DATA: id TYPE i.
...
id = request->get_form_field( 'invoiceID' ).
CONCATENATE `INVOICEID = '` id `'` INTO cl_where.
SELECT *
FROM invoices
INTO CORRESPONDING FIELDS OF TABLE itab_invoices
WHERE (cl_where).
ENDSELECT.
...
ID
. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
...
var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var id:int = int(Number(params["invoiceID"]));
var query:String = "SELECT * FROM invoices WHERE id = :id";
stmt.sqlConnection = conn;
stmt.text = query;
stmt.parameters[":id"] = id;
stmt.execute();
...
id
. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.inputID
value is originated from a pre-defined list, and a bind variable helps to prevent SOQL/SOSL injection.
...
result = [SELECT Name, Phone FROM Contact WHERE (IsDeleted = false AND Id=:inputID)];
...
inputID
. If the attacker is able to bypass the interface and send a request with a different value he will have access to other contact information. Since the code in this example does not check to ensure that the user has permission to access the requested contact, it will display any contact, even if the user is not authorized to see it.
...
int16 id = System.Convert.ToInt16(invoiceID.Text);
var invoice = OrderSystem.getInvoices()
.Where(new Invoice { invoiceID = id });
...
id
. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
...
CMyRecordset rs(&dbms);
rs.PrepareSQL("SELECT * FROM invoices WHERE id = ?");
rs.SetParam_int(0,atoi(r.Lookup("invoiceID").c_str()));
rs.SafeExecuteSQL();
...
id
. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
...
ACCEPT ID.
EXEC SQL
DECLARE C1 CURSOR FOR
SELECT INVNO, INVDATE, INVTOTAL
FROM INVOICES
WHERE INVOICEID = :ID
END-EXEC.
...
ID
. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.deleteDatabase
method that contains a user-controlled database name can allow an attacker to delete any database.
...
id := request.FormValue("invoiceID")
query := "SELECT * FROM invoices WHERE id = ?";
rows, err := db.Query(query, id)
...
id
. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
...
id = Integer.decode(request.getParameter("invoiceID"));
String query = "SELECT * FROM invoices WHERE id = ?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setInt(1, id);
ResultSet results = stmt.execute();
...
id
. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.Example 1
to the Android platform.
...
String id = this.getIntent().getExtras().getString("invoiceID");
String query = "SELECT * FROM invoices WHERE id = ?";
SQLiteDatabase db = this.openOrCreateDatabase("DB", MODE_PRIVATE, null);
Cursor c = db.rawQuery(query, new Object[]{id});
...
...
var id = document.form.invoiceID.value;
var query = "SELECT * FROM invoices WHERE id = ?";
db.transaction(function (tx) {
tx.executeSql(query,[id]);
}
)
...
id
. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
...
NSManagedObjectContext *context = [appDelegate managedObjectContext];
NSEntityDescription *entityDesc = [NSEntityDescription entityForName:@"Invoices" inManagedObjectContext:context];
NSFetchRequest *request = [[NSFetchRequest alloc] init];
[request setEntity:entityDesc];
NSPredicate *pred = [NSPredicate predicateWithFormat:@"(id = %@)", invoiceId.text];
[request setPredicate:pred];
NSManagedObject *matches = nil;
NSError *error;
NSArray *objects = [context executeFetchRequest:request error:&error];
if ([objects count] == 0) {
status.text = @"No records found.";
} else {
matches = [objects objectAtIndex:0];
invoiceReferenceNumber.text = [matches valueForKey:@"invRefNum"];
orderNumber.text = [matches valueForKey:@"orderNumber"];
status.text = [NSString stringWithFormat:@"%d records found", [objects count]];
}
[request release];
...
id
. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
...
