REST uses the standard HTTP methods (Get, Put, Delete) as its permission
model, but these methods are not necessarily correlated with what the back end
programs actually do. A strict interpretation of the HTTP Get method means that
Get services should not be used to delete information on the server, but there
is no access control mechanism to back up this logic. This means that unless
the services are properly ACL'd and the application's service implementation
follows these guidelines, an HTTP request can easily execute a delete or
update on the server side.
The attacker identifies an HTTP Get URL such as
http://victimsite/updateOrder, which calls out to a program that updates orders
in a database or other resource. Because the URL is not idempotent, the attacker
can submit the request multiple times; additionally, the attacker may be able
to exploit a URL published as a Get method that actually performs updates
(instead of merely retrieving data). This may result in malicious or
inadvertent altering of data on the server.
Attack Prerequisites
The attacker needs to be able to identify HTTP Get URLs. The Get methods
must be set up to call applications that perform operations other than
retrieval, such as update and delete.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Examples-Instances
Description
The HTTP Get method is designed to retrieve resources and not to alter
the state of the application or resources on the server side. However,
developers can easily code programs that accept an HTTP Get request and
do in fact create, update or delete data on the server. Both Flickr
(http://www.flickr.com/services/api/flickr.photosets.delete.html) and
del.icio.us (http://del.icio.us/api/posts/delete) have implemented
delete operations using standard HTTP Get requests. These HTTP Get
methods do delete data on the server side, despite being invoked through
Get, which is not supposed to alter state.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
It is relatively straightforward to identify an HTTP Get method that
changes state on the server side and executes against an overprivileged
system interface.
Probing Techniques
The attacker may enumerate URLs to identify vulnerable services.
Solutions and Mitigations
Design: Enforce principle of least privilege
Implementation: Ensure that HTTP Get methods only retrieve state and do
not alter state on the server side
Implementation: Ensure that HTTP methods have proper ACLs based on the
functionality they expose
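The following is an added example, not code from CAPEC or from the Flickr or del.icio.us services named above. It contrasts the weak pattern in the Description (a Get endpoint that mutates data and carries no authorization of its own) with the two Implementation mitigations just listed: a route table that declares which HTTP method reaches which handler, so Get is read-only by construction, and a per-method ACL checked before any handler runs. The /order route, the orders:read and orders:write permissions, the users alice and bob, and the order data are all constructed for the example.

```python
# Added example (not CAPEC's own code): method enforcement and per-method
# ACLs for a small order service. Routes, users, permissions and data are
# constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    user: str
    params: dict = field(default_factory=dict)


# Constructed ACL: which permissions each hypothetical user holds.
ACL = {
    "alice": {"orders:read", "orders:write"},
    "bob": {"orders:read"},
}


def make_store():
    """Constructed sample data; a fresh copy per call keeps runs independent."""
    return {"1001": {"status": "open"}}


# --- Weak pattern the entry describes: a Get endpoint that updates state
# --- and performs no authorization of its own.
def legacy_update_order_get(req, store):
    oid = req.params.get("id")
    if oid in store:
        store[oid]["status"] = req.params.get("status", store[oid]["status"])
        return 200, dict(store[oid])
    return 404, None


# --- Hardened pattern: handlers are reachable only through the method and
# --- permission declared in ROUTES. The Get handler never writes.
def get_order(req, store):
    order = store.get(req.params.get("id"))
    return (200, dict(order)) if order else (404, None)


def update_order(req, store):
    oid = req.params.get("id")
    if oid not in store:
        return 404, None
    store[oid]["status"] = req.params.get("status", store[oid]["status"])
    return 200, dict(store[oid])


def delete_order(req, store):
    oid = req.params.get("id")
    if oid not in store:
        return 404, None
    del store[oid]
    return 204, None


# Each route lists the methods it accepts and the permission each one needs.
ROUTES = {
    "/order": {
        "GET": (get_order, "orders:read"),
        "PUT": (update_order, "orders:write"),
        "DELETE": (delete_order, "orders:write"),
    },
}


def dispatch(req, store):
    """Apply the method check and the ACL check before any handler runs."""
    route = ROUTES.get(req.path)
    if route is None:
        return 404, None
    entry = route.get(req.method)
    if entry is None:
        # Method not declared for this path: a Get request can never reach
        # update_order or delete_order, whatever parameters it carries.
        return 405, None
    handler, needed = entry
    if needed not in ACL.get(req.user, set()):
        return 403, None
    return handler(req, store)


if __name__ == "__main__":
    store = make_store()
    # Get with a status parameter: served read-only, store unchanged.
    print(dispatch(Request("GET", "/order", "bob", {"id": "1001", "status": "cancelled"}), store))
    print(store)
    # bob lacks orders:write, so the update is refused before the handler runs.
    print(dispatch(Request("PUT", "/order", "bob", {"id": "1001", "status": "shipped"}), store))
    print(dispatch(Request("PUT", "/order", "alice", {"id": "1001", "status": "shipped"}), store))
```

The two checks are deliberately independent: the method check (405) closes the design flaw the entry describes, and the ACL check (403) applies least privilege to the methods that are allowed to write, so a caller with read-only rights cannot reach update or delete even when using the correct method.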
Attack Motivation-Consequences
Data Modification
Privilege Escalation
Injection Vector
Payload delivered through standard communication protocols. In the Flickr and
del.icio.us examples above, this is done through a normal web browser.
Payload
Command(s) executed directly on host
Activation Zone
Client machine and client network
Payload Activation Impact
Enables the attacker to execute server-side code with whatever privileges
the program owner has.
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.