AttackFlow Findings Dictionary


Insecure Reflection

Attackers can control the flow of the software and manipulate its behavior in various ways, such as bypassing authorization controls.

Severity: Medium

Fix Cost: Low

Trust Level: High

Reflection is a mechanism for obtaining type information about an existing object, invoking its methods, accessing its fields and properties, or creating instances of a type at runtime.

It is a powerful API, and most MVC frameworks use reflection to ease the developer's load, for example by taking a path segment from the URL, treating it as an action, and executing the custom code prepared for that action. In MVC frameworks this is done automatically, which helps modularize the software.

However, if the developer implements this ability in custom code, reflection may be used as the code below shows:

                                     
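using System.Reflection;

...
// Vulnerable: the method name is taken directly from the request
string action = Request["action"];
// typeof() is needed to look up a method on the MyController type
MethodInfo method = typeof(MyController).GetMethod(action);
// Any public method of MyController runs here, with no access control check
return method.Invoke(service, new object[] { Request });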

Here, the client sends the target action through the HTTP parameters, and the corresponding method of the MyController class is executed dynamically. Although this provides nice flexibility, an attacker can now use the action parameter to call any callable method of MyController without any access control check.

The same custom reflection code in Java:


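import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

// Vulnerable: the method name is taken directly from the request
String actionMethod = request.getParameter("action");

try
{
  // The parameter type is required so the lookup matches the invoke() call below
  Method method = MyController.class.getMethod(actionMethod, HttpServletRequest.class);
  // Any matching public method runs here, with no access control check
  method.invoke(obj, request);
}
catch (SecurityException e)
{
  // handle error
}
catch (NoSuchMethodException e)
{
  // handle error
}
catch (IllegalAccessException | InvocationTargetException e)
{
  // handle error
}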

Here, the client sends the target action through the HTTP parameters, and the corresponding method of the MyController class is executed dynamically. Although this provides nice flexibility, an attacker can now use the action parameter to call any callable method of MyController without any access control check.
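
The hardened counterpart of the snippets above, as an added example that is not part of the original page: client input only selects an entry from a fixed allowlist, and each entry carries its own access check. The class SafeDispatch, the controller methods view and deleteAll, and the isAdmin flag are assumptions made for illustration; records require Java 16 or later.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.function.Function;

public class SafeDispatch {
    // Hypothetical controller: deleteAll is public, so a name-based lookup can reach it.
    public static class MyController {
        public String view(String user) { return "view for " + user; }
        public String deleteAll(String user) { return "deleted by " + user; }
    }

    // The pattern from the page: the client-supplied name selects the method directly.
    static String reflectiveDispatch(MyController c, String action, String user) throws Exception {
        Method m = MyController.class.getMethod(action, String.class);
        return (String) m.invoke(c, user);
    }

    // One allowlisted action: its handler and whether it is restricted to administrators.
    record Action(boolean adminOnly, Function<String, String> handler) {}

    // Hardened form: only names in this map can be dispatched; no reflection on client input.
    static String allowlistDispatch(MyController c, String action, String user, boolean isAdmin) {
        Map<String, Action> actions = Map.of(
            "view", new Action(false, c::view),
            "deleteAll", new Action(true, c::deleteAll));
        Action a = actions.get(action);
        if (a == null) throw new IllegalArgumentException("unknown action");
        if (a.adminOnly() && !isAdmin) throw new SecurityException("forbidden");
        return a.handler().apply(user);
    }

    public static void main(String[] args) throws Exception {
        MyController c = new MyController();
        // Constructed requests from a non-admin user named bob.
        // The reflective dispatcher runs the admin-only method without any check.
        System.out.println("reflective: " + reflectiveDispatch(c, "deleteAll", "bob"));
        try {
            allowlistDispatch(c, "deleteAll", "bob", false);
        } catch (SecurityException e) {
            System.out.println("allowlist: " + e.getMessage());
        }
        try {
            allowlistDispatch(c, "toString", "bob", false); // a name that is not in the map
        } catch (IllegalArgumentException e) {
            System.out.println("allowlist: " + e.getMessage());
        }
        System.out.println("allowlist: " + allowlistDispatch(c, "view", "bob", false));
    }
}
```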