$id = $_POST['id'];
$query = "SELECT * FROM invoices WHERE id = ?";
$stmt = $mysqli->prepare($query);
$stmt->bind_param('ss',$id);
$stmt->execute();
...
id
. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
procedure get_item (
itm_cv IN OUT ItmCurTyp,
id in varchar2)
is
open itm_cv for ' SELECT * FROM items WHERE ' ||
'invoiceID = :invid' ||
using id;
end get_item;
id
. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
...
id = request.POST['id']
c = db.cursor()
stmt = c.execute("SELECT * FROM invoices WHERE id = %s", (id,))
...
id
. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
...
id = req['invoiceID'].respond_to(:to_int)
query = "SELECT * FROM invoices WHERE id=?"
stmt = conn.prepare(query)
stmt.execute(id)
...
id
. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
def searchInvoice(value:String) = Action.async { implicit request =>
val result: Future[Seq[Invoice]] = db.run {
sql"select * from invoices where id=$value".as[Invoice]
}
...
}
id
. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
...
let fetchRequest = NSFetchRequest()
let entity = NSEntityDescription.entityForName("Invoices", inManagedObjectContext: managedContext)
fetchRequest.entity = entity
let pred : NSPredicate = NSPredicate(format:"(id = %@)", invoiceId.text)
fetchRequest.setPredicate = pred
do {
let results = try managedContext.executeFetchRequest(fetchRequest)
let result : NSManagedObject = results.first!
invoiceReferenceNumber.text = result.valueForKey("invRefNum")
orderNumber.text = result.valueForKey("orderNumber")
status.text = "\(results.count) records found"
} catch let error as NSError {
print("Error \(error)")
}
...
id
. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.
...
id = Request.Form("invoiceID")
strSQL = "SELECT * FROM invoices WHERE id = ?"
objADOCommand.CommandText = strSQL
objADOCommand.CommandType = adCmdText
set objADOParameter = objADOCommand.CreateParameter("id" , adString, adParamInput, 0, 0)
objADOCommand.Parameters("id") = id
...
id
. Although the interface generates a list of invoice identifiers that belong to the current user, an attacker might bypass this interface to request any desired invoice. Because the code in this example does not check to ensure that the user has permission to access the requested invoice, it will display any invoice, even if it does not belong to the current user.APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
CALL FUNCTION 'REGISTRY_GET'
EXPORTING
KEY = 'APPHOME'
IMPORTING
VALUE = home.
CONCATENATE home INITCMD INTO cmd.
CALL 'SYSTEM' ID 'COMMAND' FIELD cmd ID 'TAB' FIELD TABL[].
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the registry entry APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the registry, if an attacker can control the value of the registry key APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
btype = request->get_form_field( 'backuptype' )
CONCATENATE `/K 'c:\\util\\rmanDB.bat ` btype `&&c:\\util\\cleanup.bat'` INTO cmd.
CALL FUNCTION 'SXPG_COMMAND_EXECUTE_LONG'
EXPORTING
commandname = cmd_exe
long_params = cmd_string
EXCEPTIONS
no_permission = 1
command_not_found = 2
parameters_too_long = 3
security_risk = 4
OTHERS = 5.
...
backuptype
parameter read from the user. Typically the function module SXPG_COMMAND_EXECUTE_LONG
will not execute multiple commands, but in this case the program first runs the cmd.exe
shell in order to run multiple commands with a single call to CALL 'SYSTEM'
. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
MOVE 'make' to cmd.
CALL 'SYSTEM' ID 'COMMAND' FIELD cmd ID 'TAB' FIELD TABL[].
...
CALL 'SYSTEM'
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.
...
var fs:FileStream = new FileStream();
fs.open(new File(String(configStream.readObject())+".txt"), FileMode.READ);
home = String(fs.readObject(home));
var cmd:String = home + INITCMD;
fscommand("exec", cmd);
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the contents of the configuration file configStream
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the file, if an attacker can control that value, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var btype:String = String(params["backuptype"]);
var cmd:String = "cmd.exe /K \"c:\\util\\rmanDB.bat " + btype + "&&c:\\util\\cleanup.bat\"";
fscommand("exec", cmd);
...
backuptype
parameter read from the user. Typically the fscommand()
function will not execute multiple commands, but in this case the program first runs the cmd.exe
shell in order to run multiple commands with a single call to fscommnd()
. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
fscommand("exec", "make");
...
fscommand()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
string val = Environment.GetEnvironmentVariable("APPHOME");
string cmd = val + INITCMD;
ProcessStartInfo startInfo = new ProcessStartInfo(cmd);
Process.Start(startInfo);
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
string btype = BackupTypeField.Text;
string cmd = "cmd.exe /K \"c:\\util\\rmanDB.bat"
+ btype + "&&c:\\util\\cleanup.bat\""));
Process.Start(cmd);
...
