1

We have an application which is already in production where an IDOR vulnerability was detected in an endpoint "CustomerKey". This contains customer ID which when used brute force allowed for session take over in our app.

Now we can't encrypt this as it might make the app slow as the CustomerKey is being used many times in the JS as well as backend. Our app allows many users to login at the same time we are using signalR in the app as well.

Some sample backend code where this CustomerKey is being used :

[HttpPost]
[AllowAnonymous]
public JsonResult UpLoadLog(string CustomerKey, string message)
            {
                try
                {
                    var log = message.Split(new string[] { "\r\n" }, 
                    StringSplitOptions.RemoveEmptyEntries);
                    foreach (string s in log)
                    {
                        Logger.Write(LogType.Info, this.GetType(), "UpLoadLog", CustomerKey + ": " 
                        + s.TrimStart('\r', '\n'), null);
                    }
                }
                catch (Exception ex)
                {
                    Logger.Write(LogType.Fatal, this.GetType(), "UpLoadLog", ex.Message, ex);
                }
                HttpContext.Response.StatusCode = (int)System.Net.HttpStatusCode.OK;
                return null;
            } 
[AuthorizeUser]
public ActionResult Customer(string CustomerKey, string FeedData, string FeedInfo)
        {
            if (string.IsNullOrEmpty(CustomerKey))
            {

                var owinContext = Request.GetOwinContext();

                CustomerKey = owinContext.Get<string>("CustomerKey");
                FeedData = owinContext.Get<string>("FeedData");
                FeedInfo = owinContext.Get<string>("FeedInfo");
            }
                ViewBag.CustomerKey = CustomerKey;
                ViewBag.FeedData = FeedData;
                ViewBag.FeedInfo = FeedInfo;
                ViewBag.UseSignalR = true;
                ViewBag.isOffline = true;
                return View("Offline", "CustomerLayout");


        }

Sample js code where CustomerKey is being used:

var UpLoadLog = function (log, isAsync) {
        if (isAsync== null || isAsync== undefined)
            isAsync= true;   
        jQuery.ajax({
            type: "POST",
            async: isAsync,
            contentType: "application/json;charset=utf-8",
            url: rooturl + "Authentication/UpLoadLog",
            data: JSON.stringify({ CustomerKey: jQuery("#customerKey").val(), message: "\r\n\r\n" + log + "\r\n\r\n" }),
            dataType: "json",
            success: function (response, status, jqXHR) {           
            },
            error: function (jqXHR, status, error) {

            }
        });
  
        LogMessages = "\r\n\r\n";
    };

The app also contains a hidden field in the layout where the value of CustomerKey is being used

<input type="hidden" id="customerkey" value="@ViewBag.CustomerKey"/>

What I need help is how can I resolve this vulnerability without making huge changes in the application?

halfer
  • 19,824
  • 17
  • 99
  • 186
IntelligentCancer
  • 59
  • 1
  • 1
  • 15

2 Answers2

0

If I understood the problem correctly, then it lies in the fact that anyone can send a request with any CustomerKey, and get a response by CustomerKey, even if they are not authorized to receive such information. If the information about the CustomerKey is associated with authorization filters (AuthorizeUser), then, in my opinion, the least time-consuming way to solve the problem would be to compare the CustomerKey with the corresponding property of the authorized user. And if the keys don't match, throw an exception. To talk about specific lines of code, I need, in fact, to work with the project and have access to all the source code.

Valeriy Tito
  • 71
  • 6
0

You could enter a third parameter which is the md5() of the CustomerKey parameter. This way when the method is contacted, it checks if the md5 parameter is really the md5 of the CustomerKey parameter, if so it writes the log. It is a sort of checksum made on the first parameter which guarantees that only those who know this rule can save logs. This can be an example of the new method signature

[HttpPost]
[AllowAnonymous]
public JsonResult UpLoadLog(string CustomerKey, string message, string md5)

This instead a way to calculate md5:

using (System.Security.Cryptography.MD5 md5 = System.Security.Cryptography.MD5.Create())
{
    byte[] inputBytes = System.Text.Encoding.ASCII.GetBytes(input);
    byte[] hashBytes = md5.ComputeHash(inputBytes);
    string calculatedMd5 = Convert.ToHexString(hashBytes);
}
tartarismo
  • 194
  • 1
  • 10