[JS]: Web Cache Deception #811

Closed
1 of 2 tasks
aydinnyunus opened this issue Dec 20, 2023 · 3 comments
Labels
All For One Submissions to the All for One, One for All bounty

Comments

@aydinnyunus

Query PR

github/codeql#15180

Language

Javascript

CVE(s) ID list

CWE

CWE-525: Use of Web Browser Cache Containing Sensitive Information

Report

I created a new CodeQL query to detect potential Web Cache Deception vulnerabilities in web applications. Web Cache Deception is a security vulnerability where attackers trick a server into caching sensitive information, which they can later access. This query aims to identify code patterns that might make an application susceptible to this type of attack.

Steps To Reproduce:

  • codeql database create wcd --language=javascript --source-root "ql/src/Security/CWE-525/"
  • In VSCode, Run the following query
/**
 * @name Web Cache Deception in Express
 * @description A caching system has been detected on the application and is vulnerable to web cache deception. By manipulating the URL it is possible to force the application to cache pages that are only accessible by an authenticated user. Once cached, these pages can be accessed by an unauthenticated user.
 * @kind problem
 * @problem.severity error
 * @security-severity 9
 * @precision medium
 * @id js/web-cache-deception-express
 * @tags javascript
 *       cwe-525
 *       bug
 */

import javascript
// Library added by the linked PR (github/codeql#15180); not reproduced in this issue
import WebCacheDeceptionLib

// Each element WebCacheDeceptionLib models as a sink (route registrations)
from WebCacheDeception::Sink httpHandleFuncCall
// Flag route paths containing '*': a wildcard such as '/account/*' also serves
// attacker-chosen sub-paths like '/account/settings/x.css'
where httpHandleFuncCall.toString().matches("%*%")
select httpHandleFuncCall, httpHandleFuncCall + " is used as wildcard endpoint."


Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

  • Yes
  • No

Blog post link

No response

@aydinnyunus aydinnyunus added the All For One Submissions to the All for One, One for All bounty label Dec 20, 2023
@ghsecuritylab
Collaborator

Your submission is now in status Final decision.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@xcorail
Contributor

xcorail commented Jan 8, 2024

Thanks for the submission!

Similarly to your other web cache deception submission, we have internally assessed the query and its findings, and we have determined these query additions and the web cache deception vulnerability class in general do not fulfill the criteria to be included into the CodeQL query suites. We don't deny that the vulnerabilities this query tries to cover can occur in reality. However, it might be hard to properly identify this vulnerability class with a query as it depends on other factors whether a finding is a vulnerability (e.g. the intention of the developers or, in the case of an attack via CDN, the configuration of the CDN itself).

Therefore it's not eligible for a reward under the Bug Bounty program, as our goal is to scale vulnerability detection with a low false positive rate. For queries such as this please consider making a PR to the CodeQL-Community-Packs where we also accept queries for vulnerabilities that don't manifest themselves in code only.

Looking forward to your other submissions!

@xcorail xcorail closed this as completed Jan 8, 2024
@ghsecuritylab
Collaborator

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed
