1464 elementos encontrados
Debilidades

Often Misused: Asserting Permissions

Abstract
A continuación, el código confirma a los autores de la llamada que se ha concedido un determinado permiso, lo que permitirá a un usuario malintencionado omitir los controles de seguridad.
Explanation
Los permisos de .NET Framework funcionan avanzando por el árbol de pila (donde el árbol crece hacia abajo), para comprobar si los permisos establecidos son suficientes para acceder a un recurso. Cuando un desarrollador usa Assert() con un permiso concreto, es una forma de decir que el flujo de control actual tiene el permiso especificado. Esto provoca que .NET Framework detenga cualquier comprobación de permisos adicional, siempre y cuando se hayan satisfecho los permisos necesarios, por lo que el código que llama al código que realiza la llamada a Assert() podría no tener el permiso requerido. Usar Assert() es útil en ciertos casos, pero puede dar lugar a vulnerabilidades cuando permite que un usuario malintencionado tome el control de un recurso que no tendría derecho a controlar de otro modo.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 279
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002038, CCI-002039, CCI-002165
[3] Standards Mapping - FIPS200 AC
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-11 Re-Authentication (P0)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, SC-11 Trusted Path
[7] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.5 Access Control Architectural Requirements (L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[10] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[11] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.dotnet.often_misused_asserting_permissions

Often Misused: Authentication

Abstract
Los atacantes pueden reemplazar las entradas DNS. Por motivos de seguridad, no confíe en nombres DNS.
Explanation
Muchos servidores DNS son susceptibles de sufrir ataques, por eso debe suponer que su software se ejecutará alguna vez en un entorno con un servidor DNS afectado. Si los atacantes están autorizados a hacer actualizaciones de DNS (a veces denominado envenenamiento de la caché del DNS), pueden redirigir su tráfico de red a través de sus equipos o hacer que parezca que sus direcciones IP forman parte de su dominio. No base la seguridad de su sistema en nombres DNS.
Ejemplo 1: El siguiente ejemplo de código utiliza una búsqueda DNS para determinar si una solicitud entrante es de un host de confianza o no. Si un atacante es capaz de dañar la caché DNS, puede obtener un estatus de confianza.


 IPAddress hostIPAddress = IPAddress.Parse(RemoteIpAddress);
 IPHostEntry hostInfo = Dns.GetHostByAddress(hostIPAddress);
 if (hostInfo.HostName.EndsWith("trustme.com")) {
   trusted = true;
 }


Las direcciones IP son más confiables que los nombres DNS, pero también se pueden reemplazar. Los atacantes pueden falsificar fácilmente las direcciones IP de origen de los paquetes que envían, aunque los paquetes de respuesta volverán a la dirección IP falsificada. Para ver los paquetes de respuesta, el atacante tiene que examinar el tráfico entre el equipo víctima y la dirección IP falsificada. A fin de completar el examen necesario, los atacantes normalmente intentan ubicarse en la misma subred que el equipo víctima. Los atacantes podrían ser capaces de evitar este requisito empleando enrutamiento de origen, aunque el enrutamiento de origen esté deshabilitado actualmente en gran parte de Internet. En resumen, la verificación de las direcciones IP puede ser una parte útil de un esquema de autenticación, pero no debe ser el único factor necesario para la autenticación.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 247, CWE ID 292, CWE ID 558, CWE ID 807
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000877
[3] Standards Mapping - FIPS200 IA
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-11 Re-Authentication (P0), MA-4 Nonlocal Maintenance (P2), SC-23 Session Authenticity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 MA-4 Nonlocal Maintenance, SC-11 Trusted Path, SC-23 Session Authenticity
[7] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[8] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[10] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[11] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[15] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 807
[29] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 807
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3460 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3460 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3460 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3460 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3460 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3460 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3460 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001970 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001970 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001970 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[41] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.semantic.dotnet.often_misused_authentication
Abstract
La función getlogin() es fácil de reemplazar. Por eso, no confíe en el nombre que devuelva.
Explanation
Se supone que la función getlogin() devuelve una cadena que contiene el nombre del usuario registrado actualmente en el terminal. Sin embargo, un atacante podría hacer que getlogin() devuelva el nombre de todos los usuarios registrado en el equipo. No confíe en el nombre devuelto por getlogin() cuando tome decisiones relacionadas con la seguridad.
Ejemplo 1: el código siguiente se basa en getlogin() para determinar si un usuario es de confianza o no. Es fácil de subvertir.


