Kingdom: API Abuse

An API is a contract between a caller and a callee. The most common forms of API abuse occur when the caller fails to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory securely. Another typical example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case the caller abuses the callee's API by making an assumption about its behavior (that the return value can be used for authentication purposes). The caller-callee contract can also be violated from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.

81 items found
Weaknesses
Abstract
The finalize() method should only be called by the JVM after the object has been garbage collected.
Explanation
Although the Java Language Specification allows an object's finalize() method to be called from outside the finalizer, doing so is not a good idea. For example, calling finalize() explicitly means that the finalize() method will run more than once: the first time is the explicit call, and the last time is after the object has been garbage collected.

Example 1: The following code fragment calls the finalize() method directly:

// time to clean up
widget.finalize();
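As an added example (not code from the original page), the same cleanup written so that no one ever needs to call finalize(): the resource is released deterministically through AutoCloseable.close(), and java.lang.ref.Cleaner (Java 9+) acts as a safety net if close() is forgotten. Widget, Resource and the integer handle are constructed for this example.

```java
import java.lang.ref.Cleaner;
import java.util.concurrent.atomic.AtomicInteger;

// Added example (not from the original page): a widget that owns a native-like
// resource and releases it exactly once, without anyone calling finalize().
public final class Widget implements AutoCloseable {
    private static final Cleaner CLEANER = Cleaner.create();

    // Counts releases so the "exactly once" property can be observed.
    static final AtomicInteger RELEASES = new AtomicInteger();

    // The cleanup action must not reference the Widget instance, otherwise the
    // Widget could never become unreachable and the Cleaner would never run it.
    private static final class Resource implements Runnable {
        private int handle;                  // constructed stand-in for a real handle
        Resource(int handle) { this.handle = handle; }
        @Override public void run() {        // invoked from close() or, at worst, by the Cleaner
            if (handle != 0) {
                handle = 0;
                RELEASES.incrementAndGet();
            }
        }
    }

    private final Resource resource;
    private final Cleaner.Cleanable cleanable;

    public Widget(int handle) {
        this.resource = new Resource(handle);
        this.cleanable = CLEANER.register(this, resource);
    }

    // Explicit, deterministic release; safe to call more than once because
    // Cleanable.clean() runs the action at most once.
    @Override public void close() {
        cleanable.clean();
    }

    public static void main(String[] args) {
        try (Widget w = new Widget(42)) {
            // use w; close() runs when the block exits
        }
        new Widget(7);       // forgotten: the Cleaner releases it once it is unreachable
        System.gc();
        System.out.println("released: " + RELEASES.get()); // 1 now, at most 2 after GC
    }
}
```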
References
[1] MET12-J. Do not use finalizers CERT
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 586
desc.structural.java.poor_style_explicit_call_to_finalize
Abstract
The dangerouslySetInnerHTML attribute is unnecessarily set to HTML from code.
Explanation
Although the dangerouslySetInnerHTML attribute in React is the replacement for using innerHTML in the browser DOM, the API was renamed to convey the potential danger of using innerHTML. In general, setting HTML from code is risky because it is easy to inadvertently expose your users to Cross-Site Scripting (XSS) attacks.
Example 1: The following code sets HTML from code on the dangerouslySetInnerHTML attribute:

function MyComponent(data) {
    return (
        <div
            dangerouslySetInnerHTML={{__html: data.innerHTML}}
        />
    );
}
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
desc.structural.javascript.react_bad_practices_dangerously_set_innerhtml
Abstract
Open SQL direct write operations are undesirable and should be avoided.
Explanation
Open SQL direct write operations (INSERT/UPDATE/MODIFY/DELETE) are generally undesirable and should be avoided. They undermine the integrity and security of the system, and such operations are not permitted.

In addition, Open SQL direct write operations are error-prone and can lead to unexpected system behavior. Some of the issues to be aware of in SAP include:

- SAP recommends the "update bundling" technique to guarantee data integrity within an SAP LUW (Logical Unit of Work), where a data-integrity problem may span multiple database LUWs. Modifying table entries directly, without update bundling, leads to inconsistent SAP transactions.

- Open SQL direct write operations only set database-level locks and bypass SAP application locks. This can lead to deadlocks and data corruption.

- Open SQL direct write operations bypass the SAP authorization checks in the application.

- When table entries are written through the standard mechanisms, edit checks, audit trails and related updates (such as change documents) are performed correctly. This is not the case with Open SQL direct write operations.

References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 662
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002235
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II
desc.structural.abap.sql_bad_practices_direct_update
Abstract
Identifiers without a schema should not be used in invoker's rights packages.
Explanation
In an invoker's rights package, or AUTHID CURRENT_USER package, identifiers are resolved first against the schema of the current user. If the definer of the code does not explicitly state which schema an identifier belongs to, this can lead to unexpected behavior.

Example: The following code checks whether a user has permission to perform an action by looking the user up in a permissions table. Most users have read access only to SYS.PERMISSIONS and cannot modify the defined permissions.

CREATE OR REPLACE FUNCTION check_permissions(
    p_name IN VARCHAR2, p_action IN VARCHAR2)
RETURN BOOLEAN
AUTHID CURRENT_USER
IS
    r_count NUMBER;
    perm BOOLEAN := FALSE;
BEGIN
    -- PERMISSIONS is not schema-qualified: under AUTHID CURRENT_USER it is
    -- resolved against the caller's schema first.
    SELECT count(*) INTO r_count FROM PERMISSIONS
        WHERE name = p_name AND action = p_action;
    IF r_count > 0 THEN
        perm := TRUE;
    END IF;
    RETURN perm;
END check_permissions;

If a user calling the check_permissions function defines a PERMISSIONS table in their own schema, the database resolves the identifier to the local table. The user has write access to that new table and can modify it to gain permissions that would otherwise be impossible.
References
[1] Oracle Oracle Database PL/SQL Language Reference
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
desc.structural.sql.sql_bad_practices_underspecified_identifier
Abstract
A Struts 2.x Action implementation class gives an attacker the opportunity to modify the application's business logic by binding arbitrary data to the session, application or request server-side objects.
Explanation
Apache Struts 2.x includes new Aware interfaces that allow developers to easily inject maps containing runtime information into their Actions code. These interfaces include: org.apache.struts2.interceptor.ApplicationAware, org.apache.struts2.interceptor.SessionAware and org.apache.struts2.interceptor.RequestAware. To have any of these data maps injected into their Actions code, developers need to implement the setter specified by the interface (for example, setSession for the SessionAware interface):

import java.util.Map;
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.SessionAware;

public class VulnerableAction extends ActionSupport implements SessionAware {

    protected Map<String, Object> session;

    // Called by Struts to inject the session map; as a public setter it is
    // also reachable through the "session" request parameter.
    @Override
    public void setSession(Map<String, Object> session) {
        this.session = session;
    }
}

On the other hand, Struts 2.x automatically binds request data coming from the user to Action properties through the public accessors defined in the Action. Because the Aware interfaces require implementing the public setters they define, these setters are also automatically bound to any request parameter whose name matches the Aware setter name. This can allow a remote attacker to modify the application's runtime data values through crafted parameters, affecting whichever of the SessionAware, RequestAware and ApplicationAware interfaces are implemented.

The following URL allows an attacker to override the "roles" attribute in the session map. This could potentially make the attacker an administrator.

http://server/VulnerableAction?session.roles=admin

While these interfaces only require implementing the setter accessors, if the corresponding getters are also implemented, changes to these map collections persist across the session scope rather than affecting only the current request scope.
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 20
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[10] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[11] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[24] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)
desc.structural.java.struts2_bad_practices_application_map_tampering
Abstract
A Struts 2 Action exposes public methods that can be invoked by end users, overriding the Action's execute() method.
Explanation
Struts 2 introduced a feature called "Dynamic Method Invocation" that allows an Action to expose methods other than execute(). The ! (exclamation mark) character or the method: prefix can be used in the Action URL to invoke any public method of the Action when "Dynamic Method Invocation" is enabled. Developers who are unaware of this feature may inadvertently expose internal business logic to attackers.

For example, if an Action contains a public method called getUserPassword() that takes no parameters, and "Dynamic Method Invocation" is not disabled, an attacker could exploit this by accessing the following URL: http://server/app/recoverpassword!getPassword.action
References
[1] Struts 2 Security Vulnerability - Dynamic Method Invocation
[2] Struts 2 - Dynamic Method Invocation
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark partial
[9] Standards Mapping - Common Weakness Enumeration CWE ID 285
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001764, CCI-001774, CCI-002165
[11] Standards Mapping - FIPS200 AC
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[15] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[17] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[20] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[21] Standards Mapping - OWASP API 2023 API5 Broken Function Level Authorization
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 862
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.java.struts2_bad_practices_dynamic_method_invocation
Abstract
A Struts 2.x Action implementation class gives an attacker the opportunity to modify the application's business logic by binding arbitrary data to the session, application or request server-side objects.
Explanation
Apache Struts 2.x includes new Aware interfaces that allow developers to easily inject maps containing runtime information into their Actions code. These interfaces include: org.apache.struts2.interceptor.ApplicationAware, org.apache.struts2.interceptor.SessionAware and org.apache.struts2.interceptor.RequestAware. To have any of these data maps injected into their Actions code, developers need to implement the setter specified by the interface (for example, setSession for the SessionAware interface):

import java.util.Map;
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.SessionAware;

public class VulnerableAction extends ActionSupport implements SessionAware {

    protected Map<String, Object> session;

    // Called by Struts to inject the session map; as a public setter it is
    // also reachable through the "session" request parameter.
    @Override
    public void setSession(Map<String, Object> session) {
        this.session = session;
    }
}

On the other hand, Struts 2.x automatically binds request data coming from the user to Action properties through the public accessors defined in the Action. Because the Aware interfaces require implementing the public setters they define, these setters are also automatically bound to any request parameter whose name matches the Aware setter name. This can allow a remote attacker to modify the application's runtime data values through crafted parameters, affecting whichever of the SessionAware, RequestAware and ApplicationAware interfaces are implemented.

The following URL allows an attacker to override the "roles" attribute in the session map. This could potentially make the attacker an administrator.

http://server/VulnerableAction?session.roles=admin

While these interfaces only require implementing the setter accessors, if the corresponding getters are also implemented, changes to these map collections persist across the session scope rather than affecting only the current request scope.
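As an added example covering both Struts 2.x Aware-interface entries on this page (application map tampering and request map tampering), and not code from the page or the Struts project: the action keeps the injected session map but defines no getter for it, and it implements ParameterNameAware (assumed here to be com.opensymphony.xwork2.interceptor.ParameterNameAware, which the Struts 2.x params interceptor consults for every parameter name) so that names navigating into the session, request or application maps are refused before binding. HardenedAction, the allow-list pattern and the username property are constructed for this example.

```java
import java.util.Map;
import java.util.regex.Pattern;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;
import org.apache.struts2.interceptor.SessionAware;

// Added example (not from the original page): a SessionAware action that
// refuses parameter names able to reach the injected maps and exposes no
// getter for them, so "session.roles=admin" is never bound.
public class HardenedAction extends ActionSupport implements SessionAware, ParameterNameAware {

    // Names the params interceptor may bind: a plain property name, optionally
    // followed by index or nested-property navigation. Constructed allow-list.
    private static final Pattern ALLOWED =
        Pattern.compile("^[A-Za-z][A-Za-z0-9_]*(\\[\\d+\\]|\\.[A-Za-z][A-Za-z0-9_]*)*$");

    // Anything that starts by naming one of the injected maps is rejected,
    // whether it continues with ".key", "[...]" or nothing at all.
    private static final Pattern INJECTED =
        Pattern.compile("^(session|request|application)(\\.|\\[|$)", Pattern.CASE_INSENSITIVE);

    private Map<String, Object> session;   // no public getSession(): nothing to navigate into
    private String username;               // the only request input this action expects

    @Override
    public void setSession(Map<String, Object> session) { this.session = session; }

    public void setUsername(String username) { this.username = username; }

    // Called by the params interceptor for each request parameter name;
    // returning false drops the parameter before any setter is invoked.
    @Override
    public boolean acceptableParameterName(String name) {
        return isAcceptable(name);
    }

    // Pure policy, kept separate so it can be unit-tested without a container.
    static boolean isAcceptable(String name) {
        if (name == null || !ALLOWED.matcher(name).matches()) return false;
        return !INJECTED.matcher(name).find();
    }

    @Override
    public String execute() {
        // Roles are read from the server-side session only, never from the request.
        Object roles = session == null ? null : session.get("roles");
        return (roles != null && username != null) ? SUCCESS : LOGIN;
    }

    public static void main(String[] args) {
        System.out.println(isAcceptable("username"));          // true
        System.out.println(isAcceptable("session.roles"));     // false
        System.out.println(isAcceptable("request['roles']"));  // false
        System.out.println(isAcceptable("application"));       // false
    }
}
```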
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 20
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[10] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[11] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[24] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)
desc.structural.java.struts2_bad_practices_request_map_tampering