BackupTypeField
. Typically the Process.Start()
function will not execute multiple commands, but in this case the program first runs the cmd.exe
shell in order to run multiple commands with a single call to Process.Start()
. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.update.exe
command, as follows:
...
Process.Start("update.exe");
...
Process.start()
. If an attacker can modify the $PATH
variable to point to a malicious binary called update.exe
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's update.exe
will now be run with these privileges, possibly giving the attacker complete control of the system.setuid root
because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system.
int main(char* argc, char** argv) {
char cmd[CMD_MAX] = "/usr/bin/cat ";
strcat(cmd, argv[1]);
system(cmd);
}
root
privileges, the call to system()
also executes with root
privileges. If a user specifies a standard filename, the call works as expected. However, if an attacker passes a string of the form ";rm -rf /"
, then the call to system()
fails to execute cat
due to a lack of arguments and then plows on to recursively delete the contents of the root partition.$APPHOME
to determine the application's installation directory and then executes an initialization script in that directory.
...
char* home=getenv("APPHOME");
char* cmd=(char*)malloc(strlen(home)+strlen(INITCMD));
if (cmd) {
strcpy(cmd,home);
strcat(cmd,INITCMD);
execl(cmd, NULL);
}
...
Example 1
, the code in this example allows an attacker to execute arbitrary commands with the elevated privilege of the application. In this example, the attacker may modify the environment variable $APPHOME
to specify a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, by controlling the environment variable the attacker may fool the application into running malicious code.make
in the /var/yp
directory. Note that since the program updates password records, it has been installed setuid root
.make
as follows:
system("cd /var/yp && make &> /dev/null");
system()
. However, since the program does not specify an absolute path for make
and does not scrub any environment variables prior to invoking the command, the attacker may modify their $PATH
variable to point to a malicious binary named make
and execute the CGI script from a shell prompt. And since the program has been installed setuid root
, the attacker's version of make
now runs with root
privileges.CreateProcess()
either directly or via a call to one of the functions in the _spawn()
family, care must be taken when there is a space in an executable or path.
...
LPTSTR cmdLine = _tcsdup(TEXT("C:\\Program Files\\MyApplication -L -S"));
CreateProcess(NULL, cmdLine, ...);
...
CreateProcess()
parses spaces, the first executable the operating system will try to execute is Program.exe
, not MyApplication.exe
. Therefore, if an attacker is able to install a malicious application called Program.exe
on the system, any program that incorrectly calls CreateProcess()
using the Program Files
directory will run this application instead of the intended one.system()
, exec()
, and CreateProcess()
use the environment of the program that calls them, and therefore attackers have a potential opportunity to influence the behavior of these calls.$PATH
or other aspects of the program's execution environment.make
in the /var/yp
directory. Note that because the program updates password records, it has been installed setuid root
.make
as follows:
MOVE "cd /var/yp && make &> /dev/null" to command-line
CALL "CBL_EXEC_RUN_UNIT" USING command-line
length of command-line
run-unit-id
stack-size
flags
CBL_EXEC_RUN_UNIT
. However, because the program does not specify an absolute path for make
and does not scrub its environment variables prior to invoking the command, the attacker can modify their $PATH
variable to point to a malicious binary named make
and execute the CGI script from a shell prompt. In addition, because the program has been installed setuid root
, the attacker's version of make
now runs with root
privileges.pdfprint
command.
DISPLAY "TEMP" UPON ENVIRONMENT-NAME
ACCEPT ws-temp-dir FROM ENVIRONMENT-VARIABLE
STRING "pdfprint " DELIMITED SIZE
ws-temp-dir DELIMITED SPACE
"/" DELIMITED SIZE
ws-pdf-filename DELIMITED SPACE
x"00" DELIMITED SIZE
INTO cmd-buffer
CALL "SYSTEM" USING cmd-buffer
pdfprint
, the attacker can modify their $PATH
variable to point to a malicious binary. Furthermore, while the DELIMITED SPACE
phrases prevent embedded spaces in ws-temp-dir
and ws-pdf-filename
, there could be shell metacharacters (such as &&
) embedded in either.cmd
request parameter.
