execute()
. The !
(bang) character or the method:
prefix can be used in the Action URL to invoke any public method in the Action if "Dynamic Method Invocation" is enabled. In Struts 2 version 2.3.20
the mechanism for invoking the alternative method, which was previously based on reflection, was replaced with one that uses OGNL. This allowed attackers to provide malicious OGNL expressions instead of an alternative method name.
debug
request parameter:console
will pop up an OGNL evaluation console allowing developers to evaluate any arbitrary OGNL expression on the server.command
will allow the developers to submit arbitrary OGNL expressions to be evaluated using the request parameter expression
.xml
will dump the parameters, context, session, and value stack as an XML document.browser
will dump the parameters, context, session, and value stack in a browseable HTML document.dest
request parameter when a user clicks the link.
...
* Open-redirect example: the redirect target is taken verbatim from the
* client-supplied 'dest' form field; nothing in this snippet validates it.
DATA: str_dest TYPE c.
str_dest = request->get_form_field( 'dest' ).
* NOTE(review): compare str_dest with an allow-list of permitted targets before redirecting.
response->redirect( str_dest ).
...
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter when a user clicks the link.
...
// Open-redirect example: "dest" is read from the SWF's loader parameters, which are supplied from outside the application.
var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var strDest:String = String(params["dest"]);
// The value reaches host.updateLocation() unchanged; no validation is visible in this snippet.
host.updateLocation(strDest);
...
Example 1
will redirect the browser to "http://www.wilyhacker.com".PageReference
object consisting of a URL from the dest
request parameter.
// Open-redirect example: returns a PageReference built from the caller-supplied "dest" page parameter.
public PageReference pageAction() {
...
PageReference ref = ApexPages.currentPage();
Map<String,String> params = ref.getParameters();
// params.get('dest') is used as the target URL as-is; no allow-list or same-site check is visible here.
return new PageReference(params.get('dest'));
}
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter when a user clicks the link.
// Open-redirect example: the "dest" request value is passed straight to Response.Redirect.
String redirect = Request["dest"];
// NOTE(review): nothing validates the value between read and redirect; restrict targets to local or allow-listed URLs.
Response.Redirect(redirect);
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter when a user clicks the link.
...
// Open-redirect example: every incoming request is answered with a redirect to a client-supplied value.
final server = await HttpServer.bind(host, port);
await for (HttpRequest request in server) {
final response = request.response;
final headers = request.headers;
// NOTE(review): the value is read from a request header named 'strDest', while the
// surrounding text speaks of a "dest" request parameter — confirm which is intended.
final strDest = headers.value('strDest');
response.headers.contentType = ContentType.text;
// strDest! throws when the header is absent, and Uri.parse accepts any absolute URL;
// no scheme or host check is applied before redirecting.
response.redirect(Uri.parse(strDest!));
await response.close();
}
...
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter when a user clicks the link.
...
// Open-redirect example: the "dest" form value is used as the redirect URL without validation.
// NOTE(review): r.Form is populated only after ParseForm has run — presumably in the elided code above.
strDest := r.Form.Get("dest")
http.Redirect(w, r, strDest, http.StatusSeeOther)
...
Example 1
redirects the browser to "http://www.wilyhacker.com".dest
request parameter when a user clicks the link.
<!-- Open-redirect example: the externalRedirect target is the "dest" request parameter, used without validation. -->
<end-state id="redirectView" view="externalRedirect:#{requestParameters.dest}" />
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter when a user clicks the link.
...
// Open-redirect example: the value of the form's "dest" field is opened as a URL
// with no check on its scheme or host.
strDest = form.dest.value;
window.open(strDest,"myresults");
...
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter when a user clicks the link.
<%
...
// Open-redirect example: the "dest" query parameter is copied into the Location header unchanged.
$strDest = $_GET["dest"];
// NOTE(review): no allow-list or same-origin check precedes the redirect.
header("Location: " . $strDest);
...
%>
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter when a user clicks the link.
...
