Task #106345
open
Sign extbase __identity field value with HMAC
Added by Torben Hansen 6 days ago.
Updated 5 days ago.
Description
It is documented in the Security Guidelines that the extbase __identity field can be manipulated. In order to prevent identity field manipulation, a HMAC should be appended to the field value.
- Subject changed from Sign extbase __identity field with HMAC to Sign extbase __identity field value with HMAC
- Status changed from New to Under Review
Here are the reasons why I think the proposed approach (HMAC) is deceptive:
- Protecting __identity only leaves all cases where the PersistentObjectConverter converts an object from a string/int unprotected
- HMAC is a fixed value and it is always publicly exposed (that is how it is designed). Once it is leaked, it can be reused an unlimited number of times.
- HMAC conceptually is not enough to protect from "Broken Object Level Authorization (BOLA)", exactly because of the reasons above. Therefore such a change will not allow developers to skip the check for object access permissions
In sum: it is deceptive because it actually does make manipulation less accessible on the one hand, but still leaves the door wide open for multiple other attack vectors, which cannot be fixed with the concept of using a HMAC
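The following sketch is an added example, not code from the issue, its participants or TYPO3. It shows an HMAC appended to an identity value, as the description proposes, followed by the object-level access check mentioned in the comment above. The helper names, the key, the tag layout and the ownership map are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed key for this example only.
const EXAMPLE_KEY = 'constructed-example-key';
const TAG_LENGTH = 64; // hex length of an HMAC-SHA256 tag

// Hypothetical helper: append an HMAC tag to the identity value.
function signIdentity(string $identity, string $key): string
{
    return $identity . hash_hmac('sha256', $identity, $key);
}

// Hypothetical helper: return the identity if the tag verifies, else null.
function verifyIdentity(string $signed, string $key): ?string
{
    if (strlen($signed) <= TAG_LENGTH) {
        return null;
    }
    $identity = substr($signed, 0, -TAG_LENGTH);
    $tag = substr($signed, -TAG_LENGTH);
    // hash_equals() compares in constant time.
    return hash_equals(hash_hmac('sha256', $identity, $key), $tag) ? $identity : null;
}

// Hypothetical handler: integrity check first, then the object-level access check.
function loadForUser(string $signed, int $userId, array $owners, string $key): string
{
    $identity = verifyIdentity($signed, $key);
    if ($identity === null) {
        return 'rejected: HMAC mismatch';
    }
    if (($owners[$identity] ?? null) !== $userId) {
        return 'rejected: user does not own record ' . $identity;
    }
    return 'ok: record ' . $identity;
}

// Constructed sample data: record uid => owning user uid.
$owners = [12 => 7, 13 => 8];
$field = signIdentity('12', EXAMPLE_KEY); // value rendered into user 7's form

// Unmodified field, submitted by the owner.
echo loadForUser($field, 7, $owners, EXAMPLE_KEY), PHP_EOL;
// Identity changed to 13 while the tag for 12 is kept.
echo loadForUser('13' . substr($field, 2), 7, $owners, EXAMPLE_KEY), PHP_EOL;
// Unmodified field, submitted by a different user: the tag alone does not decide this case.
echo loadForUser($field, 8, $owners, EXAMPLE_KEY), PHP_EOL;
```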