...
<cfset var="#url.cmd#">
<cfexecute name = "C:\windows\System32\cmd.exe"
arguments = "/c #var#"
timeout = "1"
variable="mycmd">
</cfexecute>
...
APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
final cmd = String.fromEnvironment('APPHOME');
await Process.run(cmd);
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.
cmdName := request.FormValue("Command")
c := exec.Command(cmdName)
c.Run()
APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
String home = System.getProperty("APPHOME");
String cmd = home + INITCMD;
java.lang.Runtime.getRuntime().exec(cmd);
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
String btype = request.getParameter("backuptype");
String cmd = new String("cmd.exe /K
\"c:\\util\\rmanDB.bat "+btype+"&&c:\\util\\cleanup.bat\"")
System.Runtime.getRuntime().exec(cmd);
...
backuptype
parameter read from the user. Typically the Runtime.exec()
function will not execute multiple commands, but in this case the program first runs the cmd.exe
shell in order to run multiple commands with a single call to Runtime.exec()
. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
System.Runtime.getRuntime().exec("make");
...
Runtime.exec()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.
...
String[] cmds = this.getIntent().getStringArrayExtra("commands");
Process p = Runtime.getRuntime().exec("su");
DataOutputStream os = new DataOutputStream(p.getOutputStream());
for (String cmd : cmds) {
os.writeBytes(cmd+"\n");
}
os.writeBytes("exit\n");
os.flush();
...
APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
var cp = require('child_process');
...
var home = process.env('APPHOME');
var cmd = home + INITCMD;
child = cp.exec(cmd, function(error, stdout, stderr){
...
});
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Since the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
var cp = require('child_process');
var http = require('http');
var url = require('url');
function listener(request, response){
var btype = url.parse(request.url, true)['query']['backuptype'];
if (btype !== undefined){
cmd = "c:\\util\\rmanDB.bat" + btype;
cp.exec(cmd, function(error, stdout, stderr){
...
});
}
...
}
...
http.createServer(listener).listen(8080);
backuptype
parameter read from the user apart from verifying its existence. After the shell is invoked, it may allow for the execution of multiple commands, and due to the nature of the application, it will run with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
require('child_process').exec("make", function(error, stdout, stderr){
...
});
...
make
and fails to clean its environment prior to executing the call to child_process.exec()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
$home = $_ENV['APPHOME'];
$cmd = $home . $INITCMD;
system(cmd);
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
$btype = $_GET['backuptype'];
$cmd = "cmd.exe /K \"c:\\util\\rmanDB.bat " . $btype . "&&c:\\util\\cleanup.bat\"";
system(cmd);
...
backuptype
parameter read from the user. Typically the Runtime.exec()
function will not execute multiple commands, but in this case the program first runs the cmd.exe
shell in order to run multiple commands with a single call to Runtime.exec()
. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
$result = shell_exec("make");
...
Runtime.exec()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.
...
CREATE PROCEDURE dbo.listFiles (@path NVARCHAR(200))
AS
DECLARE @cmd NVARCHAR(500)
SET @cmd = 'dir ' + @path
exec xp_cmdshell @cmd
GO
...
APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
home = os.getenv('APPHOME')
cmd = home.join(INITCMD)
os.system(cmd);
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
btype = req.field('backuptype')
cmd = "cmd.exe /K \"c:\\util\\rmanDB.bat " + btype + "&&c:\\util\\cleanup.bat\""
os.system(cmd);
...
backuptype
parameter read from the user. Typically the Runtime.exec()
function will not execute multiple commands, but in this case the program first runs the cmd.exe
shell in order to run multiple commands with a single call to Runtime.exec()
. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
result = os.system("make");
...
os.system()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
home = ENV['APPHOME']
cmd = home + INITCMD
Process.spawn(cmd)
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
btype = req['backuptype']
cmd = "C:\\util\\rmanDB.bat #{btype} &&C:\\util\\cleanup.bat"
spawn(cmd)
...
backuptype
parameter read from the user. After the shell is invoked via Kernel.spawn
, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
system("make")
...
