...
DSA dsa1 = new DSACryptoServiceProvider(Convert.ToInt32(TextBox1.Text));
...
key_len
, and even then there should be appropriate protection to verify both that it is a numeric value and that it is within a suitable range of values for a key size. For most use cases, this should be a sufficiently high hardcoded number.
...
dsa.GenerateParameters(params, rand.Reader, key_len)
privatekey := new(dsa.PrivateKey)
privatekey.PublicKey.Parameters = *params
dsa.GenerateKey(privatekey, rand.Reader)
...
key_len
. In these cases, you should verify both that it is a numeric value and that it is within a suitable value range for the key size. For most use cases, select a sufficiently large hardcoded key size.
require 'openssl'
...
key_len = io.read.to_i
key = OpenSSL::PKey::DSA.new(key_len)
...
key_len
, and even then there should be appropriate protection to verify both that it is a numeric value and that it is within a suitable range of values for a key size. For most use cases, this should be a sufficiently high hardcoded number.default
service account. For each service account, an API access token is automatically generated and made available in a mounted directory. Attackers can use the access token in any compromised Container to gain access to insufficiently protected and security-sensitive service APIs.automountServiceAccountToken
is not defined or the configuration of the default service account contains the automountServiceAccountToken: true
setting.default
service account of a Pod are automounted if the automountServiceAccountToken
is not defined or is set to true
, as in this example.Example 2: API credentials are automounted for a Pod because there is an
apiVersion: v1
kind: ServiceAccount
metadata:
name: default
namespace: demo-namespace
automountServiceAccountToken: true
...
automountServiceAccountToken: true
setting in the default
service account as in this example.
apiVersion: v1
kind: Pod
...
spec:
automountServiceAccountToken: true
...
APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
CALL FUNCTION 'REGISTRY_GET'
EXPORTING
KEY = 'APPHOME'
IMPORTING
VALUE = home.
CONCATENATE home INITCMD INTO cmd.
CALL 'SYSTEM' ID 'COMMAND' FIELD cmd ID 'TAB' FIELD TABL[].
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the registry entry APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the registry, if an attacker can control the value of the registry key APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
btype = request->get_form_field( 'backuptype' )
CONCATENATE `/K 'c:\\util\\rmanDB.bat ` btype `&&c:\\util\\cleanup.bat'` INTO cmd.
CALL FUNCTION 'SXPG_COMMAND_EXECUTE_LONG'
EXPORTING
commandname = cmd_exe
long_params = cmd_string
EXCEPTIONS
no_permission = 1
command_not_found = 2
parameters_too_long = 3
security_risk = 4
OTHERS = 5.
...
backuptype
parameter read from the user. Typically the function module SXPG_COMMAND_EXECUTE_LONG
will not execute multiple commands, but in this case the program first runs the cmd.exe
shell in order to run multiple commands with a single call to CALL 'SYSTEM'
. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
MOVE 'make' to cmd.
CALL 'SYSTEM' ID 'COMMAND' FIELD cmd ID 'TAB' FIELD TABL[].
...
CALL 'SYSTEM'
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.
...
var fs:FileStream = new FileStream();
fs.open(new File(String(configStream.readObject())+".txt"), FileMode.READ);
home = String(fs.readObject(home));
var cmd:String = home + INITCMD;
fscommand("exec", cmd);
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the contents of the configuration file configStream
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the file, if an attacker can control that value, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var btype:String = String(params["backuptype"]);
var cmd:String = "cmd.exe /K \"c:\\util\\rmanDB.bat " + btype + "&&c:\\util\\cleanup.bat\"";
fscommand("exec", cmd);
...
backuptype
parameter read from the user. Typically the fscommand()
function will not execute multiple commands, but in this case the program first runs the cmd.exe
shell in order to run multiple commands with a single call to fscommnd()
. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
fscommand("exec", "make");
...
fscommand()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
string val = Environment.GetEnvironmentVariable("APPHOME");
string cmd = val + INITCMD;
ProcessStartInfo startInfo = new ProcessStartInfo(cmd);
Process.Start(startInfo);
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
string btype = BackupTypeField.Text;
string cmd = "cmd.exe /K \"c:\\util\\rmanDB.bat"
+ btype + "&&c:\\util\\cleanup.bat\""));
Process.Start(cmd);
...
