Skip to content

Latest commit

 

History

History
90 lines (78 loc) · 9.57 KB

attack-tree.md

File metadata and controls

90 lines (78 loc) · 9.57 KB

Attack Tree Analysis for shopify/liquid

Objective: Execute Arbitrary Code or Access Unauthorized Data via Liquid [CRITICAL]

Attack Tree Visualization

                                  Execute Arbitrary Code or Access Unauthorized Data via Liquid [CRITICAL]
                                                  /                                   \
                                                 /                                     \
         ---------------------------------------------------------         ------------------------------------------------
         |  Bypass Liquid's Sandboxing/Restrictions (RCE-like)  |         |     Abuse Liquid Features for Data Exfiltration     |
         ---------------------------------------------------------         ------------------------------------------------
               /                |                \                                           |
              /                 |                 \                                          |

| Exploit | | Exploit | | Find | | Leaked | | Known | | Unknown | | Undocumented| | Sensitive | | Liquid | | Liquid | | or | | Data in | | Vulner- | | Vulner- | | Poorly | | Context | | abilities | | abilities | | Documented| | (e.g., | | (CVEs) | | (0-days) | | Features | | API Keys) | | [CRITICAL] | | [CRITICAL] | | [CRITICAL] | | [CRITICAL] |

(L:L-M,I:VH, (L:VL,I:VH, (L:L,I:H, (L:H,I:VH, E:L,S:I,D:M) E:VH,S:E,D:VH) E:H,S:A,D:H) E:VL,S:B,D:VE)

--------------- | Abuse | | Tags | | to | | Access | | Restricted| | Data | --------------- (L:M,I:H, E:L,S:I,D:M)

Attack Tree Path: [HIGH-RISK] Leaked Sensitive Data in Context (e.g., API Keys):

  • Description: This is the most critical and likely vulnerability. If sensitive information like API keys, database credentials, or internal URLs are accidentally made available to the Liquid context, an attacker can easily retrieve them. This often happens due to developer error, such as passing entire configuration objects or user data directly to the template.
  • Likelihood: High
  • Impact: Very High (Complete system compromise is likely)
  • Effort: Very Low (Trivial if the data is present)
  • Skill Level: Beginner
  • Detection Difficulty: Very Easy (Once the attacker has access to a rendered template, the secret is exposed. Prevention is key.)
  • Mitigation Strategies:
    • Never expose secrets directly: Do not pass sensitive data to the Liquid context. Use environment variables, secure configuration stores (like HashiCorp Vault), or dedicated secret management services.
    • Strict context control: Carefully define exactly which variables and objects are needed in the template. Avoid passing entire objects when only a few properties are required. Use a whitelist approach.
    • Code reviews: Thoroughly review the code that populates the Liquid context to ensure no secrets are being leaked. This should be a mandatory part of the code review process.
    • Automated scanning: Utilize static analysis tools and secret scanning tools (e.g., git-secrets, truffleHog) to automatically detect potential secret leaks in your codebase and configuration files.
    • Principle of Least Privilege: Ensure the application itself has only the minimum necessary permissions. Even if a secret is leaked, limiting the application's access can reduce the impact.

Attack Tree Path: [HIGH-RISK] Exploit Known Liquid Vulnerabilities (CVEs) -> Bypass Liquid's Sandboxing/Restrictions (RCE-like):

  • Description: This path involves exploiting publicly disclosed vulnerabilities (CVEs) in the Liquid library itself to achieve Remote Code Execution (RCE). While Liquid is designed to be secure, vulnerabilities can be discovered. If the application doesn't apply security updates promptly, it becomes vulnerable.
  • Likelihood: Low-Medium (Depends entirely on patch management practices)
  • Impact: Very High (RCE leads to complete system compromise)
  • Effort: Low (Public exploits are often available for known CVEs)
  • Skill Level: Intermediate (Requires understanding of vulnerability reports and exploit usage)
  • Detection Difficulty: Medium (Intrusion Detection Systems and Web Application Firewalls can often detect known exploit attempts, but not always)
  • Mitigation Strategies:
    • Prompt patching: Implement a robust patch management process. Monitor security advisories related to Liquid and apply updates as soon as they are released.
    • Dependency management: Use dependency management tools (e.g., Bundler for Ruby, npm for Node.js) that can automatically flag outdated versions of libraries, including Liquid.
    • Vulnerability scanning: Regularly scan your application and its dependencies for known vulnerabilities using vulnerability scanners.
    • Web Application Firewall (WAF): A WAF can help block known exploit attempts, providing an additional layer of defense.
    • Intrusion Detection/Prevention System (IDS/IPS): An IDS/IPS can monitor network traffic and system activity for signs of intrusion, including exploit attempts.

Attack Tree Path: [HIGH-RISK] Abuse Tags to Access Restricted Data -> Abuse Liquid Features for Data Exfiltration:

  • Description: This path focuses on misusing Liquid tags, particularly the include tag, to gain access to data the attacker shouldn't have. The most common scenario is Local File Inclusion (LFI), where user input controls the path of a template included via {% include %}.
  • Likelihood: Medium (Depends on how tags are used and if user input influences them)
  • Impact: High (Can lead to LFI and exposure of sensitive files)
  • Effort: Low (Exploiting poorly configured include tags is often straightforward)
  • Skill Level: Intermediate (Requires understanding of LFI and Liquid tag behavior)
  • Detection Difficulty: Medium (Requires monitoring file access patterns and analyzing template inclusion logic)
  • Mitigation Strategies:
    • Whitelist include paths: Never construct template paths directly from user input. Use a strict whitelist of allowed template paths. For example, instead of {% include params[:template] %}, use a predefined mapping: {% include allowed_templates[params[:template]] %}, where allowed_templates is a hardcoded hash.
    • Avoid user-controlled paths: If you absolutely must use user input to determine part of a path, sanitize it extremely carefully. Ensure it only contains allowed characters (e.g., alphanumeric, underscores) and that it cannot traverse directories (e.g., using ../).
    • Sandboxing (if possible): If your environment allows, consider running Liquid in a sandboxed environment with restricted file system access.
    • Code review: Carefully review all uses of the include tag (and other potentially dangerous tags) to ensure they are not vulnerable to user input manipulation.
    • Input validation: Even if you're using a whitelist, validate the user-provided key to ensure it conforms to expected values.

Attack Tree Path: Critical Nodes (Not part of a specific high-risk path, but individually critical):

  • Exploit Unknown Liquid Vulnerabilities (0-days):
    • (Same description, mitigation, and estimations as "Exploit Known Liquid Vulnerabilities," but with a Very Low likelihood and Very Hard detection difficulty.)
  • Find Undocumented or Poorly Documented Features:
    • (Similar to 0-days in terms of mitigation, but focused on in-depth code analysis and experimentation to find exploitable features.)