Enhancement of authorization controls for web services - RDS
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.rds.AmazonRDS;
import com.amazonaws.services.rds.AmazonRDSClientBuilder;

public class RdsServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Vulnerable: long-lived AWS credentials hard-coded in source (placeholder values shown)
        BasicAWSCredentials awsCreds = new BasicAWSCredentials("access_key_id", "secret_key_id");
        // Builds the RDS client with those credentials; nothing checks who is calling
        AmazonRDS rds = AmazonRDSClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(awsCreds))
                .withRegion("us-west-2")
                .build();
        // Echoes the client's details to any GET request, authenticated or not
        response.getWriter().append("RDS Connection: ").append(rds.toString());
    }
}
The Java Servlet code above demonstrates a vulnerability caused by improper authorization control for Amazon RDS (Relational Database Service) instances.

The doGet method in the RdsServlet class establishes a connection to an Amazon RDS instance. It uses static AWS credentials (access_key_id and secret_key_id) that are hard-coded directly into the application.

The doGet method is publicly accessible because it is exposed via HTTP GET, and it prints the RDS connection details to the HTTP response. This means that anyone who can send a GET request to the servlet can obtain the connection details, which is a serious security risk.

The vulnerability lies in the fact that there are no checks or controls in place to ensure that the user or system making the request is authorized to view or use these credentials. As a result, unauthorized users could gain access to the RDS instance, leading to a compromise of the stored information.

Moreover, hard-coding credentials in the code is bad practice. If an attacker gains access to the source code, they can easily retrieve these credentials and gain unauthorized access to the RDS instance.

The code should be modified so that proper authorization controls are in place. It should also avoid hard-coding sensitive information and instead use secure methods to store and retrieve such data.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.rds.AmazonRDS;
import com.amazonaws.services.rds.AmazonRDSClientBuilder;

public class RdsServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Credentials are resolved at runtime by the default provider chain
        // (environment, system properties, profile file, instance profile), not from source
        AmazonRDS rds = AmazonRDSClientBuilder.standard()
                .withCredentials(new DefaultAWSCredentialsProviderChain())
                .withRegion("us-west-2")
                .build();
        // Still writes the client's details to the response; see the note below on authorization
        response.getWriter().append("RDS Connection: ").append(rds.toString());
    }
}
The updated code now uses DefaultAWSCredentialsProviderChain for AWS credentials instead of hard-coding them. This provider chain searches for AWS credentials in environment variables, Java system properties, the AWS credentials profile file and the Amazon EC2 instance profile credentials. This way the application avoids exposing sensitive data such as AWS access keys and secret keys.

The doGet method is used to establish a connection with the Amazon RDS instance, and the connection details are then written to the response. Note that the actual connection to the RDS instance should be handled in a secure manner, ensuring that only authorized users or services can access the RDS instance.
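The authorization control that the updated servlet still leaves to the reader, as an added example that is not the page's code: it relies on container-managed authentication through the Servlet API (request.getUserPrincipal and request.isUserInRole), denies by default unless the caller holds an assumed role named "rds-operator", logs denials for detection, takes the instance identifier from an assumed db query parameter, and discloses only the instance status rather than the client object. The class name AuthorizedRdsServlet is hypothetical; the AWS SDK calls are the same v1 API the page uses.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.rds.AmazonRDS;
import com.amazonaws.services.rds.AmazonRDSClientBuilder;
import com.amazonaws.services.rds.model.DBInstance;
import com.amazonaws.services.rds.model.DBInstanceNotFoundException;
import com.amazonaws.services.rds.model.DescribeDBInstancesRequest;

public class AuthorizedRdsServlet extends HttpServlet {  // hypothetical class name
    private static final long serialVersionUID = 1L;
    // Assumed role name, declared in the container's security realm (web.xml <security-role>)
    private static final String REQUIRED_ROLE = "rds-operator";
    // Credentials come from the provider chain (instance/task role, env vars, profile), never source
    private final AmazonRDS rds = AmazonRDSClientBuilder.standard()
            .withCredentials(DefaultAWSCredentialsProviderChain.getInstance())
            .withRegion("us-west-2")
            .build();

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (request.getUserPrincipal() == null) {            // container has not authenticated the caller
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!request.isUserInRole(REQUIRED_ROLE)) {          // authenticated but not authorized: deny
            log("RDS status denied for " + request.getUserPrincipal().getName()
                    + " from " + request.getRemoteAddr());   // audit trail for detection
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String id = request.getParameter("db");              // assumed parameter name
        if (id == null || !id.matches("[a-z][a-z0-9-]{0,62}")) { // loose RDS identifier syntax check
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            DBInstance db = rds.describeDBInstances(new DescribeDBInstancesRequest()
                    .withDBInstanceIdentifier(id)).getDBInstances().get(0);
            response.setContentType("text/plain");
            // Disclose only the status, never the client object, endpoint or credentials
            response.getWriter().append(id).append(": ").append(db.getDBInstanceStatus());
        } catch (DBInstanceNotFoundException e) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }
}
```

The IAM role the servlet runs under needs only rds:DescribeDBInstances for this handler, so a compromised application cannot modify or delete instances.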
Remember to implement proper network security measures such as VPCs, security groups and network ACLs to restrict access to the RDS instance. Regularly monitor and log access to the RDS instance to detect unauthorized access attempts. Encrypt sensitive data stored in the RDS instance to protect it from unauthorized access. Regularly update the RDS instance and the associated libraries to patch known vulnerabilities.