username
and password
to the JSON file located at C:\user_info.json
:
...
StringBuilder sb = new StringBuilder();
StringWriter sw = new StringWriter(sb);
using (JsonWriter writer = new JsonTextWriter(sw))
{
writer.Formatting = Formatting.Indented;
writer.WriteStartObject();
writer.WritePropertyName("role");
writer.WriteRawValue("\"default\"");
writer.WritePropertyName("username");
writer.WriteRawValue("\"" + username + "\"");
writer.WritePropertyName("password");
writer.WriteRawValue("\"" + password + "\"");
writer.WriteEndObject();
}
File.WriteAllText(@"C:\user_info.json", sb.ToString());
JsonWriter.WriteRawValue()
, the untrusted data in username
and password
will not be validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, possibly changing the structure of the serialized JSON. In this example, if the non-privileged user mallory
with password Evil123!
were to append ","role":"admin
to her username when entering it at the prompt that sets the value of the username
variable, the resulting JSON saved to C:\user_info.json
would be:
{
"role":"default",
"username":"mallory",
"role":"admin",
"password":"Evil123!"
}
Dictionary
object with JsonConvert.DeserializeObject()
as so:
String jsonString = File.ReadAllText(@"C:\user_info.json");
Dictionary<string, string> userInfo = JsonConvert.DeserializeObject<Dictionary<string, strin>>(jsonString);
username
, password
, and role
keys in the Dictionary
object would be mallory
, Evil123!
, and admin
respectively. Without further verification that the deserialized JSON values are valid, the application will incorrectly assign user mallory
"admin" privileges.username
and password
to the JSON file located at ~/user_info.json
:
...
func someHandler(w http.ResponseWriter, r *http.Request){
r.parseForm()
username := r.FormValue("username")
password := r.FormValue("password")
...
jsonString := `{
"username":"` + username + `",
"role":"default"
"password":"` + password + `",
}`
...
f, err := os.Create("~/user_info.json")
defer f.Close()
jsonEncoder := json.NewEncoder(f)
jsonEncoder.Encode(jsonString)
}
username
and password
is not validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, which can possibly change the serialized JSON structure. In this example, if the non-privileged user mallory
with password Evil123!
appended ","role":"admin
when she entered her username, the resulting JSON saved to ~/user_info.json
would be:
{
"username":"mallory",
"role":"default",
"password":"Evil123!",
"role":"admin"
}
mallory
"admin" privileges.username
and password
to the JSON file located at ~/user_info.json
:
...
JsonFactory jfactory = new JsonFactory();
JsonGenerator jGenerator = jfactory.createJsonGenerator(new File("~/user_info.json"), JsonEncoding.UTF8);
jGenerator.writeStartObject();
jGenerator.writeFieldName("username");
jGenerator.writeRawValue("\"" + username + "\"");
jGenerator.writeFieldName("password");
jGenerator.writeRawValue("\"" + password + "\"");
jGenerator.writeFieldName("role");
jGenerator.writeRawValue("\"default\"");
jGenerator.writeEndObject();
jGenerator.close();
JsonGenerator.writeRawValue()
, the untrusted data in username
and password
will not be validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, possibly changing the structure of the serialized JSON. In this example, if the non-privileged user mallory
with password Evil123!
were to append ","role":"admin
to her username when entering it at the prompt that sets the value of the username
variable, the resulting JSON saved to ~/user_info.json
would be:
{
"username":"mallory",
"role":"admin",
"password":"Evil123!",
"role":"default"
}
HashMap
object with Jackson's JsonParser
as so:
JsonParser jParser = jfactory.createJsonParser(new File("~/user_info.json"));
while (jParser.nextToken() != JsonToken.END_OBJECT) {
String fieldname = jParser.getCurrentName();
if ("username".equals(fieldname)) {
jParser.nextToken();
userInfo.put(fieldname, jParser.getText());
}
if ("password".equals(fieldname)) {
jParser.nextToken();
userInfo.put(fieldname, jParser.getText());
}
if ("role".equals(fieldname)) {
jParser.nextToken();
userInfo.put(fieldname, jParser.getText());
}
if (userInfo.size() == 3)
break;
}
jParser.close();
username
, password
, and role
keys in the HashMap
object would be mallory
, Evil123!