BackupTypeField
. Typically the Process.Start()
function will not execute multiple commands, but in this case the program first runs the cmd.exe
shell in order to run multiple commands with a single call to Process.Start()
. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.update.exe
command, as follows:
...
Process.Start("update.exe");
...
Process.start()
. If an attacker can modify the $PATH
variable to point to a malicious binary called update.exe
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's update.exe
will now be run with these privileges, possibly giving the attacker complete control of the system.setuid root
because it is intended for use as a learning tool to allow system administrators in-training to inspect privileged system files without giving them the ability to modify them or damage the system.
int main(char* argc, char** argv) {
char cmd[CMD_MAX] = "/usr/bin/cat ";
strcat(cmd, argv[1]);
system(cmd);
}
root
privileges, the call to system()
also executes with root
privileges. If a user specifies a standard filename, the call works as expected. However, if an attacker passes a string of the form ";rm -rf /"
, then the call to system()
fails to execute cat
due to a lack of arguments and then plows on to recursively delete the contents of the root partition.$APPHOME
to determine the application's installation directory and then executes an initialization script in that directory.
...
char* home=getenv("APPHOME");
char* cmd=(char*)malloc(strlen(home)+strlen(INITCMD));
if (cmd) {
strcpy(cmd,home);
strcat(cmd,INITCMD);
execl(cmd, NULL);
}
...
Example 1
, the code in this example allows an attacker to execute arbitrary commands with the elevated privilege of the application. In this example, the attacker may modify the environment variable $APPHOME
to specify a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, by controlling the environment variable the attacker may fool the application into running malicious code.make
in the /var/yp
directory. Note that since the program updates password records, it has been installed setuid root
.make
as follows:
system("cd /var/yp && make &> /dev/null");
system()
. However, since the program does not specify an absolute path for make
and does not scrub any environment variables prior to invoking the command, the attacker may modify their $PATH
variable to point to a malicious binary named make
and execute the CGI script from a shell prompt. And since the program has been installed setuid root
, the attacker's version of make
now runs with root
privileges.CreateProcess()
either directly or via a call to one of the functions in the _spawn()
family, care must be taken when there is a space in an executable or path.
...
LPTSTR cmdLine = _tcsdup(TEXT("C:\\Program Files\\MyApplication -L -S"));
CreateProcess(NULL, cmdLine, ...);
...
CreateProcess()
parses spaces, the first executable the operating system will try to execute is Program.exe
, not MyApplication.exe
. Therefore, if an attacker is able to install a malicious application called Program.exe
on the system, any program that incorrectly calls CreateProcess()
using the Program Files
directory will run this application instead of the intended one.system()
, exec()
, and CreateProcess()
use the environment of the program that calls them, and therefore attackers have a potential opportunity to influence the behavior of these calls.$PATH
or other aspects of the program's execution environment.make
in the /var/yp
directory. Note that because the program updates password records, it has been installed setuid root
.make
as follows:
MOVE "cd /var/yp && make &> /dev/null" to command-line
CALL "CBL_EXEC_RUN_UNIT" USING command-line
length of command-line
run-unit-id
stack-size
flags
CBL_EXEC_RUN_UNIT
. However, because the program does not specify an absolute path for make
and does not scrub its environment variables prior to invoking the command, the attacker can modify their $PATH
variable to point to a malicious binary named make
and execute the CGI script from a shell prompt. In addition, because the program has been installed setuid root
, the attacker's version of make
now runs with root
privileges.pdfprint
command.