Kernel.system()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.
def changePassword(username: String, password: String) = Action { request =>
...
s'echo "${password}" | passwd ${username} --stdin'.!
...
}
APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
Dim cmd
Dim home
home = Environ$("AppHome")
cmd = home & initCmd
Shell cmd, vbNormalFocus
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
btype = Request.Form("backuptype")
cmd = "cmd.exe /K " & Chr(34) & "c:\util\rmanDB.bat " & btype & "&&c:\util\cleanup.bat" & Chr(34) & ";
Shell cmd, vbNormalFocus
...
backuptype
parameter read from the user. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
$result = shell_exec("make");
...
Runtime.exec()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.isSecure
parameter set to true
.Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, and the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.isSecure
parameter to true
.
...
Cookie cookie = new Cookie('emailCookie', emailCookie, path, maxAge, false, 'Strict');
...
isSecure
parameter, cookies sent during an HTTPS request are also sent during subsequent HTTP requests. Sniffing network traffic over unencrypted wireless connections is a trivial task for attackers, and sending cookies (especially those with session IDs) over HTTP can result in application compromise.Secure
flag set to true
.Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.Secure
property.
...
HttpCookie cookie = new HttpCookie("emailCookie", email);
Response.AppendCookie(cookie);
...
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Sniffing network traffic over unencrypted wireless connections is a trivial task for attackers, so sending cookies (especially those with session IDs) over HTTP can result in application compromise.Secure
flag to true
Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or session identifiers, or carries a CSRF token.Secure
flag.
cookie := http.Cookie{
Name: "emailCookie",
Value: email,
}
http.SetCookie(response, &cookie)
...
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Attackers can then compromise the cookie by sniffing the unencrypted network traffic, which is particularly easy over wireless networks.Secure
flag set to true
.Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.use-secure-cookie
attribute enables the remember-me
cookie to be sent over unencrypted transport.
<http auto-config="true">
...
<remember-me use-secure-cookie="false"/>
</http>
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Sniffing network traffic over unencrypted wireless connections is a trivial task for attackers, so sending cookies (especially those with session IDs) over HTTP can result in application compromise.Secure
flag set to true
.Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.Secure
property to true
.
res.cookie('important_cookie', info, {domain: 'secure.example.com', path: '/admin', httpOnly: true, secure: false});
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Sniffing network traffic over unencrypted wireless connections is a trivial task for attackers, so sending cookies (especially those with session IDs) over HTTP can result in application compromise.NSHTTPCookieSecure
flag set to TRUE
.Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.Secure
flag.
...
NSDictionary *cookieProperties = [NSDictionary dictionary];
...
NSHTTPCookie *cookie = [NSHTTPCookie cookieWithProperties:cookieProperties];
...
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Sniffing network traffic over unencrypted wireless connections is a trivial task for attackers, so sending cookies (especially those with session IDs) over HTTP can result in application compromise.Secure
flag to true
Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.Secure
flag.
...
setcookie("emailCookie", $email, 0, "/", "www.example.com");
...
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Attackers may then compromise the cookie by sniffing the unencrypted network traffic, which is particularly easy over wireless networks.Secure
flag to True
Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or session identifiers, or carries a CSRF token.Secure
flag.
from django.http.response import HttpResponse
...
def view_method(request):
res = HttpResponse()
res.set_cookie("emailCookie", email)
return res
...
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Attackers may then compromise the cookie by sniffing the unencrypted network traffic, which is particularly easy over wireless networks.Secure
flag set to true
.Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.Secure
flag.
Ok(Html(command)).withCookies(Cookie("sessionID", sessionID, secure = false))
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Sniffing network traffic over unencrypted wireless connections is a trivial task for attackers, so sending cookies (especially those with session IDs) over HTTP can result in application compromise.NSHTTPCookieSecure
flag set to TRUE
.Secure
flag for each cookie. If the flag is set, the browser will only send the cookie over HTTPS. Sending cookies over an unencrypted channel can expose them to network sniffing attacks, so the secure flag helps keep a cookie's value confidential. This is especially important if the cookie contains private data or carries a session identifier.Secure
flag.