 pwd = getpwnam(getlogin());
 if (isTrustedGroup(pwd->pw_gid)) {
 allow();
 } else {
 deny();
 }
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 247, CWE ID 292, CWE ID 558, CWE ID 807
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000877
[3] Standards Mapping - FIPS200 IA
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-11 Re-Authentication (P0), MA-4 Nonlocal Maintenance (P2), SC-23 Session Authenticity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 MA-4 Nonlocal Maintenance, SC-11 Trusted Path, SC-23 Session Authenticity
[7] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[8] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[10] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[11] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[15] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 807
[29] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 807
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3460 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3460 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3460 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3460 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3460 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3460 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3460 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001970 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001970 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001970 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[41] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.semantic.cpp.often_misused_authentication.getlogin
Abstract
Los atacantes pueden reemplazar las entradas DNS. Por motivos de seguridad, no confíe en nombres DNS.
Explanation
Muchos servidores DNS son susceptibles de sufrir ataques, por eso debe suponer que su software se ejecutará alguna vez en un entorno con un servidor DNS afectado. Si los atacantes están autorizados a hacer actualizaciones de DNS (a veces denominado envenenamiento de la caché del DNS), pueden redirigir su tráfico de red a través de sus equipos o hacer que parezca que sus direcciones IP forman parte de su dominio. No base la seguridad de su sistema en nombres DNS.
Ejemplo 1: El código siguiente usa una búsqueda DNS para determinar si una solicitud entrante procede de un host confiable. Si un atacante es capaz de dañar la caché DNS, puede obtener un estatus de confianza.


 String ip = request.getRemoteAddr();
 InetAddress addr = InetAddress.getByName(ip);
 if (addr.getCanonicalHostName().endsWith("trustme.com")) {
 trusted = true;
 }


Las direcciones IP son más confiables que los nombres DNS, pero también se pueden reemplazar. Los atacantes pueden falsificar fácilmente las direcciones IP de origen de los paquetes que envían, aunque los paquetes de respuesta volverán a la dirección IP falsificada. Para ver los paquetes de respuesta, el atacante tiene que examinar el tráfico entre el equipo víctima y la dirección IP falsificada. A fin de completar el examen necesario, los atacantes normalmente intentan ubicarse en la misma subred que el equipo víctima. Los atacantes podrían ser capaces de evitar este requisito empleando enrutamiento de origen, aunque el enrutamiento de origen esté deshabilitado actualmente en gran parte de Internet. En resumen, la verificación de las direcciones IP puede ser una parte útil de un esquema de autenticación, pero no debe ser el único factor necesario para la autenticación.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 247, CWE ID 292, CWE ID 558, CWE ID 807
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000877
[3] Standards Mapping - FIPS200 IA
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-11 Re-Authentication (P0), MA-4 Nonlocal Maintenance (P2), SC-23 Session Authenticity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 MA-4 Nonlocal Maintenance, SC-11 Trusted Path, SC-23 Session Authenticity
[7] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[8] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[10] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[11] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[15] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 807
[29] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 807
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3460 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3460 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3460 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3460 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3460 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3460 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3460 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001970 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001970 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001970 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[41] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.semantic.java.often_misused_authentication

Often Misused: Boolean.getBoolean()

Abstract
El método Boolean.getBoolean() se confunde a menudo con las llamadas a métodos Boolean.valueOf() o Boolean.parseBoolean().
Explanation
En la mayoría de los casos, una llamada a Boolean.getBoolean() se usa a menudo incorrectamente, ya que se presupone que devuelve el valor booleano representado por el argumento de cadena especificado. Sin embargo, como se indica en el método Boolean.getBoolean(String) de Javadoc: "Devuelve el valor 'true' solo si existe la propiedad del sistema a la que el argumento ha asignado un nombre y esta es igual a la cadena 'true'".

