<uses-permission .../>
element of AndroidManifest.xml declares usage of the BODY_SENSORS
permission, which enables an application to access data from body or environmental sensors on the device or connected wearables.<uses-permission android:name="android.permission.BODY_SENSORS"/>
number = tm.getCompleteVoiceMailNumber();
FLAG_GRANT_READ_URI_PERMISSION
and FLAG_GRANT_WRITE_URI_PERMISSION
. If a malicious program is able to intercept this intent, it will then gain permission to read from or write to the specified URI. These can often be more susceptible to being intercepted if the intent is implicit rather than explicit.
myIntent.setFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
AndroidManifest.xml
file via <uses-permission/>
tags. If the required permissions are not requested, the operations that require these permissions will fail at runtime. In some cases, a java.lang.SecurityException
is thrown back to the application. Other times, operations fail silently without an exception.sms.sendTextMessage(recipient, null, message, PendingIntent.getBroadcast(SmsMessaging.this, 0, new Intent(ACTION_SMS_SENT), 0), null);
android.permission.SEND_SMS
permission. If this permission is not requested by the application in the manifest file, the application will fail to send an SMS.AndroidManifest.xml
file via <uses-permission/>
tags. If the required permissions are not requested, the operations that require these permissions will fail at runtime. In some cases, a java.lang.SecurityException
is thrown back to the application. Other times, operations fail silently without an exception.Cursor cursor = getContentResolver().query(ContactsContract.Contacts.CONTENT_URI, null, null, null, null);
android.permission.READ_CONTACTS
permission. If this permission is not requested by the application in the manifest file, the application will fail to read contacts information.AndroidManifest.xml
file via <uses-permission/>
tags. If the required permissions are not requested, the operations that require these permissions will fail at runtime. In some cases, a java.lang.SecurityException
is thrown back to the application. Other times, operations fail silently without an exception.android.provider.Telephony.SMS_RECEIVED
action.
Intent i = new Intent("android.provider.Telephony.SMS_RECEIVED");
context.sendBroadcast(i);
android.permission.BROADCAST_SMS
permission. If this permission is not requested by the application in the manifest file, the application will fail to send the intent.public
methods can be called from anywhere in the JVM.public
access specifier means that any external code is allowed to call it. Public methods that perform privileged actions can be dangerous when code is shared in libraries or in environments where code can dynamically enter the system (e.g. Code Injection, Dangerous File Inclusion, File Upload, etc).doPrivilegedOpenFile()
is declared public
and performs a privileged operation.
public static void doPrivilegedOpenFile(final String filePath) {
final BadFileNamePrivilegedAction pa = new BadFileNamePrivilegedAction(filePath);
FileInputStream fis = null;
...
fis = (FileInputStream)AccessController.doPrivileged(pa);
...
}
true
to specify that permission was given:
public void onGeolocationPermissionsShowPrompt(String origin, GeolocationPermissions$Callback callback){
super.onGeolocationPermissionsShowPrompt(origin, callback);
callback.invoke(origin, true, false);
}
...
tid = request->get_form_field( 'tid' ).
CALL TRANSACTION tid USING bdcdata MODE 'N'
MESSAGES INTO messtab.
...
APPHOME
and then loads a native library based on a relative path from the specified directory.
...
string lib = ConfigurationManager.AppSettings["APPHOME"];
Environment.ExitCode = AppDomain.CurrentDomain.ExecuteAssembly(lib);
...
APPHOME
to point to a different path containing a malicious version of LIBNAME
. Because the program does not validate the value read from the environment, if attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.
...
RegQueryValueEx(hkey, "APPHOME",
0, 0, (BYTE*)home, &size);
char* lib=(char*)malloc(strlen(home)+strlen(INITLIB));
if (lib) {
strcpy(lib,home);
strcat(lib,INITCMD);
LoadLibrary(lib);
}
...
INITLIB
. Because the program does not validate the value read from the environment, if an attacker can control the value of APPHOME
, they can fool the application into running malicious code.liberty.dll
, which is intended to be found in a standard system directory.
