Emulation of GitHub's password-reset flaw: a taint query checking whether the attacker-supplied email parameter, rather than the registered user's address, becomes the recipient of the reset e-mail
// --- Source: the attacker-controlled value ---
// resetPasswordBad(HttpServletRequest, String) has exactly one String parameter,
// the e-mail address submitted by the requester, so selecting the String-typed
// parameters of this method yields just that attacker-controlled input.
val RESET_PASSWORD_SOURCE =
  "org.baeldung.web.controller.RegistrationController.resetPasswordBad:org.baeldung.web.util.GenericResponse(javax.servlet.http.HttpServletRequest,java.lang.String)"

// --- Sink: the outbound e-mail channel ---
// Fully qualified signature of the Spring mail API call that sends the message.
val EMAIL_CHANNEL_SINK = "org.springframework.mail.javamail.JavaMailSender.send:void(org.springframework.mail.SimpleMailMessage)"

val resetMethod = cpg.method.fullNameExact(RESET_PASSWORD_SOURCE)
val sendMethod  = cpg.method.fullNameExact(EMAIL_CHANNEL_SINK)

// Restrict both ends to String-typed parameters so the query follows the
// e-mail address itself rather than the request or message objects.
val source = resetMethod.parameter.evalType("java.lang.String")
val sink   = sendMethod.parameter.evalType("java.lang.String")

// Business-logic check: does the requester-supplied address reach the mail
// sender? A flow here means the reset message is addressed with the value taken
// from the request instead of the e-mail looked up for the registered user
// (step #1 of the handler), so a reset token could be delivered to an address
// chosen by the requester. Note the query only proves reachability of the
// parameter; confirm from the printed path that the value reaching setTo is the
// request parameter and not the DB-fetched address.
sink.reachableBy(source).flows.p
//results: REPL echo of the query above; each row is one step of the flow from the email parameter of resetPasswordBad to the parameter of JavaMailSender.send
res58: List[String] = List( | |
""" __________________________________________________________________________________________________________________________________________________________________ | |
| tracked | lineNumber| method | file | | |
|=================================================================================================================================================================| | |
| userEmail | 134 | resetPasswordBad | org/baeldung/web/controller/RegistrationController.java| | |
| userEmail | 139 | resetPasswordBad | org/baeldung/web/controller/RegistrationController.java| | |
| userEmail | 198 | constructResetTokenEmailBad| org/baeldung/web/controller/RegistrationController.java| | |
| userEmail | 201 | constructResetTokenEmailBad| org/baeldung/web/controller/RegistrationController.java| | |
| userEmail | 213 | constructEmailBad | org/baeldung/web/controller/RegistrationController.java| | |
| userEmail | 217 | constructEmailBad | org/baeldung/web/controller/RegistrationController.java| | |
| param0 | N/A | setTo | org/springframework/mail/SimpleMailMessage.java | | |
| this | N/A | setTo | org/springframework/mail/SimpleMailMessage.java | | |
| email | 217 | constructEmailBad | org/baeldung/web/controller/RegistrationController.java| | |
| email | 218 | constructEmailBad | org/baeldung/web/controller/RegistrationController.java| | |
| this | N/A | setFrom | org/springframework/mail/SimpleMailMessage.java | | |
| this | N/A | setFrom | org/springframework/mail/SimpleMailMessage.java | | |
| email | 218 | constructEmailBad | org/baeldung/web/controller/RegistrationController.java| | |
| email | 219 | constructEmailBad | org/baeldung/web/controller/RegistrationController.java| | |
| ret | 213 | constructEmailBad | org/baeldung/web/controller/RegistrationController.java| | |
| this.constructEmailBad("Reset Password",$r11,userEmail) | 201 | constructResetTokenEmailBad| org/baeldung/web/controller/RegistrationController.java| | |
| param1 | N/A | <operator>.assignment | N/A | | |
| param0 | N/A | <operator>.assignment | N/A | | |
| $r12 | 201 | constructResetTokenEmailBad| org/baeldung/web/controller/RegistrationController.java| | |
| $r12 | 201 | constructResetTokenEmailBad| org/baeldung/web/controller/RegistrationController.java| | |
| ret | 198 | constructResetTokenEmailBad| org/baeldung/web/controller/RegistrationController.java| | |
| this.constructResetTokenEmailBad($r9,$r10,token,$l0,userEmail)| 139 | resetPasswordBad | org/baeldung/web/controller/RegistrationController.java| | |
| param1 | N/A | <operator>.assignment | N/A | | |
| param0 | N/A | <operator>.assignment | N/A | | |
| $r12 | 139 | resetPasswordBad | org/baeldung/web/controller/RegistrationController.java| | |
| $r12 | 139 | resetPasswordBad | org/baeldung/web/controller/RegistrationController.java| | |
| param0 | N/A | send | org/springframework/mail/javamail/JavaMailSender.java | | |
""" | |
) |