界: API Abuse

API 就像是呼叫者與被呼叫者之間簽訂的規定。最常見的 API 濫用形式是由呼叫者這一當事方未能遵守此規定所造成的。例如，如果程式在呼叫 chroot() 後無法呼叫 chdir()，即違反規範如何以安全方式變更使用中根目錄的規定。程式庫濫用的另一個好例子是期待被呼叫者向呼叫者傳回值得信賴的 DNS 資訊。在這種情況下，呼叫者是透過對其行為做出某些假設 (傳回值可用於驗證目的) 來濫用被呼叫者 API。另一方也可能違反呼叫者與被呼叫者間的規定。例如，如果編碼器衍生出子類別 SecureRandom 並傳回一個非隨機值，則違反了規定。

81 找到的項目

弱點

Poor Style: Explicit Call to finalize()

Java/JSP

Abstract

finalize() 方法只能在物件回收後才能由 JVM 進行呼叫。

Explanation

儘管 Java 語言規範中允許外部終結器呼叫物件的 finalize() 方法，但是這麼做不是一個好辦法。例如，直接呼叫 finalize() 表示會不只一次呼叫 finalize() 方法：第一次將會直接呼叫，而最後一次呼叫會在物件回收之後執行。

範例 1： 下列的程式碼片段直接呼叫 finalize()：


// time to clean up
widget.finalize();

References

[1] MET12-J. Do not use finalizers CERT

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - Common Weakness Enumeration CWE ID 586

desc.structural.java.poor_style_explicit_call_to_finalize

React Bad Practices: Dangerously Set InnerHTML

JavaScript/TypeScript

Abstract

dangerouslySetInnerHTML 從程式碼中設定 HTML 屬性是多餘的。

Explanation

React 中的 dangerouslySetInnerHTML 屬性可取代在瀏覽器 DOM 中使用 innerHTML，但 API 已重新命名以傳達使用它的潛在危險。通常，從程式碼設定 HTML 是有風險的，因為它很容易在無意中使您的使用者遭受 Cross-Site Scripting (XSS) 攻擊。
範例 1：以下程式碼從程式碼將 HTML 設為 dangerouslySetInnerHTML 屬性：


      function MyComponent(data) {
        return (
          <div
            dangerouslySetInnerHTML={{__html: data.innerHTML}}
          />
        );
      }

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

desc.structural.javascript.react_bad_practices_dangerously_set_innerhtml

SQL Bad Practices: Direct Update

ABAP

Abstract

Direct Open SQL 寫入操作是不良的作法，應予以避免。

Explanation

一般而言，Direct Open SQL 寫入操作 (插入/更新/修改/刪除) 是不良的作法，應予以避免。這些更新會破壞系統的完整性與安全性，因此應禁止。

Direct Open SQL 寫入操作還容易發生錯誤，可能導致非預期的系統行為。在 SAP 中，需要小心的一些問題包括：

- SAP 建議使用「更新統合」技術確保 SAP LUW (工作的邏輯單元) 中可能跨多個資料庫 LUW 的資料完整性。直接修改表格項目而不更新統合可能使 SAP 交易處於不一致的狀態。

- Direct Open SQL 寫入操作只設定資料庫級別的鎖定，而略過 SAP 應用程式鎖定。這可能導致鎖死和資料損壞。

- Direct Open SQL 寫入操作略過應用程式內的 SAP 授權檢查。

- 在使用標準機制寫入表格項目、編輯檢查、稽核路徑時，相依的更新 (例如變更文件) 全部會正確執行。而使用 Direct Open SQL 寫入操作時不是這樣。

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4

[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[6] Standards Mapping - Common Weakness Enumeration CWE ID 662

[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362

[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002235

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II

[12] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II

desc.structural.abap.sql_bad_practices_direct_update

SQL Bad Practices: Underspecified Identifier

PLSQL/TSQL

Abstract

啟動程式的權限封包不應使用沒有結構的識別碼。

Explanation

在啟動程式權限或 AUTHID CURRENT_USER 封包中，識別碼會先針對目前使用者的結構進行解析。如果程式碼的定義碼無法明確說明識別碼屬於哪一種結構，將會造成意外的行為。

範例：下列程式碼會在權限表格中查詢使用者，檢查使用者是否擁有執行操作的權限。大多數使用者只能讀取 SYS.PERMISSIONS，無法修改已定義的權限。


CREATE or REPLACE FUNCTION check_permissions(
  p_name IN VARCHAR2, p_action IN VARCHAR2)
  RETURN BOOLEAN
  AUTHID CURRENT_USER
IS
  r_count NUMBER;
  perm BOOLEAN := FALSE;
BEGIN
  SELECT count(*) INTO r_count FROM PERMISSIONS
    WHERE name = p_name AND action = p_action;
  IF r_count > 0 THEN
    perm := TRUE;
  END IF;
  RETURN perm;
END check_permissions