En la mayoría de los casos, lo que el desarrollador tenía intención de usar era una llamada al método Boolean.valueOf(String) o Boolean.parseBoolean(String).
Ejemplo 1: el siguiente código no presenta el comportamiento previsto. Imprimirá "FALSE", ya que Boolean.getBoolean(String) no convierte un primitivo de cadena, sino únicamente la propiedad del sistema.

 ...
 String isValid = "true";
 if ( Boolean.getBoolean(isValid) ) {
     System.out.println("TRUE");
 }
 else {
     System.out.println("FALSE");
 }
 ...
References
[1] Class Boolean Oracle
[2] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[3] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[8] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[9] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
desc.semantic.java.often_misused_boolean_getboolean

Often Misused: Encoding

Abstract
El reemplazo incorrecto de las clases de .NET Framework puede provocar que se ejecute código arbitrario en el servidor, que se abuse de la lógica de la aplicación o que se deniegue el servicio.
Explanation
Independientemente del lenguaje en el que esté escrito un programa, los ataques más devastadores normalmente incluyen la ejecución remota de código, con la cual un atacante consigue ejecutar código malintencionado en el contexto del programa. El método GetChars en las clases Decoder y Encoding, y el método GetBytes en las clases Encoder y Encoding de .NET Framework llevan a cabo aritmética de puntero de forma interna en las matrices de caracteres y bytes para convertir un intervalo de caracteres en un intervalo de bytes y viceversa.
Cuando se realizan operaciones de aritmética de puntero, los desarrolladores suelen sustituir los métodos anteriores incorrectamente e introducen vulnerabilidades como la ejecución de código arbitrario, el abuso de la lógica de la aplicación y la denegación del servicio.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 176
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.2 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[4] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[5] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
desc.structural.dotnet.often_misused_encoding
Abstract
Este método es difícil de usar correctamente.
Explanation
Es fácil creer que este método de codificación le protegerá contra ataques de inserción; sin embargo, si el método no se usa exactamente en el contexto adecuado, puede ofrecer mucha menos protección de la que merece.

Ejemplo 1: la siguiente llamada de codificación permite a un atacante tener un poco de libertad para insertar JavaScript malintencionado:

    out.println("x = " + encoder.encodeForJavaScript(input) + ";");
References
[1] OWASP ESAPI Secure Coding Guideline
[2] Standards Mapping - Common Weakness Enumeration CWE ID 176
[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[4] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.2 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[5] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[6] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
desc.structural.java.often_misused_encoding
Abstract
Es posible que la llamada ajuste perfectamente los caracteres. Los caracteres no admitidos que se transfieren a los métodos de la API de forma predeterminada se pueden asignar con ajuste perfecto a caracteres peligrosos.
Explanation
Cuando los juegos de caracteres entre el sistema operativo y las aplicaciones que se ejecutan en este no coinciden, los caracteres no admitidos que se pasan a los métodos de la API de forma predeterminada pueden asignarse con ajuste perfecto a caracteres peligrosos.

Ejemplo 1:en Objective-C, el ejemplo siguiente convierte un objeto NSString que contiene un carácter UTF-8 a datos ASCII de nuevo:


...
unichar ellipsis = 0x2026;
NSString *myString = [NSString stringWithFormat:@"My Test String%C", ellipsis];
NSData *asciiData = [myString dataUsingEncoding:NSASCIIStringEncoding allowLossyConversion:YES];
NSString *asciiString = [[NSString alloc] initWithData:asciiData encoding:NSASCIIStringEncoding];
NSLog(@"Original: %@ (length %d)", myString, [myString length]);
NSLog(@"Best-fit-mapped: %@ (length %d)", asciiString, [asciiString length]);
// output:
// Original: My Test String... (length 15)
// Best-fit-mapped: My Test String... (length 17)
...


