Kingdom: API Abuse
An API is a contract between a caller and a callee. The most common forms of API abuse are caused by the caller failing to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion. Another good example of library abuse is expecting the callee to return trustworthy DNS information to the caller. In this case, the caller abuses the callee API by making certain assumptions about its behavior (that the return value can be used for authentication purposes). One can also violate the caller-callee contract from the other side. For example, if a coder subclasses SecureRandom and returns a non-random value, the contract is violated.
Path Manipulation: Relative Path Overwrite
Abstract
Anomalous handling of relative paths by an application server can enable attackers to bypass existing protections for vulnerabilities such as cross-site scripting and provide new ways to attack the application.
Explanation
Path Manipulation can occur when the paths of resources included in an application are modified by changing the way they are imported. This can happen with to the following conditions:
- Usage of relative paths to import resources
- Ability to overwrite the relative path by manipulating the URL
In some cases, browsers using quirks mode might be required to exploit the underlying vulnerability (this can be triggered by using the HTML meta tag or an older doctype).
- Usage of relative paths to import resources
- Ability to overwrite the relative path by manipulating the URL
In some cases, browsers using quirks mode might be required to exploit the underlying vulnerability (this can be triggered by using the HTML meta tag or an older doctype).
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 22
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[9] Standards Mapping - FIPS200 AC, SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.3.1 File Execution Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Top 10 2010 A8 Failure to Restrict URL Access
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3460 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3460 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3460 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3460 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3460 CAT I, APP3600 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3460 CAT I, APP3600 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3460 CAT I, APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dynamic.xtended_preview.path_manipulation_relative_path_overwrite