-- Assume QUERY_STRING looks like dest=http://www.wilyhacker.com
-- SUBSTR(..., 6) drops the five-character "dest=" prefix and keeps the rest of the query string.
dest := SUBSTR(OWA_UTIL.get_cgi_env('QUERY_STRING'), 6);
-- NOTE(review): as written this passes the string literal 'dest', not the variable dest;
-- the surrounding text implies the variable is intended. Either way, no validation is shown.
OWA_UTIL.redirect_url('dest');
...
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter when a user clicks the link.
...
# Open-redirect example: the "dest" request field is passed to redirect() without validation.
strDest = request.field("dest")
redirect(strDest)
...
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter:
...
# Open-redirect example: the "dest" request parameter ends up in the redirect URL.
str_dest = req.params['dest']
...
res = Rack::Response.new
...
# NOTE(review): the value was stored in str_dest, but the interpolation uses dest — presumably the same value.
# The fixed "http://" prefix does not constrain the host, which still comes from the parameter.
res.redirect("http://#{dest}")
...
Example 1
will redirect the browser to "http://www.wilyhacker.com".dest
request parameter.
// Open-redirect example: an action that redirects to the "dest" query-string value when one is present.
def myAction = Action { implicit request =>
...
request.getQueryString("dest") match {
// location comes from the request and is used as the redirect target as-is.
case Some(location) => Redirect(location)
case None => Ok("No url found!")
}
...
}
Example 1
will redirect the browser to "http://www.wilyhacker.com".requestToLoad
to point to the original URL's "dest" parameter if it exists and to the original URL using the http://
scheme otherwise, and finally loads this request within a WKWebView:
...
// NOTE(review): declared as String, yet the URL handler in this example assigns NSURLRequest values to it and compares it with nil.
let requestToLoad : String
...
// URL-scheme handler: stores a request built from the incoming URL's "dest" query item, or,
// when no "dest" item has a value, from the incoming URL itself with its scheme forced to "http".
func application(app: UIApplication, openURL url: NSURL, options: [String : AnyObject]) -> Bool {
...
if let urlComponents = NSURLComponents(URL: url, resolvingAgainstBaseURL: false) {
if let queryItems = urlComponents.queryItems as? [NSURLQueryItem]{
for queryItem in queryItems {
if queryItem.name == "dest" {
if let value = queryItem.value {
// value is supplied by whoever opened the app's URL; it becomes a request with no scheme or host check.
request = NSURLRequest(URL:NSURL(string:value))
requestToLoad = request
break
}
}
}
}
// NOTE(review): requestToLoad is declared as a non-optional String, so this nil comparison and the
// NSURLRequest assignments do not type-check as written — treat the snippet as illustrative.
if requestToLoad == nil {
// The fallback forces the plain "http" scheme, so the page would be fetched without TLS.
urlComponents.scheme = "http"
requestToLoad = NSURLRequest(URL:urlComponents.URL)
}
}
...
}
...
...
// The stored request is loaded into the web view as-is; nothing here restricts which hosts may be displayed.
let webView : WKWebView
// The forced cast (as!) traps at run time if the delegate is not an AppDelegate.
let appDelegate = UIApplication.sharedApplication().delegate as! AppDelegate
webView.loadRequest(appDelegate.requestToLoad)
...
Example 1
will attempt to request and load "http://www.wilyhacker.com" in the WKWebView.dest
request parameter when a user clicks the link.
...
' Open-redirect example: the "dest" form value is used as the navigation target without validation.
' NOTE(review): a single quote begins a comment in Visual Basic, so the argument below would need double quotes to compile.
strDest = Request.Form('dest')
HyperLink.NavigateTo strDest
...
Example 1
will redirect the browser to "http://www.wilyhacker.com".Denial of Wallet (DoW)
attack can occur if attackers exploit the cost-per-use model of cloud-based AI services by initiating a high volume of requests. The resulting charges place an unsustainable financial burden on the provider and can lead to financial ruin, as the cost of processing excessive requests becomes unmanageable.