Si examina cuidadosamente el resultado, el carácter "..." se tradujo por tres puntos consecutivos. Si ha medido el búfer de salida basándose en el búfer de entrada, la aplicación podría ser vulnerable al buffer overflow. Se pueden asignar otros caracteres de un carácter a dos. El carácter griego "fi" se asignará a una "f" seguida de una letra "i". Al cargar el búfer con estos caracteres de carga frontal, un usuario malintencionado obtiene un control completo sobre el número de caracteres que se utilizan para provocar el buffer overflow.
References
[1] Apple Secure Coding Guide Apple
[2] String Programming Guide Apple
[3] Standards Mapping - Common Weakness Enumeration CWE ID 176
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.2 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[6] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[7] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
desc.semantic.objc.method_may_best_fit_map_characters
Abstract
Es posible que la llamada ajuste perfectamente los caracteres. Los caracteres no admitidos que se transfieren a los métodos de la API de forma predeterminada se pueden asignar con ajuste perfecto a caracteres peligrosos.
Explanation
Cuando los juegos de caracteres entre el sistema operativo y las aplicaciones que se ejecutan en este no coinciden, los caracteres no admitidos que se pasan a los métodos de la API de forma predeterminada pueden asignarse con ajuste perfecto a caracteres peligrosos.

Ejemplo 1: En Swift, el ejemplo siguiente convierte un objeto NSString que contiene un carácter UTF-8 a datos ASCII de nuevo:


...
let ellipsis = 0x2026;
let myString = NSString(format:"My Test String %C", ellipsis)
let asciiData = myString.dataUsingEncoding(NSASCIIStringEncoding, allowLossyConversion:true)
let asciiString = NSString(data:asciiData!, encoding:NSASCIIStringEncoding)
NSLog("Original: %@ (length %d)", myString, myString.length)
NSLog("Best-fit-mapped: %@ (length %d)", asciiString!, asciiString!.length)

// output:
// Original: My Test String ... (length 16)
// Best-fit-mapped: My Test String ... (length 18)
...


Si examina cuidadosamente el resultado, el carácter "..." se tradujo por tres puntos consecutivos. Si ha medido el búfer de salida basándose en el búfer de entrada, la aplicación podría ser vulnerable al buffer overflow. Se pueden asignar otros caracteres de un carácter a dos. El carácter griego "fi" se asignará a una "f" seguida de una letra "i". Al cargar el búfer con estos caracteres de carga frontal, un usuario malintencionado obtiene un control completo sobre el número de caracteres que se utilizan para provocar el buffer overflow.
References
[1] Apple Secure Coding Guide Apple
[2] String Programming Guide Apple
[3] Standards Mapping - Common Weakness Enumeration CWE ID 176
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.2 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[6] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[7] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
desc.semantic.swift.method_may_best_fit_map_characters

Often Misused: Exception Handling

Abstract
La función _alloca() puede lanzar una excepción de desbordamiento de pila, que podría ocasionar el bloqueo del programa.
Explanation
La función _alloca() asigna memoria en la pila. Si una solicitud de asignación es demasiado grande para el espacio de pila disponible, _alloca() lanza una excepción. Si la excepción no se detecta, el programa se bloquea, con la posibilidad de que se habilite un ataque por denegación de servicio.
_alloca() está en desuso desde Microsoft Visual Studio 2005(R). Se ha sustituido por _alloca_s(), más seguro.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 248
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[9] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[10] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II
desc.semantic.cpp.often_misused_exception_handling._alloca

Often Misused: File System

Abstract
Transferir un búfer de salida de un tamaño inadecuado a una función de manipulación de rutas de acceso puede ocasionar un desbordamiento de búfer.
Explanation
Windows proporciona una gran cantidad de funciones de utilidad que manipulan los búferes que contienen nombres de archivos. En la mayoría de los casos, el resultado es devuelto en un búfer que se transfiere como entrada. (Normalmente el nombre de archivo se modifica en su sitio). La mayoría de las funciones requieren que el búfer tenga una longitud mínima de MAX_PATH bytes, aunque debe consultar la documentación de cada función individualmente. Si el búfer no tiene la longitud suficiente como para almacenar el resultado de la manipulación, podría producirse un desbordamiento de búfer.

