
The mobile application must not have canonical representation vulnerabilities.


Overview

Finding ID: V-35752
Version: SRG-APP-999999-MAPP-00070
Rule ID: SV-47039r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Canonical representation issues arise when the name of a resource is used to control resource access. There are multiple methods of representing resource names on a computer system. An application relying solely on a resource name to control access may incorrectly make an access control decision if the name is specified in an unrecognized format. Through this control, DoD can be assured of greater security from inadvertent or malicious use of resources on the device that, if exploited, could compromise the device, the user and sensitive on-board data. Please refer to CWEs 22, 73, 94, 98, 99, and 601 for further information. The MAPP SRG Overview contains additional information on the use of CWEs.
STIG: Mobile Application Security Requirements Guide
Date: 2013-01-04

Details

Check Text (C-44096r2_chk)
Review the documentation to assess if the following two issues are documented:
- Access control decisions based upon a resource name.
- Failure to reduce a resource name to its canonical form before use.

If the documentation review is inconclusive, perform a static program analysis to assess whether the above two issues could manifest. If the documentation review and/or the static analysis identify canonical representation vulnerabilities, this is a finding. Examples of canonical representation vulnerabilities can be obtained from the OWASP website. See https://www.owasp.org.
Fix Text (F-40297r2_fix)
Modify code so access to resources is not based solely on the name of the resource. To minimize canonical representation issues in the application, apply the following measures as appropriate:
- Do not rely solely on resource names to control access.
- If using resource names to control access, validate the names to ensure they are in the proper format; reject all names not fitting the known-good criteria.
- Use operating system-based access control mechanisms, such as permissions and ACLs.
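An added worked example (not part of the SRG text) of the two issues the check text names: a naive access decision on the raw resource name beside a hardened version that decodes, normalizes and validates the name against a known-good pattern before deciding. BASE_DIR, the "reports/" prefix, the known-good pattern and the sample names are constructed assumptions for illustration.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Constructed assumptions for this example: the app's public data root and the
# allowed sub-tree; both would come from the application's own configuration.
BASE_DIR = "/app/data/public"
ALLOWED_PREFIX = "reports/"

# Known-good form: "/"-separated segments of letters, digits, "_", ".", "-",
# none starting with a dot (so "." and ".." can never survive validation).
KNOWN_GOOD = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*(/[A-Za-z0-9_][A-Za-z0-9_.-]*)*$")


def naive_is_allowed(name: str) -> bool:
    """The pattern the STIG flags: a decision made on the raw, non-canonical name."""
    return name.startswith(ALLOWED_PREFIX)


def canonical_name(name: str) -> Optional[str]:
    """Reduce a requested name to one canonical relative form, or None if it cannot be.

    Percent-encoding is decoded exactly once (double-encoded input is rejected),
    separators are unified, "." and ".." segments are collapsed, and the result
    must match KNOWN_GOOD. Symbolic links are out of scope here: on a live
    filesystem follow this with os.path.realpath and re-check the base prefix.
    """
    if "\x00" in name:                      # embedded NUL can truncate the name later
        return None
    decoded = unquote(name)
    if unquote(decoded) != decoded:         # second decode still changes it: double-encoded
        return None
    unified = decoded.replace("\\", "/")
    if unified.startswith("/"):             # absolute names are never a relative resource
        return None
    norm = posixpath.normpath(unified)
    if norm.startswith("../") or not KNOWN_GOOD.fullmatch(norm):
        return None
    return norm


def hardened_is_allowed(name: str) -> bool:
    """Decision made only after canonicalization and known-good validation."""
    canon = canonical_name(name)
    return canon is not None and canon.startswith(ALLOWED_PREFIX)


def resolve(name: str) -> Optional[str]:
    """Absolute path under BASE_DIR for an allowed name, else None."""
    if not hardened_is_allowed(name):
        return None
    return posixpath.join(BASE_DIR, canonical_name(name))
```

Pairing the hardened check with OS-level permissions on BASE_DIR, as the fix text recommends, means a name that slips past validation still cannot reach files the application process is not permitted to read.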