DISPLAY "TEMP" UPON ENVIRONMENT-NAME
ACCEPT ws-temp-dir FROM ENVIRONMENT-VARIABLE
STRING "pdfprint " DELIMITED SIZE
ws-temp-dir DELIMITED SPACE
"/" DELIMITED SIZE
ws-pdf-filename DELIMITED SPACE
x"00" DELIMITED SIZE
INTO cmd-buffer
CALL "SYSTEM" USING cmd-buffer
pdfprint
, the attacker can modify their $PATH
variable to point to a malicious binary. Furthermore, while the DELIMITED SPACE
phrases prevent embedded spaces in ws-temp-dir
and ws-pdf-filename
, there could be shell metacharacters (such as &&
) embedded in either.cmd
request parameter.
...
<cfset var="#url.cmd#">
<cfexecute name = "C:\windows\System32\cmd.exe"
arguments = "/c #var#"
timeout = "1"
variable="mycmd">
</cfexecute>
...
APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
final cmd = String.fromEnvironment('APPHOME');
await Process.run(cmd);
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.
cmdName := request.FormValue("Command")
c := exec.Command(cmdName)
c.Run()
APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
String home = System.getProperty("APPHOME");
String cmd = home + INITCMD;
java.lang.Runtime.getRuntime().exec(cmd);
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
String btype = request.getParameter("backuptype");
String cmd = new String("cmd.exe /K
\"c:\\util\\rmanDB.bat "+btype+"&&c:\\util\\cleanup.bat\"")
System.Runtime.getRuntime().exec(cmd);
...
backuptype
parameter read from the user. Typically the Runtime.exec()
function will not execute multiple commands, but in this case the program first runs the cmd.exe
shell in order to run multiple commands with a single call to Runtime.exec()
. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
System.Runtime.getRuntime().exec("make");
...
Runtime.exec()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.
...
String[] cmds = this.getIntent().getStringArrayExtra("commands");
Process p = Runtime.getRuntime().exec("su");
DataOutputStream os = new DataOutputStream(p.getOutputStream());
for (String cmd : cmds) {
os.writeBytes(cmd+"\n");
}
os.writeBytes("exit\n");
os.flush();
...
APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
var cp = require('child_process');
...
var home = process.env('APPHOME');
var cmd = home + INITCMD;
child = cp.exec(cmd, function(error, stdout, stderr){
...
});
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Since the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
var cp = require('child_process');
var http = require('http');
var url = require('url');
function listener(request, response){
var btype = url.parse(request.url, true)['query']['backuptype'];
if (btype !== undefined){
cmd = "c:\\util\\rmanDB.bat" + btype;
cp.exec(cmd, function(error, stdout, stderr){
...
});
}
...
}
...
http.createServer(listener).listen(8080);
backuptype
parameter read from the user apart from verifying its existence. After the shell is invoked, it may allow for the execution of multiple commands, and due to the nature of the application, it will run with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
require('child_process').exec("make", function(error, stdout, stderr){
...
});
...
make
and fails to clean its environment prior to executing the call to child_process.exec()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
$home = $_ENV['APPHOME'];
$cmd = $home . $INITCMD;
system(cmd);
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
$btype = $_GET['backuptype'];
$cmd = "cmd.exe /K \"c:\\util\\rmanDB.bat " . $btype . "&&c:\\util\\cleanup.bat\"";
system(cmd);
...
backuptype
parameter read from the user. Typically the Runtime.exec()
function will not execute multiple commands, but in this case the program first runs the cmd.exe
shell in order to run multiple commands with a single call to Runtime.exec()
. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
$result = shell_exec("make");
...
Runtime.exec()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.
...
CREATE PROCEDURE dbo.listFiles (@path NVARCHAR(200))
AS
DECLARE @cmd NVARCHAR(500)
SET @cmd = 'dir ' + @path
exec xp_cmdshell @cmd
GO
...
APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
home = os.getenv('APPHOME')
cmd = home.join(INITCMD)
os.system(cmd);
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
btype = req.field('backuptype')
cmd = "cmd.exe /K \"c:\\util\\rmanDB.bat " + btype + "&&c:\\util\\cleanup.bat\""
os.system(cmd);
...
backuptype
parameter read from the user. Typically the Runtime.exec()
function will not execute multiple commands, but in this case the program first runs the cmd.exe
shell in order to run multiple commands with a single call to Runtime.exec()
. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
result = os.system("make");
...
os.system()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
home = ENV['APPHOME']
cmd = home + INITCMD
Process.spawn(cmd)
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
btype = req['backuptype']
cmd = "C:\\util\\rmanDB.bat #{btype} &&C:\\util\\cleanup.bat"
spawn(cmd)
...
backuptype
parameter read from the user. After the shell is invoked via Kernel.spawn
, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
system("make")
...
Kernel.system()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.
def changePassword(username: String, password: String) = Action { request =>
...
s'echo "${password}" | passwd ${username} --stdin'.!
...
}
APPHOME
to determine the directory in which it is installed and then executes an initialization script based on a relative path from the specified directory.
...
Dim cmd
Dim home
home = Environ$("AppHome")
cmd = home & initCmd
Shell cmd, vbNormalFocus
...
Example 1
allows an attacker to execute arbitrary commands with the elevated privilege of the application by modifying the system property APPHOME
to point to a different path containing a malicious version of INITCMD
. Because the program does not validate the value read from the environment, if an attacker can control the value of the system property APPHOME
, then they can fool the application into running malicious code and take control of the system.rman
utility and then run a cleanup.bat
script to delete some temporary files. The script rmanDB.bat
accepts a single command line parameter, which specifies the type of backup to perform. Because access to the database is restricted, the application runs the backup as a privileged user.
...
btype = Request.Form("backuptype")
cmd = "cmd.exe /K " & Chr(34) & "c:\util\rmanDB.bat " & btype & "&&c:\util\cleanup.bat" & Chr(34) & ";
Shell cmd, vbNormalFocus
...
backuptype
parameter read from the user. After the shell is invoked, it will allow for the execution of multiple commands separated by two ampersands. If an attacker passes a string of the form "&& del c:\\dbms\\*.*"
, then the application will execute this command along with the others specified by the program. Because of the nature of the application, it runs with the privileges necessary to interact with the database, which means whatever command the attacker injects will run with those privileges as well.make
command in the /var/yp
directory.
...
$result = shell_exec("make");
...
Runtime.exec()
. If an attacker can modify the $PATH
variable to point to a malicious binary called make
and cause the program to be executed in their environment, then the malicious binary will be loaded instead of the one intended. Because of the nature of the application, it runs with the privileges necessary to perform system operations, which means the attacker's make
will now be run with these privileges, possibly giving the attacker complete control of the system.WindowsIdentity.Impersonate()
method.
using System.Security.Principal;
...
//Get the identity of the current user
IIdentity contextId = HttpContext.Current.User.Identity;
WindowsIdentity userId = (WindowsIdentity)contextId;
//Temporarily impersonate
WindowsImpersonationContext imp = userId.Impersonate();
//Perform tasks using the caller's security context
DoSecuritySensitiveTasks();
//Clean up and restore our old security context
impersonate.Undo();
Example 1
impersonates the current user's security context and uses it to perform a privileged operation. After calling DoSecuritySensitiveTasks()
, the code attempts to restore the original security context, but if DoSecuritySensitiveTasks()
throws an exception, the Undo()
method will never be called and the program will continue to use the impersonated security context.username
and password
to the JSON file located at C:\user_info.json
:
...