LoadLibrary("liberty.dll");
liberty.dll
. If an attacker places a malicious library named liberty.dll
higher in the search order than the intended file and has a way to execute the program in their environment rather than the web server's environment, then the application will load the malicious library instead of the trusted one. Because this type of application runs with elevated privileges, the contents of the attacker's liberty.dll
is now be run with elevated privileges, potentially giving them complete control of the system.LoadLibrary()
when an absolute path is not specified. If the current directory is searched before system directories, as was the case up until the most recent versions of Windows, then this type of attack becomes trivial if the attacker may execute the program locally. The search order is operating system version dependent, and is controlled on newer operating systems by the value of this registry key:
HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
LoadLibrary()
behaves as follows:SafeDllSearchMode
is 1, the search order is as follows:PATH
environment variable.SafeDllSearchMode
is 0, the search order is as follows:PATH
environment variable.
...
ACCEPT PROGNAME.
EXEC CICS
LINK PROGRAM(PROGNAME)
COMMAREA(COMA)
LENGTH(LENA)
DATALENGTH(LENI)
SYSID('CONX')
END-EXEC.
...
APPHOME
to determine the directory in which it is installed and then loads a native library based on a relative path from the specified directory.
...
String home = System.getProperty("APPHOME");
String lib = home + LIBNAME;
java.lang.Runtime.getRuntime().load(lib);
...
APPHOME
to point to a different path containing a malicious version of LIBNAME
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.System.loadLibrary()
to load code from a native library named library.dll
, which is normally found in a standard system directory.
...
System.loadLibrary("library.dll");
...
System.loadLibrary()
accepts a library name, not a path, for the library to be loaded. From the Java 1.4.2 API documentation this function behaves as follows [1]:library.dll
higher in the search order than file the application intends to load, then the application will load the malicious copy instead of the intended file. Because of the nature of the application, it runs with elevated privileges, which means the contents of the attacker's library.dll
will now be run with elevated privileges, possibly giving them complete control of the system.Express
to dynamically load a library file. Node.js
will then continue to search through its regular library load path for a file or directory containing this library[1].
var express = require('express');
var app = express();
app.get('/', function(req, res, next) {
res.render('tutorial/' + req.params.page);
});
Express
, the page passed to Response.render()
will load a library of the extension when previously unknown. This is usually fine for input such as "foo.pug", as this will mean loading the pug
library, a well known templating engine. However, if an attacker can control the page and thus the extension, then they can choose to load any library within the Node.js
module loading paths. Since the program does not validate the information received from the URL parameter, the attacker may fool the application into running malicious code and take control of the system.APPHOME
to determine the directory in which it is installed and then loads a native library based on a relative path from the specified directory.
...
$home = getenv("APPHOME");
$lib = $home + $LIBNAME;
dl($lib);
...
APPHOME
to point to a different path containing a malicious version of LIBNAME
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.dl()
to load code from a library named sockets.dll
, which can be loaded from various places depending on your installation and configuration.
...
dl("sockets");
...
dl()
accepts a library name, not a path, for the library to be loaded.sockets.dll
higher in the search order than file the application intends to load, then the application will load the malicious copy instead of the intended file. Because of the nature of the application, it runs with elevated privileges, which means the contents of the attacker's sockets.dll
will now be run with elevated privileges, possibly giving them complete control of the system.Kernel.system()
to run an executable called program.exe
, which is normally found within a standard system directory.
...
system("program.exe")
...
Kernel.system()
executes something via a shell. If an attacker can manipulate environment variables RUBYSHELL
or COMSPEC
, they may be able to point to a malicious executable which will be called with the command given to Kernel.system()
. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's program.exe
will now be run with these privileges, possibly giving them complete control of the system.Kernel.system()
. If an attacker can modify the $PATH
variable to point to a malicious binary called program.exe
and then execute the application in their environment, the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's program.exe
will now be run with these privileges, possibly giving them complete control of the system.InvokerServlet
class can allow attackers to invoke any class on the server.InvokerServlet
class can be used to invoke any class available to the server's virtual machine. By guessing the fully qualified name of a class, an attacker may load not only Servlet classes, but also POJO classes or any other class available to the JVM.select()
query that searches for invoices that match a user-specified product category. The user can also specify the column by which the results are sorted. Assume that the application has already properly authenticated and set the value of customerID
prior to this code segment.
