Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.
...
CALL FUNCTION 'ENQUE_SLEEP'
EXPORTING
SECONDS = usrInput.
...
HttpRequest.Files, HttpRequest.Form, HttpRequest.Cookies, HttpRequest.QueryString, HttpRequest.Headers, HttpRequest.ServerVariables
to 1000, and the size can be increased or decreased using the aspnet:MaxHttpCollectionKeys setting in the configuration file. However, increasing the size to a higher value increases the probability of a DoS attack.
aspnet:MaxHttpCollectionKeys is set to 2147483647.
...
<appSettings>
<add key="aspnet:MaxHttpCollectionKeys" value="2147483647" />
</appSettings>
...
#include <stdlib.h>
#include <unistd.h>

/* usrInput is attacker-controlled; its value becomes the sleep duration unchecked. */
unsigned int usrSleepTime = (unsigned int) strtoul(usrInput, NULL, 10);
sleep(usrSleepTime);
Sleep(url.duration);
Future function will be executed. By specifying a large number, an attacker may tie up the Future function indefinitely.
final duration = Platform.environment['DURATION'];
Future.delayed(Duration(seconds: int.parse(duration!)), () => ...);
func test(r *http.Request) {
...
i, _ := strconv.Atoi(r.FormValue("TIME"))
runtime.KeepAlive(i)
...
}
int usrSleepTime = Integer.parseInt(usrInput);
Thread.sleep(usrSleepTime);
Example 2: The following code reads a String from a zip file. Because it uses the readLine() method, it will read an unbounded amount of input. An attacker may take advantage of this code to cause an OutOfMemoryException or to consume a large amount of memory so that the program spends more time performing garbage collection or runs out of memory during some subsequent operation.
InputStream zipInput = zipFile.getInputStream(zipEntry);
Reader zipReader = new InputStreamReader(zipInput);
BufferedReader br = new BufferedReader(zipReader);
String line = br.readLine();
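A bounded alternative to the unbounded readLine() above, written here as an added example (not Fortify's or any project's code). It assumes a policy limit MAX_LINE_CHARS and constructs an in-memory zip whose only entry is a single 1 MiB line without a newline, which is the input shape the text warns about.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

// Added example: read one line from a zip entry with a hard cap, so an entry that
// never supplies a newline cannot make the reader buffer an unbounded amount.
public final class BoundedZipLineReader {
    static final int MAX_LINE_CHARS = 4096; // assumed policy limit; tune to the real format

    /** Returns the next line, null at end of stream, or throws once maxChars is exceeded. */
    static String readBoundedLine(Reader in, int maxChars) throws IOException {
        StringBuilder sb = new StringBuilder();
        int c;
        while ((c = in.read()) != -1 && c != '\n') {
            if (c == '\r') continue;                  // tolerate CRLF line endings
            if (sb.length() >= maxChars) {
                throw new IOException("line exceeds " + maxChars + " characters");
            }
            sb.append((char) c);
        }
        return (c == -1 && sb.length() == 0) ? null : sb.toString();
    }

    /** Constructed test input: a zip whose single entry is one very long line of 'A'. */
    static byte[] zipWithLongLine(int length) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream zip = new ZipOutputStream(bytes)) {
            zip.putNextEntry(new ZipEntry("payload.txt"));
            byte[] chunk = new byte[1024];
            Arrays.fill(chunk, (byte) 'A');
            for (int written = 0; written < length; written += chunk.length) {
                zip.write(chunk, 0, Math.min(chunk.length, length - written));
            }
            zip.closeEntry();
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        try (ZipInputStream zipInput = new ZipInputStream(
                new ByteArrayInputStream(zipWithLongLine(1 << 20)))) {
            zipInput.getNextEntry();
            Reader zipReader = new InputStreamReader(zipInput, StandardCharsets.US_ASCII);
            try {
                readBoundedLine(zipReader, MAX_LINE_CHARS);
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The compressed form of the constructed entry is tiny, which is exactly why an attacker can ship it cheaply; the cap on decompressed characters per line is what keeps memory use proportional to the policy rather than to the input.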
Example 2: The following code writes to a file. Because the file may be continuously written and rewritten until it is deemed closed by the user agent, disk quota, IO bandwidth, and processes that may require analyzing the content of the file are impacted.
var fsync = requestFileSystemSync(0, userInput);
function oninit(fs) {
fs.root.getFile('applog.txt', {create: false}, function(fileEntry) {
fileEntry.createWriter(function(fileWriter) {
fileWriter.seek(fileWriter.length);
var bb = new BlobBuilder();
bb.append('Appending to a file');
fileWriter.write(bb.getBlob('text/plain'));
}, errorHandler);
}, errorHandler);
}
window.requestFileSystem(window.TEMPORARY, 1024*1024, oninit, errorHandler);
procedure go_sleep (
usrSleepTime in NUMBER)
is
begin
  -- the caller-supplied value is passed to dbms_lock.sleep without any bound
  dbms_lock.sleep(usrSleepTime);
end;
connect function. By specifying a large number, an attacker can tie up the connect function indefinitely.
...
insecure_config_ssl_connection_timeout = {
'user': username,
'password': retrievedPassword,
'host': databaseHost,
'port': "3306",
'connection_timeout': connection_timeout
}
mysql.connector.connect(**insecure_config_ssl_connection_timeout)
...
Kernel.sleep(user_input)
Example 2: The following code reads a String from a file. Because it uses the readline() method without specifying a limit, it will read an unbounded amount of input. An attacker may take advantage of this code to cause the process to hang whilst consuming more and more memory, until it may potentially run out of memory entirely.
fd = File.new(myFile)
line = fd.readline
Formatter.format().
...
Formatter formatter = new Formatter(Locale.US);
String format = "The customer: %s %s has the balance %4$." + userInput + "f";
formatter.format(format, firstName, lastName, accountNo, balance);
...
java.util.MissingFormatArgumentException to be thrown, and since this is not within a try block, could lead to application failure.
accountNo to be included within the resulting string.
java.lang.Double.parseDouble() and related methods that can cause the thread to hang when parsing any number in the range [2^(-1022) - 2^(-1075) : 2^(-1022) - 2^(-1076)]. This defect can be used to execute a Denial of Service (DoS) attack.
Double d = Double.parseDouble(request.getParameter("d"));
d is a value in the range, such as "0.0222507385850720119e-00306", to cause the program to hang while processing the request.
(e+)+
([a-zA-Z]+)*
(e|ee)+
NSString *regex = @"^(e+)+$";
NSPredicate *pred = [NSPredicate predicateWithFormat:@"SELF MATCHES %@", regex];
if ([pred evaluateWithObject:mystring]) {
    //do something
}
let regex : String = "^(e+)+$"
let pred : NSPredicate = NSPredicate(format: "SELF MATCHES %@", regex)
if (pred.evaluateWithObject(mystring)) {
    //do something
}
Example 1, if the attacker supplies the match string "eeeeZ" then there are 16 internal evaluations that the regex parser must go through to identify a match. If the attacker provides 16 "e"s ("eeeeeeeeeeeeeeeeZ") as the match string then the regex parser must go through 65536 (2^16) evaluations. The attacker may easily consume computing resources by increasing the number of consecutive match characters. There are no known regular expression implementations that are immune to this vulnerability. All platforms and languages are vulnerable to this attack.
routes.Ignore method in ASP.NET applications. This method allows external input to define routing behaviors. Specifically, the use of wildcards, such as {*allaspx}, provides attackers with a foothold to manipulate routing actions. The core issue arises when the input controlling these wildcard patterns is not meticulously validated or sanitized.
Marker child = MarkerManager.getMarker("child");
Marker parent = MarkerManager.getMarker("parent");
child.addParents(MarkerManager.getMarker(userInput));
parent.addParents(MarkerManager.getMarker(userInput2));
String toInfinity = child.toString();
child and parent to a user-defined marker. If the user inputs the parent of child to be parent, and the parent of parent to be child, a circular link is created in the Marker data structure. When running the recursive toString method on the data structure containing the circular link, the program will throw a stack overflow exception and crash. This causes a denial of service through stack exhaustion.
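One way to keep the Marker graph acyclic before a user-chosen parent is linked, as an added example that is not Fortify's or Log4j's own code. It assumes the Log4j 2 Marker API (MarkerManager.getMarker, Marker.addParents, Marker.isInstanceOf) and uses the two constructed inputs from the page's scenario.

```java
import org.apache.logging.log4j.Marker;
import org.apache.logging.log4j.MarkerManager;

// Added example: refuse any parent link that would close a cycle, so the recursive
// toString() (and isInstanceOf()) can never recurse until the stack is exhausted.
public final class SafeMarkerLinks {

    /** Links candidateParent as a parent of child only if the graph stays acyclic. */
    public static boolean addParentIfAcyclic(Marker child, Marker candidateParent) {
        // A cycle appears exactly when child is already reachable from candidateParent
        // through its parent chain; Log4j's isInstanceOf() walks that chain (and returns
        // true for the marker itself, which also rejects self-parenting).
        if (candidateParent.isInstanceOf(child)) {
            return false;
        }
        child.addParents(candidateParent);
        return true;
    }

    public static void main(String[] args) {
        Marker child = MarkerManager.getMarker("child");
        Marker parent = MarkerManager.getMarker("parent");
        // Constructed inputs standing in for userInput / userInput2 in the page's snippet.
        String userInput = "parent";
        String userInput2 = "child";

        boolean first = addParentIfAcyclic(child, MarkerManager.getMarker(userInput));
        boolean second = addParentIfAcyclic(parent, MarkerManager.getMarker(userInput2));
        System.out.println("first link accepted: " + first);    // parent is not below child yet
        System.out.println("second link accepted: " + second);  // would close child -> parent -> child
        System.out.println(child.toString());                    // terminates: no cycle was created
    }
}
```

The check and the addParents() call are not atomic; if several threads can modify the same markers, serialize both under one lock so two concurrent additions cannot each pass the check and together form a loop.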