...
let properties = [
NSHTTPCookieDomain: "www.example.com",
NSHTTPCookiePath: "/service",
NSHTTPCookieName: "foo",
NSHTTPCookieValue: "bar"
]
let cookie : NSHTTPCookie? = NSHTTPCookie(properties:properties)
...
Secure
flag, cookies sent during an HTTPS request will also be sent during subsequent HTTP requests. Sniffing network traffic over unencrypted wireless connections is a trivial task for attackers, so sending cookies (especially those with session IDs) over HTTP can result in application compromise.HttpOnly
flag to true
.HttpOnly
cookie property that prevents client-side scripts from accessing the cookie. Cross-site scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. Without HttpOnly
enabled, attackers have easier access to user cookies.HttpOnly
property.
HttpCookie cookie = new HttpCookie("emailCookie", email);
Response.AppendCookie(cookie);
HttpOnly
flag to true
.HttpOnly
cookie property that prevents client-side scripts from accessing the cookie. Cross-site scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. Without HttpOnly
enabled, attackers have easier access to user cookies.HttpOnly
property.
cookie := http.Cookie{
Name: "emailCookie",
Value: email,
}
...
HttpOnly
flag to true
.HttpOnly
cookie property that prevents client-side scripts from accessing the cookie. Cross-site scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. Without HttpOnly
enabled, attackers have easier access to user cookies.HttpOnly
property.
javax.servlet.http.Cookie cookie = new javax.servlet.http.Cookie("emailCookie", email);
// Missing a call to: cookie.setHttpOnly(true);
HttpOnly
flag to true
.HttpOnly
cookie property that prevents client-side scripts from accessing the cookie. Cross-site scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. Without HttpOnly
enabled, attackers have easier access to user cookies.httpOnly
property.
res.cookie('important_cookie', info, {domain: 'secure.example.com', path: '/admin'});
HttpOnly
flag to true
.HttpOnly
cookie property that prevents client-side scripts from accessing the cookie. Cross-site scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. Without HttpOnly
enabled, attackers have easier access to user cookies.HttpOnly
property.
setcookie("emailCookie", $email, 0, "/", "www.example.com", TRUE); //Missing 7th parameter to set HttpOnly
HttpOnly
flag to True
.HttpOnly
cookie property that prevents client-side scripts from accessing the cookie. Cross-site scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. Without HttpOnly
enabled, attackers have easier access to user cookies.HttpOnly
property.
from django.http.response import HttpResponse
...
def view_method(request):
res = HttpResponse()
res.set_cookie("emailCookie", email)
return res
...
HttpOnly
flag to true
.HttpOnly
cookie property that prevents client-side scripts from accessing the cookie. Cross-site scripting attacks often access cookies in an attempt to steal session identifiers or authentication tokens. Without HttpOnly
enabled, attackers have easier access to user cookies.HttpOnly
property.
Ok(Html(command)).withCookies(Cookie("sessionID", sessionID, httpOnly = false))
.example.com
". This exposes the cookie to all web applications on the base domain and any sub-domains. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://secure.example.com/
, and the application sets a session ID cookie with domain ".example.com
" when a user logs in.
HttpCookie cookie = new HttpCookie("sessionID", sessionID);
cookie.Domain = ".example.com";
http://insecure.example.com/
and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
.insecure.example.com
to create its own overly broad cookie that overwrites the cookie from secure.example.com
..example.com
". This exposes the cookie to all web applications on the base domain and any sub-domains. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://secure.example.com/
and the application sets a session ID cookie with domain ".example.com
" when a user logs in.
cookie := http.Cookie{
Name: "sessionID",
Value: getSessionID(),
Domain: ".example.com",
}
...
http://insecure.example.com/
, and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
.insecure.example.com
to create its own overly broad cookie that overwrites the cookie from Secure.example.com
..example.com
". This exposes the cookie to all web applications on the base domain and any sub-domains. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://secure.example.com/
and the application sets a session ID cookie with domain ".example.com
" when a user logs in.
