Changing a password or creating a new user account usually requires the new password to be provided twice for confirmation purposes. Passing a duplicated password instead of passing it twice prevents the API from making sure that the user did not mistype the password and circumvents the safety mechanism of password confirmation.

Example 1:

    String password=request.getParameter("password");
    ...
    DefaultUser user = (DefaultUser) ESAPI.authenticator().createUser(username, password, password);

Path Manipulation can occur when the paths of resources included in an application are modified by changing the way they are imported. This can happen with to the following conditions:

- Usage of relative paths to import resources
- Ability to overwrite the relative path by manipulating the URL

In some cases, browsers using quirks mode might be required to exploit the underlying vulnerability (this can be triggered by using the HTML meta tag or an older doctype).

While the Java Language Specification allows an object's finalize() method to be called from outside the finalizer, doing so is usually a bad idea. For example, calling finalize() explicitly means that finalize() will be called more than once: the first time will be the explicit call and the last time will be the call that is made after the object is garbage collected.

Example 1: The following code fragment calls finalize() explicitly:

// time to clean up
widget.finalize();

The dangerouslySetInnerHTML attribute in React is replacement for using innerHTML in the browser DOM, but the API has been renamed to convey the potential dangers from using it. In general, setting HTML from code is risky because it's easy to inadvertently expose your users to a cross-site scripting (XSS) attack.
Example 1: The following code sets HTML from code to dangerouslySetInnerHTML attribute:

      function MyComponent(data) {
        return (
          <div
            dangerouslySetInnerHTML={{__html: data.innerHTML}}
          />
        );
      }
    

Within the Foreign Function and Memory API, some methods are considered restricted because using them incorrectly can lead to JVM crashes or memory corruption.

Direct Open SQL write operations (Insert/Update/Modify/Delete) are in general bad practice and should be avoided. They undermine the integrity and security of the system and should not be allowed.



Direct Open SQL write operations are also error prone and can cause unexpected system behavior. Some of the issues to watch out for in SAP include:

- SAP recommends using 'update bundling' techniques to ensure data integrity within an SAP LUW (logical unit of work) that may span multiple database LUWs. Direct modifications to table entries without update bundling may leave the SAP transaction in an inconsistent state.

- Direct Open SQL write operations only set database level locks and bypass the SAP application locks. This may lead to deadlocks and corrupted data.

- Direct Open SQL write operations bypass SAP authorization checks within the application program.

- When standard mechanisms are used to write table entries, edit checks, audit trails, dependent updates (like change documents, for example) are all correctly performed. This is not the case when Direct Open SQL write operations are used.

In an invoker's rights, or AUTHID CURRENT_USER package, identifiers are first resolved against the current user's schema. This can cause unexpected behavior if the definer of the code does not explicitly say which schema an identifier belongs to.

Example 1: The following code checks whether a user has permissions to perform an action by looking up the user in a permissions table. Most users will only have read access to SYS.PERMISSIONS and be unable to modify the defined permissions.

CREATE or REPLACE FUNCTION check_permissions(
  p_name IN VARCHAR2, p_action IN VARCHAR2)
  RETURN BOOLEAN
  AUTHID CURRENT_USER
IS
  r_count NUMBER;
  perm BOOLEAN := FALSE;
BEGIN
  SELECT count(*) INTO r_count FROM PERMISSIONS
    WHERE name = p_name AND action = p_action;
  IF r_count > 0 THEN
    perm := TRUE;
  END IF;
  RETURN perm;
END check_permissions

If the user calling the check_permissions function defines a PERMISSIONS table in their schema, the database will resolve the identifier to refer to the local table. The user would have write access to the new table and could modify it to gain permissions they wouldn't otherwise have.

Apache Struts 2.x included the new Aware interfaces to allow developers to easily inject maps with relevant runtime information into their Actions code. These interfaces include: org.apache.struts2.interceptor.ApplicationtAware, org.apache.struts2.interceptor.SessionAware and org.apache.struts2.interceptor.RequestAware. In order to get any of these data maps injected into their Actions code, developers need to implement the setter specified in the interface (eg: setSession for SessionAware Interface):

public class VulnerableAction extends ActionSupport implements SessionAware {

  protected Map<String, Object> session;

  @Override
  public void setSession(Map<String, Object> session) {
    this.session = session;
  }

On the other hand, Struts 2.x automatically binds the request data coming from the user to the Action's properties through public accessors defined in the Action. As the Aware interfaces require the implementation of the public setter defined in the Aware interface, this setter will also be automatically bound to any request parameter that matches the Aware interface setter name which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware interfaces.

The following URL will let an attacker overwrite the "roles" attribute in the session map. This can potentially allow the attacker to become an administrator.

http://server/VulnerableAction?session.roles=admin


While these interfaces only require the implementation of the setter accessors, if the corresponding getter is also implemented, the changes to these map collections will be session-scoped persisted, rather than just affect the current request scope.

