Insecure service configuration - Container level access policy
Description
Container level policy is not set when generating a service Shared Access Signature (SAS). A container-level access policy can be modified or revoked at any time. It provides greater flexibility and control over the permissions that are granted
Impact
Create IDORs, excessive privileges, or broken authentication vulnerabilities
Recommendation
Specify a valid group policy identifier when generating the service SAS.
Threat
Authenticated attacker from the Internet
Expected Remediation Time
⌚ 50 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the src.
Base
- Attack vector: N
- Attack complexity: H
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: L
- Integrity: L
- Availability: N
Temporal
- Exploit code maturity: U
- Remediation level: O
- Report confidence: R
Result
- Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:R
- Score:
- Base: 4.2
- Temporal: 3.5
- Severity:
- Base: Medium
- Temporal: Low
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
- Attack vector: N
- Attack complexity: H
- Attack Requirements: N
- Privileges required: L
- User interaction: N
- Confidentiality (VC): L
- Integrity (VI): L
- Availability (VA): N
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: U
Result 4.0
- Vector string: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
- Score:
- CVSS-BT: 0.6
- Severity:
- CVSS-BT: Low
Compliant code
The service SAS is correctly configured with a group policy
var storageAccount = CloudStorageAccount.Parse(connectionString);
var blobClient = storageAccount.CreateCloudBlobClient();
var blobContainer = blobClient.GetContainerReference(containerName);
blobContainer.CreateIfNotExists();
var storedPolicy = new SharedAccessPolicy()
{
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(10),
Permissions = SharedAccessBlobPermissions.Read |
SharedAccessBlobPermissions.Write |
SharedAccessBlobPermissions.List
AccessPolicy = groupPolicy();
};
//Define access permissions before generating the key
var permissions = blobContainer.GetPermissions();
permissions.SharedAccessPolicies.Clear();
permissions.SharedAccessPolicies.Add(policyName, storedPolicy);
blobContainer.SetPermissions(permissions);
var containerSignature = blobContainer.GetSharedAccessSignature(null, policyName);
var uri = blobContainer.Uri + containerSignature;
Non compliant code
The service SAS does not specify any group policy identifier
var storageAccount = CloudStorageAccount.Parse(connectionString);
var blobClient = storageAccount.CreateCloudBlobClient();
var blobContainer = blobClient.GetContainerReference(containerName);
blobContainer.CreateIfNotExists();
var storedPolicy = new SharedAccessPolicy()
{
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(10),
Permissions = SharedAccessBlobPermissions.Read |
SharedAccessBlobPermissions.Write |
SharedAccessBlobPermissions.List
AccessPolicy = defaultPolicy();
};
//Generate SAS
var containerSignature = blobContainer.GetSharedAccessSignature(null, policyName);
var uri = blobContainer.Uri + containerSignature;
Requirements
Fixes
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.