Input validation and representation problems ares caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.
select()
query that searches for invoices that match a user-specified product category. The user can also specify the column by which the results are sorted. Assume that the application has already properly authenticated and set the value of customerID
prior to this code segment.
...
String customerID = getAuthenticatedCustomerID(customerName, customerCredentials);
...
AmazonSimpleDBClient sdbc = new AmazonSimpleDBClient(appAWSCredentials);
String query = "select * from invoices where productCategory = '"
+ productCategory + "' and customerID = '"
+ customerID + "' order by '"
+ sortColumn + "' asc";
SelectResult sdbResult = sdbc.select(new SelectRequest(query));
...
select * from invoices
where productCategory = 'Fax Machines'
and customerID = '12345678'
order by 'price' asc
productCategory
and price
do not contain single-quote characters. If, however, an attacker provides the string "Fax Machines' or productCategory = \"
" for productCategory
, and the string "\" order by 'price
" for sortColumn
, then the query becomes the following:
select * from invoices
where productCategory = 'Fax Machines' or productCategory = "'
and customerID = '12345678'
order by '" order by 'price' asc
select * from invoices
where productCategory = 'Fax Machines'
or productCategory = "' and customerID = '12345678' order by '"
order by 'price' asc
customerID
, and allows the attacker to view invoice records matching 'Fax Machines'
for all customers.customerID
prior to this code segment.
...
productCategory = this.getIntent().getExtras().getString("productCategory");
sortColumn = this.getIntent().getExtras().getString("sortColumn");
customerID = getAuthenticatedCustomerID(customerName, customerCredentials);
c = invoicesDB.query(Uri.parse(invoices), columns, "productCategory = '" + productCategory + "' and customerID = '" + customerID + "'", null, null, null, "'" + sortColumn + "'asc", null);
...
select * from invoices
where productCategory = 'Fax Machines'
and customerID = '12345678'
order by 'price' asc
productCategory
. So the query behaves correctly only if productCategory
and sortColumn
do not contain single-quote characters. If an attacker provides the string "Fax Machines' or productCategory = \"
" for productCategory
, and the string "\" order by 'price
" for sortColumn
, then the query becomes:
select * from invoices
where productCategory = 'Fax Machines' or productCategory = "'
and customerID = '12345678'
order by '" order by 'price' asc
select * from invoices
where productCategory = 'Fax Machines'
or productCategory = "' and customerID = '12345678' order by '"
order by 'price' asc
customerID
and allows the attacker to view invoice records matching 'Fax Machines'
for all customers.$collection->find(array("username" => $_GET['username']))
$collection->find(array("username" => array('$ne' => "foo")))
HttpRequest
class provides programmatic access to variables from the QueryString
, Form
, Cookies
or ServerVariables
collections in the form of an array access (e.g. Request["myParam"]
). When more than one variable exists with the same name, the .NET framework returns the value of the variable that appears first when the collections are searched in the following order: QueryString
, Form
, Cookies
then ServerVariables
. Since QueryString
comes first in the search order, it is possible for QueryString
parameters to supersede values from forms, cookies, and server variables. Similarly, form values can supersede variables in the Cookies
and ServerVariables
collections and variables from the Cookies
collection can supersede those from ServerVariables
.
...
String toAddress = Request["email"]; //Expects cookie value
Double balance = GetBalance(userID);
SendAccountBalance(toAddress, balance);
...
Example 1
is executed when visiting http://www.example.com/GetBalance.aspx
. If an attacker can cause an authenticated user to click a link that requests http://www.example.com/GetBalance.aspx?email=evil%40evil.com
, an email with the user's account balance will be sent to evil@evil.com
.HttpRequest
class provides programmatic access to variables from the QueryString
, Form
, Cookies
or ServerVariables
collections in the form of an array access (e.g. Request["myParam"]
). When more than one variable exists with the same name, the .NET framework returns the value of the variable that appears first when the collections are searched in the following order: QueryString
, Form
, Cookies
then ServerVariables
. Since QueryString
comes first in the search order, it is possible for QueryString
parameters to supersede values from forms, cookies, and server variables. Similarly, form values can supersede variables in the Cookies
and ServerVariables
collections and variables from the Cookies
collection can supersede those from ServerVariables
.www.example.com
before serving content.
...
if (Request["HTTP_REFERER"].StartsWith("http://www.example.com"))
ServeContent();
else
Response.Redirect("http://www.example.com/");
...
Example 1
is executed when visiting http://www.example.com/ProtectedImages.aspx
. If an attacker makes a direct request to the URL, the appropriate referer header will not be set and the request will fail. However, if the attacker submits an artificial HTTP_REFERER
parameter with the necessary value, such as http://www.example.com/ProtectedImages.aspx?HTTP_REFERER=http%3a%2f%2fwww.example.com
, then the lookup will return the value from QueryString
instead of ServerVariables
and the check will succeed.