Setting the max_completion_tokens
parameter to None
can increase the chances of producing excessive data. This can overwhelm the resources of the LLM server and potentially lead to a Denial of Wallet (DoW)
attack.
import os
from openai import OpenAI
# NOTE(review): this passes the literal string 'OPENAI_API_KEY' as the key; the otherwise unused
# `os` import suggests a lookup in os.environ was intended — confirm.
client = OpenAI(api_key='OPENAI_API_KEY')
# Sends `prompt` as a single user message and returns the first choice's message.
# Despite the name, nothing in this function bounds the size of the response.
def generate_safe_response(prompt):
completion = client.chat.completions.create(
model="gpt-3.5-turbo",
timeout=10,
# None means the caller sets no cap on completion length; this is the cost exposure the example illustrates.
max_completion_tokens=None,
messages=[
{"role": "user", "content": prompt}
]
)
return completion.choices[0].message
prompt = "Describe the latest advancements in machine learning."
response = generate_safe_response(prompt)
print(response)
max_completion_tokens
parameter limits the length of the output, which helps to ensure that the model does not generate excessively long responses that could cause issues downstream. By controlling the output size, you reduce the risk of generating unintended, potentially harmful content that could lead to security vulnerabilities.
security
requirements and target servers
definitions for an API operation will always override the respective global settings. security
requirements and target servers
definitions for an API operation will always override the respective global settings. security
definition.security
definition might enable attackers to interact with sensitive API endpoints and allow them to perform operations that should be restricted to specific user accounts with specific privileges.security
definition. APIs that implement this specification might be vulnerable to unauthorized or unauthenticated access to sensitive operations.
{
"openapi" : "3.0.3",
"info" : {
"title" : "My API",
"version" : "1.0.0"
},
"servers" : [ {
"url" : "/"
} ],
"security" : [],
...
}
security
definition.security
definition might enable attackers to interact with sensitive API endpoints and allow them to perform operations that should be restricted to specific user accounts with specific privileges.security
definition. APIs that implement this specification might be vulnerable to unauthorized or unauthenticated access to sensitive operations.
openapi: 3.0.3
info:
title: My API
version: 1.0.0
# `security` is declared but lists no requirement, so this document asks for no authentication globally.
security:
security
definition for an API operation.security
definition might enable attackers to interact with sensitive API endpoints and allow them to perform actions that should be restricted to specific user accounts with explicit privileges.security
definition for a sensitive operation. This overrides globally defined security requirements and renders the createUsers
operation vulnerable to unauthorized and unauthenticated access.
{
"openapi": "3.0.0",
"info": {
...
},
"paths": {
"/users": {
"post": {
"security": [],
"summary": "Create a user",
"operationId": "createUsers",
...
}
...
}
}
security
definition for an API operation.security
definition might enable attackers to interact with sensitive API endpoints and allow them to perform actions that should be restricted to specific user accounts with explicit privileges.security
definition for a sensitive operation. This overrides globally defined security requirements and renders the createUsers
operation vulnerable to unauthorized and unauthenticated access.
openapi: 3.0.0
info:
...
paths:
/users:
post:
operationId: createUsers
# An empty list at operation level replaces any global requirement: createUsers is callable without credentials.
security: []
responses:
'201':
...
security
definition.security
definition might enable attackers to interact with sensitive API endpoints and allow them to perform operations that should be restricted to specific user accounts with specific privileges.security
definition. APIs that implement this specification might be vulnerable to unauthorized or unauthenticated access to sensitive operations.
{
"openapi" : "3.0.3",
"info" : {
"title" : "My API",
"version" : "1.0.0"
},
"servers" : [ {
"url" : "https://example.org"
} ],
...
}
security
definition.security
definition might enable attackers to interact with sensitive API endpoints and allow them to perform operations that should be restricted to specific user accounts with specific privileges.security
definition. APIs that implement this specification might be vulnerable to unauthorized or unauthenticated access to sensitive operations.