Ejemplo 1:

char *createOutputDirectory(char *name) {
	char outputDirectoryName[128];
	if (getCurrentDirectory(128, outputDirectoryName) == 0) {
		return null;
	}
	if (!PathAppend(outputDirectoryName, "output")) {
		return null;
	}
	if (!PathAppend(outputDirectoryName, name)) {
		return null;
	}
	if (SHCreateDirectoryEx(NULL, outputDirectoryName, NULL)
        != ERROR_SUCCESS) {
		return null;
	}
	return StrDup(outputDirectoryName);
}


En este ejemplo, la función crea un directorio llamado "output\<name>" en el directorio actual y devuelve una copia de su nombre asignada por montón. Para la mayoría de los valores del directorio actual y el parámetro de nombre, esta función funcionará correctamente. Sin embargo, si el parámetro name es especialmente largo, entonces la segunda llamada a PathAppend() podría provocar el buffer overflow outputDirectoryName, que tiene menos de MAX_PATH bytes.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 249, CWE ID 560
[2] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[3] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
desc.semantic.cpp.often_misused_file_system.windows
Abstract
La máscara especificada por el argumento umask() se confunde habitualmente con el argumento para chmod().
Explanation
La página man de umask() comienza por la instrucción falsa:

"umask sets the umask to mask & 0777"

Aunque este comportamiento se ajustaría más al uso de chmod(), cuando el argumento proporcionado por el usuario especifica los bits para habilitar el archivo concreto, el comportamiento de umask() es precisamente el contrario: umask() establece umask en ~mask & 0777.

La página man de umask() continúa para describir el uso correcto de umask():

"open() utiliza umask para establecer los permisos de archivo iniciales de un archivo recién creado. De forma específica, los permisos de umask se desactivan desde el argumento de modo para open(2) (de esta forma, por ejemplo, el valor predeterminado umask normal de 022 resultados en los archivos que se están creando con permisos 0666 &amp; ~022 = 0644 = rw-r--r-- en el caso habitual donde se encuentra el modo se especifica como 0666)".
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 249, CWE ID 560
[2] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[3] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
desc.semantic.java.often_misused_file_system
Abstract
La llamada identificada utiliza métodos que siguen vínculos simbólicos.
Explanation
Se sabe que determinadas funciones siguen ciegamente los vínculos simbólicos. Cuando esto suceda, la aplicación se abrirá, leerá o escribirá datos en el archivo al que señala el vínculo simbólico en lugar de en la representación del vínculo simbólico. Un atacante puede engañar a la aplicación al escribir en archivos de sistema alternativos o críticos o proporcionar datos expuestos a la aplicación.

Ejemplo 1: el código siguiente utiliza las funciones que siguen los vínculos simbólicos:


...
	struct stat output;
	int ret = stat(aFilePath, &output);
	// error handling omitted for this example
	struct timespec accessTime = output.st_atime;
...
References
[1] Apple Secure Coding Guide Apple
[2] Standards Mapping - Common Weakness Enumeration CWE ID 249, CWE ID 560
[3] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[4] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
desc.semantic.objc.methods_follow_sym_links
Abstract
La máscara especificada por el argumento umask() se confunde habitualmente con el argumento para chmod().
Explanation
La página man de umask() comienza por la instrucción falsa:

"umask establece umask para enmascarar & 0777"

Aunque este comportamiento se ajustaría más al uso de chmod(), cuando el argumento proporcionado por el usuario especifica los bits para habilitar el archivo concreto, el comportamiento de umask() es precisamente el contrario: umask() establece umask en ~mask & 0777.