, and admin
respectively. Without further verification that the deserialized JSON values are valid, the application will incorrectly assign user mallory
"admin" privileges.
var str = document.URL;
var url_check = str.indexOf('name=');
var name = null;
if (url_check > -1) {
name = decodeURIComponent(str.substring((url_check+5), str.length));
}
$(document).ready(function(){
if (name !== null){
var obj = jQuery.parseJSON('{"role": "user", "name" : "' + name + '"}');
...
}
...
});
name
will not be validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, possibly changing the structure of the serialized JSON. In this example, if the non-privileged user mallory
were to append ","role":"admin
to the name parameter in the URL, the JSON would become:
{
"role":"user",
"username":"mallory",
"role":"admin"
}
jQuery.parseJSON()
and set to a plain object, meaning that obj.role
would now return "admin" instead of "user"_usernameField
and _passwordField
:
...
NSString * const jsonString = [NSString stringWithFormat: @"{\"username\":\"%@\",\"password\":\"%@\",\"role\":\"default\"}" _usernameField.text, _passwordField.text];
NSString.stringWithFormat:
, the untrusted data in _usernameField
and _passwordField
will not be validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, possibly changing the structure of the serialized JSON. In this example, if the non-privileged user mallory
with password Evil123!
were to append ","role":"admin
to her username when entering it into the _usernameField
field, the resulting JSON would be:
{
"username":"mallory",
"role":"admin",
"password":"Evil123!",
"role":"default"
}
NSDictionary
object with NSJSONSerialization.JSONObjectWithData:
as so:
NSError *error;
NSDictionary *jsonData = [NSJSONSerialization JSONObjectWithData:[jsonString dataUsingEncoding:NSUTF8StringEncoding] options:NSJSONReadingAllowFragments error:&error];
username
, password
, and role
in the NSDictionary
object would be mallory
, Evil123!
, and admin
respectively. Without further verification that the deserialized JSON values are valid, the application will incorrectly assign user mallory
"admin" privileges.
import json
import requests
from urllib.parse import urlparse
from urllib.parse import parse_qs
url = 'https://www.example.com/some_path?name=some_value'
parsed_url = urlparse(url)
untrusted_values = parse_qs(parsed_url.query)['name'][0]
with open('data.json', 'r') as json_File:
data = json.load(json_File)
data['name']= untrusted_values
with open('data.json', 'w') as json_File:
json.dump(data, json_File)
...
name
will not be validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, possibly changing the structure of the serialized JSON. In this example, if the non-privileged user mallory
were to append ","role":"admin
to the name parameter in the URL, the JSON would become:
{
"role":"user",
"username":"mallory",
"role":"admin"
}
usernameField
and passwordField
:
...
let jsonString : String = "{\"username\":\"\(usernameField.text)\",\"password\":\"\(passwordField.text)\",\"role\":\"default\"}"
usernameField
and passwordField
will not be validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, possibly changing the structure of the serialized JSON. In this example, if the non-privileged user mallory
with password Evil123!
were to append ","role":"admin
to her username when entering it into the usernameField
field, the resulting JSON would be:
{
"username":"mallory",
"role":"admin",
"password":"Evil123!",
"role":"default"
}
NSDictionary
object with NSJSONSerialization.JSONObjectWithData:
as so:
var error: NSError?
var jsonData : NSDictionary = NSJSONSerialization.JSONObjectWithData(jsonString.dataUsingEncoding(NSUTF8StringEncoding), options: NSJSONReadingOptions.MutableContainers, error: &error) as NSDictionary
username
, password
, and role
in the NSDictionary
object would be mallory
, Evil123!
, and admin
respectively. Without further verification that the deserialized JSON values are valid, the application will incorrectly assign user mallory
"admin" privileges.
def searchUserDetails(key:String) = Action.async { implicit request =>
val user_json = getUserDataFor(user)
val value = (user_json \ key).get.as[String]
...
}
key
is user-controllable, a malicious user can leverage this to access the user's passwords, and any other private data that may be contained within the JSON document.
def form = Form(
mapping(
"name" -> text,
"age" -> number
)(UserData.apply)(UserData.unapply)
)
FormAction
which fails to validate the data against the expected requirements:Example 2: The following code defines a Spring WebFlow action state which fails to validate the data against the expected requirements:
<bean id="customerCriteriaAction" class="org.springframework.webflow.action.FormAction">
<property name="formObjectClass"
value="com.acme.domain.CustomerCriteria" />
<property name="propertyEditorRegistrar">
<bean
class="com.acme.web.PropertyEditors" />
</property>
</bean>
<action-state>
<action bean="transferMoneyAction" method="bind" />
</action-state>
def form = Form(
mapping(
"name" -> text,
"age" -> number
)(UserData.apply)(UserData.unapply)
)
dest
request parameter when a user clicks the link.
