github · aydinnyunus · Dec 20, 2023 · Dec 20, 2023 · Dec 20, 2023 · Dec 20, 2023
@@ -0,0 +1,19 @@
+/**
+ * @name Web Cache Deception in Express
+ * @description A caching system has been detected on the application and is vulnerable to web cache deception. By manipulating the URL it is possible to force the application to cache pages that are only accessible by an authenticated user. Once cached, these pages can be accessed by an unauthenticated user.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision medium
+ * @id js/web-cache-deception-express
+ * @tags javascript
+ *       cwe-525
- *       cwe-525
+ *       external/cwe/cwe-525
- *       cwe-525
+ *       external/cwe/cwe-525
+ *       bug
+ */
+
+import javascript
+import WebCacheDeceptionLib
+
+from WebCacheDeception::Sink httpHandleFuncCall
+where httpHandleFuncCall.toString().matches("%*%")
+select httpHandleFuncCall, httpHandleFuncCall + " is used as wildcard endpoint."
@@ -0,0 +1,12 @@
+const express = require('express')
+const app = express()
+port = 3000
+
+app.get('/test*', (req, res) => {
+  res.send('test')
+})
+
+
+app.listen(port, () => {
+  console.log(`Example app listening on port ${port}`)
+})
@@ -0,0 +1,12 @@
+const express = require('express')
+const app = express()
+port = 3000
+
+app.get('/test', (req, res) => {
+  res.send('test')
+})
+
+
+app.listen(port, () => {
+  console.log(`Example app listening on port ${port}`)
+})
@@ -0,0 +1,16 @@
+import javascript
+import StringOps
+
+module WebCacheDeception {
+  abstract class Sink extends DataFlow::Node { }
+
+  private class Express extends Sink {
+    Express() {
+      exists(Import is | is.getImportedModuleNode().getASuccessor().toString() = "express") and
+      exists(DataFlow::CallNode m |
+        m.getAMethodCall().getArgument(0).getStringValue().matches("%*") and
+        this = m.getAMethodCall().getArgument(0)
+      )
+    }
+  }
+}
@@ -0,0 +1 @@
+| WebCacheDeceptionBad.js:5:9:5:16 | '/test*' | '/test*' is used as wildcard endpoint. |
@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+    <overview>
+        <p>
+            Web Cache Deception is a security vulnerability where an attacker tricks a web server into caching sensitive information and then accesses that cached data.
+        </p>
+        <p>
+            This attack exploits certain behaviors in caching mechanisms by requesting URLs that trick the server into thinking that a non-cachable page is cachable. If a user then accesses sensitive information on these pages, it could be cached and later retrieved by the attacker.
+        </p>
+    </overview>
+    <recommendation>
+        <p>
+            To prevent Web Cache Deception attacks, web applications should clearly define cacheable and non-cacheable resources. Implementing strict cache controls and validating requested URLs can mitigate the risk of sensitive data being cached.
+        </p>
+    </recommendation>
+    <example>
+        <p>
+            Vulnerable code example: A web server is configured to cache all responses ending in '.css'. An attacker requests 'profile.css', and the server processes 'profile', a sensitive page, and caches it.
+        </p>
+        <sample src="WebCacheDeceptionBad.js" />
+    </example>
+    <example>
+        <p>
+            Secure code example: The server is configured with strict cache controls and URL validation, preventing caching of dynamic or sensitive pages regardless of their URL pattern.
+        </p>
+        <sample src="WebCacheDeceptionGood.js" />
+    </example>
+    <references>
+        <li>
+            OWASP Web Cache Deception Attack:
+            <a href="https://owasp.org/www-community/attacks/Web_Cache_Deception">Understanding Web Cache Deception Attacks</a>
+        </li>
+        <!-- Additional references can be added here -->
+    </references>
+</qhelp>
@@ -0,0 +1,19 @@
+/**
+ * @name Web Cache Deception in Express
+ * @description A caching system has been detected on the application and is vulnerable to web cache deception. By manipulating the URL it is possible to force the application to cache pages that are only accessible by an authenticated user. Once cached, these pages can be accessed by an unauthenticated user.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision medium
+ * @id js/web-cache-deception-express
+ * @tags javascript
+ *       cwe-525
- *       cwe-525
+ *       external/cwe/cwe-525
- *       cwe-525
+ *       external/cwe/cwe-525
+ *       bug
+ */
+
+import javascript
+import WebCacheDeceptionLib
+
+from WebCacheDeception::Sink httpHandleFuncCall
+where httpHandleFuncCall.toString().matches("%*%")
+select httpHandleFuncCall, httpHandleFuncCall + " is used as wildcard endpoint."
@@ -0,0 +1 @@
+experimental/Security/CWE-525/WebCacheDeception.ql
@@ -0,0 +1,11 @@
+const express = require('express')
+const app = express()
+port = 3000
+
+app.get('/test*', (req, res) => {
+  res.send('test')
+})
+
+app.listen(port, () => {
+  console.log(`Example app listening on port ${port}`)
+})
@@ -0,0 +1,12 @@
+const express = require('express')
+const app = express()
+port = 3000
+
+app.get('/test', (req, res) => {
+  res.send('test')
+})
+
+
+app.listen(port, () => {
+  console.log(`Example app listening on port ${port}`)
+})
@@ -0,0 +1,16 @@
+import javascript
+import StringOps
+
+module WebCacheDeception {
+  abstract class Sink extends DataFlow::Node { }
+
+  private class Express extends Sink {
+    Express() {
+      exists(Import is | is.getImportedModuleNode().getASuccessor().toString() = "express") and
+      exists(DataFlow::CallNode m |
+        m.getAMethodCall().getArgument(0).getStringValue().matches("%*") and
+        this = m.getAMethodCall().getArgument(0)
+      )
+    }
+  }
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		\| WebCacheDeceptionBad.js:5:9:5:16 \| '/test' \| '/test' is used as wildcard endpoint. \|
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		experimental/Security/CWE-525/WebCacheDeception.ql