CREATE command that is sent to the IMAP server. An attacker may use this parameter to modify the command sent to the server and inject new commands using CRLF characters.
...
final String foldername = request.getParameter("folder");
IMAPFolder folder = (IMAPFolder) store.getFolder("INBOX");
...
folder.doCommand(new IMAPFolder.ProtocolCommand() {
@Override
public Object doCommand(IMAPProtocol imapProtocol) throws ProtocolException {
try {
imapProtocol.simpleCommand("CREATE " + foldername, null);
} catch (Exception e) {
// Handle Exception
}
return null;
}
});
...
USER and PASS command that is sent to the POP3 server. An attacker may use this parameter to modify the command sent to the server and inject new commands using CRLF characters.
...
String username = request.getParameter("username");
String password = request.getParameter("password");
...
POP3SClient pop3 = new POP3SClient(proto, false);
pop3.login(username, password)
...
VRFY command that is sent to the SMTP server. An attacker might use this parameter to modify the command sent to the server and inject new commands using CRLF characters.
...
c, err := smtp.Dial(x)
if err != nil {
log.Fatal(err)
}
user := request.FormValue("USER")
c.Verify(user)
...
VRFY command that is sent to the SMTP server. An attacker may use this parameter to modify the command sent to the server and inject new commands using CRLF characters.
...
String user = request.getParameter("user");
SMTPSSLTransport transport = new SMTPSSLTransport(session,new URLName(Utilities.getProperty("smtp.server")));
transport.connect(Utilities.getProperty("smtp.server"), username, password);
transport.simpleCommand("VRFY " + user);
...
VRFY command that is sent to the SMTP server. An attacker may use this parameter to modify the command sent to the server and inject new commands using CRLF characters.
...
user = request.GET['user']
session = smtplib.SMTP(smtp_server, smtp_tls_port)
session.ehlo()
session.starttls()
session.login(username, password)
session.docmd("VRFY", user)
...
RegisterModel or Details classes:
public ActionResult Register(RegisterModel model)
{
if (ModelState.IsValid)
{
try
{
return RedirectToAction("Index", "Home");
}
catch (MembershipCreateUserException e)
{
ModelState.AddModelError("", "");
}
}
return View(model);
}
RegisterModel class is defined as:
public class RegisterModel
{
[BindRequired]
[Display(Name = "User name")]
public string UserName { get; set; }
[BindRequired]
[DataType(DataType.Password)]
[Display(Name = "Password")]
public string Password { get; set; }
[DataType(DataType.Password)]
[Display(Name = "Confirm password")]
public string ConfirmPassword { get; set; }
public Details Details { get; set; }
public RegisterModel()
{
Details = new Details();
}
}
Details class is defined as:Example 2: When using
public class Details
{
public bool IsAdmin { get; set; }
...
}
TryUpdateModel() or UpdateModel() in ASP.NET MVC or Web API applications, the model binder will automatically try to bind all HTTP request parameters by default:Example 3: In ASP.NET Web Form applications, the model binder will automatically try to bind all HTTP request parameters when using
public ViewResult Register()
{
var model = new RegisterModel();
TryUpdateModel<RegisterModel>(model);
return View("detail", model);
}
TryUpdateModel() or UpdateModel() with IValueProvider interface.
Employee emp = new Employee();
TryUpdateModel(emp, new System.Web.ModelBinding.FormValueProvider(ModelBindingExecutionContext));
if (ModelState.IsValid)
{
db.SaveChanges();
}
Employee class is defined as:
public class Employee
{
public Employee()
{
IsAdmin = false;
IsManager = false;
}
public string Name { get; set; }
public string Email { get; set; }
public bool IsManager { get; set; }
public bool IsAdmin { get; set; }
}
Booking class:
<view-state id="enterBookingDetails" model="booking">
<on-render>
<render fragments="body" />
</on-render>
<transition on="proceed" to="reviewBooking">
</transition>
<transition on="cancel" to="cancel" bind="false" />
</view-state>
Booking class is defined as:
public class Booking implements Serializable {
private Long id;
private User user;
private Hotel hotel;
private Date checkinDate;
private Date checkoutDate;
private String creditCard;
private String creditCardName;
private int creditCardExpiryMonth;
private int creditCardExpiryYear;
private boolean smoking;
private int beds;
private Set<Amenity> amenities;
// Public Getters and Setters
...
}
Order, Customer, and Profile are Microsoft .NET Entity persisted classes.
public class Order {
public string ordered { get; set; }
public List<LineItem> LineItems { get; set; }
pubilc virtual Customer Customer { get; set; }
...
}
public class Customer {
public int CustomerId { get; set; }
...
public virtual Profile Profile { get; set; }
...