# No top-level `security` field appears in the visible part of this document,
# so operations without their own requirement are unauthenticated.
openapi: 3.0.3
info:
title: My API
version: 1.0.0
...
security
definition for an API operation.security
definition might enable attackers to interact with sensitive API endpoints and allow them to perform actions that should be restricted to specific user accounts with explicit privileges.security
definition for a sensitive operation. Additionally, without a global security
definition, the createUsers
operation is vulnerable to unauthorized and unauthenticated access.
{
"openapi": "3.0.0",
"info": {
...
},
"paths": {
"/users": {
"post": {
"summary": "Create a user",
"operationId": "createUsers",
...
}
...
}
}
security
definition for an API operation.security
definition might enable attackers to interact with sensitive API endpoints and allow them to perform actions that should be restricted to specific user accounts with explicit privileges.security
definition for a sensitive operation. Additionally, without a global security
definition, the createUsers
operation is vulnerable to unauthorized and unauthenticated access.
openapi: 3.0.0
info:
...
paths:
/users:
post:
# createUsers declares no `security` field of its own, and no global one is shown in this document.
operationId: createUsers
responses:
'201':
...
securitySchemes
definition.securitySchemes
definition specifies the security mechanisms that may be used globally or by specific API operations.securitySchemes
definition is typically specified under the reusable components
object and is referenced globally or by specific operations to dictate security requirements for interaction.securitySchemes
definition.
{
"openapi" : "3.0.3",
"info" : {
"title" : "My API",
"version" : "1.0.0"
},
"components": {
"schemas": {
"GeneralError": {
"type": "object",
"properties": {
...
}
}
}
securitySchemes
definition.securitySchemes
definition specifies the security mechanisms that may be used globally or by specific API operations.securitySchemes
definition is typically specified under the reusable components
object and is referenced globally or by specific operations to dictate security requirements for interaction.securitySchemes
definition.
openapi: 3.0.3
info:
title: My API
version: 1.0.0
# Only `schemas` is visible under `components`; with no `securitySchemes` entry there is
# no scheme for a `security` requirement to reference.
components:
schemas:
GeneralError:
type: object
properties:
...
security
definition might enable attackers to interact with sensitive API endpoints and allow them to perform operations that should be restricted to specific user accounts with specific privileges.security
definition with optional security via the empty {}
item. APIs that implement this specification might be vulnerable to unauthorized or unauthenticated access to sensitive operations.
{
"openapi" : "3.0.3",
"info" : {
"title" : "My API",
"version" : "1.0.0"
},
"servers" : [ {
"url" : "/"
} ],
"security" : [ {}, { "oauth_auth" : ["write","read" ]} ],
...
}
security
definition might enable attackers to interact with sensitive API endpoints and allow them to perform operations that should be restricted to specific user accounts with specific privileges.security
definition with optional security via the empty {}
item. APIs that implement this specification might be vulnerable to unauthorized or unauthenticated access to sensitive operations.
openapi: 3.0.3
info:
title: My API
version: 1.0.0
security:
# The empty requirement `{}` is one acceptable alternative, so a request that presents
# no credentials still satisfies this list; the oauth_auth entry becomes optional.
- {}
- oauth_auth:
- write:users
- read:users
{}
in the security
definition for a sensitive operation. This overrides globally defined security requirements and renders the createUsers
operation vulnerable to unauthorized and unauthenticated access.
{
"openapi": "3.0.0",
"info": {
...
},
"paths": {
"/users": {
"post": {
"security": [
{},
{
"my_auth": [
"write:users"
]
}
],
"summary": "Create a user",
"operationId": "createUsers",
...
}
...