StringBuilder sb = new StringBuilder();
StringWriter sw = new StringWriter(sb);
using (JsonWriter writer = new JsonTextWriter(sw))
{
writer.Formatting = Formatting.Indented;
writer.WriteStartObject();
writer.WritePropertyName("role");
writer.WriteRawValue("\"default\"");
writer.WritePropertyName("username");
writer.WriteRawValue("\"" + username + "\"");
writer.WritePropertyName("password");
writer.WriteRawValue("\"" + password + "\"");
writer.WriteEndObject();
}
File.WriteAllText(@"C:\user_info.json", sb.ToString());
JsonWriter.WriteRawValue()
, the untrusted data in username
and password
will not be validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, possibly changing the structure of the serialized JSON. In this example, if the non-privileged user mallory
with password Evil123!
were to append ","role":"admin
to her username when entering it at the prompt that sets the value of the username
variable, the resulting JSON saved to C:\user_info.json
would be:
{
"role":"default",
"username":"mallory",
"role":"admin",
"password":"Evil123!"
}
Dictionary
object with JsonConvert.DeserializeObject()
as so:
String jsonString = File.ReadAllText(@"C:\user_info.json");
Dictionary<string, string> userInfo = JsonConvert.DeserializeObject<Dictionary<string, strin>>(jsonString);
username
, password
, and role
keys in the Dictionary
object would be mallory
, Evil123!
, and admin
respectively. Without further verification that the deserialized JSON values are valid, the application will incorrectly assign user mallory
"admin" privileges.username
and password
to the JSON file located at ~/user_info.json
:
...
func someHandler(w http.ResponseWriter, r *http.Request){
r.parseForm()
username := r.FormValue("username")
password := r.FormValue("password")
...
jsonString := `{
"username":"` + username + `",
"role":"default"
"password":"` + password + `",
}`
...
f, err := os.Create("~/user_info.json")
defer f.Close()
jsonEncoder := json.NewEncoder(f)
jsonEncoder.Encode(jsonString)
}
username
and password
is not validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, which can possibly change the serialized JSON structure. In this example, if the non-privileged user mallory
with password Evil123!
appended ","role":"admin
when she entered her username, the resulting JSON saved to ~/user_info.json
would be:
{
"username":"mallory",
"role":"default",
"password":"Evil123!",
"role":"admin"
}
mallory
"admin" privileges.username
and password
to the JSON file located at ~/user_info.json
:
...
JsonFactory jfactory = new JsonFactory();
JsonGenerator jGenerator = jfactory.createJsonGenerator(new File("~/user_info.json"), JsonEncoding.UTF8);
jGenerator.writeStartObject();
jGenerator.writeFieldName("username");
jGenerator.writeRawValue("\"" + username + "\"");
jGenerator.writeFieldName("password");
jGenerator.writeRawValue("\"" + password + "\"");
jGenerator.writeFieldName("role");
jGenerator.writeRawValue("\"default\"");
jGenerator.writeEndObject();
jGenerator.close();
JsonGenerator.writeRawValue()
, the untrusted data in username
and password
will not be validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, possibly changing the structure of the serialized JSON. In this example, if the non-privileged user mallory
with password Evil123!
were to append ","role":"admin
to her username when entering it at the prompt that sets the value of the username
variable, the resulting JSON saved to ~/user_info.json
would be:
{
"username":"mallory",
"role":"admin",
"password":"Evil123!",
"role":"default"
}
HashMap
object with Jackson's JsonParser
as so:
JsonParser jParser = jfactory.createJsonParser(new File("~/user_info.json"));
while (jParser.nextToken() != JsonToken.END_OBJECT) {
String fieldname = jParser.getCurrentName();
if ("username".equals(fieldname)) {
jParser.nextToken();
userInfo.put(fieldname, jParser.getText());
}
if ("password".equals(fieldname)) {
jParser.nextToken();
userInfo.put(fieldname, jParser.getText());
}
if ("role".equals(fieldname)) {
jParser.nextToken();
userInfo.put(fieldname, jParser.getText());
}
if (userInfo.size() == 3)
break;
}
jParser.close();
username
, password
, and role
keys in the HashMap
object would be mallory
, Evil123!