}
public class Profile {
public int profileId { get; set; }
public string username { get; set; }
public string password { get; set; }
...
}
OrderController is the ASP.NET MVC controller class handling the request:
public class OrderController : Controller{
StoreEntities db = new StoreEntities();
...
public String updateOrder(Order order) {
...
db.Orders.Add(order);
db.SaveChanges();
}
}
Order, Customer, and Profile are Hibernate persisted classes.
public class Order {
String ordered;
List lineItems;
Customer cust;
...
}
public class Customer {
String customerId;
...
Profile p;
...
}
public class Profile {
String profileId;
String username;
String password;
...
}
OrderController is the Spring controller class handling the request:
@Controller
public class OrderController {
...
@RequestMapping("/updateOrder")
public String updateOrder(Order order) {
...
session.save(order);
}
}
Register) is accessed from a web form that asks the users to register an account by providing their name and password:
public ActionResult Register(RegisterModel model)
{
if (ModelState.IsValid)
{
try
{
return RedirectToAction("Index", "Home");
}
catch (MembershipCreateUserException e)
{
ModelState.AddModelError("", "");
}
}
return View(model);
}
RegisterModel class is defined as:
public class RegisterModel
{
[BindRequired]
[Display(Name = "User name")]
public string UserName { get; set; }
[BindRequired]
[DataType(DataType.Password)]
[Display(Name = "Password")]
public string Password { get; set; }
[DataType(DataType.Password)]
[Display(Name = "Confirm password")]
public string ConfirmPassword { get; set; }
public Details Details { get; set; }
public RegisterModel()
{
Details = new Details();
}
}
Details class is defined as:
public class Details
{
public bool IsAdmin { get; set; }
...
}
Example 1, an attacker may be able to explore the application and discover that there is a Details attribute in the RegisterModel model. If this is the case, the attacker may then attempt to overwrite the current values assigned to their attributes.
name=John&password=****&details.is_admin=true
<struts-config>
<form-beans>
<form-bean name="dynaUserForm"
type="org.apache.struts.action.DynaActionForm" >
<form-property name="type" type="java.lang.String" />
<form-property name="user" type="com.acme.common.User" />
</form-bean>
...
User class is defined as:
public class User {
private String name;
private String lastname;
private int age;
private Details details;
// Public Getters and Setters
...
}
Details class is defined as:
public class Details {
private boolean is_admin;
private int id;
private Date login_date;
// Public Getters and Setters
...
}
Example 1, an attacker may be able to explore the application and discover that there is a details attribute in the User model. If this is the case, the attacker may then attempt to overwrite the current values assigned to their attributes.
type=free&user.name=John&user.lastname=Smith&age=22&details.is_admin=true
null.Item property is null before calling the member function Equals(), potentially causing a null dereference.
string itemName = request.Item(ITEM_NAME);
if (itemName.Equals(IMPORTANT_ITEM)) {
...
}
...
null value."null.malloc().
buf = (char*) malloc(req_size);
strncpy(buf, xfer, req_size);
malloc() fail because req_size was too large or because there were too many requests being handled at the same time? Or was it caused by a memory leak that has built up over time? Without handling the error, there is no way to know.null.getParameter() is null before calling the member function compareTo(), potentially causing a null dereference.Example 2:. The following code shows a system property that is set to
String itemName = request.getParameter(ITEM_NAME);
if (itemName.compareTo(IMPORTANT_ITEM)) {
...
}
...
null and later dereferenced by a programmer who mistakenly assumes it will always be defined.
System.clearProperty("os.name");
...
String os = System.getProperty("os.name");
if (os.equalsIgnoreCase("Windows 95") )
System.out.println("Not supported");
null value."null.Object.equals(), Comparable.compareTo(), and Comparator.compare() must return a specified value if their parameters are null. Failing to follow this contract may result in unexpected behavior.equals() method does not compare its parameter with null.
public boolean equals(Object object)
{
return (toString().equals(object.toString()));
}
FormAction which fails to validate the data against the expected requirements:Example 2: The following code defines a Spring WebFlow action state which fails to validate the data against the expected requirements:
<bean id="customerCriteriaAction" class="org.springframework.webflow.action.FormAction">
<property name="formObjectClass"
value="com.acme.domain.CustomerCriteria" />
<property name="propertyEditorRegistrar">
<bean
class="com.acme.web.PropertyEditors" />
</property>
</bean>
<action-state>
<action bean="transferMoneyAction" method="bind" />
</action-state>
def form = Form(
mapping(
"name" -> text,
"age" -> number
)(UserData.apply)(UserData.unapply)
)
clone() method.clone() method is invoked, the constructor for the class being cloned is not invoked. Thus, if a SecurityManager or AccessController check is present in the constructor of a cloneable class, the same check must also be present in the clone method of the class. Otherwise, the security check will be bypassed when the class is cloned.SecurityManager check in the constructor but not in the clone() method.
