Kingdom: API Abuse

An API is a contract between a caller and a callee. The most common forms of API abuse are caused by the caller failing to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller abuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). The other side of the caller-callee contract can also be violated. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.

81 items found
Weaknesses
Abstract
The program violates the Enterprise JavaBeans specification by using AWT/Swing.
Explanation
The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean is portable and behaves consistently in any EJB container [1].

In this case, the program violates the following EJB guideline:

"An enterprise bean must not use the AWT functionality to attempt to output information to a display, or to input information from a keyboard."

The specification gives the following justification for this requirement:

"Most servers do not allow direct interaction between an application program and a keyboard/display attached to the server system."
References
[1] The Enterprise JavaBeans 2.1 Specification Sun Microsystems
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 6
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 575
desc.structural.java.ejb_bad_practices_use_of_awt_swing
Abstract
The program violates the Enterprise JavaBeans specification by using a class loader.
Explanation
The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean is portable and behaves consistently in any EJB container [1].

In this case, the program violates the following EJB guideline:

"The enterprise bean must not attempt to create a class loader; obtain the current class loader; set the context class loader; set the security manager; create a new security manager; stop the JVM; or change the input, output, and error streams."

The specification gives the following justification for this requirement:

"These functions are reserved for the EJB container. Allowing the enterprise bean to use these functions could compromise security and decrease the container's ability to properly manage the runtime environment."
References
[1] The Enterprise JavaBeans 2.1 Specification Sun Microsystems
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 6
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 578
desc.structural.java.ejb_bad_practices_use_of_classloader
Abstract
The program violates the Enterprise JavaBeans specification by using the java.io package.
Explanation
The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean is portable and behaves consistently in any EJB container [1].

In this case, the program violates the following EJB guideline:

"An enterprise bean must not use the java.io package to attempt to access files and directories in the file system."

The specification gives the following justification for this requirement:

"The file system APIs are not well-suited for business components to access data. Business components should use a resource manager API, such as JDBC, to store data."
References
[1] The Enterprise JavaBeans 2.1 Specification Sun Microsystems
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 6
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 576
desc.structural.java.ejb_bad_practices_use_of_java_io
Abstract
The program violates the Enterprise JavaBeans specification by using sockets.
Explanation
The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean is portable and behaves consistently in any EJB container [1].

In this case, the program violates the following EJB guideline:

"An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast."

The specification gives the following justification for this requirement:

"The EJB architecture allows an enterprise bean instance to act as a network socket client, but it does not allow it to act as a network server. Allowing the instance to become a network server would conflict with the basic function of the enterprise bean, which is to serve the EJB clients."
References
[1] The Enterprise JavaBeans 2.1 Specification Sun Microsystems
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 6
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 577
desc.structural.java.ejb_bad_practices_use_of_sockets
Abstract
The program violates the Enterprise JavaBeans specification by using thread synchronization primitives.
Explanation
The Enterprise JavaBeans specification requires that every bean provider follow a set of programming guidelines designed to ensure that the bean is portable and behaves consistently in any EJB container [1].

In this case, the program violates the following EJB guideline:

"An enterprise bean must not use thread synchronization primitives to synchronize the execution of multiple instances."

The specification gives the following justification for this requirement:

"This rule is required to ensure consistent runtime semantics because, while some EJB containers may use a single JVM to execute all enterprise bean instances, others may distribute the instances across multiple JVMs."
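The five EJB restrictions described in the entries above (AWT/Swing, class loaders, java.io, sockets, and synchronization primitives) are the kind of structural rule a static analyser applies to bean source. The following Python scanner is an added example, not part of this page and not the analyser's own rule logic: it approximates each restriction as a line-level pattern and reports every match with the CWE ID the page maps that restriction to. The regular expressions, the helper names and the Java bean it scans are all constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# One rule per EJB restriction. The CWE IDs are the page's own mappings; the
# regular expressions are this example's rough line-level approximation of the
# restriction (assumption), not the analyser's actual matching logic.
EJB_RULES = [
    (575, "AWT/Swing output or input",
     re.compile(r"\b(java\.awt|javax\.swing)\b|\bJOptionPane\b")),
    (578, "class loader, security manager, JVM or stream control",
     re.compile(r"\b(getClassLoader|setContextClassLoader|setSecurityManager|"
                r"System\.exit|System\.set(In|Out|Err))\s*\(")),
    (576, "java.io file system access",
     re.compile(r"\bjava\.io\.(File|FileInputStream|FileOutputStream|FileReader|"
                r"FileWriter|RandomAccessFile)\b|"
                r"\bnew\s+(File|FileInputStream|FileOutputStream|FileReader|"
                r"FileWriter|RandomAccessFile)\s*\(")),
    (577, "socket server or multicast use",
     re.compile(r"\b(ServerSocket|MulticastSocket)\b")),
    (574, "thread synchronization primitive",
     re.compile(r"\bsynchronized\b")),
]

# Constructed sample bean that breaks every one of the five restrictions.
SAMPLE_BEAN = """\
package example;                                   // constructed sample, not real project code

import java.io.File;
import javax.swing.JOptionPane;
import java.net.ServerSocket;

public class ReportBean implements javax.ejb.SessionBean {
    private static final Object LOCK = new Object();

    public void generate(String name) {
        synchronized (LOCK) {                          // CWE 574
            File out = new File("/tmp/" + name);       // CWE 576
            JOptionPane.showMessageDialog(null, name); // CWE 575
        }
        ClassLoader cl = getClass().getClassLoader();  // CWE 578
        System.exit(0);                                // CWE 578
    }

    public void listen() throws java.io.IOException {
        ServerSocket ss = new ServerSocket(8080);      // CWE 577
        ss.accept();
    }
}
"""


def _strip_comments(line: str) -> str:
    """Drop a trailing '//' comment and ignore block-comment lines so that
    explanatory text never produces a finding (a simplification: a '//'
    inside a string literal would also be cut)."""
    stripped = line.strip()
    if stripped.startswith(("//", "/*", "*")):
        return ""
    return line.split("//", 1)[0]


def scan_ejb_source(source: str) -> List[Tuple[int, int, str]]:
    """Return (line number, CWE ID, restriction) for each line of Java source
    that matches one of the EJB restriction patterns."""
    findings: List[Tuple[int, int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = _strip_comments(line)
        if not code.strip():
            continue
        for cwe, label, pattern in EJB_RULES:
            if pattern.search(code):
                findings.append((lineno, cwe, label))
    return findings


def count_by_cwe(findings: List[Tuple[int, int, str]]) -> Dict[int, int]:
    """Aggregate findings into a per-CWE count, the shape a report summary needs."""
    counts: Dict[int, int] = {}
    for _, cwe, _ in findings:
        counts[cwe] = counts.get(cwe, 0) + 1
    return counts


if __name__ == "__main__":
    for lineno, cwe, label in scan_ejb_source(SAMPLE_BEAN):
        print(f"line {lineno:2d}: CWE-{cwe} {label}")
    print(count_by_cwe(scan_ejb_source(SAMPLE_BEAN)))
```

A pattern scanner of this kind has no type or data-flow information, so it over-reports (any `synchronized` keyword, even on a local helper) and under-reports (a `File` obtained through a factory method); the point of the example is the mapping from each quoted restriction to a concrete check and a CWE ID, not the precision of the matching.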
References
[1] The Enterprise JavaBeans 2.1 Specification Sun Microsystems
[2] THI01-J. Do not invoke ThreadGroup methods CERT
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 6
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 574
desc.structural.java.ejb_bad_practices_use_of_synchronization_primitives
Abstract
Constructing a FileResponse instance from user input can allow an attacker to download application binaries or to view arbitrary files within protected directories.
Explanation
File disclosure occurs when the following conditions are met:
1. Data enters the program from an untrusted source.
2. The data is used to dynamically construct a path.

Example 1: The following code takes untrusted data and uses it to open a file that is then returned to the user.

from django.http import FileResponse
...
def file_disclosure(request):
    # 'returnURL' is attacker-controlled and is used verbatim as a file system path
    path = request.GET['returnURL']
    # Whatever file that path names is opened and streamed back to the client
    return FileResponse(open(path, 'rb'))
...

If an attacker provides a URL whose request parameter matches a sensitive file location, they will be able to view that file. For example, "http://www.yourcorp.com/webApp/logic?returnURL=settings.py" would let them view the application's "settings.py".
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark partial
[7] Standards Mapping - Common Weakness Enumeration CWE ID 552
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.12.1 Secure File Upload Architectural Requirements (L2 L3), 12.5.1 File Download Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 073
[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[47] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
desc.dataflow.python.file_disclosure_django
Abstract
Constructing a server-side redirect path from user input can allow an attacker to download application binaries (including application classes or jar files) or to view arbitrary files within protected directories.
Explanation
File disclosure occurs when the following conditions are met:
1. Data enters the program from an untrusted source.
2. The data is used to dynamically construct a path.

Example 1: The following code takes untrusted data and uses it to build the path that is used in a server-side forward.

...
// The request parameter is attacker-controlled and becomes the forward target path
String returnURL = request.getParameter("returnURL");
RequestDispatcher rd = request.getRequestDispatcher(returnURL);
rd.forward(request, response);
...

Example 2: The following code takes untrusted data and uses it to build the path that is used in a server-side forward.

...
<% String returnURL = request.getParameter("returnURL"); %>
<jsp:include page="<%=returnURL%>" />
...

If an attacker provides a URL whose request parameter matches a sensitive file location, they will be able to view that file. For example, "http://www.yourcorp.com/webApp/logic?returnURL=WEB-INF/applicationContext.xml" would let them view the application's applicationContext.xml.
Once the attacker has applicationContext.xml, they can locate and download other configuration files referenced in it, and possibly class or jar files as well. This lets the attacker gather sensitive information about the application and target it with other kinds of attacks.
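Both file disclosure entries (the Django FileResponse view and the servlet forward / jsp:include above) share one root cause: a request parameter is used as a path. The following Python code is an added example, not part of this page or of Django's or the servlet API's own code, showing the two defensive shapes that remove it. For the download case the untrusted value is confined to one dedicated directory by resolving it and checking containment; for the forward case the parameter is treated as a logical view name and looked up in an allowlist, so no request-derived path ever reaches the dispatcher. The directory layout, file names and view names are constructed for the example.

```python
import tempfile
from pathlib import Path
from typing import Optional

# --- Case 1: the Django FileResponse view ----------------------------------
# Files are served only from one dedicated directory; the request supplies a
# path relative to it, never an arbitrary file system path.


def resolve_download(base_dir: Path, user_path: str) -> Optional[Path]:
    """Return the file to serve, or None if the request must be refused.
    The untrusted value is joined to base_dir and then resolved, so '..'
    segments, absolute paths and symlinks are collapsed before the
    containment check rather than after it."""
    base = base_dir.resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError if it escaped base_dir
    except ValueError:
        return None
    if not candidate.is_file():      # directories and missing files are refused too
        return None
    return candidate


def read_download(base_dir: Path, user_path: str) -> Optional[bytes]:
    """What a hardened view streams back; None maps to a 404 in the view.
    Under Django the last line would be FileResponse(open(path, 'rb'))."""
    path = resolve_download(base_dir, user_path)
    return path.read_bytes() if path is not None else None


# --- Case 2: the servlet forward / jsp:include -----------------------------
# A forward target is chosen by the application, so the safe shape is an
# allowlist lookup keyed by a logical name. (Constructed view names.)
FORWARD_TARGETS = {
    "home": "/WEB-INF/jsp/home.jsp",
    "report": "/WEB-INF/jsp/report.jsp",
}


def resolve_forward_target(return_url: str) -> Optional[str]:
    """Map the untrusted 'returnURL' parameter to a known forward target.
    Anything not in the allowlist, including 'WEB-INF/applicationContext.xml',
    yields None and the request is rejected."""
    return FORWARD_TARGETS.get(return_url)


# --- Constructed sandbox used to exercise the checks ------------------------
def make_demo_tree() -> Path:
    """Create <root>/settings.py (sensitive, outside the download directory)
    and <root>/downloads/reports/q1.pdf (public) in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="filedisclosure_"))
    (root / "settings.py").write_text("SECRET_KEY = 'constructed-example'\n")
    (root / "downloads" / "reports").mkdir(parents=True)
    (root / "downloads" / "reports" / "q1.pdf").write_bytes(
        b"%PDF-1.4 constructed sample\n")
    return root


if __name__ == "__main__":
    downloads = make_demo_tree() / "downloads"
    for requested in ("reports/q1.pdf", "../settings.py", "/etc/passwd", "reports"):
        print(f"{requested!r:20} -> {resolve_download(downloads, requested)}")
    for requested in ("report", "WEB-INF/applicationContext.xml"):
        print(f"{requested!r:34} -> {resolve_forward_target(requested)}")
```

The order of operations in resolve_download matters: resolving first and then checking containment defeats "..", leading slashes and symlinks in one step, whereas string checks such as rejecting ".." in the raw parameter miss absolute paths and symlinked entries. The allowlist in the forward case is the stronger control and should be preferred wherever the set of legitimate targets is known in advance.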
References
[1] Ryan Berg and Dinis Cruz Two Security Vulnerabilities in the Spring Framework's MVC
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.1
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 552
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.12.1 Secure File Upload Architectural Requirements (L2 L3), 12.5.1 File Download Requirements (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[33] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 073
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[48] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
desc.dataflow.java.file_disclosure_j2ee