Remove 943.1 from alpha checks
What does this MR do?
- Removes 943.1 from alpha checks
- Disables ZAP check 40033
What are the relevant issue numbers?
gitlab-org/gitlab#425025 (closed)
Verification
OWASP NodeGoat
Confirmation of vulnerability from source: https://github.com/OWASP/NodeGoat/blob/master/app/data/allocations-dao.js#L65
Configuration
$ docker run --rm -v $PWD/output:/output \
    --env DAST_BROWSER_SCAN=true \
    --env DAST_USERNAME=admin \
    --env DAST_PASSWORD=Admin_123 \
    --env DAST_AUTH_URL='http://host.docker.internal:4000/login' \
    --env DAST_FULL_SCAN_ENABLED=true \
    --env DAST_ONLY_INCLUDE_RULES="943.1" \
    --env DAST_BROWSER_NUMBER_OF_BROWSERS=1 \
    --env DAST_BROWSER_MAX_ACTIONS=100 \
    --env DAST_DEBUG=1 \
    --env DAST_ZAP_LOG_CONFIGURATION="rootLogger.level=debug" \
    dast:release-check-943.1 /analyze -t 'http://host.docker.internal:4000/allocations/1?threshold=test'
DAST Log Output
Since timing attacks don't have a log indicating when the attack was successful, only the log from when the check was registered is shown.
# Check Registered
2023-10-23T05:14:57.306 INF VLDFN registered vulnerability check type="active" vulnerability_check="943.1 Improper neutralization of special elements in data query logic" details="943.1.1
Report Excerpt
{
"description": "The application generates a query intended to interact with MongoDB, \nbut it does not neutralize or incorrectly neutralizes special elements \nthat can modify the intended logic of the query. ",
"details": {
"discovered_at": {
"name": "Discovered at",
"type": "text",
"value": "2023-10-23T05:29:59.450"
}
},
"evidence": {
"request": {
"headers": [],
"method": "GET",
"url": "http://host.docker.internal:4000/allocations/1?threshold=test%27%3Bv%3Dversion%28%29%3Bsleep%281000%29%3Bthrow%28v%29%3Bvar+v+%3D+%27"
},
"response": {
"headers": [],
"reason_phrase": "500 Internal Server Error",
"status_code": 500
},
"summary": "value for query parameter threshold with injection test';v=version();sleep(15000);throw(v);var v = ', continue if response time is >=15s"
},
"id": "354658f3-7165-11ee-a883-0242ac110003",
"identifiers": [
{
"name": "Improper neutralization of special elements in data query logic",
"type": "browserker",
"url": "https://docs.gitlab.com/ee/user/application_security/dast/checks/943.1.html",
"value": "943.1"
},
{
"name": "CWE-943",
"type": "CWE",
"url": "https://cwe.mitre.org/data/definitions/943.html",
"value": "943"
}
],
"links": [
{
"name": "CWE",
"url": "https://cwe.mitre.org/data/definitions/943.html"
},
{
"name": "Disabling MongoDB Server Side JS",
"url": "https://www.mongodb.com/docs/manual/core/server-side-javascript/#std-label-disable-server-side-js"
}
],
"location": {
"hostname": "http://host.docker.internal:4000",
"method": "GET",
"param": "value for query parameter threshold with injection test';v=version();sleep(15000);throw(v);var v = ', continue if response time is >=15s",
"path": "/allocations/1"
},
"name": "Improper neutralization of special elements in data query logic",
"severity": "High",
"solution": "We recommend refactoring find or search queries to use standard\nfiltering operators such as `$gt` or `$in` instead of broad operators such\nas `$where`. If possible, it is recommended that the MongoDB JavaScript interface\nbe disabled entirely."
}
Browserker Fixture
Configuration
$ docker run --rm -v $PWD/output:/output \
    --env DAST_BROWSER_SCAN=true \
    --env DAST_FULL_SCAN_ENABLED=true \
    --env DAST_ONLY_INCLUDE_RULES="943.1" \
    --env DAST_BROWSER_NUMBER_OF_BROWSERS=1 \
    --env DAST_BROWSER_MAX_ACTIONS=100 \
    --env DAST_DEBUG=1 \
    dast:release-check-943.1 /analyze -t 'http://host.docker.internal:8098?filter_by=Hugh'
Report Excerpt
{
"remediations": [],
"version": "15.0.6",
"vulnerabilities": [
{
"description": "The application generates a query intended to interact with MongoDB, \nbut it does not neutralize or incorrectly neutralizes special elements \nthat can modify the intended logic of the query. ",
"details": {
"discovered_at": {
"name": "Discovered at",
"type": "text",
"value": "2023-10-20T14:43:15.127"
}
},
"evidence": {
"request": {
"headers": [],
"method": "GET",
"url": "http://host.docker.internal:8098/?filter_by=Hugh%27%3Bv%3Dversion%28%29%3Bsleep%281000%29%3Bthrow%28v%29%3Bvar+v+%3D+%27"
},
"response": {
"headers": [],
"reason_phrase": "500 Internal Server Error",
"status_code": 500
},
"summary": "value for query parameter filter_by with injection Hugh';v=version();sleep(15000);throw(v);var v = ', continue if response time is >=15s"
},
"id": "00336861-6f57-11ee-aacc-0242ac110003",
"identifiers": [
{
"name": "Improper neutralization of special elements in data query logic",
"type": "browserker",
"url": "https://docs.gitlab.com/ee/user/application_security/dast/checks/943.1.html",
"value": "943.1"
},
{
"name": "CWE-943",
"type": "CWE",
"url": "https://cwe.mitre.org/data/definitions/943.html",
"value": "943"
}
],
"links": [
{
"name": "CWE",
"url": "https://cwe.mitre.org/data/definitions/943.html"
},
{
"name": "Disabling MongoDB Server Side JS",
"url": "https://www.mongodb.com/docs/manual/core/server-side-javascript/#std-label-disable-server-side-js"
}
],
"location": {
"hostname": "http://host.docker.internal:8098",
"method": "GET",
"param": "value for query parameter filter_by with injection Hugh';v=version();sleep(15000);throw(v);var v = ', continue if response time is >=15s",
"path": "/"
},
"name": "Improper neutralization of special elements in data query logic",
"severity": "High",
"solution": "We recommend refactoring find or search queries to use standard\nfiltering operators such as `$gt` or `$in` instead of broad operators such\nas `$where`. If possible, it is recommended that the MongoDB JavaScript interface\nbe disabled entirely."
}
],
"scan": {
"analyzer": {
"id": "gitlab-dast",
"name": "GitLab DAST",
"vendor": {
"name": "GitLab"
},
"version": "4.0.13"
},
"end_time": "2023-10-20T14:43:20",
"messages": [],
"options": [
{
"name": "auth_url",
"value": false
},
{
"name": "full_scan",
"value": true
}
],
"scanned_resources": [
{
"method": "GET",
"type": "url",
"url": "http://host.docker.internal:8098/?filter_by=Hugh"
}
],
"scanner": {
"id": "zaproxy-browser-based-dast",
"name": "OWASP Zed Attack Proxy (ZAP) and Browser-based DAST",
"url": "https://www.zaproxy.org",
"version": "2.12.0",
"vendor": {
"name": "GitLab"
}
},
"start_time": "2023-10-20T14:42:19",
"status": "success",
"type": "dast"
}
}
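The report excerpts above show what the 943.1 check finds: a query parameter that lands inside a MongoDB `$where` JavaScript expression, so a single quote closes the string literal and the rest of the value (`v=version();sleep(...);throw(v);...`) runs as additional statements, which is what the timing-based detection keys on. The following Node.js snippet is an added example, not NodeGoat's or GitLab DAST's own code: the vulnerable builder is modelled on the string-concatenated `$where` pattern in NodeGoat's `allocations-dao.js` (the exact expression shape is an assumption), the hardened builder applies the report's recommended fix of validating the value and using `$gt` instead of `$where`, and the request URL is the one from the NodeGoat report excerpt. `new Function` is used only to parse the resulting expression, never to execute it.

```javascript
// Added example (not NodeGoat's or GitLab DAST's code). Shows how a
// string-built $where turns a query parameter into server-side JavaScript,
// and the $gt-based replacement that the 943.1 report recommends.

// Vulnerable: `threshold` is spliced into a JavaScript expression that
// MongoDB evaluates for every candidate document. Expression shape is an
// assumption modelled on NodeGoat's allocations-dao.js.
function buildWhereFilter(userId, threshold) {
  const parsedUserId = Number.parseInt(userId, 10);
  return {
    $where: `this.userId == ${parsedUserId} && this.stocks > '${threshold}'`,
  };
}

// Hardened: the value must look like a number and is passed through the
// standard `$gt` comparison operator, so it is data, never code.
function buildSafeFilter(userId, threshold) {
  const parsedUserId = Number.parseInt(userId, 10);
  if (!Number.isInteger(parsedUserId)) {
    throw new TypeError('userId must be an integer');
  }
  if (threshold === undefined || threshold === null || threshold === '') {
    return { userId: parsedUserId };
  }
  if (!/^-?\d+(\.\d+)?$/.test(String(threshold))) {
    throw new TypeError('threshold must be numeric');
  }
  return { userId: parsedUserId, stocks: { $gt: Number(threshold) } };
}

// Extract the attack value the way a server would: URLSearchParams decodes
// the %XX escapes and turns '+' into a space.
function thresholdFromUrl(url) {
  return new URL(url).searchParams.get('threshold');
}

// Syntax-check an expression without running it. `new Function` only parses
// its body; a payload that parses cleanly would be accepted by MongoDB's
// JavaScript engine.
function isValidJavaScript(expression) {
  try {
    new Function(expression); // eslint-disable-line no-new-func
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Request URL copied from the NodeGoat report excerpt above.
const EVIDENCE_URL =
  'http://host.docker.internal:4000/allocations/1?threshold=test%27%3Bv%3Dversion%28%29%3Bsleep%281000%29%3Bthrow%28v%29%3Bvar+v+%3D+%27';

function demo() {
  const payload = thresholdFromUrl(EVIDENCE_URL);
  const where = buildWhereFilter('1', payload).$where;
  // The quote in the payload closes the string literal; everything after it
  // is a sequence of extra statements, including the sleep() call that the
  // timing check waits for. The result is still syntactically valid JS.
  const injected = isValidJavaScript(where) && /;\s*sleep\(\d+\)/.test(where);

  let safeRejects = false;
  try {
    buildSafeFilter('1', payload);
  } catch (e) {
    safeRejects = e instanceof TypeError;
  }
  return {
    payload,
    where,
    injected,
    safeRejects,
    safeFilter: buildSafeFilter('1', '10'),
  };
}

if (typeof module !== 'undefined') {
  module.exports = { buildWhereFilter, buildSafeFilter, thresholdFromUrl, isValidJavaScript, demo };
}
```

Running `demo()` shows the decoded payload `test';v=version();sleep(1000);throw(v);var v = '`, the `$where` string it produces (which parses as valid JavaScript), and that the `$gt` builder rejects the same value with a `TypeError` while still accepting a plain numeric threshold. Disabling server-side JavaScript in MongoDB, as the report's second link describes, removes the `$where` sink entirely and is the stronger control.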
GitLab Docs MR
Closes #425025
Edited by Arpit Gogia