public class BadSecurityCheck implements Cloneable {
private int id;
public BadSecurityCheck() {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new BadPermission("BadSecurityCheck"));
}
id = 1;
}
public Object clone() throws CloneNotSupportedException {
BadSecurityCheck bsm = (BadSecurityCheck)super.clone();
return null;
}
}
SecurityManager check in its constructor needs to perform the same check in its readObject() and readObjectNoData methods.readObject() method is invoked, the constructor for the class being deserialized is not invoked. Thus, if a SecurityManager check is present in the constructor of a serializable class, the same SecurityManager check must also be present in the readObject() and readObjectNoData() methods. Otherwise, the security check will be bypassed when the class is deserialized.SecurityManager check in the constructor but not in the readObject() and readObjectNoData() methods.
public class BadSecurityCheck implements Serializable {
private int id;
public BadSecurityCheck() {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new BadPermission("BadSecurityCheck"));
}
id = 1;
}
public void readObject(ObjectInputStream in) throws ClassNotFoundException, IOException {
in.defaultReadObject();
}
public void readObjectNoData(ObjectInputStream in) throws ClassNotFoundException, IOException {
in.defaultReadObject();
}
}
...
// "type" parameter expected to be either: "Email" or "Username"
string type = request["type"];
string value = request["value"];
string password = request["password"];
var ddb = new AmazonDynamoDBClient();
var attrValues = new Dictionary<string,AttributeValue>();
attrValues[":value"] = new AttributeValue(value);
attrValues[":password"] = new AttributeValue(password);
var scanRequest = new ScanRequest();
scanRequest.FilterExpression = type + " = :value AND Password = :password";
scanRequest.TableName = "users";
scanRequest.ExpressionAttributeValues = attrValues;
var scanResponse = await ddb.ScanAsync(scanRequest);
...
Email = :value AND Password = :password
Username = :value AND Password = :password
type only contains any of the expected values. If an attacker provides a type value such as :value = :value OR :value, then the query becomes the following::value = :value OR :value = :value AND Password = :password
:value = :value condition causes the where clause to always evaluate to true, so the query returns all entries stored in the users collection, regardless of the email owner.
...
// "type" parameter expected to be either: "Email" or "Username"
String type = request.getParameter("type")
String value = request.getParameter("value")
String password = request.getParameter("password")
DynamoDbClient ddb = DynamoDbClient.create();
HashMap<String, AttributeValue> attrValues = new HashMap<String,AttributeValue>();
attrValues.put(":value", AttributeValue.builder().s(value).build());
attrValues.put(":password", AttributeValue.builder().s(password).build());
ScanRequest queryReq = ScanRequest.builder()
.filterExpression(type + " = :value AND Password = :password")
.tableName("users")
.expressionAttributeValues(attrValues)
.build();
ScanResponse response = ddb.scan(queryReq);
...
Email = :value AND Password = :password
Username = :value AND Password = :password
type only contains any of the expected values. If an attacker provides a type value such as :value = :value OR :value, then the query becomes the following::value = :value OR :value = :value AND Password = :password
:value = :value condition causes the where clause to always evaluate to true, so the query returns all entries stored in the users collection, regardless of the email owner.
...
String userName = User.Identity.Name;
String emailId = request["emailId"];
var coll = mongoClient.GetDatabase("MyDB").GetCollection<BsonDocument>("emails");
var docs = coll.Find(new BsonDocument("$where", "this.name == '" + name + "'")).ToList();
...
this.owner == "<userName>" && this.emailId == "<emailId>"
emailId does not contain a single-quote character. If an attacker with the user name wiley enters the string "123' || '4' != '5" for emailId, then the query becomes the following:
this.owner == 'wiley' && this.emailId == '123' || '4' != '5'
|| '4' != '5' condition causes the where clause to always evaluate to true, so the query returns all entries stored in the emails collection, regardless of the email owner.
...
String userName = ctx.getAuthenticatedUserName();
String emailId = request.getParameter("emailId")
MongoCollection<Document> col = mongoClient.getDatabase("MyDB").getCollection("emails");
BasicDBObject Query = new BasicDBObject();
Query.put("$where", "this.owner == \"" + userName + "\" && this.emailId == \"" + emailId + "\"");
FindIterable<Document> find= col.find(Query);
...
this.owner == "<userName>" && this.emailId == "<emailId>"
emailId does not contain a double-quote character. If an attacker with the user name wiley enters the string 123" || "4" != "5 for emailId, then the query becomes the following:
this.owner == "wiley" && this.emailId == "123" || "4" != "5"
|| "4" != "5" condition causes the where clause to always evaluate to true, so the query returns all entries stored in the emails collection, regardless of the email owner.
