<uses-permission .../> element of AndroidManifest.xml declares usage of the BODY_SENSORS permission, which enables an application to access data from body or environmental sensors on the device or connected wearables.<uses-permission android:name="android.permission.BODY_SENSORS"/>
number = tm.getCompleteVoiceMailNumber();
FLAG_GRANT_READ_URI_PERMISSION and FLAG_GRANT_WRITE_URI_PERMISSION. If a malicious program is able to intercept this intent, it will then gain permission to read from or write to the specified URI. These can often be more susceptible to being intercepted if the intent is implicit rather than explicit.
myIntent.setFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
AndroidManifest.xml file via <uses-permission/> tags. If the required permissions are not requested, the operations that require these permissions will fail at runtime. In some cases, a java.lang.SecurityException is thrown back to the application. Other times, operations fail silently without an exception.sms.sendTextMessage(recipient, null, message, PendingIntent.getBroadcast(SmsMessaging.this, 0, new Intent(ACTION_SMS_SENT), 0), null);
android.permission.SEND_SMS permission. If this permission is not requested by the application in the manifest file, the application will fail to send an SMS.AndroidManifest.xml file via <uses-permission/> tags. If the required permissions are not requested, the operations that require these permissions will fail at runtime. In some cases, a java.lang.SecurityException is thrown back to the application. Other times, operations fail silently without an exception.Cursor cursor = getContentResolver().query(ContactsContract.Contacts.CONTENT_URI, null, null, null, null);
android.permission.READ_CONTACTS permission. If this permission is not requested by the application in the manifest file, the application will fail to read contacts information.AndroidManifest.xml file via <uses-permission/> tags. If the required permissions are not requested, the operations that require these permissions will fail at runtime. In some cases, a java.lang.SecurityException is thrown back to the application. Other times, operations fail silently without an exception.android.provider.Telephony.SMS_RECEIVED action.
Intent i = new Intent("android.provider.Telephony.SMS_RECEIVED");
context.sendBroadcast(i);
android.permission.BROADCAST_SMS permission. If this permission is not requested by the application in the manifest file, the application will fail to send the intent.public methods can be called from anywhere in the JVM.public access specifier means that any external code is allowed to call it. Public methods that perform privileged actions can be dangerous when code is shared in libraries or in environments where code can dynamically enter the system (e.g. Code Injection, Dangerous File Inclusion, File Upload, etc).doPrivilegedOpenFile() is declared public and performs a privileged operation.
public static void doPrivilegedOpenFile(final String filePath) {
final BadFileNamePrivilegedAction pa = new BadFileNamePrivilegedAction(filePath);
FileInputStream fis = null;
...
fis = (FileInputStream)AccessController.doPrivileged(pa);
...
}
true to specify that permission was given:
public void onGeolocationPermissionsShowPrompt(String origin, GeolocationPermissions$Callback callback){
super.onGeolocationPermissionsShowPrompt(origin, callback);
callback.invoke(origin, true, false);
}
...
tid = request->get_form_field( 'tid' ).
CALL TRANSACTION tid USING bdcdata MODE 'N'
MESSAGES INTO messtab.
...
APPHOME and then loads a native library based on a relative path from the specified directory.
...
string lib = ConfigurationManager.AppSettings["APPHOME"];
Environment.ExitCode = AppDomain.CurrentDomain.ExecuteAssembly(lib);
...
APPHOME to point to a different path containing a malicious version of LIBNAME. Because the program does not validate the value read from the environment, if attacker can control the value of the system property APPHOME, then they can fool the application into running malicious code and take control of the system.
...
RegQueryValueEx(hkey, "APPHOME",
0, 0, (BYTE*)home, &size);
char* lib=(char*)malloc(strlen(home)+strlen(INITLIB));
if (lib) {
strcpy(lib,home);
strcat(lib,INITCMD);
LoadLibrary(lib);
}
...