, and admin
respectively. Without further verification that the deserialized JSON values are valid, the application will incorrectly assign user mallory
"admin" privileges.
var str = document.URL;
var url_check = str.indexOf('name=');
var name = null;
if (url_check > -1) {
name = decodeURIComponent(str.substring((url_check+5), str.length));
}
$(document).ready(function(){
if (name !== null){
var obj = jQuery.parseJSON('{"role": "user", "name" : "' + name + '"}');
...
}
...
});
name
will not be validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, possibly changing the structure of the serialized JSON. In this example, if the non-privileged user mallory
were to append ","role":"admin
to the name parameter in the URL, the JSON would become:
{
"role":"user",
"username":"mallory",
"role":"admin"
}
jQuery.parseJSON()
and set to a plain object, meaning that obj.role
would now return "admin" instead of "user"_usernameField
and _passwordField
:
...
NSString * const jsonString = [NSString stringWithFormat: @"{\"username\":\"%@\",\"password\":\"%@\",\"role\":\"default\"}" _usernameField.text, _passwordField.text];
NSString.stringWithFormat:
, the untrusted data in _usernameField
and _passwordField
will not be validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, possibly changing the structure of the serialized JSON. In this example, if the non-privileged user mallory
with password Evil123!
were to append ","role":"admin
to her username when entering it into the _usernameField
field, the resulting JSON would be:
{
"username":"mallory",
"role":"admin",
"password":"Evil123!",
"role":"default"
}
NSDictionary
object with NSJSONSerialization.JSONObjectWithData:
as so:
NSError *error;
NSDictionary *jsonData = [NSJSONSerialization JSONObjectWithData:[jsonString dataUsingEncoding:NSUTF8StringEncoding] options:NSJSONReadingAllowFragments error:&error];
username
, password
, and role
in the NSDictionary
object would be mallory
, Evil123!
, and admin
respectively. Without further verification that the deserialized JSON values are valid, the application will incorrectly assign user mallory
"admin" privileges.
import json
import requests
from urllib.parse import urlparse
from urllib.parse import parse_qs
url = 'https://www.example.com/some_path?name=some_value'
parsed_url = urlparse(url)
untrusted_values = parse_qs(parsed_url.query)['name'][0]
with open('data.json', 'r') as json_File:
data = json.load(json_File)
data['name']= untrusted_values
with open('data.json', 'w') as json_File:
json.dump(data, json_File)
...
name
will not be validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, possibly changing the structure of the serialized JSON. In this example, if the non-privileged user mallory
were to append ","role":"admin
to the name parameter in the URL, the JSON would become:
{
"role":"user",
"username":"mallory",
"role":"admin"
}
usernameField
and passwordField
:
...
let jsonString : String = "{\"username\":\"\(usernameField.text)\",\"password\":\"\(passwordField.text)\",\"role\":\"default\"}"
usernameField
and passwordField
will not be validated to escape JSON-related special characters. This allows a user to arbitrarily insert JSON keys, possibly changing the structure of the serialized JSON. In this example, if the non-privileged user mallory
with password Evil123!
were to append ","role":"admin
to her username when entering it into the usernameField
field, the resulting JSON would be:
{
"username":"mallory",
"role":"admin",
"password":"Evil123!",
"role":"default"
}
NSDictionary
object with NSJSONSerialization.JSONObjectWithData:
as so:
var error: NSError?
var jsonData : NSDictionary = NSJSONSerialization.JSONObjectWithData(jsonString.dataUsingEncoding(NSUTF8StringEncoding), options: NSJSONReadingOptions.MutableContainers, error: &error) as NSDictionary
username
, password
, and role
in the NSDictionary
object would be mallory
, Evil123!
, and admin
respectively. Without further verification that the deserialized JSON values are valid, the application will incorrectly assign user mallory
"admin" privileges.issue_client_certificate
to true
in the master_auth
block.
resource "google_container_cluster" "container_cluster_demo" {
...
master_auth {
client_certificate_config {
issue_client_certificate = true
...
}
...
}
...
}