...
String customerID = getAuthenticatedCustomerID(customerName, customerCredentials);
...
AmazonSimpleDBClient sdbc = new AmazonSimpleDBClient(appAWSCredentials);
String query = "select * from invoices where productCategory = '"
+ productCategory + "' and customerID = '"
+ customerID + "' order by '"
+ sortColumn + "' asc";
SelectResult sdbResult = sdbc.select(new SelectRequest(query));
...
select * from invoices
where productCategory = 'Fax Machines'
and customerID = '12345678'
order by 'price' asc
productCategory
and price
do not contain single-quote characters. If, however, an attacker provides the string "Fax Machines' or productCategory = \"
" for productCategory
, and the string "\" order by 'price
" for sortColumn
, then the query becomes the following:
select * from invoices
where productCategory = 'Fax Machines' or productCategory = "'
and customerID = '12345678'
order by '" order by 'price' asc
select * from invoices
where productCategory = 'Fax Machines'
or productCategory = "' and customerID = '12345678' order by '"
order by 'price' asc
customerID
, and allows the attacker to view invoice records matching 'Fax Machines'
for all customers.customerID
prior to this code segment.
...
productCategory = this.getIntent().getExtras().getString("productCategory");
sortColumn = this.getIntent().getExtras().getString("sortColumn");
customerID = getAuthenticatedCustomerID(customerName, customerCredentials);
c = invoicesDB.query(Uri.parse(invoices), columns, "productCategory = '" + productCategory + "' and customerID = '" + customerID + "'", null, null, null, "'" + sortColumn + "'asc", null);
...
select * from invoices
where productCategory = 'Fax Machines'
and customerID = '12345678'
order by 'price' asc
productCategory
. So the query behaves correctly only if productCategory
and sortColumn
do not contain single-quote characters. If an attacker provides the string "Fax Machines' or productCategory = \"
" for productCategory
, and the string "\" order by 'price
" for sortColumn
, then the query becomes:
select * from invoices
where productCategory = 'Fax Machines' or productCategory = "'
and customerID = '12345678'
order by '" order by 'price' asc
select * from invoices
where productCategory = 'Fax Machines'
or productCategory = "' and customerID = '12345678' order by '"
order by 'price' asc
customerID
and allows the attacker to view invoice records matching 'Fax Machines'
for all customers.
Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setDataAndType(Uri.fromFile(new File(Environment.getExternalStorageDirectory() + "/download/" + "app.apk")), "application/vnd.android.package-archive");
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
startActivity(intent);
...
public class Box{
public int area;
public static final int width = 10;
public static final Box box = new Box();
public static final int height = (int) (Math.random() * 100);
public Box(){
area = width * height;
}
...
}
...
Example 1
, the developer would expect that box.area
would be a random integer that happens to be a multiple of 10, due to width
being equal to 10. In reality however, this will always have a hardcoded value of 0. Static final fields declared with a compile-time constant are initialized first, and then each one is executed in order. This means that since height
is not a compile-time constant, it is declared after the declaration of box
, and therefore the constructor is called prior to the field height
being initialized.
...
class Foo{
public static final int f = Bar.b - 1;
...
}
...
class Bar{
public static final int b = Foo.f + 1;
...