INITLIB. Because the program does not validate the value read from the environment, if an attacker can control the value of APPHOME, they can fool the application into running malicious code.liberty.dll, which is intended to be found in a standard system directory.
LoadLibrary("liberty.dll");
liberty.dll. If an attacker places a malicious library named liberty.dll higher in the search order than the intended file and has a way to execute the program in their environment rather than the web server's environment, then the application will load the malicious library instead of the trusted one. Because this type of application runs with elevated privileges, the contents of the attacker's liberty.dll is now be run with elevated privileges, potentially giving them complete control of the system.LoadLibrary() when an absolute path is not specified. If the current directory is searched before system directories, as was the case up until the most recent versions of Windows, then this type of attack becomes trivial if the attacker may execute the program locally. The search order is operating system version dependent, and is controlled on newer operating systems by the value of this registry key:
HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
LoadLibrary() behaves as follows:SafeDllSearchMode is 1, the search order is as follows:PATH environment variable.SafeDllSearchMode is 0, the search order is as follows:PATH environment variable.
...
ACCEPT PROGNAME.
EXEC CICS
LINK PROGRAM(PROGNAME)
COMMAREA(COMA)
LENGTH(LENA)
DATALENGTH(LENI)
SYSID('CONX')
END-EXEC.
...
APPHOME to determine the directory in which it is installed and then loads a native library based on a relative path from the specified directory.
...
String home = System.getProperty("APPHOME");
String lib = home + LIBNAME;
java.lang.Runtime.getRuntime().load(lib);
...
APPHOME to point to a different path containing a malicious version of LIBNAME. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME, then they can fool the application into running malicious code and take control of the system.System.loadLibrary() to load code from a native library named library.dll, which is normally found in a standard system directory.
...
System.loadLibrary("library.dll");
...
System.loadLibrary() accepts a library name, not a path, for the library to be loaded. From the Java 1.4.2 API documentation this function behaves as follows [1]:library.dll higher in the search order than file the application intends to load, then the application will load the malicious copy instead of the intended file. Because of the nature of the application, it runs with elevated privileges, which means the contents of the attacker's library.dll will now be run with elevated privileges, possibly giving them complete control of the system.Express to dynamically load a library file. Node.js will then continue to search through its regular library load path for a file or directory containing this library[1].
var express = require('express');
var app = express();
app.get('/', function(req, res, next) {
res.render('tutorial/' + req.params.page);
});
Express, the page passed to Response.render() will load a library of the extension when previously unknown. This is usually fine for input such as "foo.pug", as this will mean loading the pug library, a well known templating engine. However, if an attacker can control the page and thus the extension, then they can choose to load any library within the Node.js module loading paths. Since the program does not validate the information received from the URL parameter, the attacker may fool the application into running malicious code and take control of the system.APPHOME to determine the directory in which it is installed and then loads a native library based on a relative path from the specified directory.
...
$home = getenv("APPHOME");
$lib = $home + $LIBNAME;
dl($lib);
...
APPHOME to point to a different path containing a malicious version of LIBNAME. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME, then they can fool the application into running malicious code and take control of the system.dl() to load code from a library named sockets.dll, which can be loaded from various places depending on your installation and configuration.
...
dl("sockets");
...
dl() accepts a library name, not a path, for the library to be loaded.sockets.dll higher in the search order than file the application intends to load, then the application will load the malicious copy instead of the intended file. Because of the nature of the application, it runs with elevated privileges, which means the contents of the attacker's sockets.dll will now be run with elevated privileges, possibly giving them complete control of the system.Kernel.system() to run an executable called program.exe, which is normally found within a standard system directory.
...
system("program.exe")
...