}
}
{}
in the security
definition for a sensitive operation. This overrides globally defined security requirements and renders the createUsers
operation vulnerable to unauthorized and unauthenticated access.
openapi: 3.0.0
info:
...
paths:
/users:
post:
operationId: createUsers
# Operation-level `security` replaces the global requirement; the empty `{}` alternative
# means createUsers accepts requests that present no credentials.
security:
- {}
- oauth_auth:
- write:users
- read:users
responses:
'201':
...
strncpy()
, can cause vulnerabilities when used incorrectly. The combination of memory manipulation and mistaken assumptions about the size or makeup of a piece of data is the root cause of most buffer overflows.memcpy()
reads memory from outside the allocated bounds of cArray
, which contains MAX
elements of type char
, while iArray
contains MAX
elements of type int
.Example 2: The following short program uses an untrusted command line argument as the search buffer in a call to
/* Out-of-bounds read example: the copy length is taken from the destination, not the source. */
void MemFuncs() {
char array1[MAX];
int array2[MAX];
/* sizeof(array2) is MAX * sizeof(int) bytes, but array1 holds only MAX bytes, so wherever
   sizeof(int) > 1 memcpy reads past the end of array1. (The surrounding text refers to
   these arrays as cArray and iArray.) */
memcpy(array2, array1, sizeof(array2));
}
memchr()
with a constant number of bytes to be analyzed.
/* Out-of-bounds read example: searches argv[0] for 'x' over a fixed MAX_PATH bytes. */
int main(int argc, char** argv) {
/* The length is a constant rather than the length of argv[0]; if 'x' does not occur
   within the string, the search continues past its terminator. */
char* ret = memchr(argv[0], 'x', MAX_PATH);
/* memchr returns NULL when the byte is not found in the range; passing NULL for %s is undefined behavior. */
printf("%s\n", ret);
}
argv[0]
, by searching the argv[0]
data up to a constant number of bytes. However, as the (constant) number of bytes might be larger than the data allocated for argv[0]
, the search might go on beyond the data allocated for argv[0]
. This will be the case when x
is not found in argv[0]
.strncpy()
, can cause vulnerabilities when used incorrectly. The combination of memory manipulation and mistaken assumptions about the size or makeup of a piece of data is the root cause of most buffer overflows.char
, with the last reference introducing an off-by-one error.
/* Out-of-bounds read example: buf has five elements, so its valid indices are 0 through 4. */
char Read() {
/* buf is never initialized in this snippet, so each read below also yields an indeterminate value. */
char buf[5];
return 0
+ buf[0]
+ buf[1]
+ buf[2]
+ buf[3]
+ buf[4]
/* Off-by-one: index 5 is one element past the end of buf. */
+ buf[5];
}
strncpy()
, can cause vulnerabilities when used incorrectly. The combination of memory manipulation and mistaken assumptions about the size or makeup of a piece of data is the root cause of most buffer overflows.getInputLength()
is less than the size of the destination buffer output
. However, because the comparison between len
and MAX
is signed, if len
is negative, it will become a very large positive number when it is converted to an unsigned argument to memcpy()
.
/* Signed-to-unsigned conversion example: a length check that has an upper bound but no lower bound. */
void TypeConvert() {
char input[MAX];
char output[MAX];
fillBuffer(input);
int len = getInputLength();
/* len is a signed int, so any negative value passes this test; a len >= 0 check is missing. */
if (len <= MAX) {
/* memcpy's count is a size_t: a negative len converts to a very large unsigned value,
   and the copy runs far beyond both MAX-byte buffers. */
memcpy(output, input, len);
}
...
}
...
// Reads everything available in config.properties as one string and treats it as the password.
var fs:FileStream = new FileStream();
fs.open(new File("config.properties"), FileMode.READ);
var password:String = fs.readMultiByte(fs.bytesAvailable, File.systemCharset);
// The value is used exactly as read; no decryption step is visible, so the file holds the usable credential.
URLRequestDefaults.setLoginCredentialsForHost(hostname, usr, password);
...
password
. Any devious employee with access to this information can use it to break into the system.
...
// The password is read from a registry value and used as-is; anyone able to read that key obtains the credential.
// NOTE(review): the closing parenthesis after ToString() is unbalanced as written.
string password = regKey.GetValue(passKey).ToString());
NetworkCredential netCred =
new NetworkCredential(username,password,domain);
...
password
. Any devious employee with access to this information can use it to break into the system.