...
DATA: str_dest TYPE c.
str_dest = request->get_form_field( 'dest' ).
response->redirect( str_dest ).
...
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter when a user clicks the link.
...
var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var strDest:String = String(params["dest"]);
host.updateLocation(strDest);
...
Example 1
will redirect the browser to "http://www.wilyhacker.com".PageReference
object consisting of a URL from the dest
request parameter.
public PageReference pageAction() {
...
PageReference ref = ApexPages.currentPage();
Map<String,String> params = ref.getParameters();
return new PageReference(params.get('dest'));
}
Example 1
will redirect the browser to "http://www.wilyhacker.com".aspnet:AllowRelaxedRelativeUrl
setting to allow unrestricted URL redirection. An attacker who successfully exploited this vulnerability would be able to redirect a user to a website of the attacker's choosing without the user's consent. The attacker could then perform a phishing attack to gain information from the user they did not intend to disclose.aspnet:AllowRelaxedRelativeUrl
is set to true
.
...
<appSettings>
<add key="aspnet:AllowRelaxedRelativeUrl" value="true" />
</appSettings>
...
dest
request parameter when a user clicks the link.
...
final server = await HttpServer.bind(host, port);
await for (HttpRequest request in server) {
final response = request.response;
final headers = request.headers;
final strDest = headers.value('strDest');
response.headers.contentType = ContentType.text;
response.redirect(Uri.parse(strDest!));
await response.close();
}
...
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter when a user clicks the link.
...
strDest := r.Form.Get("dest")
http.Redirect(w, r, strDest, http.StatusSeeOther)
...
Example 1
redirects the browser to "http://www.wilyhacker.com".dest
request parameter when a user clicks the link.
<end-state id="redirectView" view="externalRedirect:#{requestParameters.dest}" />
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter when a user clicks the link.
...
strDest = form.dest.value;
window.open(strDest,"myresults");
...
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter when a user clicks the link.
<%
...
$strDest = $_GET["dest"];
header("Location: " . $strDest);
...
%>
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter when a user clicks the link.
...
-- Assume QUERY_STRING looks like dest=http://www.wilyhacker.com
dest := SUBSTR(OWA_UTIL.get_cgi_env('QUERY_STRING'), 6);
OWA_UTIL.redirect_url('dest');
...
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter when a user clicks the link.
...
strDest = request.field("dest")
redirect(strDest)
...
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter:
...
str_dest = req.params['dest']
...
res = Rack::Response.new
...
res.redirect("http://#{dest}")
...
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter.
def myAction = Action { implicit request =>
...
request.getQueryString("dest") match {
case Some(location) => Redirect(location)
case None => Ok("No url found!")
}
...
}
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter when a user clicks the link.
...
strDest = Request.Form('dest')
HyperLink.NavigateTo strDest
...
Example 1
will redirect the browser to "http://www.wilyhacker.com".
...
var fs:FileStream = new FileStream();
fs.open(new File("config.properties"), FileMode.READ);
var password:String = fs.readMultiByte(fs.bytesAvailable, File.systemCharset);
URLRequestDefaults.setLoginCredentialsForHost(hostname, usr, password);
...
password
. Any devious employee with access to this information can use it to break into the system.
...
string password = regKey.GetValue(passKey).ToString());
NetworkCredential netCred =
new NetworkCredential(username,password,domain);
...
password
. Any devious employee with access to this information can use it to break into the system.
...
RegQueryValueEx(hkey,TEXT(.SQLPWD.),NULL,
NULL,(LPBYTE)password, &size);
rc = SQLConnect(*hdbc, server, SQL_NTS, uid,
SQL_NTS, password, SQL_NTS);
...
password
. Any devious employee with access to this information can use it to break into the system.
...
01 RECORD.
05 UID PIC X(10).
05 PASSWORD PIC X(10).
...
EXEC CICS
READ
FILE('CFG')
INTO(RECORD)
RIDFLD(ACCTNO)
...
END-EXEC.