Cookie cookie = new Cookie("sessionID", sessionID);
cookie.setDomain(".example.com");
http://insecure.example.com/
, and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
.insecure.example.com
to create its own overly broad cookie that overwrites the cookie from secure.example.com
..example.com
". This exposes the cookie to all web applications on the base domain and any sub-domains. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://secure.example.com/
and the application sets a session ID cookie with domain ".example.com
" when a user logs in.
cookie_options = {};
cookie_options.domain = '.example.com';
...
res.cookie('important_cookie', info, cookie_options);
http://insecure.example.com/
, and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
.insecure.example.com
to create its own overly broad cookie that overwrites the cookie from secure.example.com
..example.com
". This exposes the cookie to all web applications on the base domain and any sub-domains. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://secure.example.com/
and the application sets a session ID cookie with domain ".example.com
" when a user logs in.
...
NSDictionary *cookieProperties = [NSDictionary dictionary];
...
[cookieProperties setValue:@".example.com" forKey:NSHTTPCookieDomain];
...
NSHTTPCookie *cookie = [NSHTTPCookie cookieWithProperties:cookieProperties];
...
http://insecure.example.com/
, and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
.insecure.example.com
to create its own overly broad cookie that overwrites the cookie from secure.example.com
..example.com
". This exposes the cookie to all web applications on the base domain and any sub-domains. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://secure.example.com/
and the application sets a session ID cookie with domain ".example.com
" when a user logs in.
setcookie("mySessionId", getSessionID(), 0, "/", ".example.com", true, true);
http://insecure.example.com/
, and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
.insecure.example.com
to create its own overly broad cookie that overwrites the cookie from secure.example.com
..example.com
". This exposes the cookie to all web applications on the base domain and any sub-domains. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://secure.example.com/
and the application sets a session ID cookie with domain ".example.com
" when a user logs in.
from django.http.response import HttpResponse
...
def view_method(request):
res = HttpResponse()
res.set_cookie("mySessionId", getSessionID(), domain=".example.com")
return res
...
http://insecure.example.com/
, and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
.insecure.example.com
to create its own overly broad cookie that overwrites the cookie from secure.example.com
..example.com
". This exposes the cookie to all web applications on the base domain and any sub-domains. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://secure.example.com/
and the application sets a session ID cookie with domain ".example.com
" when a user logs in.
Ok(Html(command)).withCookies(Cookie("sessionID", sessionID, domain = Some(".example.com")))
http://insecure.example.com/
, and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
.insecure.example.com
to create its own overly broad cookie that overwrites the cookie from secure.example.com
..example.com
". This exposes the cookie to all web applications on the base domain and any sub-domains. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://secure.example.com/
and the application sets a session ID cookie with domain ".example.com
" when a user logs in.
...
let properties = [
NSHTTPCookieDomain: ".example.com",
NSHTTPCookiePath: "/service",
NSHTTPCookieName: "foo",
NSHTTPCookieValue: "bar",
NSHTTPCookieSecure: true
]
let cookie : NSHTTPCookie? = NSHTTPCookie(properties:properties)
...
http://insecure.example.com/
, and it contains a cross-site scripting vulnerability. Any user authenticated to http://secure.example.com
that browses to http://insecure.example.com
risks exposing their session cookie from http://secure.example.com
.insecure.example.com
to create its own overly broad cookie that overwrites the cookie from secure.example.com
./
"). This exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with path "/
" when users log in to the forum. For example:
...
String path = '/';
Cookie cookie = new Cookie('sessionID', sessionID, path, maxAge, true, 'Strict');
...
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a user of the forum clicks this link, the browser will send the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
./
", however, doing so exposes the cookie to all web applications on the same domain name. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with path "/
" when users log in to the forum.
HttpCookie cookie = new HttpCookie("sessionID", sessionID);
cookie.Path = "/";
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a user of the forum clicks this link, the browser will send the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
./
"). This exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with path "/
" when users log in to the forum.
cookie := http.Cookie{
Name: "sessionID",
Value: sID,
Expires: time.Now().AddDate(0, 0, 1),
Path: "/",
}
...
