Reino: API Abuse

Un API es un contrato entre un autor de llamada y un receptor de llamada. Las formas de abuso de API más comunes los produce el autor de llamada cuando no consigue atender su fin de este contrato. Por ejemplo, si un programa no consigue llamar chdir() después de llamar chroot(), se viola el contrato que especifica cómo cambiar el directorio de origen activo de una forma segura. Otro buen ejemplo de un abuso de manual es esperar que el receptor devuelva una información de DNS de confianza al autor de llamada. En este caso, el autor de llamada abusa el API del receptor haciendo determinadas suposiciones sobre su comportamiento (que el valor de retorno se puede usar con fines de autenticación). También se puede violar el contrato entre el autor de llamada y el receptor desde el otro lado. Por ejemplo, si un codificador envía SecureRandom y devuelve un valor no aleatorio, se viola el contrato.

Often Misused: File Upload

Abstract
Autorizar a los usuarios a que carguen archivos puede permitir a los atacantes introducir contenido peligroso o código malintencionado para que se ejecute en el servidor.
Explanation
Independientemente del lenguaje en el que esté escrito un programa, los usuarios malintencionados más devastadores normalmente incluyen la ejecución remota de código, con la cual un usuario malintencionado consigue ejecutar código malintencionado en el contexto del programa. Si se permite a los atacantes que carguen archivos a un directorio accesible desde la Web que hace que estos archivos se pasen a un intérprete de código (por ejemplo, JSP/ASPX/PHP), los atacantes pueden provocar que el código malintencionado contenido en los archivos se ejecute en el servidor.

El código siguiente recibe un archivo cargado que asigna al objeto posted. FileUpload es del tipo System.Web.UI.HtmlControls.HtmlInputFile.
Ejemplo 1:

HttpPostedFile posted = FileUpload.PostedFile;

Incluso en el caso de un programa que almacene los archivos cargados en un directorio que no sea accesible desde la Web, los atacantes pueden conseguir introducir contenido malintencionado en el entorno del servidor para preparar otros ataques. Si el programa es susceptible a las vulnerabilidades de manipulación de rutas, inserción de comandos o inclusión peligrosa de archivos, un atacante puede cargar un archivo con contenido malintencionado y provocar que el programa lo lea o ejecute aprovechando otra vulnerabilidad.
References
[1] Alla Bezroutchko Secure file upload in PHP web applications
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[35] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.semantic.dotnet.often_misused_file_upload
Abstract
El hecho de permitir que los usuarios carguen archivos puede provocar que los atacantes inyecten contenido peligroso o código malintencionado para que se ejecute en el servidor.
Explanation
Independientemente del lenguaje en el que esté escrito un programa, los ataques más devastadores normalmente incluyen la ejecución remota de código, con la cual un atacante consigue ejecutar código malintencionado en el contexto del programa. Si se permite a los atacantes que carguen archivos a un directorio accesible desde la Web que hace que estos archivos se pasen a un intérprete de código (por ejemplo, JSP/ASPX/PHP), los atacantes pueden provocar que el código malintencionado contenido en los archivos se ejecute en el servidor.

Ejemplo 1: La siguiente clase de controlador Spring MVC presenta un parámetro que permite administrar los archivos cargados.

@Controller
public class MyFormController {
    ...
    @RequestMapping("/test")
    public String uploadFile (org.springframework.web.multipart.MultipartFile file) {
       ...
    }    ...
}


Incluso en el caso de un programa que almacene los archivos cargados en un directorio que no sea accesible desde la Web, los atacantes pueden conseguir introducir contenido malintencionado en el entorno del servidor para preparar otros ataques. Si el programa es susceptible a las vulnerabilidades de manipulación de rutas, inserción de comandos o inclusión peligrosa de archivos, un atacante puede cargar un archivo con contenido malintencionado y provocar que el programa lo lea o ejecute aprovechando otra vulnerabilidad.
References
[1] Alla Bezroutchko Secure file upload in PHP web applications
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[35] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.java.often_misused_file_upload_spring
Abstract
Autorizar a los usuarios a que carguen archivos puede permitir a los atacantes introducir contenido peligroso o código malintencionado para que se ejecute en el servidor.
Explanation
Independientemente del lenguaje en el que esté escrito un programa, los usuarios malintencionados más devastadores normalmente incluyen la ejecución remota de código, con la cual un usuario malintencionado consigue ejecutar código malintencionado en el contexto del programa. Si se permite a los atacantes que carguen archivos a un directorio accesible desde la Web que hace que estos archivos se pasen al intérprete de PHP, los atacantes pueden provocar que el código malintencionado contenido en los archivos se ejecute en el servidor.

Ejemplo 1: el siguiente código procesa los archivos cargados y los mueve a un directorio de la raíz web. Los atacantes pueden cargar archivos de origen de PHP malintencionados a este programa y, a continuación, solicitarlos del servidor, lo que hará que el intérprete de PHP los ejecute.


