界: API Abuse

API 是调用方和被调用方之间的约定。最常见的 API 滥用是由于调用方未能遵守此约定的终止导致的。例如,如果某个程序在调用 chroot() 后未能调用 chdir(),则违反了用于指定如何安全地更改活动根目录的约定。库滥用的另一个典型示例是期望被调用方向调用方返回可信的 DNS 信息。在这种情况下,调用方通过对被调用方行为做出某种假设(返回值可用于身份验证目的)滥用其 API。另一方也可能违反调用方-被调用方约定。例如,如果编码器子类化 SecureRandom 并返回一个非随机值,则将违反此约定。

81 个项目已找到
弱点

EJB Bad Practices: Use of AWT/Swing

Abstract
程序使用了 AWT/Swing,这违反了企业级 JavaBeans 编程规范。
Explanation
企业级 JavaBeans 编程规范要求每个 bean 提供者都必须遵守一系列编程规范,以确保 bean 在任何 EJB 容器 [1] 中的可移植性与行为的一致性。

在这里,程序违背了以下 EJB 指导原则:

“一个企业级 bean 必须禁止利用 AWT 机制,将信息输出到显示设备,或者通过键盘输入信息。”

制定该规范理由如下:

“大部分服务器都不允许应用程序中的程序与连接至服务器系统上的键盘/显示设备进行直接交互。”
References
[1] The Enterprise JavaBeans 2.1 Specification Sun Microsystems
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 6
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 575
desc.structural.java.ejb_bad_practices_use_of_awt_swing

EJB Bad Practices: Use of Class Loader

Abstract
程序使用了程序类加载器,这违反了企业级 JavaBeans 编程规范。
Explanation
企业级 JavaBeans 编程规范要求每个 bean 提供者都必须遵守一系列编程规范,以确保 bean 在任何 EJB 容器 [1] 中的可移植性与行为的一致性。

在这里,程序违背了以下 EJB 指导原则:

“企业级 bean 必须禁止以下内容:创建类加载器;获取当前类加载器;设置类加载器上下文;设置安全管理器;创建新的安全管理器;停止 JVM 或者篡改输入、输出及错误流。”

制定该规范理由如下:

“这些功能都是为 EJB 容器预留的。允许企业级 bean 使用这些功能会造成一些安全上的漏洞,并使容器无法正确地管理运行时环境。”
References
[1] The Enterprise JavaBeans 2.1 Specification Sun Microsystems
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 6
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 578
desc.structural.java.ejb_bad_practices_use_of_classloader

EJB Bad Practices: Use of java.io

Abstract
程序使用了 java.io 包,这违反了企业级 JavaBeans 编程规范。
Explanation
企业级 JavaBeans 编程规范要求每个 bean 提供者都必须遵守一系列编程规范,以确保 bean 在任何 EJB 容器 [1] 中的可移植性与行为的一致性。

在这里,程序违背了以下 EJB 指导原则:

“一个企业级 bean 必须禁止利用 java.io 包访问 file system 中的文件和目录。”

制定该规范理由如下:

“file system API 不适用于商业组件的数据访问。商业组件应利用资源管理 API(如 JDBC)存储数据。”
References
[1] The Enterprise JavaBeans 2.1 Specification Sun Microsystems
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 6
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 576
desc.structural.java.ejb_bad_practices_use_of_java_io

EJB Bad Practices: Use of Sockets

Abstract
程序使用了 socket 接口,这违反了企业级 JavaBeans 编程规范。
Explanation
企业级 JavaBeans 编程规范要求每个 bean 提供者都必须遵守一系列编程规范,以确保 bean 在任何 EJB 容器 [1] 中的可移植性与行为的一致性。

在这里,程序违背了以下 EJB 指导原则:

“一个企业级 bean 必须禁止监听 Socket 接口、接受 Socket 连接或者使用 Socket 做多点传送。”

制定该规范理由如下:

“EJB 体系结构允许企业级 bean 实例作为网络 Socket 客户端来运行,但禁止其作为网络服务器来运行。而且,允许企业级 bean 实例作为网络服务器来运行与企业级 bean 的基本功能(为 EJB 客户端提供服务)相冲突。”
References
[1] The Enterprise JavaBeans 2.1 Specification Sun Microsystems
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 6
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 577
desc.structural.java.ejb_bad_practices_use_of_sockets

EJB Bad Practices: Use of Synchronization Primitives

Abstract
程序使用了多线程同步,这违反了企业级 JavaBeans 编程规范。
Explanation
企业级 JavaBeans 编程规范要求每个 bean 提供者都必须遵守一系列编程规范,以确保 bean 在任何 EJB 容器 [1] 中的可移植性与行为的一致性。

在这里,程序违背了以下 EJB 指导原则:

“一个企业级 bean 必须禁止利用线程同步机制来同步执行多个实例。”

制定该规范理由如下:

“这一规则要求确保一致的运行时语义,因为一些 EJB 容器可能会使用单个 JVM 来执行所有 bean 实例,而其他一些可能会跨多个 JVM 分布各个 bean 实例。”
References
[1] The Enterprise JavaBeans 2.1 Specification Sun Microsystems
[2] THI01-J. Do not invoke ThreadGroup methods CERT
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 6
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 574
desc.structural.java.ejb_bad_practices_use_of_synchronization_primitives

File Disclosure: Django

Abstract
通过用户输入构建 FileResponse 实例可允许攻击者下载应用程序二进制码,或者查看受保护目录下的任意文件。
Explanation
在以下情况下,会发生文件泄露:
1. 数据从一个不可信赖的数据源进入程序。


2. 数据用于动态地构造一个路径。

例 1:以下代码接收不可信的数据并使用它打开返回给用户的文件。


from django.http import FileResponse
...
def file_disclosure(request):
    path = request.GET['returnURL']
    return FileResponse(open(path, 'rb'))
...


如果攻击者使用请求参数提供与某个敏感文件位置相匹配的 URL,他们将能够查看该文件。例如,使用 "http://www.yourcorp.com/webApp/logic?returnURL=settings.py" 将能够查看该应用程序的“settings.py”。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark partial
[7] Standards Mapping - Common Weakness Enumeration CWE ID 552
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.12.1 Secure File Upload Architectural Requirements (L2 L3), 12.5.1 File Download Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 073
[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[47] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
desc.dataflow.python.file_disclosure_django

File Disclosure: J2EE

Abstract
若通过用户输入构造服务器端重定向路径,攻击者便能够下载应用程序二进制码(包括应用程序的类或 jar 文件)或者查看受保护的目录下的任意文件。
Explanation
在以下情况下,会发生文件泄露:
1. 数据从一个不可信赖的数据源进入程序。


2. 数据用于动态地构造一个路径。

例 1:下面的代码会接受不可信赖的数据,并使用其构造服务器端转发所使用的路径。


...
String returnURL = request.getParameter("returnURL");
	RequestDispatcher rd = request.getRequestDispatcher(returnURL);
	rd.forward();
...
例 2:下面的代码会接受不可信赖的数据,并使用其构造服务器端转发所使用的路径。


...
	<% String returnURL = request.getParameter("returnURL"); %>
	<jsp:include page="<%=returnURL%>" />
	...



如果攻击者使用请求参数提供与某个敏感文件位置相匹配的 URL,他们将能够查看该文件。例如,使用 "http://www.yourcorp.com/webApp/logic?returnURL=WEB-INF/applicationContext.xml" 将能够查看该应用程序的 applicationContext.xml 文件。
在攻击者掌握 applicationContext.xml 的信息之后,他们就能够定位和下载 applicationContext.xml 中引用的其他配置文件,甚至类文件或 jar 文件。这样一来,攻击者将能够获得与应用程序有关的敏感信息,并以之为目标发动其他类型的攻击。
References
[1] Ryan Berg and Dinis Cruz Two Security Vulnerabilities in the Spring Framework's MVC
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.1
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 552
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.12.1 Secure File Upload Architectural Requirements (L2 L3), 12.5.1 File Download Requirements (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[33] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 073
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[48] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
desc.dataflow.java.file_disclosure_j2ee