界: API Abuse

API 就像是呼叫者與被呼叫者之間簽訂的規定。最常見的 API 濫用形式是由呼叫者這一當事方未能遵守此規定所造成的。例如,如果程式在呼叫 chroot() 後無法呼叫 chdir(),即違反規範如何以安全方式變更使用中根目錄的規定。程式庫濫用的另一個好例子是期待被呼叫者向呼叫者傳回值得信賴的 DNS 資訊。在這種情況下,呼叫者是透過對其行為做出某些假設 (傳回值可用於驗證目的) 來濫用被呼叫者 API。另一方也可能違反呼叫者與被呼叫者間的規定。例如,如果編碼器衍生出子類別 SecureRandom 並傳回一個非隨機值,則違反了規定。

81 找到的項目
弱點

Dangerous Function

Abstract
不應使用無法安全使用的函數。
Explanation
某些函數無論使用方法為何,都有危險性。而且這一類函數的執行通常都沒有經過安全方面的考量。

desc.semantic.cpp.dangerous_function.master
Abstract
不應使用無法安全使用的函數。
Explanation
某些函數無論使用方法為何,都有危險性。而且這一類函數的執行通常都沒有經過安全方面的考量。

desc.semantic.php.dangerous_function.master
Abstract
不應使用無法安全使用的函數。
Explanation
DBMS_UTILITY.EXEC_DDL_STATEMENT 只會執行歸類為資料定義語言 (Data Definition Language) 一部份的指令,並且忽略不受內嵌 SQL 支援的其他指令。使用該程序時,此行為將很難偵測到錯誤。
References
[1] How to write SQL injection proof PL/SQL
desc.semantic.sql.dangerous_function_exec_ddl
Abstract
不應使用無法或很難安全使用的函數。
Explanation
某些函數會以危險或非預期方式執行。而且這一類函數的執行通常都沒有經過安全方面的考量。

desc.structural.ruby.dangerous_function

Dangerous Function: strcpy()

Abstract
不應使用無法安全使用的函數。
Explanation
某些函數無論使用方法為何,都有危險性。而且這一類函數的執行通常都沒有經過安全方面的考量。

References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 676
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002824
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 18-0-5
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-16 Memory Protection (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-16 Memory Protection
[12] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[13] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP2060.4 CAT II, APP3590.2 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP2060.4 CAT II, APP3590.2 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP2060.4 CAT II, APP3590.2 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP2060.4 CAT II, APP3590.2 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP2060.4 CAT II, APP3590.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP2060.4 CAT II, APP3590.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP2060.4 CAT II, APP3590.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002590 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002590 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002590 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002590 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002590 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002590 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002590 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002590 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002590 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002590 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002590 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002590 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002590 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002590 CAT I
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Buffer Overflow (WASC-07)
[49] Standards Mapping - Web Application Security Consortium 24 + 2 Buffer Overflow
desc.semantic.cpp.dangerous_function_strcpy

Dangerous Function: Unsafe Regular Expression

Abstract
絕不能使用無法安全使用的函數。
Explanation
某些函數無論使用方法為何,都有危險性。這一類函數的執行通常都沒有經過安全方面的考量。

範例 1:‎根據 URL http://www.example.com/index.php?param=...,以下在 index.php 中的 php 片段會將 URL 參數 param (以取代「...」的方式傳遞) 的值列印至畫面,只要其符合代表「零或多個英數字元」的 POSIX 一般表示式 '^[[:alnum:]]*$'

  <?php
    $pattern = '^[[:alnum:]]*$';
    $string = $_GET['param'];
    if (ereg($pattern, $string)) {
      echo($string);
    }
  ?>