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a forum user clicks this link, the browser sends the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
./
"). This exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with path "/
" when users log in to the forum.
Cookie cookie = new Cookie("sessionID", sessionID);
cookie.setPath("/");
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a user of the forum clicks this link, the browser will send the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
./
"). This exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with path "/
" when users log in to the forum.
cookie_options = {};
cookie_options.path = '/';
...
res.cookie('important_cookie', info, cookie_options);
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a user of the forum clicks this link, the browser will send the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
./
"). This exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with path "/
" when users log in to the forum.
...
NSDictionary *cookieProperties = [NSDictionary dictionary];
...
[cookieProperties setValue:@"/" forKey:NSHTTPCookiePath];
...
NSHTTPCookie *cookie = [NSHTTPCookie cookieWithProperties:cookieProperties];
...
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a user of the forum clicks this link, the browser will send the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
./
"). This exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with path "/
" when users log in to the forum.
setcookie("mySessionId", getSessionID(), 0, "/", "communitypages.example.com", true, true);
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a user of the forum clicks this link, the browser will send the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
./
"). This exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with path "/
" when users log in to the forum.
from django.http.response import HttpResponse
...
def view_method(request):
res = HttpResponse()
res.set_cookie("sessionid", value) # Path defaults to "/"
return res
...
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a user of the forum clicks this link, the browser will send the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
./
"). This exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with path "/
" when users log in to the forum.
Ok(Html(command)).withCookies(Cookie("sessionID", sessionID, path = "/"))
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a user of the forum clicks this link, the browser will send the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
./
"). This exposes the cookie to all web applications on the domain. Because cookies often carry sensitive information such as session identifiers, sharing cookies across applications can cause a vulnerability in one application to compromise another application.http://communitypages.example.com/MyForum
and the application sets a session ID cookie with path "/
" when users log in to the forum.
...
let properties = [
NSHTTPCookieDomain: "www.example.com",
NSHTTPCookiePath: "/",
NSHTTPCookieName: "foo",
NSHTTPCookieValue: "bar",
NSHTTPCookieSecure: true
]
let cookie : NSHTTPCookie? = NSHTTPCookie(properties:properties)
...
http://communitypages.example.com/EvilSite
and posts a link to this site on the forum. When a user of the forum clicks this link, the browser will send the cookie set by /MyForum
to the application running at /EvilSite
. By stealing the session ID, the attacker can compromise the account of any forum user that browsed to /EvilSite
./EvilSite
to create its own overly broad cookie that overwrites the cookie from /MyForum
.
...
Integer maxAge = 60*60*24*365*10;
Cookie cookie = new Cookie('emailCookie', emailCookie, path, maxAge, true, 'Strict');
...
HttpCookie cookie = new HttpCookie("emailCookie", email);
cookie.Expires = DateTime.Now.AddYears(10);;
Cookie cookie = new Cookie("emailCookie", email);
cookie.setMaxAge(60*60*24*365*10);
...
NSDictionary *cookieProperties = [NSDictionary dictionary];
...
[cookieProperties setValue:[[NSDate date] dateByAddingTimeInterval:(60*60*24*365*10)] forKey:NSHTTPCookieExpires];
...
NSHTTPCookie *cookie = [NSHTTPCookie cookieWithProperties:cookieProperties];
...
setcookie("emailCookie", $email, time()+60*60*24*365*10);
from django.http.response import HttpResponse
...
def view_method(request):
res = HttpResponse()
res.set_cookie("emailCookie", email, expires=time()+60*60*24*365*10, secure=True, httponly=True)
return res
...
Ok(Html(command)).withCookies(Cookie("sessionID", sessionID, maxAge = Some(60*60*24*365*10)))
...
let properties = [
NSHTTPCookieDomain: "www.example.com",
NSHTTPCookiePath: "/service",
NSHTTPCookieName: "foo",
NSHTTPCookieValue: "bar",
NSHTTPCookieSecure: true,
NSHTTPCookieExpires : NSDate(timeIntervalSinceNow: (60*60*24*365*10))
]
let cookie : NSHTTPCookie? = NSHTTPCookie(properties:properties)
...