}
This example is perhaps easier to identify, but would be dependent on which class is loaded first by the JVM. In this exampleFoo.f
could be either -1 or 0, andBar.b
could be either 0 or 1.
parse()
and format()
in java.text.Format
contain a design flaw that can cause one user to see another user's data.parse()
and format()
in java.text.Format
contains a race condition that can cause one user to see another user's data.
public class Common {
private static SimpleDateFormat dateFormat;
...
public String format(Date date) {
return dateFormat.format(date);
}
...
final OtherClass dateFormatAccess=new OtherClass();
...
public void function_running_in_thread1(){
System.out.println("Time in thread 1 should be 12/31/69 4:00 PM, found: "+ dateFormatAccess.format(new Date(0)));
}
public void function_running_in_thread2(){
System.out.println("Time in thread 2 should be around 12/29/09 6:26 AM, found: "+ dateFormatAccess.format(new Date(System.currentTimeMillis())));
}
}
format()
.
public class GuestBook extends HttpServlet {
String name;
protected void doPost (HttpServletRequest req, HttpServletResponse res) {
name = req.getParameter("name");
...
out.println(name + ", thanks for visiting!");
}
}
Dick
" to name
Jane
" to name
Jane, thanks for visiting!
"Jane, thanks for visiting!
"
public class ConnectionManager {
private static Connection conn = initDbConn();
...
}
null
before checking if the pointer is null
. Dereference-after-check errors occur when a program makes an explicit check for null
, but proceeds to dereference the pointer when it is known to be null
. Errors of this type are often the result of a typo or programmer oversight. A dereference-after-store error occurs when a program explicitly sets a pointer to null
and dereferences it later. This error is often the result of a programmer initializing a variable to null
when it is declared.foo
is null
and subsequently dereferences it erroneously. If foo
is null
when it is checked in the if
statement, then a null
dereference occurs, which causes a null-pointer exception.Example 2: In the following code, the programmer assumes that the variable
if (foo is null) {
foo.SetBar(val);
...
}
foo
is not null
and confirms this assumption by dereferencing the object. However, the programmer later contradicts the assumption by checking foo
against null
. If foo
can be null
when it is checked in the if
statement then it can also be null
when it is dereferenced and might cause a null-pointer exception. Either the dereference is unsafe or the subsequent check is unnecessary.Example 3: In the following code, the programmer explicitly sets the variable
foo.SetBar(val);
...
if (foo is not null) {
...
}
foo
to null
. Later, the programmer dereferences foo
before checking the object for a null
value.
Foo foo = null;
...
foo.SetBar(val);
...
}
null
before checking if the pointer is null
. Dereference-after-check errors occur when a program makes an explicit check for null
, but proceeds to dereference the pointer when it is known to be null
. Errors of this type are often the result of a typo or programmer oversight. A dereference-after-store error occurs when a program explicitly sets a pointer to null
and dereferences it later. This error is often the result of a programmer initializing a variable to null
when it is declared.ptr
is not NULL
. That assumption is made explicit when the programmer dereferences the pointer. This assumption is later contradicted when the programmer checks ptr
against NULL
. If ptr
can be NULL
when it is checked in the if
statement then it can also be NULL
when it dereferenced and may cause a segmentation fault.Example 2: In the following code, the programmer confirms that the variable
ptr->field = val;
...
if (ptr != NULL) {
...
}
ptr
is NULL
and subsequently dereferences it erroneously. If ptr
is NULL
when it is checked in the if
statement, then a null
dereference will occur, thereby causing a segmentation fault.Example 3: In the following code, the programmer forgets that the string
if (ptr == null) {
ptr->field = val;
...
}
'\0'
is actually 0 or NULL
, thereby dereferencing a null-pointer and causing a segmentation fault.Example 4: In the following code, the programmer explicitly sets the variable
if (ptr == '\0') {
*ptr = val;
...
}
ptr
to NULL
. Later, the programmer dereferences ptr
before checking the object for a null
value.
*ptr = NULL;
...
ptr->field = val;
...
}
null
, but proceeds to dereference the object when it is known to be null
. Errors of this type are often the result of a typo or programmer oversight.foo
is null
and subsequently dereferences it erroneously. If foo
is null
when it is checked in the if
statement, then a null
dereference will occur, thereby causing a null-pointer exception.
if (foo == null) {
foo.setBar(val);
...
}