var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var ctl:String = String(params["ctl"]);
var ao:Worker;
if (ctl == "Add) {
ao = new AddCommand();
} else if (ctl == "Modify") {
ao = new ModifyCommand();
} else {
throw new UnknownActionError();
}
ao.doAction(params);
var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var ctl:String = String(params["ctl"]);
var ao:Worker;
var cmdClass:Class = getDefinitionByName(ctl + "Command") as Class;
ao = new cmdClass();
ao.doAction(params);
if/else
blocks have been entirely eliminated, and it is now possible to add new command types without modifying the command dispatcher.Worker
interface. If the command dispatcher is still responsible for access control, then whenever programmers create a new class that implements the Worker
interface, they must remember to modify the dispatcher's access control code. If they fail to modify the access control code, then some Worker
classes will not have any access control.Worker
object responsible for performing the access control check. An example of the re-refactored code is as follows:
var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var ctl:String = String(params["ctl"]);
var ao:Worker;
var cmdClass:Class = getDefinitionByName(ctl + "Command") as Class;
ao = new cmdClass();
ao.checkAccessControl(params);
ao.doAction(params);
Continuation
object could enable attackers to create unexpected control flow paths through the application, potentially bypassing security checks.continuationMethod
property, which determines the name of method to be called when receiving a response.
public Object startRequest() {
Continuation con = new Continuation(40);
Map<String,String> params = ApexPages.currentPage().getParameters();
if (params.containsKey('contMethod')) {
con.continuationMethod = params.get('contMethod');
} else {
con.continuationMethod = 'processResponse';
}
HttpRequest req = new HttpRequest();
req.setMethod('GET');
req.setEndpoint(LONG_RUNNING_SERVICE_URL);
this.requestLabel = con.addHttpRequest(req);
return con;
}
continuationMethod
property to be set by runtime request parameters, which enables attackers to call any function that matches the name.
...
Dim ctl As String
Dim ao As New Worker()
ctl = Request.Form("ctl")
If (String.Compare(ctl,"Add") = 0) Then
ao.DoAddCommand(Request)
Else If (String.Compare(ctl,"Modify") = 0) Then
ao.DoModifyCommand(Request)
Else
App.EventLog("No Action Found", 4)
End If
...
...
Dim ctl As String
Dim ao As New Worker()
ctl = Request.Form("ctl")
CallByName(ao, ctl, vbMethod, Request)
...
if/else
blocks have been entirely eliminated, and it is now possible to add new command types without modifying the command dispatcher.Worker
object. If the command dispatcher is responsible for access control, then whenever programmers create a new method in the Worker
class, they must remember to modify the dispatcher's access control logic. If this access control logic becomes stale, then some Worker
methods will not have any access control.Worker
object responsible for performing the access control check. An example of the re-refactored code is as follows:
...
Dim ctl As String
Dim ao As New Worker()
ctl = Request.Form("ctl")
If (ao.checkAccessControl(ctl,Request) = True) Then
CallByName(ao, "Do" & ctl & "Command", vbMethod, Request)
End If
...
clazz
.
char* ctl = getenv("ctl");
...
jmethodID mid = GetMethodID(clazz, ctl, sig);
status = CallIntMethod(env, clazz, mid, JAVA_ARGS);
...
Example 2: Similar to previous example, the application uses the
...
func beforeExampleCallback(scope *Scope){
input := os.Args[1]
if input{
scope.CallMethod(input)
}
}
...
reflect
package to retrieve the name of a function to be called from a command-line argument.
...
input := os.Args[1]
var worker WokerType
reflect.ValueOf(&worker).MethodByName(input).Call([]reflect.Value{})
...
