Trust Boundary Violation

ID

java.trust_boundary_violation

Severity

high

Resource

Information Leak

Language

Java

Tags

CWE:501, NIST.SP.800-53, OWASP:2021:A4, PCI-DSS:6.5.1

Description

Trust boundary violation occurs when the application improperly validates or trusts data crossing from an untrusted to a trusted domain.

This may involve inadequate checks on data from sources like user inputs or external systems, allowing malformed or malicious data to affect the application.

Rationale

Data often traverses from untrusted sources such as user inputs, external APIs, or network connections to the more trusted internals of the application.

A trust boundary violation arises when this transition allows unvalidated or improperly sanitized data to impact the application’s operations or security.

Here is a simplistic example:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TrustBoundaryViolation extends HttpServlet {

  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {

    String userInput = request.getParameter("user_input");

    request.getSession().putValue("user_input", userInput); // FLAW
  }
}

In the above example, the program takes input directly from the user and converts it into an integer without proper validation. If the user provides a non-integer input, it could lead to exceptions or misinterpretation, crossing the intended trust boundary with invalid or potentially harmful data.

Inadequate handling of trust boundaries can lead to various attacks, including injection attacks, data integrity violations, and unauthorized access to sensitive data or system resources.

Remediation

To mitigate the risks of trust boundary violations, implement the following practices for secure handling of data across trust boundaries:

1. Input Validation: Ensure all inputs from untrusted sources are rigorously validated and sanitized before use. Implement input constraints like length checks, pattern matching, or using whitelists to enforce valid data formats.

2. Use Security Libraries: Leverage existing libraries that offer strong validation routines and error handling measures (e.g., Apache Commons Validator or OWASP Java Validator projects).

3. Error Handling: Implement robust error handling to gracefully handle and log exceptions caused by unexpected input, reducing exposure of error messages or stack traces that could provide insights to an attacker.

4. Principle of Least Privilege: Apply access controls and execute code with the least privileges necessary. Enforce stringent role-based access controls to minimize risk.

5. Static Analysis Tools: Utilize SAST tools to automate the detection of potential trust boundary vulnerabilities and integrate them into your continuous integration pipelines.

Configuration

The detector has the following configurable parameters:

  • sources, that indicates the source kinds to check.

  • neutralizations, that indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References

  • CWE-501 : Trust Boundary Violation.