Input validation and representation problems ares caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.
XStream
processing untrusted input.
XStream xstream = new XStream();
String body = IOUtils.toString(request.getInputStream(), "UTF-8");
Contact expl = (Contact) xstream.fromXML(body);
var yamlString = getYAMLFromUser();
// Setup the input
var input = new StringReader(yamlString);
// Load the stream
var yaml = new YamlStream();
yaml.Load(input);
var yaml = require('js-yaml');
var untrusted_yaml = getYAMLFromUser();
yaml.load(untrusted_yaml)
import yaml
yamlString = getYamlFromUser()
yaml.load(yamlString)
Example: The following XML document will instantiate a ProcessBuilder object and will invoke its static start() method to run the windows calculator.
XMLDecoder decoder = new XMLDecoder(new InputSource(new InputStreamReader(request.getInputStream(), "UTF-8")));
Object object = decoder.readObject();
decoder.close();
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="1" >
<void index="0">
<string>c:\\windows\\system32\\calc.exe</string>
</void>
</array>
<void method="start"/>
</object>
</java>
Example 2: The application uses unvalidated data controlled by the user in a Spring tag that perfoms double SpEL evaluation:
String expression = request.getParameter("input");
SpelExpressionParser parser = new SpelExpressionParser();
SpelExpression expr = parser.parseRaw(expression);
<spring:message text="" code="${param['message']}"></spring:message>
sprintf()
, FormatMessageW()
, or syslog()
.snprintf()
.
int main(int argc, char **argv){
char buf[128];
...
snprintf(buf,128,argv[1]);
}
%x
, than the function takes as arguments to be formatted. (In this example, the function takes no arguments to be formatted.) By using the %n
formatting directive, the attacker may write to the stack, causing snprintf()
to write the number of bytes output thus far to the specified argument (rather than reading a value from the argument, which is the intended behavior). A sophisticated version of this attack will use four staggered writes to completely control the value of a pointer on the stack.
printf("%d %d %1$d %1$d\n", 5, 9);
5 9 5 5
Example 1
.syslog()
function is sometimes used as follows:
...
syslog(LOG_ERR, cmdBuf);
...
syslog()
is a format string, any formatting directives included in cmdBuf
are interpreted as described in Example 1
.syslog()
:
...
syslog(LOG_ERR, "%s", cmdBuf);
...
sprintf()
, FormatMessageW()
, syslog()
, NSLog
, or NSString.stringWithFormat
Example 1: The following code utilizes a command line argument as a format string in NSString.stringWithFormat:
.
int main(int argc, char **argv){
char buf[128];
...
[NSString stringWithFormat:argv[1], argv[2] ];
}
%x
, than the function takes as arguments to be formatted. (In this example, the function takes no arguments to be formatted.)
printf("%d %d %1$d %1$d\n", 5, 9);
5 9 5 5
Example 1
.syslog()
function is sometimes used as follows:
...
syslog(LOG_ERR, cmdBuf);
...
syslog()
is a format string, any formatting directives included in cmdBuf
are interpreted as described in Example 1
.syslog()
:Example 4: Apple core classes provide interesting avenues for exploiting format string vulnerabilities.
...
syslog(LOG_ERR, "%s", cmdBuf);
...
String.stringByAppendingFormat()
function is sometimes used as follows:
...
NSString test = @"Sample Text.";
test = [test stringByAppendingFormat:[MyClass
formatInput:inputControl.text]];
...
stringByAppendingFormat()
:
...
NSString test = @"Sample Text.";
test = [test stringByAppendingFormat:@"%@", [MyClass
formatInput:inputControl.text]];
...
=cmd|'/C calc.exe'!Z0
. If the user who opens the spreadsheet trusts the origin of the document, they might accept all the security prompts presented by the spreadsheet processor and let the payload (in this example, opening the Windows calculator) run on their system.
public void Service()
{
string name = HttpContext.Request["name"];
string data = GenerateCSVFor(name);
HttpContext.Response.Clear();
HttpContext.Response.Buffer = true;
HttpContext.Response.AddHeader("content-disposition", "attachment;filename=file.csv");
HttpContext.Response.Charset = "";
HttpContext.Response.ContentType = "application/csv";
HttpContext.Response.Output.Write(tainted);
HttpContext.Response.Flush();
HttpContext.Response.End();
}
=cmd|'/C calc.exe'!Z0
. If the user who opens the spreadsheet trusts the origin of the document, they might accept all the security prompts presented by the spreadsheet processor and let the payload (in this example, opening the Windows calculator) run on their system.
func someHandler(w http.ResponseWriter, r *http.Request){
r.parseForm()
foo := r.FormValue("foo")
...
w := csv.NewWriter(file)
w.Write(foo)
}
=cmd|'/C calc.exe'!Z0
. If the user who opens the spreadsheet trusts the origin of the document, they might accept all the security prompts presented by the spreadsheet processor and let the payload (in this example, opening the Windows calculator) run on their system.
@RequestMapping(value = "/api/service.csv")
public ResponseEntity<String> service(@RequestParam("name") String name) {
HttpHeaders responseHeaders = new HttpHeaders();
responseHeaders.add("Content-Type", "application/csv; charset=utf-8");
responseHeaders.add("Content-Disposition", "attachment;filename=file.csv");
String data = generateCSVFor(name);
return new ResponseEntity<>(data, responseHeaders, HttpStatus.OK);
}
=cmd|'/C calc.exe'!Z0
. If the user who opens the spreadsheet trusts the origin of the document, they might accept all the security prompts presented by the spreadsheet processor and let the payload (in this example, opening the Windows calculator) run on their system.
@RequestMapping(value = "/api/service.csv")
fun service(@RequestParam("name") name: String): ResponseEntity<String> {
val responseHeaders = HttpHeaders()
responseHeaders.add("Content-Type", "application/csv; charset=utf-8")
responseHeaders.add("Content-Disposition", "attachment;filename=file.csv")
val data: String = generateCSVFor(name)
return ResponseEntity(data, responseHeaders, HttpStatus.OK)
}