Struts 2 introduced a feature called "Dynamic Method Invocation" which allow an Action to expose methods other than execute(). The ! (bang) character or the method: prefix can be used in the Action URL to invoke any public method in the Action if "Dynamic Method Invocation" is enabled. Developers that are not aware of this feature can inadvertently expose internal business logic to attackers.

As an example, if the Action contains a public method called getUserPassword() that takes no arguments and fails to disable the "Dynamic Method Invocation" feature, an attacker will be able to take advantage of this visiting the following URL: http://server/app/recoverpassword!getPassword.action

Apache Struts 2.x included the new Aware interfaces to allow developers to easily inject maps with relevant runtime information into their Actions code. These interfaces include: org.apache.struts2.interceptor.ApplicationtAware, org.apache.struts2.interceptor.SessionAware and org.apache.struts2.interceptor.RequestAware. In order to get any of these data maps injected into their Actions code, developers need to implement the setter specified in the interface (eg: setSession for SessionAware Interface):

public class VulnerableAction extends ActionSupport implements SessionAware {

  protected Map<String, Object> session;

  @Override
  public void setSession(Map<String, Object> session) {
    this.session = session;
  }

On the other hand, Struts 2.x automatically binds the request data coming from the user to the Action's properties through public accessors defined in the Action. As the Aware interfaces require the implementation of the public setter defined in the Aware interface, this setter will also be automatically bound to any request parameter that matches the Aware interface setter name which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware interfaces.

The following URL will let an attacker overwrite the "roles" attribute in the session map. This can potentially allow the attacker to become an administrator.

http://server/VulnerableAction?session.roles=admin


While these interfaces only require the implementation of the setter accessors, if the corresponding getter is also implemented, the changes to these map collections will be session-scoped persisted, rather than just affect the current request scope.

Apache Struts 2.x included the new Aware interfaces to allow developers to easily inject maps with relevant runtime information into their Actions code. These interfaces include: org.apache.struts2.interceptor.ApplicationtAware, org.apache.struts2.interceptor.SessionAware and org.apache.struts2.interceptor.RequestAware. In order to get any of these data maps injected into their Actions code, developers need to implement the setter specified in the interface (eg: setSession for SessionAware Interface):

public class VulnerableAction extends ActionSupport implements SessionAware {

  protected Map<String, Object> session;

  @Override
  public void setSession(Map<String, Object> session) {
    this.session = session;
  }

On the other hand, Struts 2.x automatically binds the request data coming from the user to the Action's properties through public accessors defined in the Action. As the Aware interfaces require the implementation of the public setter defined in the Aware interface, this setter will also be automatically bound to any request parameter that matches the Aware interface setter name which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware interfaces.

The following URL will let an attacker overwrite the "roles" attribute in the session map. This can potentially allow the attacker to become an administrator.

http://server/VulnerableAction?session.roles=admin


While these interfaces only require the implementation of the setter accessors, if the corresponding getter is also implemented, the changes to these map collections will be session-scoped persisted, rather than just affect the current request scope.

ABAP system fields are always available in ABAP programs. The runtime system fills them according to context after starting a program, after sending a screen and after changing the internal mode. They can then be used in programs to query the system status. System fields are variables but should always be treated as though they were constants and be read only. Changing their values can cause the loss of important information necessary for the flow of the program. Only a limited few of these are meant to be changed within customer ABAP programs.


Changing values of system fields that communicate runtime specific information to the ABAP program could cause disruption or unexpected behavior in the ABAP program.

It is not uncommon for Java programmers to misunderstand read() and related methods that are part of many java.io classes. Most errors and unusual events in Java result in an exception being thrown. (This is one of the advantages that Java has over languages like C: Exceptions make it easier for programmers to think about what can go wrong.) But the stream and reader classes do not consider it unusual or exceptional if only a small amount of data becomes available. These classes simply add the small amount of data to the return buffer, and set the return value to the number of bytes or characters read. There is no guarantee that the amount of data returned is equal to the amount of data requested.

This behavior makes it important for programmers to examine the return value from read() and other IO methods to ensure that they receive the amount of data they expect.

Example 1: The following code loops through a set of users, reading a private data file for each user. The programmer assumes that the files are always exactly 1 kilobyte in size and therefore ignores the return value from read(). If an attacker can create a smaller file, the program will recycle the remainder of the data from the previous user and handle it as though it belongs to the attacker.

FileInputStream fis;
byte[] byteArray = new byte[1024];
for (Iterator i=users.iterator(); i.hasNext();) {
    String userName = (String) i.next();
    String pFileName = PFILE_ROOT + "/" + userName;
    FileInputStream fis = new FileInputStream(pFileName);
    fis.read(byteArray); // the file is always 1k bytes
    fis.close();
    processPFile(userName, byteArray);
}

SAP system provides for extensive authorization configuration and access management. System level configuration is also available to restrict permissions based on the system role. Together, these features make user or system dependent programming irrelevant. That is, there cannot be a scenario in a securely configured customer productive system where functionality of a program is dependent on the user executing the program or the system on which the program is being executed. Querying user or system details to influence program flow is therefore a bad practice and can indicate the presence of a possible backdoor.