...
/* Reads the password from a registry value into `password`; the return code of RegQueryValueEx is not checked. */
/* NOTE(review): the dots around SQLPWD look like mis-encoded quotation marks — confirm against the original. */
RegQueryValueEx(hkey,TEXT(.SQLPWD.),NULL,
NULL,(LPBYTE)password, &size);
/* The value is passed to SQLConnect exactly as read; no decryption step is visible. */
rc = SQLConnect(*hdbc, server, SQL_NTS, uid,
SQL_NTS, password, SQL_NTS);
...
password
. Any devious employee with access to this information can use it to break into the system.
...
*> Record layout for the configuration entry: a 10-character user ID and a 10-character password.
01 RECORD.
05 UID PIC X(10).
05 PASSWORD PIC X(10).
...
*> Reads the entry from the CICS file 'CFG' into RECORD.
EXEC CICS
READ
FILE('CFG')
INTO(RECORD)
RIDFLD(ACCTNO)
...
END-EXEC.
*> PASSWORD is used for the connection exactly as read; no decryption step appears in this snippet.
EXEC SQL
CONNECT :UID
IDENTIFIED BY :PASSWORD
AT :MYCONN
USING :MYSERVER
END-EXEC.
...
CFG
can read the value of password. Any devious employee with access to this information can use it to break into the system.
<!--- Selects a username/password pair from the Credentials table of the "master" data source. --->
<cfquery name = "GetCredentials" dataSource = "master">
SELECT Username, Password
FROM Credentials
WHERE DataSource="users"
</cfquery>
...
<!--- The selected values are used directly as the login for the "users" data source; no decryption step is visible. --->
<cfquery name = "GetSSNs" dataSource = "users"
username = "#Username#" password = "#Password#">
SELECT SSN
FROM Users
</cfquery>
...
master
can read the value of Username
and Password
. Any devious employee with access to this information can use it to break into the system.
...
// The errors from os.Open and Decode are discarded, and the file is not closed in the visible code.
file, _ := os.Open("config.json")
decoder := json.NewDecoder(file)
decoder.Decode(&values)
// values.Password is whatever config.json contained, used as-is for HTTP Basic authentication.
request.SetBasicAuth(values.Username, values.Password)
...
values.Password
. Any devious employee with access to this information can use it to break into the system.
...
// Loads config.properties and uses its "password" entry as the database password.
// The FileInputStream is not closed in the visible code.
Properties prop = new Properties();
prop.load(new FileInputStream("config.properties"));
String password = prop.getProperty("password");
// The value is passed on exactly as stored; no decryption step is visible.
DriverManager.getConnection(url, usr, password);
...
password
. Any devious employee with access to this information can use it to break into the system.
...
// Answers every HTTP authentication challenge with the credentials the WebView has stored for that host and realm.
webview.setWebViewClient(new WebViewClient() {
public void onReceivedHttpAuthRequest(WebView view,
HttpAuthHandler handler, String host, String realm) {
// NOTE(review): getHttpAuthUsernamePassword returns null when nothing is stored for host/realm,
// in which case credentials[0] throws.
String[] credentials = view.getHttpAuthUsernamePassword(host, realm);
String username = credentials[0];
String password = credentials[1];
// The stored pair is submitted without asking the user.
handler.proceed(username, password);
}
});
...
...
// The user name 'scott' and password 'tiger' are literals in this script, so anyone who can read the script can read them.
obj = new XMLHttpRequest();
// NOTE(review): the third argument is the string 'true' rather than a boolean, and form.id.value is appended to the URL unencoded.
obj.open('GET','/fetchusers.jsp?id='+form.id.value,'true','scott','tiger');
...
plist
file and uses it to unzip a password-protected file.
...
// Loads Config.plist from the application's main bundle and reads its "password" entry.
NSDictionary *dict= [NSDictionary dictionaryWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"Config" ofType:@"plist"]];
NSString *password = [dict valueForKey:@"password"];
// The value is used as the archive password exactly as stored; no decryption step is visible.