La página man de umask() continúa para describir el uso correcto de umask():

"Se utiliza umask para establecer los permisos de archivo iniciales de un archivo recién creado. De forma específica, los permisos umask se desactivan desde el argumento de modo (de esta forma, por ejemplo, el valor predeterminado umask normal de 022 da como resultado nuevos archivos que se crean con permisos 0666 & ~022 = 0644 = rw-r--r-- en el caso habitual donde el modo se especifica como 0666)."
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 249, CWE ID 560
[2] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[3] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
desc.semantic.python.often_misused_file_system.umask
Abstract
La llamada utiliza los métodos que escriben en los archivos temporales antes de escribir en el archivo de destino.
Explanation
Muchas API reducirán el riesgo de pérdida de datos al escribir completamente en un archivo temporal y, a continuación, copiar el archivo completo en la ubicación de destino. Asegúrese de que el método identificado no funciona en archivos o rutas de acceso de directorios públicos o temporales ya que un atacante puede reemplazar el archivo temporal de la instantánea antes de escribirlo en el archivo de destino. Esto permite al atacante controlar el contenido de los archivos que la aplicación utiliza en directorios públicos.

Ejemplo 1: el código siguiente escribe el transactionId activo en un archivo temporal del directorio Documentos de la aplicación empleando un método vulnerable:


...
//get the documents directory:
let documentsPath = NSSearchPathForDirectoriesInDomains(.DocumentDirectory, .UserDomainMask, true)[0]
//make a file name to write the data to using the documents directory:
let fileName = NSString(format:"%@/tmp_activeTrans.txt", documentsPath)
// write data to the file
let transactionId = "TransactionId=12341234"
transactionId.writeToFile(fileName, atomically:true)
...
References
[1] Apple Secure Coding Guide Apple
[2] Apple NSString Class Reference Apple
[3] Standards Mapping - Common Weakness Enumeration CWE ID 249, CWE ID 560
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
desc.semantic.swift.methods_unsafe_on_public_or_tmp_directories

Often Misused: File Upload

Abstract
Autorizar a los usuarios a que carguen archivos puede permitir a los atacantes introducir contenido peligroso o código malintencionado para que se ejecute en el servidor.
Explanation
Independientemente del lenguaje en el que esté escrito un programa, los usuarios malintencionados más devastadores normalmente incluyen la ejecución remota de código, con la cual un usuario malintencionado consigue ejecutar código malintencionado en el contexto del programa. Si se permite a los atacantes que carguen archivos a un directorio accesible desde la Web que hace que estos archivos se pasen a un intérprete de código (por ejemplo, JSP/ASPX/PHP), los atacantes pueden provocar que el código malintencionado contenido en los archivos se ejecute en el servidor.

El código siguiente recibe un archivo cargado que asigna al objeto posted. FileUpload es del tipo System.Web.UI.HtmlControls.HtmlInputFile.
Ejemplo 1:

HttpPostedFile posted = FileUpload.PostedFile;

Incluso en el caso de un programa que almacene los archivos cargados en un directorio que no sea accesible desde la Web, los atacantes pueden conseguir introducir contenido malintencionado en el entorno del servidor para preparar otros ataques. Si el programa es susceptible a las vulnerabilidades de manipulación de rutas, inserción de comandos o inclusión peligrosa de archivos, un atacante puede cargar un archivo con contenido malintencionado y provocar que el programa lo lea o ejecute aprovechando otra vulnerabilidad.
References
[1] Alla Bezroutchko Secure file upload in PHP web applications
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-003300 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.semantic.dotnet.often_misused_file_upload
Abstract
El hecho de permitir que los usuarios carguen archivos puede provocar que los atacantes inyecten contenido peligroso o código malintencionado para que se ejecute en el servidor.
Explanation
Independientemente del lenguaje en el que esté escrito un programa, los ataques más devastadores normalmente incluyen la ejecución remota de código, con la cual un atacante consigue ejecutar código malintencionado en el contexto del programa. Si se permite a los atacantes que carguen archivos a un directorio accesible desde la Web que hace que estos archivos se pasen a un intérprete de código (por ejemplo, JSP/ASPX/PHP), los atacantes pueden provocar que el código malintencionado contenido en los archivos se ejecute en el servidor.

