search cancel

Vulnerability - dot-dot-slash

book

Article ID: 200429

calendar_today

Updated On:

Products

CA API Gateway API SECURITY CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7) CA API Gateway Enterprise Service Manager (Layer 7) STARTER PACK-7 CA Microgateway

Issue/Introduction

When using any API, for example, /pix/qrcode/*, the gateway allows and sends dot-dot-slash paths to the location of API, allowing access to all the server resources, if the server accepts.

Environment

Release : 10.0

Component : API GATEWAY

Resolution

The use case involve a wildcard service.


So if you publish an api with URI: /dotdotslash*, then you can send requests to:

/dotdotslash/foo/bar/../foo/bar
/dotdotslash/bar
etc.

doing quick test. Yes it's possible to send requests to URIs with ../ to a wildcard service.
but it's also possible to prevent that via policy by using a regex that checks request.url for sequence ../

see example policy attached : dotdotslash-policy.xml

to use wildcard is fine if you have a common business logic that you need to do regardless of whether they go /b or /c. But you have some options to make it more secure :
- you can add checks that make sure you're only routing to specific URLs
- you can add checks that blacklists certain URL patterns

Attachments

1658851071000__dotdotslash-policy.xml get_app