Skip to content

Latest commit

 

History

History
136 lines (105 loc) · 10.8 KB

mitigations.md

File metadata and controls

136 lines (105 loc) · 10.8 KB

Mitigation Strategies Analysis for parse-community/parse-server

Mitigation Strategy: Secure Parse Server Configuration

  • Description:

    1. Locate Parse Server Configuration: Identify the configuration file where Parse Server options are defined (e.g., index.js, parse-server-config.json, environment variables).
    2. Disable Dashboard (Recommended) or Secure Dashboard (If Absolutely Necessary for Internal Use): Configure the dashboard option in your Parse Server configuration. Disable it in production or restrict access via IP whitelisting, strong authentication (dashboard.users), and ideally, VPN/internal network access.
    3. Review allowClientClassCreation: Set allowClientClassCreation: false in your ParseServerOptions if clients should not create new Parse Classes.
    4. Review enableAnonymousUsers: Set enableAnonymousUsers: false in your ParseServerOptions if anonymous users are not required.
    5. Configure Default ACLs and CLPs: Explicitly define default Access Control Lists (ACLs) and Class-Level Permissions (CLPs) within ParseServerOptions or through code for new classes and objects.
    6. Disable Unnecessary Features: Review other ParseServerOptions and disable features not used by your application.
    7. Regularly Audit Settings: Periodically review your Parse Server configuration.

    • Threats Mitigated:

      • Unauthorized Access to Backend Administration (High Severity): Via insecure Parse Dashboard.
      • Unauthorized Schema Modifications (Medium Severity): If allowClientClassCreation is enabled unnecessarily.
      • Abuse of Anonymous User Functionality (Medium Severity): If enableAnonymousUsers is enabled when not needed.
      • Data Exposure due to Permissive Defaults (Medium Severity): Overly permissive default ACLs and CLPs.

    • Impact:

      • Unauthorized Access to Backend Administration (High Severity) - Impact: High
      • Unauthorized Schema Modifications (Medium Severity) - Impact: Medium
      • Abuse of Anonymous User Functionality (Medium Severity) - Impact: Medium
      • Data Exposure due to Permissive Defaults (Medium Severity) - Impact: Medium

    • Currently Implemented: Dashboard is disabled in production configuration. allowClientClassCreation is false in production and staging. enableAnonymousUsers is false in production. Default ACLs/CLPs partially configured.

    • Missing Implementation: IP whitelisting/strong auth for staging dashboard. Comprehensive review and hardening of all ParseServerOptions. Refine default ACLs/CLPs to least privilege. Systematically review and disable unused features.

Mitigation Strategy: Control API Keys and Master Key Usage

  • Description:

    1. Restrict Master Key Usage: Use Master Key only for administrative tasks and server-side Cloud Code operations when essential.
    2. Utilize Client Keys and JavaScript Keys: Use Client Keys and JavaScript Keys for client applications instead of Master Key.
    3. Implement Key Rotation: Establish a process for periodically rotating API keys, especially Master Key and Client Keys.
    4. Secure Key Storage: Store API keys and Master Key securely using environment variables, secure config management, or secrets management.
    5. Principle of Least Privilege for Keys: Configure Client Keys/JavaScript Keys with minimum necessary permissions.
    6. Monitor Key Usage (Optional): Implement logging/monitoring of API key usage, especially Master Key.

    • Threats Mitigated:

      • Master Key Compromise (Critical Severity): Full admin control if Master Key is compromised.
      • Unauthorized Data Access and Modification (High Severity): Via compromised/misused API keys.
      • Privilege Escalation (High Severity): Misuse of powerful keys.

    • Impact:

      • Master Key Compromise (Critical Severity) - Impact: High
      • Unauthorized Data Access and Modification (High Severity) - Impact: High
      • Privilege Escalation (High Severity) - Impact: Medium

    • Currently Implemented: Master Key in environment variables. Client Keys used in clients.

    • Missing Implementation: API key rotation. Review and minimize Master Key usage in Cloud Code. Formal least privilege key configuration process.

Mitigation Strategy: Secure Cloud Code

  • Description:

    1. Input Validation in Cloud Code: Thoroughly validate all input parameters in Cloud Code functions. Sanitize data. Use Parse Server's validation mechanisms.
    2. Secure Coding Practices in Cloud Code: Follow secure JavaScript/Node.js coding practices. Avoid insecure deserialization, command injection, path traversal. Code reviews and static analysis.
    3. Principle of Least Privilege in Cloud Code: Grant only necessary permissions to Cloud Code functions. Avoid Master Key unless essential. Use ACLs/CLPs for data access control within Cloud Code.
    4. Dependency Management for Cloud Code: Regularly audit and update npm dependencies in Cloud Code. Scan for vulnerabilities.

