Hard-to-Exploit ESAPI Vulnerability Offers Best Practice Lessons
The Open Web Application Security Project (OWASP) has fixed a vulnerability in its Enterprise Security API (ESAPI) which, if left unpatched, could have been abused to mount path traversal attacks.
The issue, which involved the ESAPI Validator interface and carried a security rating of 7.5 out of 10, can be resolved by applying the patched version 18.104.22.168.
OWASP ESAPI is a utility that helps enterprise software developers write more secure code by providing an interface that flags potential coding errors.
Although the vulnerable component would be difficult to exploit, updating is recommended because the potential impact is high, as an advisory from OWASP explains:
The default implementation of may incorrectly treat the tested input string as a child of the specified parent directory. This could potentially allow control flow bypass checks to be bypassed if an attack can specify the full string representing the “input” path.
OWASP ESAPI project co-lead Kevin Wall told The Daily Swig that “most applications using the ESAPI probably won’t even use the affected method”, so the potential impact of the vulnerability is application-specific.
“With all the library vulnerabilities, it’s hard to gauge how exposed a generic application is to exploiting a vulnerability in a library.”
Wall added: “Even when used within an app, that doesn’t mean it’s exploitable within its own app. You really have to look at it on a case-by-case basis.”
According to Wall, in most use cases the vulnerable ESAPI code would be deployed behind a web application firewall (WAF) or intrusion detection software, factors that further limit the scope of the damage.
On the issue of severity, the software developer concluded: “I don’t think this is really a ‘high’ vulnerability, but that’s what we’re looking for because that’s what CVSSv3.1 spits out.”
Lessons to learn
While the vulnerability in question is unlikely to be exploited, and even less likely to cause much damage, the bug does offer lessons for software developers, according to Wall.
For one thing, application developers who use third-party libraries should run a software composition analysis (SCA) tool and be aware of its limits.
“Some SCA tools only find reported vulnerabilities in direct dependencies, not transitive dependencies,” Wall explained.
“And if you decide not to patch, you need to do some deep analysis to see exactly how the vulnerability in some library affects your application and what types of mitigation controls you can put in place (for example, perhaps ‘virtual patching’ via a WAF) to reduce the risk.”
The flaw can also be instructive for library developers because it illustrates the usefulness of static application security testing (SAST) tools.
“For library developers, run SAST tools of some kind and review the results, but also try to have adequate test coverage and at least do manual code reviews of ‘git diffs’ when PRs are submitted but before merging them,” Wall advised.
Although coding errors made during ESAPI’s development caused the flaw, these were understandable errors, according to Wall.
He concluded: “I think that the place where ESAPI dropped the ball is that there was no specific evidence that would have caught our attention, and that is our fault, although I think that, in our defense, it was above all the ignorance of all those who previously touched that code of the fact that it acts differently when a value for a directory doesn’t end with ‘/’. I think that’s a little unintuitive.”
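To make the failure mode concrete, here is the string-prefix pitfall that both the advisory and Wall's remark about the missing trailing ‘/’ describe, as an added example that is not ESAPI's own code. The `DirectoryContainment` class and all paths are constructed for illustration; the weak check's verdict on a sibling directory flips depending on whether the parent value ends with ‘/’, while the element-wise check rejects it either way.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Illustrative directory-containment checks (added example, not ESAPI's own code).
 * Assumes POSIX-style absolute paths; all sample values below are constructed.
 */
public final class DirectoryContainment {

    /**
     * Weak check: character-wise prefix comparison against the raw parent string.
     * Its verdict changes depending on whether the parent value ends with '/',
     * which is the class of mistake the advisory describes.
     */
    static boolean isChildByStringPrefix(String parentDir, String input) {
        // Lexically resolve "." and ".." in the input only; parentDir is used as given.
        String normalizedInput = Paths.get(input).normalize().toString();
        return normalizedInput.startsWith(parentDir);
    }

    /**
     * Hardened check: compare whole path elements. Path.startsWith(Path) matches
     * element by element, so "data-private" never matches "data", and a trailing
     * separator on the parent value makes no difference to the result.
     */
    static boolean isChildByPathElements(String parentDir, String input) {
        Path parent = Paths.get(parentDir).toAbsolutePath().normalize();
        Path candidate = Paths.get(input).toAbsolutePath().normalize();
        return candidate.startsWith(parent) && !candidate.equals(parent);
    }

    public static void main(String[] args) {
        String inside  = "/srv/app/data/report.txt";          // constructed: inside the directory
        String sibling = "/srv/app/data-private/secret.txt";  // constructed: a sibling directory
        String dotdot  = "/srv/app/data/../config/app.yml";   // constructed: escapes via ".."

        // Run every input against the parent given with and without a trailing '/'.
        for (String parentDir : new String[] {"/srv/app/data", "/srv/app/data/"}) {
            System.out.println("parent = " + parentDir);
            for (String input : new String[] {inside, sibling, dotdot}) {
                System.out.printf("  %-40s prefix=%-5b elements=%-5b%n", input,
                        isChildByStringPrefix(parentDir, input),
                        isChildByPathElements(parentDir, input));
            }
        }
    }
}
```

Note that normalization alone is not the gap: the `..` input is rejected by both checks, and it is only the sibling directory that slips past the prefix test when the parent lacks its trailing separator.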