雖然 Example 1 會按照英數輸入如期操作,但是因為不安全的 ereg() 函數會用於驗證受感染的輸入,所以還是可能會透過 null 位元組執行 Cross-site scripting (XSS) 攻擊。藉由傳遞 param 的值,其中包含有效的英數字串,後面依序接著 null 位元組與 <script> 標籤 (例如 "Hello123%00<script>alert("XSS")</script>"),ereg($pattern, $string) 依然會傳回 true,因為 ereg() 函數在讀取輸入字串 (由左到右) 時,會忽略接在 null 位元組字元後面的任何內容。在此範例中,這表示接在 null 位元組後面注入的 <script> 標籤,將會顯示給使用者並接受評估。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - Common Weakness Enumeration CWE ID 676
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP2060.4 CAT II, APP3590.2 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP2060.4 CAT II, APP3590.2 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP2060.4 CAT II, APP3590.2 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP2060.4 CAT II, APP3590.2 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP2060.4 CAT II, APP3590.2 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP2060.4 CAT II, APP3590.2 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP2060.4 CAT II, APP3590.2 CAT II
desc.semantic.php.dangerous_function_unsafe_regular_expression

Dangerous Function: xp_cmdshell

Abstract
無法安全地使用 xp_cmdshell 函數。不應使用該函數。
Explanation
某些函數無論使用方法為何,都有危險性。xp_cmdshell 函數會啟動 Windows 指令 shell,以執行提供的指令字串。該指令會在預設系統或提供的代理伺服器環境中執行。但是,沒有方法可以將使用者限制為預先指定的權限操作組合,任何權限授予都會開放使用者執行任何指令字串。
References
[1] xp_cmdshell
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - Common Weakness Enumeration CWE ID 242
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
[19] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[20] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.semantic.sql.dangerous_function_xp_cmdshell

Dangerous Method

Abstract
已將此方法註解為危險。此方法的所有用法都會標記為有問題。
Explanation
FortifyDangerous 註解已套用至此方式。會使用此方式來指出危險,而且應該檢查所有用法的安全性。
desc.structural.java.dangerous_method

Dangerous Type

Abstract
已將此變數的類型註解為危險。
Explanation
FortifyDangerous 註解已套用至此類型。會使用此方式來指出危險,而且應該檢查所有用法的安全性。

desc.structural.java.dangerous_class_variable

Directory Restriction

Abstract
chroot() 系統呼叫的不適當使用會讓攻擊者避開系統的封鎖。
Explanation
chroot() 系統呼叫允許程式修改其 File System 的根目錄含義。在適當地進行 chroot() 呼叫之後,程式無法存取新根目錄所定義的目錄樹狀架構之外的任何檔案。這樣的環境叫作 chroot jail,通常是用來阻止程式被推翻、並用來存取未經授權檔案的可能性。例如,很多 FTP 伺服器在 chroot jail 環境中執行,以便用來防止發現新伺服器弱點的攻擊者有能力下載密碼檔或者其他系統中的敏感檔案。

不適當的使用 chroot() 可能會讓攻擊者避開 chroot jail。因為 chroot() 函數呼叫不會改變程式目前的工作目錄,所以在呼叫 chroot() 之後,相關路徑仍然會參照 chroot jail 之外的 File System 資源。

範例 1:考慮以下來自 (假設的) FTP 伺服器的來源程式碼:


chroot("/var/ftproot");
...
fgets(filename, sizeof(filename), network);
localfile = fopen(filename, "r");
while ((len = fread(buf, 1, sizeof(buf), localfile)) != EOF) {
  fwrite(buf, 1, sizeof(buf), network);
}
fclose(localfile);


這段程式碼負責從網路中讀取一個檔案名稱、在本機端開啟對應的檔案,並將資訊內容傳送到網路上。這段程式碼可以用來執行 FTP 指令 GET。FTP 伺服器在其初始化程式中呼叫 chroot(),以避免存取 /var/ftproot 以外的檔案。但是,因為伺服器沒能藉由呼叫 chdir("/") 來變更目前的工作目錄,所以攻擊者就能要求檔案 "../../../../../etc/passwd",並取得系統密碼檔案的副本。
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] A. Chuvakin Using Chroot Securely
desc.semantic.cpp.directory_restriction