CWE-386: Symbolic Name not Mapping to Correct Object
Learn about CWE-386 (Symbolic Name not Mapping to Correct Object), its security impact, exploitation methods, and prevention guidelines.
What is Symbolic Name not Mapping to Correct Object?
• Overview: Symbolic Name not Mapping to Correct Object occurs when a program uses a constant symbolic reference to an object, but the reference can change over time to point to a different object, potentially leading to incorrect behavior or security issues.
• Exploitation Methods:
- Attackers can manipulate the mapping of symbolic names to objects to redirect operations to unintended objects.
- Common attack patterns include altering environment variables or configuration settings that define these mappings.
• Security Impact:
- Direct consequences include unauthorized access to data or resources if operations are redirected to sensitive objects.
- Potential cascading effects such as data corruption, denial of service, or privilege escalation.
- Business impact includes loss of data integrity, breaches of confidentiality, and potential legal liabilities.
• Prevention Guidelines:
- Specific code-level fixes include validating the mapping of symbolic names to ensure they point to the correct objects at all times.
- Security best practices involve implementing strict access controls and monitoring changes to configurations that affect symbolic mappings.
- Recommended tools and frameworks include using static analysis tools to identify potential mismappings and employing runtime monitoring to detect anomalous behavior related to object references.
Corgea can automatically detect and fix Symbolic Name not Mapping to Correct Object in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
JavaScript Example
// This example demonstrates a symbolic name vulnerability where a session ID is used
// as a symbolic reference but can resolve to an incorrect session object if guessed.
class SessionManager {
constructor() {
this.sessions = {}; // Stores active sessions
}
// Vulnerable method: uses session ID as a key directly
getSession(sessionId) {
return this.sessions[sessionId];
}
createSession(sessionId, sessionData) {
this.sessions[sessionId] = sessionData;
}
}
const sessionManager = new SessionManager();
sessionManager.createSession("user123", { username: "JohnDoe" });
console.log(sessionManager.getSession("user123")); // Correct session
console.log(sessionManager.getSession("user456")); // Returns undefined, potential for exploitation
Explanation
The vulnerable code directly uses session IDs as keys in a session store. If an attacker can guess or manipulate session IDs, they can potentially access or interfere with another user's session data. This is a common vulnerability when session IDs are predictable or not properly validated.
How to fix Symbolic Name not Mapping to Correct Object?
Fixed Code Example
// Fixed code with added cryptographic validation for session IDs
const crypto = require('crypto');
class SessionManager {
constructor() {
this.sessions = {}; // Stores active sessions
}
// Generates a secure session ID
generateSecureSessionId() {
return crypto.randomBytes(16).toString('hex'); // Secure random session ID
}
// Secure method: validates session ID before accessing
getSession(sessionId) {
if (this.isValidSessionId(sessionId)) {
return this.sessions[sessionId];
}
return null; // Return null for invalid session IDs to prevent misuse
}
// Checks if the session ID is valid
isValidSessionId(sessionId) {
return sessionId in this.sessions; // Check if session ID exists
}
createSession(sessionData) {
const sessionId = this.generateSecureSessionId();
this.sessions[sessionId] = sessionData; // Securely generate new session ID
return sessionId; // Return the new secure session ID to the user
}
}
const sessionManager = new SessionManager();
const sessionId = sessionManager.createSession({ username: "JohnDoe" });
console.log(sessionManager.getSession(sessionId)); // Correct session
console.log(sessionManager.getSession("user456")); // Returns null, secure fallback
Explanation
In the fixed version, session IDs are generated using a cryptographic method to ensure they are unpredictable. The getSession method includes a check to validate session IDs, ensuring that only valid IDs can be used to access session data. These measures prevent unauthorized access and potential exploitation of session data.