Skip to content

JS: Web Cache Deception Express #15180

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 6 commits into
base: main
Choose a base branch
from
Draft

JS: Web Cache Deception Express #15180

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
2e04655
add rule and example code for express
krakendio Dec 20, 2023
8a3018e
add rule and example code for express
krakendio Dec 20, 2023
bacde7f
update example code
krakendio Dec 20, 2023
3ec7ac5
update example code
krakendio Dec 20, 2023
c830a04
add missing files
krakendio Dec 20, 2023
f8ad494
fix formatting
krakendio Dec 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions javascript/ql/src/experimental/Security/CWE-525/WebCacheDeception.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
/**
* @name Web Cache Deception in Express
* @description A caching system has been detected on the application and is vulnerable to web cache deception. By manipulating the URL it is possible to force the application to cache pages that are only accessible by an authenticated user. Once cached, these pages can be accessed by an unauthenticated user.
* @kind problem
* @problem.severity error
* @security-severity 9
* @precision medium
* @id js/web-cache-deception-express
* @tags javascript
* cwe-525
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This tag is wrong.

Suggested change
* cwe-525
* external/cwe/cwe-525

* bug
*/

import javascript
import WebCacheDeceptionLib

from WebCacheDeception::Sink httpHandleFuncCall
where httpHandleFuncCall.toString().matches("%*%")

Check warning

Code scanning / CodeQL

Using 'toString' in query logic

Query logic depends on implementation of 'toString'.
select httpHandleFuncCall, httpHandleFuncCall + " is used as wildcard endpoint."
12 changes: 12 additions & 0 deletions javascript/ql/src/experimental/Security/CWE-525/WebCacheDeceptionBad.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
const express = require('express')
const app = express()
port = 3000

app.get('/test*', (req, res) => {
res.send('test')
})


app.listen(port, () => {
console.log(`Example app listening on port ${port}`)
})
12 changes: 12 additions & 0 deletions javascript/ql/src/experimental/Security/CWE-525/WebCacheDeceptionGood.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
const express = require('express')
const app = express()
port = 3000

app.get('/test', (req, res) => {
res.send('test')
})


app.listen(port, () => {
console.log(`Example app listening on port ${port}`)
})
16 changes: 16 additions & 0 deletions javascript/ql/src/experimental/Security/CWE-525/WebCacheDeceptionLib.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
import javascript
import StringOps

module WebCacheDeception {
abstract class Sink extends DataFlow::Node { }

private class Express extends Sink {
Express() {
exists(Import is | is.getImportedModuleNode().getASuccessor().toString() = "express") and
exists(DataFlow::CallNode m |
m.getAMethodCall().getArgument(0).getStringValue().matches("%*") and
this = m.getAMethodCall().getArgument(0)
)
}
}
}
1 change: 1 addition & 0 deletions javascript/ql/test/experimental/Security/CWE-525/WebCacheDeception.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
| WebCacheDeceptionBad.js:5:9:5:16 | '/test*' | '/test*' is used as wildcard endpoint. |
35 changes: 35 additions & 0 deletions javascript/ql/test/experimental/Security/CWE-525/WebCacheDeception.qhelp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>
<overview>
<p>
Web Cache Deception is a security vulnerability where an attacker tricks a web server into caching sensitive information and then accesses that cached data.
</p>
<p>
This attack exploits certain behaviors in caching mechanisms by requesting URLs that trick the server into thinking that a non-cachable page is cachable. If a user then accesses sensitive information on these pages, it could be cached and later retrieved by the attacker.
</p>
</overview>
<recommendation>
<p>
To prevent Web Cache Deception attacks, web applications should clearly define cacheable and non-cacheable resources. Implementing strict cache controls and validating requested URLs can mitigate the risk of sensitive data being cached.
</p>
</recommendation>
<example>
<p>
Vulnerable code example: A web server is configured to cache all responses ending in '.css'. An attacker requests 'profile.css', and the server processes 'profile', a sensitive page, and caches it.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where in the sample code is the "server is configured to cache all responses ending in '.css'."?

</p>
<sample src="WebCacheDeceptionBad.js" />
</example>
<example>
<p>
Secure code example: The server is configured with strict cache controls and URL validation, preventing caching of dynamic or sensitive pages regardless of their URL pattern.
</p>
<sample src="WebCacheDeceptionGood.js" />
</example>
<references>
<li>
OWASP Web Cache Deception Attack:
<a href="https://owasp.org/www-community/attacks/Web_Cache_Deception">Understanding Web Cache Deception Attacks</a>
</li>
<!-- Additional references can be added here -->
</references>
</qhelp>
1 change: 1 addition & 0 deletions javascript/ql/test/experimental/Security/CWE-525/WebCacheDeception.qlref
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
experimental/Security/CWE-525/WebCacheDeception.ql
11 changes: 11 additions & 0 deletions javascript/ql/test/experimental/Security/CWE-525/WebCacheDeceptionBad.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
const express = require('express')
const app = express()
port = 3000

app.get('/test*', (req, res) => {
res.send('test')
})

app.listen(port, () => {
console.log(`Example app listening on port ${port}`)
})
12 changes: 12 additions & 0 deletions javascript/ql/test/experimental/Security/CWE-525/WebCacheDeceptionGood.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
const express = require('express')
const app = express()
port = 3000

app.get('/test', (req, res) => {
res.send('test')
})


app.listen(port, () => {
console.log(`Example app listening on port ${port}`)
})