Kernel.system() executes something via a shell. If an attacker can manipulate environment variables RUBYSHELL or COMSPEC, they may be able to point to a malicious executable which will be called with the command given to Kernel.system(). Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's program.exe will now be run with these privileges, possibly giving them complete control of the system.Kernel.system(). If an attacker can modify the $PATH variable to point to a malicious binary called program.exe and then execute the application in their environment, the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's program.exe will now be run with these privileges, possibly giving them complete control of the system.InvokerServlet class can allow attackers to invoke any class on the server.InvokerServlet class can be used to invoke any class available to the server's virtual machine. By guessing the fully qualified name of a class, an attacker may load not only Servlet classes, but also POJO classes or any other class available to the JVM.select() query that searches for invoices that match a user-specified product category. The user can also specify the column by which the results are sorted. Assume that the application has already properly authenticated and set the value of customerID prior to this code segment.
...
String customerID = getAuthenticatedCustomerID(customerName, customerCredentials);
...
AmazonSimpleDBClient sdbc = new AmazonSimpleDBClient(appAWSCredentials);
String query = "select * from invoices where productCategory = '"
+ productCategory + "' and customerID = '"
+ customerID + "' order by '"
+ sortColumn + "' asc";
SelectResult sdbResult = sdbc.select(new SelectRequest(query));
...
select * from invoices
where productCategory = 'Fax Machines'
and customerID = '12345678'
order by 'price' asc
productCategory and price do not contain single-quote characters. If, however, an attacker provides the string "Fax Machines' or productCategory = \"" for productCategory, and the string "\" order by 'price" for sortColumn, then the query becomes the following:
select * from invoices
where productCategory = 'Fax Machines' or productCategory = "'
and customerID = '12345678'
order by '" order by 'price' asc
select * from invoices
where productCategory = 'Fax Machines'
or productCategory = "' and customerID = '12345678' order by '"
order by 'price' asc
customerID, and allows the attacker to view invoice records matching 'Fax Machines' for all customers.customerID prior to this code segment.
...
productCategory = this.getIntent().getExtras().getString("productCategory");
sortColumn = this.getIntent().getExtras().getString("sortColumn");
customerID = getAuthenticatedCustomerID(customerName, customerCredentials);
c = invoicesDB.query(Uri.parse(invoices), columns, "productCategory = '" + productCategory + "' and customerID = '" + customerID + "'", null, null, null, "'" + sortColumn + "'asc", null);
...
select * from invoices
where productCategory = 'Fax Machines'
and customerID = '12345678'
order by 'price' asc
productCategory. So the query behaves correctly only if productCategory and sortColumn do not contain single-quote characters. If an attacker provides the string "Fax Machines' or productCategory = \"" for productCategory, and the string "\" order by 'price" for sortColumn, then the query becomes:
select * from invoices
where productCategory = 'Fax Machines' or productCategory = "'
and customerID = '12345678'
order by '" order by 'price' asc
select * from invoices
where productCategory = 'Fax Machines'
or productCategory = "' and customerID = '12345678' order by '"
order by 'price' asc
customerID and allows the attacker to view invoice records matching 'Fax Machines' for all customers.
Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setDataAndType(Uri.fromFile(new File(Environment.getExternalStorageDirectory() + "/download/" + "app.apk")), "application/vnd.android.package-archive");
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
startActivity(intent);
...
public class Box{
public int area;
public static final int width = 10;
public static final Box box = new Box();
public static final int height = (int) (Math.random() * 100);
public Box(){
area = width * height;
}
...
}
...
Example 1, the developer would expect that box.area would be a random integer that happens to be a multiple of 10, due to width being equal to 10. In reality however, this will always have a hardcoded value of 0. Static final fields declared with a compile-time constant are initialized first, and then each one is executed in order. This means that since height is not a compile-time constant, it is declared after the declaration of box, and therefore the constructor is called prior to the field height being initialized.
...
class Foo{
public static final int f = Bar.b - 1;
...
}
...
class Bar{
public static final int b = Foo.f + 1;
...