    • Threats Mitigated:

      • Injection Attacks (High Severity): NoSQL injection, command injection, XSS if Cloud Code generates client-rendered output.
      • Data Integrity Issues (Medium Severity): Invalid input causing data corruption.
      • Application Logic Errors (Medium Severity): Errors from processing invalid input.
      • Cross-Site Scripting (XSS) (Medium to High Severity): Insecure output handling in Cloud Code.
      • Command Injection (High Severity): Insecure coding in Cloud Code interacting with OS.
      • Path Traversal (Medium Severity): Improper file handling in Cloud Code.
      • Insecure Deserialization (Medium Severity): If Cloud Code handles serialized data.
      • Vulnerable Dependencies (Medium to High Severity): Vulnerable npm packages.

    • Impact:

      • Injection Attacks (High Severity) - Impact: High
      • Data Integrity Issues (Medium Severity) - Impact: High
      • Application Logic Errors (Medium Severity) - Impact: Medium
      • Cross-Site Scripting (XSS) (Medium to High Severity) - Impact: Medium
      • Command Injection (High Severity) - Impact: Medium
      • Path Traversal (Medium Severity) - Impact: Medium
      • Insecure Deserialization (Medium Severity) - Impact: Medium
      • Vulnerable Dependencies (Medium to High Severity) - Impact: Medium

    • Currently Implemented: Basic input validation in some Cloud Code. Code reviews for major Cloud Code changes. Basic secure coding practices generally followed.

    • Missing Implementation: Comprehensive input validation across all Cloud Code. Robust validation rules, sanitization. Formal secure coding guidelines. Static analysis tools for Cloud Code. Regular dependency vulnerability scanning. Security testing for Cloud Code vulnerabilities.

Mitigation Strategy: Parse Files Security

  • Description:

    1. File Type Validation and Restrictions: Implement server-side file type validation in Cloud Code. Whitelist allowed file extensions and MIME types.
    2. File Size Limits: Enforce file size limits for uploads in Parse Server or Cloud Code.
    3. Secure File Storage: Configure secure storage for Parse Files (e.g., encrypted cloud storage). Configure access controls on storage location.
    4. Antivirus Scanning (Optional but Recommended): Integrate antivirus scanning for uploaded files in Cloud Code.

    • Threats Mitigated:

      • Malware Upload and Distribution (Medium to High Severity): Via malicious file uploads.
      • Cross-Site Scripting (XSS) via File Uploads (Medium Severity): Uploading HTML/SVG files with malicious scripts.
      • Denial-of-Service (DoS) via File Uploads (Medium Severity): Uploading excessively large files.
      • Data Breach of Stored Files (Critical Severity): Insecure file storage leading to data exposure.
      • Data Tampering (Medium Severity): Unauthorized modification of stored files.
      • Data Loss (Medium Severity): Insecure/unreliable storage causing data loss.

    • Impact:

      • Malware Upload and Distribution (Medium to High Severity) - Impact: Medium
      • Cross-Site Scripting (XSS) via File Uploads (Medium Severity) - Impact: Medium
      • Denial-of-Service (DoS) via File Uploads (Medium Severity) - Impact: Low
      • Data Breach of Stored Files (Critical Severity) - Impact: High
      • Data Tampering (Medium Severity) - Impact: Medium
      • Data Loss (Medium Severity) - Impact: Medium

    • Currently Implemented: Basic file extension validation in Cloud Code for some uploads. File size limits partially implemented. Parse Files stored in AWS S3. HTTPS for file transfers.

    • Missing Implementation: Comprehensive server-side file type validation (extension & MIME). MIME type sniffing prevention. Whitelist of allowed file types. Consistent file size limits across all uploads. Review and document S3 encryption config. Refine S3 access control policies. Regular S3 security audits. Antivirus scanning not implemented.

Mitigation Strategy: Access Control Lists (ACLs) and Class-Level Permissions (CLPs)

  • Description:

    1. Understand ACLs and CLPs: Learn how ACLs and CLPs control access in Parse Server.
    2. Principle of Least Privilege for ACLs/CLPs: Grant minimum necessary permissions.
    3. Explicitly Define ACLs/CLPs: Avoid relying on defaults. Define ACLs/CLPs for each class and object.
    4. Regularly Audit ACL/CLP Configurations: Review and audit configurations for misconfigurations.
    5. Testing ACL/CLP Enforcement: Test access control enforcement.

    • Threats Mitigated:

      • Unauthorized Data Access (High Severity): Misconfigured ACLs/CLPs.
      • Unauthorized Data Modification (High Severity): Permissive ACLs/CLPs.
      • Privilege Escalation (Medium Severity): Exploiting ACL/CLP misconfigurations.

    • Impact:

      • Unauthorized Data Access (High Severity) - Impact: High
      • Unauthorized Data Modification (High Severity) - Impact: High
      • Privilege Escalation (Medium Severity) - Impact: Medium

    • Currently Implemented: ACLs/CLPs used for data access control. Basic configurations for most classes.

    • Missing Implementation: Comprehensive ACL/CLP review and audit. Ensure least privilege. Formal documentation of ACL/CLP policies. Automated testing of ACL/CLP enforcement.