Need

Implementation of network segmentation and access controls

Context

• Usage of Scala 2.12 for developing applications in the Scala programming language
• Usage of play.api.mvc for handling HTTP requests and responses in Play Framework
• Usage of play.api.libs.json for JSON parsing and manipulation in Play Framework
• Usage of global execution context for Scala concurrent programming
• Usage of slick.jdbc.JdbcProfile for database access and query execution
• Usage of Slick's MySQLProfile API for interacting with MySQL database

Description

Non compliant code

        import play.api.mvc._
import play.api.libs.json._
import scala.concurrent.ExecutionContext.Implicits.global

class ApplicationController extends Controller {

  def accessDatabase() = Action.async { request =>
    val db = Database.forConfig("db")
    db.run(sql"SELECT * FROM users".as[User]).map { users =>
      Ok(Json.toJson(users))
    }
  }
}
        
        

The above code represents a Play Framework controller in Scala that allows unrestricted access to a database.

The accessDatabase method is a public endpoint that executes a SQL query to fetch all users from a database. This method does not require any form of authentication or authorization, meaning that anyone can access this endpoint and retrieve all users from the database.

Moreover, the database configuration in the application.conf file points to a public database server ( public-database-server.com). This means that the database is exposed to the internet and can be accessed from anywhere, not just from within the network.

This unrestricted access between network segments is a serious vulnerability. An attacker could exploit this vulnerability to access sensitive information, manipulate data, or even perform denial of service attacks by overwhelming the database with requests.

Steps

• Implement a network segmentation strategy to restrict access between network segments.
• Configure firewall rules to only allow necessary traffic between network segments.
• Ensure that database servers are not directly accessible from the Internet.
• Implement secure authentication and authorization mechanisms to control access to the database servers.
• Consider implementing a VPN (Virtual Private Network) for secure remote access to the database servers.
• Regularly update and patch the network infrastructure to address any known vulnerabilities.

Compliant code

        import play.api.mvc._
import play.api.libs.json._
import scala.concurrent.ExecutionContext.Implicits.global

class ApplicationController extends Controller {

  def accessDatabase() = Action.async { request =>
    val user = request.session.get("user")
    user match {
      case Some(u) => {
        val db = Database.forConfig("db")
        db.run(sql"SELECT * FROM users WHERE username = $u".as[User]).map { users =>
          Ok(Json.toJson(users))
        }
      }
      case None => Future.successful(Forbidden("You're not authorized to access this resource"))
    }
  }
}
        
        

The original code allowed unrestricted access to the database from any network segment. This is a serious security vulnerability as it could allow unauthorized users to access sensitive data.

The updated code introduces a check to ensure that only authenticated users can access the database. This is done by checking if the user session contains a "user" attribute. If it does, the code proceeds to access the database. If it doesn't, the code returns a "Forbidden" response, indicating that the user is not authorized to access the resource.

This is just one part of the solution. To fully address the vulnerability, you should also implement network segmentation to restrict access between network segments, configure firewall rules to only allow necessary traffic, ensure that database servers are not directly accessible from the Internet, implement secure authentication and authorization mechanisms, consider implementing a VPN for secure remote access, and regularly update and patch your network infrastructure.

References

• 157. Unrestricted access between network segments