Insufficient data authenticity validation - Front bypass - PHP

Need

Enhancement of data authenticity validation to prevent front bypass

Context

  • Usage of PHP for server-side web development
  • Usage of the Request class to read the incoming HTTP request (the client-supplied data that must be validated)
  • Usage of the User model for user-related functionality, including storing the password hash

Description

Non compliant code

    // UserController.php

    namespace App\Http\Controllers;

    use App\Models\User;
    use Illuminate\Http\Request;

    class UserController extends Controller
    {
        public function update(Request $request, User $user)
        {
            // The new password is taken straight from the request body and
            // hashed; nothing checks it against the password policy.
            $user->password = bcrypt($request->password);
            $user->save();

            return response()->json(['message' => 'Password updated successfully']);
        }
    }

In the above code, the update function in the UserController is responsible for updating the user's password. The issue is that it takes the new password straight from the request body and hashes it with bcrypt before saving it, without any server-side check that the new password adheres to the password policy (for example, that it does not contain consecutive or repeated digits). The policy exists only in the front-end.

This is a security vulnerability because the front-end runs on a machine the attacker controls, so a check that lives only there can be disabled at will. An attacker can bypass the front-end validation and send a request with a weak password directly to this endpoint, either by intercepting and modifying the browser's request with an intercepting proxy or by crafting the HTTP request by hand (for example with curl). Because the server does not validate the password, it accepts it, and weak passwords in the database increase the risk of successful password-guessing attacks. Client-side validation is a usability aid; any check that matters for security must be repeated on the server.

Steps

  • Move the password policy validation to the server-side. This should be done in the update function before the password is hashed and saved.
  • Create a function that validates the password according to the policy. This function should check that the password does not contain consecutive and/or repeated digits.
  • If the password does not meet the policy, return an error response with a 4xx status code (for example 422) indicating that the password is not valid according to the policy, and leave the stored password unchanged.
  • Only if the password passes the validation, proceed to hash and save the password.
  • Test the updated function by sending requests directly to the endpoint (not through the front-end) to ensure that it correctly rejects non-compliant passwords and accepts compliant ones.

Compliant code

    // UserController.php

    namespace App\Http\Controllers;

    use App\Models\User;
    use Illuminate\Http\Request;

    class UserController extends Controller
    {
        public function update(Request $request, User $user)
        {
            // Reject a missing or non-string value first; preg_match() on null
            // is deprecated and an absent field is itself a bypass of the policy.
            $password = $request->validate([
                'password' => ['required', 'string'],
            ])['password'];

            // Enforce the policy on the server, before hashing and saving
            if (!$this->isPasswordValid($password)) {
                return response()->json(['message' => 'Password does not meet the policy'], 422);
            }

            $user->password = bcrypt($password);
            $user->save();

            return response()->json(['message' => 'Password updated successfully']);
        }

        private function isPasswordValid(string $password): bool
        {
            // Repeated digits, e.g. "1122"
            if (preg_match('/(\d)\1+/', $password)) {
                return false;
            }

            // Three or more consecutive digits, ascending or descending (e.g. "012", "345", "987")
            preg_match_all('/\d{3,}/', $password, $runs);
            foreach ($runs[0] as $run) {
                for ($i = 0; $i + 2 < strlen($run); $i++) {
                    $step = (int) $run[$i + 1] - (int) $run[$i];
                    if (abs($step) === 1 && (int) $run[$i + 2] - (int) $run[$i + 1] === $step) {
                        return false;
                    }
                }
            }

            return true;
        }
    }

The updated code enforces the password policy on the server. The update function first requires the password field to be present and a string, then calls isPasswordValid before hashing and saving. The isPasswordValid function rejects passwords that contain repeated digits or a run of three or more consecutive digits in either direction (a fixed list such as 123|234|... would miss "012" and every descending run). If the password does not meet the policy, the update function returns a 422 error response and the stored password is left unchanged. Only if the password passes the validation is it hashed and saved. This ensures that even when the front-end validation is bypassed, the password policy is still enforced on the server-side.
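The following PHPUnit feature test is an added example, not code from the original page. It covers the last step above by driving the endpoint directly, the way an attacker who has bypassed the front-end would, and checks that weak passwords are rejected with 422 while the stored hash stays unchanged. It assumes a Laravel application in which the compliant controller is bound to a `PUT /users/{user}/password` route protected by the `auth` middleware and in which the User model has a factory; the route, the middleware and the test passwords are all assumptions made for this example.

```php
<?php
// tests/Feature/PasswordPolicyTest.php (added example; route, middleware and factory are assumptions)

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Hash;
use Tests\TestCase;

class PasswordPolicyTest extends TestCase
{
    use RefreshDatabase;

    // Assumed route: Route::put('/users/{user}/password', [UserController::class, 'update'])
    private function endpoint(User $user): string
    {
        return "/users/{$user->id}/password";
    }

    /** Passwords a front-end check would block; each must also be rejected by the server. */
    public static function weakPasswords(): array
    {
        return [
            'repeated digits'      => ['Abc1122xyz'],
            'ascending run'        => ['Abc3456xyz'],
            'descending run'       => ['Abc9876xyz'],
            'run starting at zero' => ['Abc012xyz'],
        ];
    }

    /** @dataProvider weakPasswords */
    public function test_weak_password_is_rejected_even_when_frontend_is_bypassed(string $weak): void
    {
        $user = User::factory()->create();
        $storedHashBefore = $user->password;

        // Send the request straight to the endpoint, as an intercepting proxy or curl would
        $response = $this->actingAs($user)
            ->putJson($this->endpoint($user), ['password' => $weak]);

        $response->assertStatus(422);
        $this->assertSame($storedHashBefore, $user->fresh()->password, 'stored hash must not change');
    }

    public function test_compliant_password_is_accepted(): void
    {
        $user = User::factory()->create();
        $strong = 'Rotate-Wisely-2-4-6-8'; // digits separated, so no repeated or consecutive run

        $response = $this->actingAs($user)
            ->putJson($this->endpoint($user), ['password' => $strong]);

        $response->assertOk();
        $this->assertTrue(Hash::check($strong, $user->fresh()->password));
    }

    public function test_missing_password_is_rejected(): void
    {
        $user = User::factory()->create();

        // An absent field must not slip past the policy check
        $this->actingAs($user)
            ->putJson($this->endpoint($user), [])
            ->assertStatus(422);
    }
}
```

Run it with `php artisan test --filter PasswordPolicyTest`. Comparing the stored hash before and after, rather than re-checking a known plaintext, keeps the rejection test independent of how the factory seeds passwords.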