EXEC SQL
CONNECT :UID
IDENTIFIED BY :PASSWORD
AT :MYCONN
USING :MYSERVER
END-EXEC.
...
CFG
can read the value of password. Any devious employee with access to this information can use it to break into the system.
<cfquery name = "GetCredentials" dataSource = "master">
SELECT Username, Password
FROM Credentials
WHERE DataSource="users"
</cfquery>
...
<cfquery name = "GetSSNs" dataSource = "users"
username = "#Username#" password = "#Password#">
SELECT SSN
FROM Users
</cfquery>
...
master
can read the value of Username
and Password
. Any devious employee with access to this information can use it to break into the system.
...
file, _ := os.Open("config.json")
decoder := json.NewDecoder(file)
decoder.Decode(&values)
request.SetBasicAuth(values.Username, values.Password)
...
values.Password
. Any devious employee with access to this information can use it to break into the system.
...
Properties prop = new Properties();
prop.load(new FileInputStream("config.properties"));
String password = prop.getProperty("password");
DriverManager.getConnection(url, usr, password);
...
password
. Any devious employee with access to this information can use it to break into the system.
...
webview.setWebViewClient(new WebViewClient() {
public void onReceivedHttpAuthRequest(WebView view,
HttpAuthHandler handler, String host, String realm) {
String[] credentials = view.getHttpAuthUsernamePassword(host, realm);
String username = credentials[0];
String password = credentials[1];
handler.proceed(username, password);
}
});
...
...
obj = new XMLHttpRequest();
obj.open('GET','/fetchusers.jsp?id='+form.id.value,'true','scott','tiger');
...
plist
file and uses it to unzip a password-protected file.
...
NSDictionary *dict= [NSDictionary dictionaryWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"Config" ofType:@"plist"]];
NSString *password = [dict valueForKey:@"password"];
[SSZipArchive unzipFileAtPath:zipPath toDestination:destPath overwrite:TRUE password:password error:&error];
...
...
$props = file('config.properties', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
$password = $props[0];
$link = mysql_connect($url, $usr, $password);
if (!$link) {
die('Could not connect: ' . mysql_error());
}
...
password
. Any devious employee with access to this information can use it to break into the system.
...
ip_address := OWA_SEC.get_client_ip;
IF ((OWA_SEC.get_user_id = 'scott') AND
(OWA_SEC.get_password = 'tiger') AND
(ip_address(1) = 144) and (ip_address(2) = 25)) THEN
RETURN TRUE;
ELSE
RETURN FALSE;
END IF;
...
...
props = os.open('config.properties')
password = props[0]
link = MySQLdb.connect (host = "localhost",
user = "testuser",
passwd = password,
db = "test")
...
password
. Any devious employee with access to this information can use it to break into the system.
require 'pg'
...
passwd = ENV['PASSWD']
...
conn = PG::Connection.new(:dbname => "myApp_production", :user => username, :password => passwd, :sslmode => 'require')
PASSWD
. Any devious employee with access to this information can use it to break into the system.
...
val prop = new Properties()
prop.load(new FileInputStream("config.properties"))
val password = prop.getProperty("password")
DriverManager.getConnection(url, usr, password)
...
config.properties
can read the value of password
. Any devious employee with access to this information can use it to break into the system.plist
file and uses it to unzip a password-protected file.
...
var myDict: NSDictionary?
if let path = NSBundle.mainBundle().pathForResource("Config", ofType: "plist") {
myDict = NSDictionary(contentsOfFile: path)
}
if let dict = myDict {
zipArchive.unzipOpenFile(zipPath, password:dict["password"])
}
...
...
Private Declare Function GetPrivateProfileString _
Lib "kernel32" Alias "GetPrivateProfileStringA" _
(ByVal lpApplicationName As String, _
ByVal lpKeyName As Any, ByVal lpDefault As String, _
ByVal lpReturnedString As String, ByVal nSize As Long, _
ByVal lpFileName As String) As Long
...
Dim password As String
...
password = GetPrivateProfileString("MyApp", "Password", _
"", value, Len(value), _
App.Path & "\" & "Config.ini")
...
con.ConnectionString = "Driver={Microsoft ODBC for Oracle};Server=OracleServer.world;Uid=scott;Passwd=" & password &";"
...
password
. Any devious employee with access to this information can use it to break into the system.
...
password = ''.
...
...
URLRequestDefaults.setLoginCredentialsForHost(hostname, "scott", "");
...