[SSZipArchive unzipFileAtPath:zipPath toDestination:destPath overwrite:TRUE password:password error:&error];
...
...
// Reads config.properties into an array of lines and uses the first non-empty line as the database password.
$props = file('config.properties', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
$password = $props[0];
// The password is used exactly as stored; no decryption step is visible.
$link = mysql_connect($url, $usr, $password);
if (!$link) {
// The driver's error text is echoed to the client on failure.
die('Could not connect: ' . mysql_error());
}
...
password
. Any devious employee with access to this information can use it to break into the system.
...
-- Authorization check that compares the caller's credentials and client IP with values embedded in the source.
ip_address := OWA_SEC.get_client_ip;
-- The user name 'scott' and password 'tiger' are literals: anyone who can read this code learns them,
-- and changing them requires a code change.
IF ((OWA_SEC.get_user_id = 'scott') AND
(OWA_SEC.get_password = 'tiger') AND
(ip_address(1) = 144) and (ip_address(2) = 25)) THEN
RETURN TRUE;
ELSE
RETURN FALSE;
END IF;
...
...
# NOTE(review): os.open requires a flags argument and returns an integer file descriptor, which cannot
# be indexed; the example presumably means to read the first line of config.properties.
props = os.open('config.properties')
password = props[0]
# The password is passed to the connection as read; no decryption step is visible.
link = MySQLdb.connect (host = "localhost",
user = "testuser",
passwd = password,
db = "test")
...
password
. Any devious employee with access to this information can use it to break into the system.
require 'pg'
...
# The database password is read from the PASSWD environment variable and used as-is.
passwd = ENV['PASSWD']
...
# sslmode 'require' protects the connection in transit; it does not protect the stored value.
conn = PG::Connection.new(:dbname => "myApp_production", :user => username, :password => passwd, :sslmode => 'require')
PASSWD
. Any devious employee with access to this information can use it to break into the system.
...
// Loads config.properties and uses its "password" entry as the database password.
// The FileInputStream is not closed in the visible code.
val prop = new Properties()
prop.load(new FileInputStream("config.properties"))
val password = prop.getProperty("password")
// The value is passed on exactly as stored; no decryption step is visible.
DriverManager.getConnection(url, usr, password)
...
config.properties
can read the value of password
. Any devious employee with access to this information can use it to break into the system.plist
file and uses it to unzip a password-protected file.
...
// Loads Config.plist from the application's main bundle, if the resource exists.
var myDict: NSDictionary?
if let path = NSBundle.mainBundle().pathForResource("Config", ofType: "plist") {
myDict = NSDictionary(contentsOfFile: path)
}
if let dict = myDict {
// The "password" entry is used as the archive password exactly as stored; no decryption step is visible.
zipArchive.unzipOpenFile(zipPath, password:dict["password"])
}
...
...
' Declares the kernel32 routine used to read a value from an .ini file.
Private Declare Function GetPrivateProfileString _
Lib "kernel32" Alias "GetPrivateProfileStringA" _
(ByVal lpApplicationName As String, _
ByVal lpKeyName As Any, ByVal lpDefault As String, _
ByVal lpReturnedString As String, ByVal nSize As Long, _
ByVal lpFileName As String) As Long
...
Dim password As String
...
' Reads the "Password" key of section "MyApp" from Config.ini in the application directory.
' NOTE(review): the function is declared to return a Long while the text it reads goes into `value`,
' so `password` receives the return value rather than the text — presumably `value` was intended.
password = GetPrivateProfileString("MyApp", "Password", _
"", value, Len(value), _
App.Path & "\" & "Config.ini")
...
' The value is concatenated into the connection string as-is; no decryption step is visible.
con.ConnectionString = "Driver={Microsoft ODBC for Oracle};Server=OracleServer.world;Uid=scott;Passwd=" & password &";"
...
password
. Any devious employee with access to this information can use it to break into the system.