed code example, Klocwork no longer reports the defect, because no cookie that could be used to bypass authentication is consulted.
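As an added illustration that is not part of the Klocwork documentation or its examples, the following plain-JDK program puts the pattern the checker flags in both vulnerable examples (a client-supplied loggedIn cookie deciding the outcome) beside a server-side session lookup, where the cookie is only an opaque key into state the server created after a successful credential check. Cookies are modelled as a Map<String, String> and the credential store is constructed for the demo so it runs without a servlet container; the class and method names (SessionAuthDemo, cookieTrustingCheck, login, currentUser) are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical demo class (not Klocwork's code). Cookies are modelled as a
 * Map<String, String> so the program runs without a servlet container.
 */
public class SessionAuthDemo {

    // Constructed credential store for the demo only; a real one holds salted password hashes.
    private static final Map<String, String> CREDENTIALS = Map.of("alice", "correct horse battery");

    // Server-side session store: opaque token issued by the server -> authenticated user name.
    private static final Map<String, String> SESSIONS = new ConcurrentHashMap<>();
    private static final SecureRandom RNG = new SecureRandom();

    /** The pattern the checker flags: a value the client chose decides whether it is "logged in". */
    static boolean cookieTrustingCheck(Map<String, String> cookies) {
        return "true".equals(cookies.get("loggedIn"));
    }

    /** Stand-in for AuthenticateUser(userName, password) from the page's examples. */
    static boolean authenticateUser(String userName, String password) {
        if (userName == null || password == null) {
            return false;
        }
        String expected = CREDENTIALS.get(userName);
        // Constant-time comparison so the check does not leak how many characters matched.
        return expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
    }

    /** Verify credentials, then issue a 256-bit random session id that only the server can mint. */
    static String login(String userName, String password) {
        if (!authenticateUser(userName, password)) {
            return null;
        }
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SESSIONS.put(token, userName);
        return token;
    }

    /** Hardened check: the cookie is only a key into server-side state, never the decision itself. */
    static String currentUser(Map<String, String> cookies) {
        String token = cookies.get("sessionId");
        return token == null ? null : SESSIONS.get(token);
    }

    public static void main(String[] args) {
        // Constructed request: cookies set by a client that never logged in.
        Map<String, String> forged = new HashMap<>();
        forged.put("loggedIn", "true");
        forged.put("userName", "alice");
        System.out.println("loggedIn-cookie check accepts forged request: " + cookieTrustingCheck(forged));
        System.out.println("session lookup accepts forged request: " + (currentUser(forged) != null));

        // Genuine flow: credentials are verified first, and the token comes from the server.
        String token = login("alice", "correct horse battery");
        Map<String, String> genuine = Map.of("sessionId", token);
        System.out.println("session lookup after real login resolves to: " + currentUser(genuine));
    }
}
```

The forged request satisfies cookieTrustingCheck but resolves to no user in currentUser, because SESSIONS only ever contains tokens that login issued after authenticateUser succeeded; a client cannot mint a valid one. In a real servlet the same effect is obtained by storing the user in HttpSession after a successful credential check and marking the session cookie HttpOnly and Secure, so no client-writable cookie carries the authentication decision.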

Related checkers

Security training

Application security training materials are provided by Secure Code Warrior.