Example 1
indicates that the user account "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.
...
var storedPassword:String = "";
var temp:String;
if ((temp = readPassword()) != null) {
storedPassword = temp;
}
if(storedPassword.equals(userPassword))
// Access protected resources
...
}
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing an empty string for userPassword
.
...
HttpRequest req = new HttpRequest();
req.setClientCertificate('mycert', '');
...
...
NetworkCredential netCred = new NetworkCredential("scott", "", domain);
...
Example 1
succeeds, it indicates that the network credential login "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.
...
string storedPassword = "";
string temp;
if ((temp = ReadPassword(storedPassword)) != null) {
storedPassword = temp;
}
if(storedPassword.Equals(userPassword))
// Access protected resources
...
}
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing an empty string for userPassword
.
...
rc = SQLConnect(*hdbc, server, SQL_NTS, "scott", SQL_NTS, "", SQL_NTS);
...
Example 1
succeeds, it indicates that the database user account "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.
...
char *stored_password = "";
readPassword(stored_password);
if(safe_strcmp(stored_password, user_password))
// Access protected resources
...
}
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing an empty string for user_password
.
...
<cfquery name = "GetSSNs" dataSource = "users"
username = "scott" password = "">
SELECT SSN
FROM Users
</cfquery>
...
Example 1
succeeds, it indicates that the database user account "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.
...
var password = "";
var temp;
if ((temp = readPassword()) != null) {
password = temp;
}
if(password == userPassword()) {
// Access protected resources
...
}
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing an empty string for userPassword
.
...
response.SetBasicAuth(usrName, "")
...
...
DriverManager.getConnection(url, "scott", "");
...
Example 1
succeeds, it indicates that the database user account "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.
...
String storedPassword = "";
String temp;
if ((temp = readPassword()) != null) {
storedPassword = temp;
}
if(storedPassword.equals(userPassword))
// Access protected resources
...
}
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing an empty string for userPassword
.
...
webview.setWebViewClient(new WebViewClient() {
public void onReceivedHttpAuthRequest(WebView view,
HttpAuthHandler handler, String host, String realm) {
String username = "";
String password = "";
if (handler.useHttpAuthUsernamePassword()) {
String[] credentials = view.getHttpAuthUsernamePassword(host, realm);
username = credentials[0];
password = credentials[1];
}
handler.proceed(username, password);
}
});
...
Example 2
, if useHttpAuthUsernamePassword()
returns false
, an attacker will be able to view protected pages by supplying an empty password.
...
obj = new XMLHttpRequest();
obj.open('GET','/fetchusers.jsp?id='+form.id.value,'true','scott','');
...
{
...
"password" : ""
...
}
...
rc = SQLConnect(*hdbc, server, SQL_NTS, "scott", SQL_NTS, "", SQL_NTS);
...
Example 1
succeeds, it indicates that the database user account "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.
...
NSString *stored_password = "";
readPassword(stored_password);
if(safe_strcmp(stored_password, user_password)) {
// Access protected resources
...
}
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing an empty string for user_password
.
<?php
...
$connection = mysql_connect($host, 'scott', '');
...
?>
DECLARE
password VARCHAR(20);
BEGIN
password := "";
END;
...
db = mysql.connect("localhost","scott","","mydb")
...
...
conn = Mysql.new(database_host, "scott", "", databasename);
...
Example 1
succeeds, it indicates that the database user account "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.""
as a default value when none is specified. In this case you also need to make sure that the correct number of arguments are specified in order to make sure a password is passed to the function.
...
ws.url(url).withAuth("john", "", WSAuthScheme.BASIC)
...
...
let password = ""
let username = "scott"
let con = DBConnect(username, password)
...
Example 1
succeeds, it indicates that the database user account "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.
...
var stored_password = ""
readPassword(stored_password)
if(stored_password == user_password) {
// Access protected resources
...
}
...
readPassword()
fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing an empty string for user_password
.
...
Dim con As New ADODB.Connection
Dim cmd As New ADODB.Command
Dim rst As New ADODB.Recordset
con.ConnectionString = "Driver={Microsoft ODBC for Oracle};Server=OracleServer.world;Uid=scott;Passwd=;"
...
Example 1
succeeds, it indicates that the database user account "scott" is configured with an empty password, which an attacker can easily guess. After the program ships, updating the account to use a non-empty password will require a code change.