Clarify reasoning behind 13.2.5 #2472
Comments
tghosth
added
1) Discussion ongoing
|
Please also provide an explanation, what security risk the requirement solves outside of CORS context. |
|
Ok, the CWE is 436 "Interpretation Conflict". Based on the CWE it seems like the original intention of the requirement was to ensure that content which is received is processed by the correct interpreter and potentially also an expected interpreter. Tracing back, it comes from ASVS 3.0, see this training slide: There are various frameworks which will seamlessly handle a variety of incoming content types. If assumptions have been made that incoming content will be of a certain type, sending content of a different type may bypass controls which rely on those assumptions. I think if nothing else the age of the requirement probably indicates that it was not intended to be related to CORS :) |
|
If it is such a generous problem, why is the requirement limited to REST services and precisely mentioning 2 certain content-types? |
How does it make sense or how is the assumption a security requirement? If you make a request and change the content-type to mismatch with the content, it will reach the functionality anyway. Basically, you are saying, that for file upload we need to validate the file mime-type/content-type, and then it's ok to process it further? Take a look at requirement 12.2.1 to validate your idea for this interpretation. |
Fair question and should potentially be wider
These are examples, not a closed list
No, the point is that if it expects to receive json and it receives xml or formurlencoded then it will reject the request. If it expects to receive multiple types then it needs to be capable of validating the content.
This is not about file upload, this is about a regular web request where the web server is processing the content |
It's called input validation. Checking the content-type header does not serve the goal. I think you did not take parallel with file-upload seriously. I reached my facepalm limit for this year. |
|
I was thinking about this a little more @elarlang. Maybe if we refine it to: "Verify that REST services explicitly process received data based on the incoming Content-Type and will only accept expected content types. For example, a JSON API should not accept a request with an application/xml content type nor should it process a request with a text/plain content type as JSON." |
|
What problem it solves outside of CORS? If the service expects JSON content and gets a valid JSON content but with the If the service is accepting different contents and |
|
Ok so you think this should be merged into input validation or just removed as redundant? |
|
From CORS point of view it gets merged into "CSRF" requirement. For standard input validation I don't see specific problem or vector to solve that is not covered by general input validation requirements. |
|
Opened #2483 |
tghosth
added
6) PR awaiting review
and removed
1) Discussion ongoing
|
It gets merged into V50.4.1, will be solved with #2481 |
elarlang
added
4a) Waiting for another
|
Please note that CORS is not always a CSRF protection mechanism. There are no preflight’s with a simple cross origin request. So GET based endpoints, which might be state changing and more, do not necessarily get CSRF protection. My opinion is that all sensitive API endpoints should not depend on CORS for CSRf protection.
Please disregard this or delete this comment if it’s redundant, I’m admittedly on my cell phone.
|
#876 (comment)
#876 (comment)
We should clarify the reason for 13.2.5
The text was updated successfully, but these errors were encountered: