[Go]: Web Cache Deception - Fiber / GoChi / HTTPRouter
aydinnyunus opened this issue · 6 comments
Query PR
Language
GoLang
CVE(s) ID list
CWE
CWE-525: Use of Web Browser Cache Containing Sensitive Information
Report
Description
I created a new CodeQL query to detect potential Web Cache Deception vulnerabilities in web applications. Web Cache Deception is a security vulnerability where attackers trick a server into caching sensitive information, which they can later access. This query aims to identify code patterns that might make an application susceptible to this type of attack.
Steps To Reproduce:
- Create the database: codeql database create wcd --language=go --source-root "codeql/go/ql/src/Security/CWE-525/examples"
- In VSCode, run the following QL files:
  - codeql/go/ql/src/Security/CWE-525/WebCacheDeceptionFiber.ql
  - codeql/go/ql/src/Security/CWE-525/WebCacheDeceptionGoChi.ql
Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
- Yes
- No
Blog post link
No response
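The code pattern the description refers to, as an added example that is not part of the submission, the CodeQL query, or the Fiber/chi projects: a net/http handler (standard library only, so it runs without either framework) that serves per-user data under a prefix route with no Cache-Control header, beside a hardened version that matches the exact path and marks the response no-store. A small function models a CDN rule that caches by file extension, which is the external factor the reviewers point to. The route paths, the X-User header, the staticSuffixes list and the response body are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// staticSuffixes models a typical CDN rule: cache anything whose URL looks
// like a static asset. Hypothetical list, constructed for this example.
var staticSuffixes = []string{".css", ".js", ".png", ".jpg", ".ico"}

// vulnerableProfile serves account data for any path under /profile/,
// including /profile/anything.css, and sets no Cache-Control header.
func vulnerableProfile(w http.ResponseWriter, r *http.Request) {
	user := r.Header.Get("X-User") // constructed stand-in for a session lookup
	fmt.Fprintf(w, "email=%s@example.com;api_key=SECRET-%s", user, user)
}

// hardenedProfile accepts only the exact path and marks the response as
// non-cacheable, so a cache keyed on the URL will not store it.
func hardenedProfile(w http.ResponseWriter, r *http.Request) {
	if r.URL.Path != "/profile" {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Cache-Control", "no-store, private")
	w.Header().Set("Vary", "Cookie")
	user := r.Header.Get("X-User")
	fmt.Fprintf(w, "email=%s@example.com;api_key=SECRET-%s", user, user)
}

// wouldCache applies the modelled CDN heuristic: static-looking path,
// 200 status and no no-store directive in Cache-Control.
func wouldCache(path string, rec *httptest.ResponseRecorder) bool {
	if rec.Code != http.StatusOK {
		return false
	}
	looksStatic := false
	for _, s := range staticSuffixes {
		if strings.HasSuffix(path, s) {
			looksStatic = true
			break
		}
	}
	cc := strings.ToLower(rec.Header().Get("Cache-Control"))
	return looksStatic && !strings.Contains(cc, "no-store")
}

// probe sends a GET for path through mux and reports the status and
// whether the modelled cache would keep the response.
func probe(mux http.Handler, path string) (status int, cached bool) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("X-User", "alice")
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code, wouldCache(path, rec)
}

// vulnerableMux registers a subtree pattern: the trailing slash makes
// every path below /profile/ reach the handler.
func vulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/profile/", vulnerableProfile)
	return mux
}

// hardenedMux registers the exact path only.
func hardenedMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/profile", hardenedProfile)
	return mux
}

func main() {
	for _, p := range []string{"/profile/", "/profile/x.css"} {
		st, c := probe(vulnerableMux(), p)
		fmt.Printf("vulnerable %-16s status=%d cached=%v\n", p, st, c)
	}
	for _, p := range []string{"/profile", "/profile/x.css"} {
		st, c := probe(hardenedMux(), p)
		fmt.Printf("hardened   %-16s status=%d cached=%v\n", p, st, c)
	}
}
```

The same handler body is safe or unsafe depending only on routing and headers plus a cache rule that lives outside the code, which is why a query over the application alone can flag the pattern but cannot by itself confirm the vulnerability.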
Your submission is now in status Final decision.
For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed
Thanks for the submission! We have reviewed your report and validated your findings. After internally assessing the findings and the query we have determined these query additions do not fulfill the criteria to be included in the CodeQL query suites. We don't deny that the vulnerabilities this query tries to cover can occur in reality. However, it might be hard to properly identify this vulnerability class with a query, as it depends on other factors whether a finding is a vulnerability (e.g. the intention of the developers or, in the case of an attack via a CDN, the configuration of the CDN itself).
Even though we accepted a similar query submission from you before, we've now looked into this one with more scrutiny and found that it doesn't meet the severity criteria as the actual severity of the submission is not rated the same as the severity of the linked CVE.
Per our rules:
The severity assignment of a CVE looks at the maximum impact, but our assessment considers the most likely impact instead. For example, a query that looks for a vulnerability pattern that may result in serious security issue, but only under special circumstances, could be scored with a lower severity than the submission’s CVE.
Therefore it's not eligible for a reward under the Bug Bounty program, as our goal is to scale vulnerability detection with a low false positive rate. For queries such as this please consider making a PR to the CodeQL-Community-Packs where we also accept queries for vulnerabilities that don't manifest themselves in code only.
Looking forward to other submissions!
Your submission is now in status Closed.
For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed
Hi,
Yes, you are right, I cannot control all the cache mechanisms of CDNs or firewalls. How about checking through the response headers like I did before? It can match some specific scenarios.
Hi 👋
We have considered that as well, but it wouldn't help for the severity/likelihood to be high enough. (And, as you said, it also depends on factors we cannot assess with a query.)
Thank you for your explanation 🙏