String ctl = request.getParameter("ctl");
Worker ao = null;
if (ctl.equals("Add")) {
ao = new AddCommand();
} else if (ctl.equals("Modify")) {
ao = new ModifyCommand();
} else {
throw new UnknownActionError();
}
ao.doAction(request);
String ctl = request.getParameter("ctl");
Class cmdClass = Class.forName(ctl + "Command");
Worker ao = (Worker) cmdClass.newInstance();
ao.doAction(request);
if/else
blocks have been entirely eliminated, and it is now possible to add new command types without modifying the command dispatcher.Worker
interface. If the command dispatcher is still responsible for access control, then whenever programmers create a new class that implements the Worker
interface, they must remember to modify the dispatcher's access control code. If they fail to modify the access control code, then some Worker
classes will not have any access control.Worker
object responsible for performing the access control check. An example of the re-refactored code is as follows:
String ctl = request.getParameter("ctl");
Class cmdClass = Class.forName(ctl + "Command");
Worker ao = (Worker) cmdClass.newInstance();
ao.checkAccessControl(request);
ao.doAction(request);
Worker
interface; the default constructor for any object in the system can be invoked. If the object does not implement the Worker
interface, a ClassCastException
will be thrown before the assignment to ao
, but if the constructor performs operations that work in the attacker's favor, the damage will have already been done. Although this scenario is relatively benign in simple applications, in larger applications where complexity grows exponentially it is not unreasonable to assume that an attacker could find a constructor to leverage as part of an attack.performSelector
method which could allow them to create unexpected control flow paths through the application, potentially bypassing security checks.UIApplicationDelegate
class.
...
- (BOOL)application:(UIApplication *)application openURL:(NSURL *)url
sourceApplication:(NSString *)sourceApplication annotation:(id)annotation {
NSString *query = [url query];
NSString *pathExt = [url pathExtension];
[self performSelector:NSSelectorFromString(pathExt) withObject:query];
...
$ctl = $_GET["ctl"];
$ao = null;
if (ctl->equals("Add")) {
$ao = new AddCommand();
} else if ($ctl.equals("Modify")) {
$ao = new ModifyCommand();
} else {
throw new UnknownActionError();
}
$ao->doAction(request);
$ctl = $_GET["ctl"];
$args = $_GET["args"];
$cmdClass = new ReflectionClass(ctl . "Command");
$ao = $cmdClass->newInstance($args);
$ao->doAction(request);
if/else
blocks have been entirely eliminated, and it is now possible to add new command types without modifying the command dispatcher.Worker
interface. If the command dispatcher is still responsible for access control, then whenever programmers create a new class that implements the Worker
interface, they must remember to modify the dispatcher's access control code. If they fail to modify the access control code, then some Worker
classes will not have any access control.Worker
object responsible for performing the access control check. An example of the re-refactored code is as follows:
$ctl = $_GET["ctl"];
$args = $_GET["args"];
$cmdClass = new ReflectionClass(ctl . "Command");
$ao = $cmdClass->newInstance($args);
$ao->checkAccessControl(request);
ao->doAction(request);
Worker
interface; the default constructor for any object in the system can be invoked. If the object does not implement the Worker
interface, a ClassCastException
will be thrown before the assignment to $ao
, but if the constructor performs operations that work in the attacker's favor, the damage will have already been done. Although this scenario is relatively benign in simple applications, in larger applications where complexity grows exponentially it is not unreasonable to assume that an attacker could find a constructor to leverage as part of an attack.
ctl = req['ctl']
if ctl=='add'
addCommand(req)
elsif ctl=='modify'
modifyCommand(req)
else
raise UnknownCommandError.new
end
ctl = req['ctl']
ctl << "Command"
send(ctl)
if/else
blocks have been entirely eliminated, and it is now possible to add new command types without modifying the command dispatcher.define_method()
, or may be called via overriding of missing_method()
. Auditing and keeping track of these and how access control code is used with these is very difficult, and when considering this would also depend on what other library code is loaded may make this this a near insurmountable task to do correctly in this manner.
def exec(ctl: String) = Action { request =>
val cmdClass = Platform.getClassForName(ctl + "Command")
Worker ao = (Worker) cmdClass.newInstance()
ao.doAction(request)
...
}
if/else
blocks have been entirely eliminated, and it is now possible to add new command types without modifying the command dispatcher.Worker
interface. If the command dispatcher is still responsible for access control, then whenever programmers create a new class that implements the Worker
interface, they must remember to modify the dispatcher's access control code. If they fail to modify the access control code, then some Worker
classes will not have any access control.Worker
object responsible for performing the access control check. An example of the re-refactored code is as follows:
def exec(ctl: String) = Action { request =>
val cmdClass = Platform.getClassForName(ctl + "Command")
Worker ao = (Worker) cmdClass.newInstance()
ao.checkAccessControl(request);
ao.doAction(request)
...
