A malicious application can invoke an insecure PreferenceActivity and supply it with an :android:show_fragment Intent extra in order to make it load an arbitrary class. The malicious app can make the PreferenceActivity load an arbitrary Fragment of the vulnerable app, which is normally loaded inside a non-exported Activity, exposing it to the attacker.

Example 1: The following code fails to implements a check to verify that only expected fragments are loaded.

@Override
public static boolean isFragmentValid(Fragment paramFragment)
{
    return true;
}

Frame Spoofing vulnerabilities occur when:

1. Data enters a web application through an untrusted source.

2. The data is used as an iframe URL without being validated.

This way, an attacker may be able to control what is rendered into the inline frame. By modifying the frame URL to point to a malicious site, phishing attacks may be performed in an attempt to steal user information, including credentials or other sensitive data. Given that the base domain is trusted - Salesforce.com, the victim will trust the page and provide all of the requested information.

Example 1: In the following code example, the iframesrc URL parameter is directly used as the apex:iframe target URL.

<apex:page>
<apex:iframe src="{!$CurrentPage.parameters.iframesrc}"></apex:iframe>
</apex:page>

This way, if an attacker provides a victim with the iframesrc parameter set to a malicious website, the frame will be rendered with the content of the malicious website.

<iframe src="http://evildomain.com/">

The Metadata class is often used to house header data for an underlying protocol used by Google Remote Procedure Call (gRPC). When the underlying protocol is HTTP, control of the data in a Metadata object can make the system vulnerable to HTTP Header Manipulation. Other attack vectors are possible and are primarily based on the underlying protocol.

Example 1: The following code shows user controllable data used as input to a gRPC Metadata object.

...
String badData = getUserInput();
Metadata headers = new Metadata();
headers.put(Metadata.Key.of("sample", Metadata.ASCII_STRING_MARSHALLER), badData);
...

Hadoop cluster control errors occur when:

- Data enters a program from an untrusted source.

- The data is consumed by Hadoop cluster core components such as NameNode, DataNode, JobTraker to change the state of the cluster.

Hadoop clusters are a hostile environment. When security configurations from protecting unauthorized access to cluster nodes are not set properly, an attack may be able to take control the infrastructure. This leads to the possibility that any data that is provided by the Hadoop cluster to be tampered.

Example 1: The following code shows a Job submission in a typical client application which takes inputs from command line on Hadoop cluster master machine:

  public static void run(String args[]) throws IOException {

    String path = "/path/to/a/file";
    DFSclient client = new DFSClient(arg[1], new Configuration());
    ClientProtocol nNode = client.getNameNode();

    /* This sets the ownership of a file pointed by the path to a user identified
     * by command line arguments.
     */
    nNode.setOwner(path, args[2], args[3]);
    ...
  }

Hadoop job manipulation errors occur when:

- Data enters a program from an untrusted source.

- The data is used to specify a value of the JobConf that controls a client job.

Hadoop clusters are a hostile environment. When security configurations from protecting unauthorized access to HDFS on cluster machines are not set properly, an attack may be able to take control. This leads to the possibility that any data that is provided by the Hadoop cluster is tampered.

Example 1: The following code shows a Job submission in a typical client application which takes inputs from command line on Hadoop cluster master machine:

  public void run(String args[]) throws IOException {

    String inputDir = args[0];
    String outputDir = args[1];

    // Untrusted command line argument
    int numOfReducers = Integer.parseInt(args[3]);
    Class mapper = getClassByName(args[4]);
    Class reducer = getClassByName(args[5]);

    Configuration defaults = new Configuration();
    JobConf job = new JobConf(defaults, OptimizedDataJoinJob.class);
    job.setNumMapTasks(1);
    // An attacker may set random values that exceed the range of acceptable number of reducers
    job.setNumReduceTasks(numOfReducers);

    return job;
  }

Example 2: The following code shows a case where an attacker controls the running job to be killed through command line arguments:

  public static void main(String[] args) throws Exception {

    JobID id = JobID.forName(args[0]);
    JobConf conf = new JobConf(WordCount.class);
    // configure this JobConf instance
    ...
    JobClient.runJob(conf);
    RunningJob job = JobClient.getJob(id);
    job.killJob();

  }

The default escaping performed in Handlebars templates helps protect the application from attackers. This can prevent many attack vectors across different types of vulnerabilites. The most prominent protection is against certain types of cross-site scripting attacks. In this application, this protection mechanism is specifically disabled.

Example 1: The following example shows Handlebars template escaping disabled.

  let template = Handlebars.compile('{{foo}}', { noEscape: true })

Handlebars templates cannot access an object's prototypes as it makes the application susceptible to Prototype Pollution attacks.

Prototype Pollution attacks occur when a malicious user can control functions or properties on the prototypes of objects. Controlling the prototypes of an object that is passed into a template allows many vulnerabilities, including Dynamic Code Evaluation, Cross-Site Scripting, and Remote Code Execution.

Example 1: In the following example configuring Handlebars templates, prototype methods are allowed by default, as well as the special __defineGetter__ function.

let template2 = Handlebars.compile('{{foo}}')
console.log(template2({ foo: argument }, {
    allowProtoMethodsByDefault: true,
    allowedProtoMethods: {
        __defineGetter__: true
    }
}))