Ejemplo 1: La siguiente clase de controlador Spring MVC presenta un parámetro que permite administrar los archivos cargados.

@Controller
public class MyFormController {
    ...
    @RequestMapping("/test")
    public String uploadFile (org.springframework.web.multipart.MultipartFile file) {
       ...
    }    ...
}


Incluso en el caso de un programa que almacene los archivos cargados en un directorio que no sea accesible desde la Web, los atacantes pueden conseguir introducir contenido malintencionado en el entorno del servidor para preparar otros ataques. Si el programa es susceptible a las vulnerabilidades de manipulación de rutas, inserción de comandos o inclusión peligrosa de archivos, un atacante puede cargar un archivo con contenido malintencionado y provocar que el programa lo lea o ejecute aprovechando otra vulnerabilidad.
References
[1] Alla Bezroutchko Secure file upload in PHP web applications
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-003300 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.java.often_misused_file_upload_spring
Abstract
Autorizar a los usuarios a que carguen archivos puede permitir a los atacantes introducir contenido peligroso o código malintencionado para que se ejecute en el servidor.
Explanation
Independientemente del lenguaje en el que esté escrito un programa, los usuarios malintencionados más devastadores normalmente incluyen la ejecución remota de código, con la cual un usuario malintencionado consigue ejecutar código malintencionado en el contexto del programa. Si se permite a los atacantes que carguen archivos a un directorio accesible desde la Web que hace que estos archivos se pasen al intérprete de PHP, los atacantes pueden provocar que el código malintencionado contenido en los archivos se ejecute en el servidor.

Ejemplo 1: el siguiente código procesa los archivos cargados y los mueve a un directorio de la raíz web. Los atacantes pueden cargar archivos de origen de PHP malintencionados a este programa y, a continuación, solicitarlos del servidor, lo que hará que el intérprete de PHP los ejecute.


<?php
$udir = 'upload/'; // Relative path under Web root
$ufile = $udir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $ufile)) {
    echo "Valid upload received\n";
} else {
    echo "Invalid upload rejected\n";
} ?>


Incluso en el caso de un programa que almacene los archivos cargados en un directorio que no sea accesible desde la Web, los atacantes pueden conseguir introducir contenido malintencionado en el entorno del servidor para preparar otros ataques. Si el programa es susceptible a las vulnerabilidades de manipulación de rutas, inserción de comandos o introducción remota, un atacante puede cargar un archivo con contenido malintencionado y provocar que el programa lo lea o ejecute aprovechando otra vulnerabilidad.
References
[1] M. Achour et al. PHP Manual
[2] Alla Bezroutchko Secure file upload in PHP web applications
[3] Standards Mapping - Common Weakness Enumeration CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-003300 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.semantic.php.often_misused_file_upload
Abstract
Autorizar a los usuarios a que carguen archivos puede permitir a los atacantes introducir contenido peligroso o código malintencionado para que se ejecute en el servidor.
Explanation
Independientemente del lenguaje en el que esté escrito un programa, los usuarios malintencionados más devastadores normalmente incluyen la ejecución remota de código, con la cual un usuario malintencionado consigue ejecutar código malintencionado en el contexto del programa. Si se permite a los usuarios malintencionados que carguen archivos a un directorio accesible desde la Web que hace que estos archivos se pasen al intérprete de Python, los usuarios malintencionados pueden provocar que el código malintencionado contenido en los archivos se ejecute en el servidor.

