Automatic information enumeration - Corporate information - PHP

Automatic information enumeration - Corporate information - PHP

Need

Protection of corporate information from automatic enumeration

Context

  • Usage of PHP 7.0 for server-side scripting and web development
  • Usage of Finding for efficient searching and filtering of data

Description

Non compliant code

        public function getFinding($id)
{
    $finding = Finding::find($id);
    if($finding){
        return response()->json(['message' => 'Finding found', 'data' => $finding]);
    }
    else{
        return response()->json(['message' => 'Finding not found']);
    }
}
        
        

The above code is a function named getFinding which accepts an argument $id. This function is used to search for a "finding" in the system based on the provided $id.

The vulnerability lies in the way the function handles the search results. If the Finding::find($id) call is successful and returns a result, the function returns a JSON response with a message "Finding found" along with the data of the finding. If the Finding::find($id) call does not find any result, the function returns a JSON response with a different message "Finding not found".

This difference in response messages can be exploited by an attacker to enumerate the system's information. By sending a series of requests with different id values, an attacker can differentiate between existing and non-existing IDs based on the response message.

Steps

  • First, you need to standardize the response messages. The system should not provide different messages for existing and non-existing IDs. This can be achieved by returning a generic message regardless of whether the ID exists or not.
  • Second, limit the number of requests a user can make within a certain time period. This can help prevent automated scripts from rapidly cycling through potential IDs.
  • Third, consider implementing a CAPTCHA system to ensure that the requests are made by humans and not by automated scripts.
  • Lastly, consider using non-sequential and non-predictable IDs. This makes it harder for an attacker to guess the IDs.

Compliant code

        public function getFinding($id)
{
    $finding = Finding::find($id);
    if($finding){
        return response()->json(['message' => 'Request processed', 'data' => $finding]);
    }
    else{
        return response()->json(['message' => 'Request processed']);
    }
}
        
        

The above code is a revised version of the original function that was vulnerable to automatic information enumeration. The vulnerability was due to the system providing different messages for existing and non-existing IDs, which could potentially allow an attacker to enumerate system information.

In the revised code, the response message has been standardized. Regardless of whether the ID exists or not, the system will return a generic message 'Request processed'. This prevents an attacker from being able to determine whether an ID exists based on the response message.

However, this code revision alone is not enough to fully mitigate the vulnerability. Additional measures should be taken:

- Limit the number of requests a user can make within a certain time period. This can help prevent automated scripts from rapidly cycling through potential IDs.
- Implement a CAPTCHA system to ensure that the requests are made by humans and not by automated scripts.
- Consider using non-sequential and non-predictable IDs. This makes it harder for an attacker to guess the IDs.

By implementing these measures, you can significantly reduce the risk of automatic information enumeration.

References