<?php
$udir = 'upload/'; // Relative path under Web root
$ufile = $udir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $ufile)) {
    echo "Valid upload received\n";
} else {
    echo "Invalid upload rejected\n";
} ?>


Incluso en el caso de un programa que almacene los archivos cargados en un directorio que no sea accesible desde la Web, los atacantes pueden conseguir introducir contenido malintencionado en el entorno del servidor para preparar otros ataques. Si el programa es susceptible a las vulnerabilidades de manipulación de rutas, inserción de comandos o introducción remota, un atacante puede cargar un archivo con contenido malintencionado y provocar que el programa lo lea o ejecute aprovechando otra vulnerabilidad.
References
[1] M. Achour et al. PHP Manual
[2] Alla Bezroutchko Secure file upload in PHP web applications
[3] Standards Mapping - Common Weakness Enumeration CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.semantic.php.often_misused_file_upload
Abstract
Autorizar a los usuarios a que carguen archivos puede permitir a los atacantes introducir contenido peligroso o código malintencionado para que se ejecute en el servidor.
Explanation
Independientemente del lenguaje en el que esté escrito un programa, los usuarios malintencionados más devastadores normalmente incluyen la ejecución remota de código, con la cual un usuario malintencionado consigue ejecutar código malintencionado en el contexto del programa. Si se permite a los usuarios malintencionados que carguen archivos a un directorio accesible desde la Web que hace que estos archivos se pasen al intérprete de Python, los usuarios malintencionados pueden provocar que el código malintencionado contenido en los archivos se ejecute en el servidor.

Ejemplo 1: el siguiente código procesa los archivos cargados y los mueve a un directorio de la raíz web. Los atacantes podrían cargar archivos malintencionados a este programa y posteriormente solicitarlos desde el servidor.


from django.core.files.storage import default_storage
from django.core.files.base import File
...
def handle_upload(request):
  files = request.FILES
  for f in files.values():
    path = default_storage.save('upload/', File(f))
...


Incluso en el caso de un programa que almacene los archivos cargados en un directorio que no sea accesible desde la Web, los atacantes pueden conseguir introducir contenido malintencionado en el entorno del servidor para preparar otros ataques. Si el programa es susceptible a las vulnerabilidades de manipulación de rutas, inserción de comandos o introducción remota, un atacante puede cargar un archivo con contenido malintencionado y provocar que el programa lo lea o ejecute aprovechando otra vulnerabilidad.
References
[1] Django Foundation File Uploads
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[35] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.python.often_misused_file_upload
Abstract
Autorizar a los usuarios a que carguen archivos puede permitir a los atacantes introducir contenido peligroso o código malintencionado para que se ejecute en el servidor.
Explanation
Independientemente del lenguaje en el que esté escrito un programa, los usuarios malintencionados más devastadores normalmente incluyen la ejecución remota de código, con la cual un usuario malintencionado consigue ejecutar código malintencionado en el contexto del programa. Si los atacantes pueden cargar archivos en un directorio ejecutable públicamente, entonces pueden hacer que el código malintencionado que contienen estos archivos se ejecute en el servidor.

Incluso aunque un programa almacene archivos cargados en un directorio que no sea de acceso público, los atacantes podrían seguir siendo capaces de aprovechar la capacidad de introducir contenido malintencionado en el entorno del servidor para elaborar otros ataques. Si el programa es susceptible a las vulnerabilidades de manipulación de rutas, inserción de comandos o introducción remota, un atacante puede cargar un archivo con contenido malintencionado y provocar que el programa lo lea o ejecute aprovechando otra vulnerabilidad.
References
[1] Alla Bezroutchko Secure file upload in PHP web applications
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[35] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.ruby.often_misused_file_upload
Abstract
Autorizar a los usuarios a que carguen archivos puede permitir a los atacantes introducir contenido peligroso o código malintencionado para que se ejecute en el servidor.
Explanation
Independientemente del lenguaje en el que esté escrito un programa, los usuarios malintencionados más devastadores normalmente incluyen la ejecución remota de código, con la cual un usuario malintencionado consigue ejecutar código malintencionado en el contexto del programa. Si se permite a los atacantes que carguen archivos a un directorio accesible desde la Web que hace que estos archivos se pasen a un intérprete de código (por ejemplo, JSP/ASPX/PHP), los atacantes pueden provocar que el código malintencionado contenido en los archivos se ejecute en el servidor.
Incluso en el caso de un programa que almacene los archivos cargados en un directorio que no sea accesible desde la Web, los atacantes pueden conseguir introducir contenido malintencionado en el entorno del servidor para preparar otros ataques. Si el programa es susceptible a las vulnerabilidades de manipulación de rutas, inserción de comandos o inclusión peligrosa de archivos, un atacante puede cargar un archivo con contenido malintencionado y provocar que el programa lo lea o ejecute aprovechando otra vulnerabilidad.

Una etiqueta <input> del tipo file indica que el programa acepta la carga de archivos.
Ejemplo 1:

<input type="file">
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 434
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[33] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[34] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.content.html.often_misused_file_upload