}
This example is perhaps easier to identify, but would be dependent on which class is loaded first by the JVM. In this exampleFoo.fcould be either -1 or 0, andBar.bcould be either 0 or 1.
parse() and format() in java.text.Format contain a design flaw that can cause one user to see another user's data.parse() and format() in java.text.Format contains a race condition that can cause one user to see another user's data.
public class Common {
private static SimpleDateFormat dateFormat;
...
public String format(Date date) {
return dateFormat.format(date);
}
...
final OtherClass dateFormatAccess=new OtherClass();
...
public void function_running_in_thread1(){
System.out.println("Time in thread 1 should be 12/31/69 4:00 PM, found: "+ dateFormatAccess.format(new Date(0)));
}
public void function_running_in_thread2(){
System.out.println("Time in thread 2 should be around 12/29/09 6:26 AM, found: "+ dateFormatAccess.format(new Date(System.currentTimeMillis())));
}
}
format().
public class GuestBook extends HttpServlet {
String name;
protected void doPost (HttpServletRequest req, HttpServletResponse res) {
name = req.getParameter("name");
...
out.println(name + ", thanks for visiting!");
}
}
Dick" to nameJane" to nameJane, thanks for visiting!"Jane, thanks for visiting!"
public class ConnectionManager {
private static Connection conn = initDbConn();
...
}
null before checking if the pointer is null. Dereference-after-check errors occur when a program makes an explicit check for null, but proceeds to dereference the pointer when it is known to be null. Errors of this type are often the result of a typo or programmer oversight. A dereference-after-store error occurs when a program explicitly sets a pointer to null and dereferences it later. This error is often the result of a programmer initializing a variable to null when it is declared.foo is null and subsequently dereferences it erroneously. If foo is null when it is checked in the if statement, then a null dereference occurs, which causes a null-pointer exception.Example 2: In the following code, the programmer assumes that the variable
if (foo is null) {
foo.SetBar(val);
...
}
foo is not null and confirms this assumption by dereferencing the object. However, the programmer later contradicts the assumption by checking foo against null. If foo can be null when it is checked in the if statement then it can also be null when it is dereferenced and might cause a null-pointer exception. Either the dereference is unsafe or the subsequent check is unnecessary.Example 3: In the following code, the programmer explicitly sets the variable
foo.SetBar(val);
...
if (foo is not null) {
...
}
foo to null. Later, the programmer dereferences foo before checking the object for a null value.
Foo foo = null;
...
foo.SetBar(val);
...
}
null before checking if the pointer is null. Dereference-after-check errors occur when a program makes an explicit check for null, but proceeds to dereference the pointer when it is known to be null. Errors of this type are often the result of a typo or programmer oversight. A dereference-after-store error occurs when a program explicitly sets a pointer to null and dereferences it later. This error is often the result of a programmer initializing a variable to null when it is declared.ptr is not NULL. That assumption is made explicit when the programmer dereferences the pointer. This assumption is later contradicted when the programmer checks ptr against NULL. If ptr can be NULL when it is checked in the if statement then it can also be NULL when it dereferenced and may cause a segmentation fault.Example 2: In the following code, the programmer confirms that the variable
ptr->field = val;
...
if (ptr != NULL) {
...
}
ptr is NULL and subsequently dereferences it erroneously. If ptr is NULL when it is checked in the if statement, then a null dereference will occur, thereby causing a segmentation fault.Example 3: In the following code, the programmer forgets that the string
if (ptr == null) {
ptr->field = val;
...
}
'\0' is actually 0 or NULL, thereby dereferencing a null-pointer and causing a segmentation fault.Example 4: In the following code, the programmer explicitly sets the variable
if (ptr == '\0') {
*ptr = val;
...
}
ptr to NULL. Later, the programmer dereferences ptr before checking the object for a null value.
*ptr = NULL;
...
ptr->field = val;
...
}
null, but proceeds to dereference the object when it is known to be null. Errors of this type are often the result of a typo or programmer oversight.foo is null and subsequently dereferences it erroneously. If foo is null when it is checked in the if statement, then a null dereference will occur, thereby causing a null-pointer exception.
if (foo == null) {
foo.setBar(val);
...
}