Kingdom: API Abuse
An API is a contract between a caller and a callee. The most common forms of API abuse are caused by the caller failing to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller abuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.
Often Misused: Encoding
Abstract
Improper overriding of the classes in the .NET Framework, may lead to arbitrary code execution on the server, abuse of application logic or denial of service.
Explanation
Regardless of the language a program is written in, the most devastating attacks often involve remote code execution, whereby an attacker succeeds in executing malicious code in the program's context. The
When performing pointer arithmetic operations, developers often override the preceding methods in a bad fashion and introduce vulnerabilities such as arbitrary code execution, application logic abuse and denial of service.
GetChars method in Decoder & Encoding classes and the GetBytes method in Encoder & Encoding classes in the .NET Framework internally performs pointer arithmetic on the char & byte arrays to convert range of character into range of bytes and vice versa. When performing pointer arithmetic operations, developers often override the preceding methods in a bad fashion and introduce vulnerabilities such as arbitrary code execution, application logic abuse and denial of service.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 176
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.2 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[4] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[5] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
desc.structural.dotnet.often_misused_encoding
Abstract
This method is difficult to use correctly.
Explanation
It is easy to believe that this encoding method will protect against injection attacks, but if the method is not used in exactly the right context, it can offer much less protection than it advertises.
Example 1: The following encoding call allows an attacker quite a bit of latitude for inserting malicious JavaScript:
Example 1: The following encoding call allows an attacker quite a bit of latitude for inserting malicious JavaScript:
out.println("x = " + encoder.encodeForJavaScript(input) + ";");
References
[1] OWASP ESAPI Secure Coding Guideline
[2] Standards Mapping - Common Weakness Enumeration CWE ID 176
[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[4] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.2 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[5] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[6] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
desc.structural.java.often_misused_encoding
Abstract
The identified call may best-fit characters. Unsupported characters passed to default API methods can be best-fit mapped to dangerous characters.
Explanation
When character sets are mismatched between the operating system and applications running on the operating system, unsupported characters passed to default API methods can be best-fit mapped to dangerous characters.
Example 1: In Objective-C, the following example converts an NSString object containing a UTF-8 character to ASCII data then back:
If you look at the output carefully, the "..." character was translated to three consecutive periods. If you had sized your output buffer based on the input buffer your application could be vulnerable to buffer overflow. Other characters can get mapped from one character to two. The Greek "fi" character will get mapped to an "f" followed by an "i". By front loading the buffer with these characters an attacker gains complete control over the number of characters used to overflow the buffer.
Example 1: In Objective-C, the following example converts an NSString object containing a UTF-8 character to ASCII data then back:
...
unichar ellipsis = 0x2026;
NSString *myString = [NSString stringWithFormat:@"My Test String%C", ellipsis];
NSData *asciiData = [myString dataUsingEncoding:NSASCIIStringEncoding allowLossyConversion:YES];
NSString *asciiString = [[NSString alloc] initWithData:asciiData encoding:NSASCIIStringEncoding];
NSLog(@"Original: %@ (length %d)", myString, [myString length]);
NSLog(@"Best-fit-mapped: %@ (length %d)", asciiString, [asciiString length]);
// output:
// Original: My Test String... (length 15)
// Best-fit-mapped: My Test String... (length 17)
...
If you look at the output carefully, the "..." character was translated to three consecutive periods. If you had sized your output buffer based on the input buffer your application could be vulnerable to buffer overflow. Other characters can get mapped from one character to two. The Greek "fi" character will get mapped to an "f" followed by an "i". By front loading the buffer with these characters an attacker gains complete control over the number of characters used to overflow the buffer.
References
[1] Apple Secure Coding Guide Apple
[2] String Programming Guide Apple
[3] Standards Mapping - Common Weakness Enumeration CWE ID 176
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.2 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[6] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[7] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
desc.semantic.objc.method_may_best_fit_map_characters
Abstract
The identified call may best-fit characters. Unsupported characters passed to default API methods can be best-fit mapped to dangerous characters.
Explanation
When character sets are mismatched between the operating system and applications running on the operating system, unsupported characters passed to default API methods can be best-fit mapped to dangerous characters.
Example 1: In Swift, the following example converts an NSString object containing a UTF-8 character to ASCII data then back:
If you look at the output carefully, the "..." character was translated to three consecutive periods. If you had sized your output buffer based on the input buffer your application could be vulnerable to buffer overflow. Other characters can get mapped from one character to two. The Greek "fi" character will get mapped to an "f" followed by an "i". By front loading the buffer with these characters an attacker gains complete control over the number of characters used to overflow the buffer.
Example 1: In Swift, the following example converts an NSString object containing a UTF-8 character to ASCII data then back:
...
let ellipsis = 0x2026;
let myString = NSString(format:"My Test String %C", ellipsis)
let asciiData = myString.dataUsingEncoding(NSASCIIStringEncoding, allowLossyConversion:true)
let asciiString = NSString(data:asciiData!, encoding:NSASCIIStringEncoding)
NSLog("Original: %@ (length %d)", myString, myString.length)
NSLog("Best-fit-mapped: %@ (length %d)", asciiString!, asciiString!.length)
// output:
// Original: My Test String ... (length 16)
// Best-fit-mapped: My Test String ... (length 18)
...
If you look at the output carefully, the "..." character was translated to three consecutive periods. If you had sized your output buffer based on the input buffer your application could be vulnerable to buffer overflow. Other characters can get mapped from one character to two. The Greek "fi" character will get mapped to an "f" followed by an "i". By front loading the buffer with these characters an attacker gains complete control over the number of characters used to overflow the buffer.
References
[1] Apple Secure Coding Guide Apple
[2] String Programming Guide Apple
[3] Standards Mapping - Common Weakness Enumeration CWE ID 176
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.2 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[6] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[7] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
desc.semantic.swift.method_may_best_fit_map_characters