Reino: Input Validation and Representation

Los problemas de validación y representación de entradas están causados por metacaracteres, codificaciones alternativas y representaciones numéricas. Los problemas de seguridad surgen de entradas en las que se confía. Estos problemas incluyen: «desbordamientos de búfer», ataques de «scripts de sitios», "SQL injection" y muchas otras acciones.

Fragment Injection

Java/JSP

Abstract

Una actividad Android que amplía PreferenceActivity no puede restringir las clases de fragmento para las que puede crear instancias.

Explanation

Un aplicación maliciosa puede invocar una PreferenceActivity no segura y proporcionarle una intención :android:show_fragment extra para que cargue una clase arbitraria. La aplicación maliciosa puede hacer que PreferenceActivity cargue un Fragment arbitrario de la aplicación vulnerable, el cual que se suele cargar en una actividad no exportada, para exponerlo al atacante.

Ejemplo 1: El código siguiente no implementa una comprobación para verificar que solo se cargan los fragmentos esperados.


@Override
public static boolean isFragmentValid(Fragment paramFragment)
{
    return true;
}

References

[1] Roee Hay A New Vulnerability in the Android Framework: Fragment Injection

[2] Standards Mapping - Common Weakness Enumeration CWE ID 470

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754

[4] Standards Mapping - FIPS200 SI

[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation

[8] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[11] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws

[12] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[13] Standards Mapping - OWASP Top 10 2010 A1 Injection

[14] Standards Mapping - OWASP Top 10 2013 A1 Injection

[15] Standards Mapping - OWASP Top 10 2017 A1 Injection

[16] Standards Mapping - OWASP Top 10 2021 A03 Injection

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[51] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.structural.java.fragment_injection