}
Worker
interface; the default constructor for any object in the system can be invoked. If the object does not implement the Worker
interface, a ClassCastException
will be thrown before the assignment to ao
, but if the constructor performs operations that work in the attacker's favor, the damage will have already been done. Although this scenario is relatively benign in simple applications, in larger applications where complexity grows exponentially it is not unreasonable to assume that an attacker could find a constructor to leverage as part of an attack.performSelector
method which could allow them to create unexpected control flow paths through the application, potentially bypassing security checks.UIApplicationDelegate
class.
func application(app: UIApplication, openURL url: NSURL, options: [String : AnyObject]) -> Bool {
...
let query = url.query
let pathExt = url.pathExtension
let selector = NSSelectorFromString(pathExt!)
performSelector(selector, withObject:query)
...
}
...
Dim ctl As String
Dim ao As new Worker
ctl = Request.Form("ctl")
If String.Compare(ctl,"Add") = 0 Then
ao.DoAddCommand Request
Else If String.Compare(ctl,"Modify") = 0 Then
ao.DoModifyCommand Request
Else
App.EventLog "No Action Found", 4
End If
...
...
Dim ctl As String
Dim ao As Worker
ctl = Request.Form("ctl")
CallByName ao, ctl, vbMethod, Request
...
if/else
blocks have been entirely eliminated, and it is now possible to add new command types without modifying the command dispatcher.Worker
object. If the command dispatcher is still responsible for access control, then whenever programmers create a new method within the Worker
class, they must remember to modify the dispatcher's access control code. If they fail to modify the access control code, then some Worker
methods will not have any access control.Worker
object responsible for performing the access control check. An example of the re-refactored code is as follows:
...
Dim ctl As String
Dim ao As Worker
ctl = Request.Form("ctl")
If ao.checkAccessControl(ctl,Request) = True Then
CallByName ao, "Do" & ctl & "Command", vbMethod, Request
End If
...
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/winnt/win.ini" >]><foo>&xxe;</foo>
- (void) parseSomeXML: (NSString *) rawXml {
BOOL success;
NSData *rawXmlConvToData = [rawXml dataUsingEncoding:NSUTF8StringEncoding];
NSXMLParser *myParser = [[NSXMLParser alloc] initWithData:rawXmlConvToData];
[myParser setShouldResolveExternalEntities:YES];
[myParser setDelegate:self];
}
rawXml
such that the XML looks like the following:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
boot.ini
file.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
- (void) parseSomeXML: (NSString *) rawXml {
BOOL success;
NSData *rawXmlConvToData = [rawXml dataUsingEncoding:NSUTF8StringEncoding];
NSXMLParser *myParser = [[NSXMLParser alloc] initWithData:rawXmlConvToData];
[myParser setShouldResolveExternalEntities:YES];
[myParser setDelegate:self];
}
rawXml
such that the XML looks like the following:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
boot.ini
file.
...
<?php
$goodXML = $_GET["key"];
$doc = simplexml_load_string($goodXml);
echo $doc->testing;
?>
...
Example 2
:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
boot.ini
file. The attacker may utilize XML elements which are returned to the client to exfiltrate data or obtain information as to the existence of network resources.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
/etc/passwd
and include them into the document.
def readFile() = Action { request =>
val xml = request.cookies.get("doc")
val doc = XMLLoader.loadString(xml)
...
}
func parseXML(xml: String) {
parser = NSXMLParser(data: rawXml.dataUsingEncoding(NSUTF8StringEncoding)!)
parser.delegate = self
parser.shouldResolveExternalEntities = true
parser.parse()
}
rawXml
contents such that the XML looks like the following:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
boot.ini
file.shoes
in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes
in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes
in following XML:
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes
in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes
in the following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
shoes
in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes
in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.
...
<?php
$goodXML = $_GET["key"];
$doc = simplexml_load_string($goodXml);
echo $doc->testing;
?>
...
Example 2
:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>
boot.ini
file. The attacker may utilize XML elements which are returned to the client to exfiltrate data or obtain information as to the existence of network resources.shoes
in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes
in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes
in following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.shoes
in the following XML.
<order>
<price>100.00</price>
<item>shoes</item>
</order>
shoes
with shoes</item><price>1.00</price><item>shoes
. The new XML would look like:
<order>
<price>100.00</price>
<item>shoes</item><price>1.00</price><item>shoes</item>
</order>
<price>
overrides the value from the first <price>
tag. This allows the attacker to purchase a pair of $100 shoes for $1.