如果使用者呼叫 check_permissions 函數，並於所在結構中定義一個 PERMISSIONS 表格，資料庫將會解析識別碼以參照本機表格。接著，使用者會擁有新表格的寫入權限，並可修改表格以取得原本沒有的權限。

References

[1] Oracle Oracle Database PL/SQL Language Reference

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

desc.structural.sql.sql_bad_practices_underspecified_identifier

Struts 2 Bad Practices: Application Map Tampering

Java/JSP

Abstract

Struts 2.x 動作實作某類別，攻擊者可藉此透過將任意資料繫結至階段作業、應用程式或要求伺服器端物件，以修改應用程式的業務邏輯。

Explanation

Apache Struts 2.x 包括新的 Aware 介面，開發人員可藉此將對映 (含相關執行階段資訊) 輕鬆注入其動作程式碼。這些介面包括：org.apache.struts2.interceptor.ApplicationtAware、org.apache.struts2.interceptor.SessionAware 和 org.apache.struts2.interceptor.RequestAware。為了將其中任何資料對映注入其動作程式碼，開發人員需要實作介面中指定的 Setter (例如：SessionAware 介面的 setSession)：


public class VulnerableAction extends ActionSupport implements SessionAware {

  protected Map<String, Object> session;

  @Override
  public void setSession(Map<String, Object> session) {
    this.session = session;
  }

另一方面，Struts 2.x 會透過動作中定義的公用存取子，將來自使用者的要求資料自動繫結至動作的屬性。由於 Aware 介面需要實作 Aware 介面中定義的公用 Setter，因此該 Setter 也會自動連結至符合 Aware 介面 Setter 名稱的任意要求參數，遠端攻擊者可能會藉此修改實作受影響介面的應用程式的參數，以修改執行階段資料值，如 SessionAware、RequestAware、ApplicationAware 介面所示。

以下 URL 將允許攻擊者覆寫階段作業對應中的「roles」屬性。這可能會允許攻擊者成為管理員。


http://server/VulnerableAction?session.roles=admin

雖然這些介面僅需要實作 Setter 存取子，但是若同時已實作對應的 Getter，則對這些對應集合的變更將在階段作業範圍內生效，而不僅僅是對目前要求的範圍產生影響。

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2

[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[7] Standards Mapping - CIS Kubernetes Benchmark partial

[8] Standards Mapping - Common Weakness Enumeration CWE ID 20

[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020

[10] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020

[11] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020

[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754

[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[21] Standards Mapping - OWASP Top 10 2021 A03 Injection

[22] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)

[24] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[50] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)

desc.structural.java.struts2_bad_practices_application_map_tampering

Struts 2 Bad Practices: Dynamic Method Invocation

Java/JSP

Abstract

Struts 2 動作會洩漏可由一般使用者呼叫的公用方法，該方法會取代動作的 execute() 方法。

Explanation

Struts 2 引入了稱為「動態方法呼叫」的功能，動作可藉此洩漏除 execute() 之外的方法。! (驚嘆號) 字元或 method: 字首可用於動作 URL 中，在啟用「動態方法呼叫」時呼叫動作中的任何公用方法。未發覺此功能的開發人員會不慎向攻擊者洩漏內部業務邏輯。

例如，若動作包含稱為 getUserPassword() 的公用方法，而該方法不使用任何引數，且無法停用「動態方法呼叫」功能，則攻擊者可以利用這一點造訪以下 URL： http://server/app/recoverpassword!getPassword.action

References

[1] Struts 2 Security Vulnerability - Dynamic Method Invocation

[2] Struts 2 - Dynamic Method Invocation

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2

[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4

[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[8] Standards Mapping - CIS Kubernetes Benchmark partial

[9] Standards Mapping - Common Weakness Enumeration CWE ID 285

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001764, CCI-001774, CCI-002165

[11] Standards Mapping - FIPS200 AC

[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement

[15] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[16] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[17] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[18] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[19] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[20] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[21] Standards Mapping - OWASP API 2023 API5 Broken Function Level Authorization

[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)

[23] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285

[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 862

[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.java.struts2_bad_practices_dynamic_method_invocation

Struts 2 Bad Practices: Request Map Tampering

Java/JSP

Abstract

Struts 2.x 動作實作某類別，攻擊者可藉此透過將任意資料繫結至階段作業、應用程式或要求伺服器端物件，以修改應用程式的業務邏輯。

Explanation


public class VulnerableAction extends ActionSupport implements SessionAware {

  protected Map<String, Object> session;

  @Override
  public void setSession(Map<String, Object> session) {
    this.session = session;
  }


http://server/VulnerableAction?session.roles=admin