...
userName = req.field('userName')
emailId = req.field('emaiId')
results = db.emails.find({"$where", "this.owner == \"" + userName + "\" && this.emailId == \"" + emailId + "\""});
...
this.owner == "<userName>" && this.emailId == "<emailId>"
emailId does not contain a double-quote character. If an attacker with the user name wiley enters the string 123" || "4" != "5 for emailId, then the query becomes the following:
this.owner == "wiley" && this.emailId == "123" || "4" != "5"
|| "4" != "5" condition causes the where clause to always evaluate to true, so the query returns all entries stored in the emails collection, regardless of the email owner.NullException.cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a null-pointer exception when it attempts to call the Trim() method.
string cmd = null;
...
cmd = Environment.GetEnvironmentVariable("cmd");
cmd = cmd.Trim();
null before checking if the pointer is null. Dereference-after-check errors occur when a program makes an explicit check for null, but proceeds to dereference the pointer when it is known to be null. Errors of this type are often the result of a typo or programmer oversight. A dereference-after-store error occurs when a program explicitly sets a pointer to null and dereferences it later. This error is often the result of a programmer initializing a variable to null when it is declared.ptr is not NULL. That assumption is made explicit when the programmer dereferences the pointer. This assumption is later contradicted when the programmer checks ptr against NULL. If ptr can be NULL when it is checked in the if statement then it can also be NULL when it dereferenced and may cause a segmentation fault.Example 2: In the following code, the programmer confirms that the variable
ptr->field = val;
...
if (ptr != NULL) {
...
}
ptr is NULL and subsequently dereferences it erroneously. If ptr is NULL when it is checked in the if statement, then a null dereference will occur, thereby causing a segmentation fault.Example 3: In the following code, the programmer forgets that the string
if (ptr == null) {
ptr->field = val;
...
}
'\0' is actually 0 or NULL, thereby dereferencing a null-pointer and causing a segmentation fault.Example 4: In the following code, the programmer explicitly sets the variable
if (ptr == '\0') {
*ptr = val;
...
}
ptr to NULL. Later, the programmer dereferences ptr before checking the object for a null value.
*ptr = NULL;
...
ptr->field = val;
...
}
NullPointerException.cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a null-pointer exception when it attempts to call the trim() method.
String val = null;
...
cmd = System.getProperty("cmd");
if (cmd)
val = util.translateCommand(cmd);
...
cmd = val.trim();
password grant, which insecurely exposes the credentials of the resource owner to the client and unnecessarily increases the attack surface.application.properties configuration file uses the OAuth2 password grant.
...
spring.security.oauth2.client.registration.clientID.authorization-grant-type=password
...
password grant which insecurely exposes the credentials of the resource owner to the client and unnecessarily increases the attack surface.application.yml configuration file uses the OAuth2 password grant.
spring:
security:
oauth2:
client:
registration:
okta:
...
authorization-grant-type: password
...
clone() method should call super.clone() to obtain the new object.clone() should obtain the new object by calling super.clone(). If a class fails to follow this convention, a subclass's clone() method will return an object of the wrong type.super.clone(). Because of the way Kibitzer implements clone(), FancyKibitzer's clone method will return an object of type Kibitzer instead of FancyKibitzer.
public class Kibitzer implements Cloneable {
public Object clone() throws CloneNotSupportedException {
Object returnMe = new Kibitzer();
...
}
}
public class FancyKibitzer extends Kibitzer
implements Cloneable {
public Object clone() throws CloneNotSupportedException {
Object returnMe = super.clone();
...
}
}
equals() and hashCode().a.equals(b) == true then a.hashCode() == b.hashCode().equals() but not hashCode().
public class halfway() {
public boolean equals(Object obj) {
...
}
}
saveState() and restoreState().saveState(javax.faces.context.FacesContext) and restoreState(javax.faces.context.FacesContext, java.lang.Object) or implement neither of them. Because these two methods have a tightly coupled relationship, it is not permissible to have the saveState(javax.faces.context.FacesContext) and restoreState(javax.faces.context.FacesContext, java.lang.Object) methods reside at different levels of the inheritance hierarchy.saveState() and not restoreState(), so it is always in error no matter what any class that extends
public class KibitzState implements StateHolder {
public Object saveState(FacesContext fc) {
...
}
}