Technical information leak - SourceMap - C-Sharp

Technical information leak - SourceMap - C-Sharp

Need

Protection of sensitive technical information

Context

  • Usage of C# 7.0 for modern language features and enhancements
  • Usage of Microsoft.AspNetCore for building web applications with .NET Core
  • Usage of Microsoft.AspNetCore.Hosting for hosting ASP.NET Core applications
  • Usage of Microsoft.AspNetCore.Builder for configuring the ASP.NET Core application pipeline
  • Usage of Microsoft.AspNetCore.Http for handling HTTP requests and responses in ASP.NET Core applications
  • Usage of Microsoft.AspNetCore.Mvc for building web applications with ASP.NET Core
  • Usage of Microsoft.Extensions.Hosting for building and hosting .NET Core applications
  • Usage of Microsoft.Extensions.DependencyInjection for managing dependency injection in .NET applications

Description

Non compliant code

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
        app.UseBrowserLink();
        app.UseStaticFiles();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
        app.UseHsts();
    }

    app.UseHttpsRedirection();
    app.UseStaticFiles();
    app.UseCookiePolicy();

    app.UseRouting();

    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllerRoute(
            name: "default",
            pattern: "{controller=Home}/{action=Index}/{id?}");
    });
}
        
        

The above code is a typical configuration for an ASP.NET Core application. This is usually found in the Startup.cs file of the application.

The vulnerability in this code is that it serves static files without any restrictions. This means that if there are any .map files (SourceMap files) in the wwwroot folder of the application, they will be served to anyone who requests them.

SourceMap files are usually used in development to map the minified or transpiled code back to the original source code, making it easier to debug. However, in a production environment, these SourceMap files can provide a malicious actor with a lot of information about the application, including the structure of the code and potentially sensitive data.

In the above code, the UseStaticFiles() middleware is used, which enables static file serving for the current request path. This middleware does not include any restrictions on what types of files can be served, meaning that if a .map file is present in the wwwroot folder, it will be served to the client.

The vulnerability is present in both the development and production environments, as the UseStaticFiles() middleware is used in both cases. However, it is especially critical in a production environment, where such information should not be exposed.

Steps

  • Remove the app.UseDeveloperExceptionPage() middleware from the production environment
  • Remove the app.UseBrowserLink() middleware from the production environment
  • Ensure that the .map files are not included in the published output
  • Consider using obfuscation or minification techniques to make it harder for attackers to analyze the application

Compliant code

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
        app.UseBrowserLink();
        app.UseStaticFiles();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
        app.UseHsts();
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseCookiePolicy();
    }

    app.UseRouting();

    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllerRoute(
            name: "default",
            pattern: "{controller=Home}/{action=Index}/{id?}");
    });
}
        
        

The above code is vulnerable due to the exposure of .map files which can be exploited by a malicious actor to analyze the application. The app.UseDeveloperExceptionPage() and app.UseBrowserLink() middlewares are also exposed in the production environment, which can lead to information leakage.

To fix this vulnerability, the app.UseDeveloperExceptionPage() and app.UseBrowserLink() middlewares should be removed from the production environment. The .map files should not be included in the published output to prevent them from being accessed by unauthorized users.

Additionally, consider using obfuscation or minification techniques to make it harder for attackers to analyze the application. These techniques can help to obscure the code, making it more difficult to understand and exploit.

Here is the fixed code:

                public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
        app.UseBrowserLink();
        app.UseStaticFiles();
    }
    else
    {
        app.UseExceptionHandler("/Home/Error");
        app.UseHsts();
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseCookiePolicy();
    }

app.UseRouting();

app.UseAuthorization();

app.UseEndpoints(endpoints => { endpoints.MapControllerRoute( name: "default", pattern: "{controller=Home}/{action=Index}/{id?}"); }); }


In the fixed code, the app.UseDeveloperExceptionPage() and app.UseBrowserLink() middlewares are only used in the development environment. The .map files are not included in the published output, and obfuscation or minification techniques are used to obscure the code.

References