Ejemplo 1: el siguiente código procesa los archivos cargados y los mueve a un directorio de la raíz web. Los atacantes podrían cargar archivos malintencionados a este programa y posteriormente solicitarlos desde el servidor.


from django.core.files.storage import default_storage
from django.core.files.base import File
...
def handle_upload(request):
  files = request.FILES
  for f in files.values():
    path = default_storage.save('upload/', File(f))
...


Incluso en el caso de un programa que almacene los archivos cargados en un directorio que no sea accesible desde la Web, los atacantes pueden conseguir introducir contenido malintencionado en el entorno del servidor para preparar otros ataques. Si el programa es susceptible a las vulnerabilidades de manipulación de rutas, inserción de comandos o introducción remota, un atacante puede cargar un archivo con contenido malintencionado y provocar que el programa lo lea o ejecute aprovechando otra vulnerabilidad.
References
[1] Django Foundation File Uploads
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-003300 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.python.often_misused_file_upload
Abstract
Autorizar a los usuarios a que carguen archivos puede permitir a los atacantes introducir contenido peligroso o código malintencionado para que se ejecute en el servidor.
Explanation
Independientemente del lenguaje en el que esté escrito un programa, los usuarios malintencionados más devastadores normalmente incluyen la ejecución remota de código, con la cual un usuario malintencionado consigue ejecutar código malintencionado en el contexto del programa. Si los atacantes pueden cargar archivos en un directorio ejecutable públicamente, entonces pueden hacer que el código malintencionado que contienen estos archivos se ejecute en el servidor.

Incluso aunque un programa almacene archivos cargados en un directorio que no sea de acceso público, los atacantes podrían seguir siendo capaces de aprovechar la capacidad de introducir contenido malintencionado en el entorno del servidor para elaborar otros ataques. Si el programa es susceptible a las vulnerabilidades de manipulación de rutas, inserción de comandos o introducción remota, un atacante puede cargar un archivo con contenido malintencionado y provocar que el programa lo lea o ejecute aprovechando otra vulnerabilidad.
References
[1] Alla Bezroutchko Secure file upload in PHP web applications
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-003300 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.ruby.often_misused_file_upload
Abstract
Autorizar a los usuarios a que carguen archivos puede permitir a los atacantes introducir contenido peligroso o código malintencionado para que se ejecute en el servidor.
Explanation
Independientemente del lenguaje en el que esté escrito un programa, los usuarios malintencionados más devastadores normalmente incluyen la ejecución remota de código, con la cual un usuario malintencionado consigue ejecutar código malintencionado en el contexto del programa. Si se permite a los atacantes que carguen archivos a un directorio accesible desde la Web que hace que estos archivos se pasen a un intérprete de código (por ejemplo, JSP/ASPX/PHP), los atacantes pueden provocar que el código malintencionado contenido en los archivos se ejecute en el servidor.
Incluso en el caso de un programa que almacene los archivos cargados en un directorio que no sea accesible desde la Web, los atacantes pueden conseguir introducir contenido malintencionado en el entorno del servidor para preparar otros ataques. Si el programa es susceptible a las vulnerabilidades de manipulación de rutas, inserción de comandos o inclusión peligrosa de archivos, un atacante puede cargar un archivo con contenido malintencionado y provocar que el programa lo lea o ejecute aprovechando otra vulnerabilidad.

Una etiqueta <input> del tipo file indica que el programa acepta la carga de archivos.
Ejemplo 1:

<input type="file">
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 434
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[14] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[15] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[16] Standards Mapping - OWASP Top 10 2010 A1 Injection
[17] Standards Mapping - OWASP Top 10 2013 A1 Injection
[18] Standards Mapping - OWASP Top 10 2017 A1 Injection
[19] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-003300 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.content.html.often_misused_file_upload

Often Misused: Mixing Template Languages

Abstract
Los idiomas de las plantillas no se deben mezclar para evitar las protecciones de secuencias de comandos en sitios cruzados.
Explanation
Cuando se combinan motores de plantillas, las protecciones que se implementaron anteriormente para una plantilla dejan de funcionar o de ser válidas. En el mejor de los casos, esto puede hacer que la funcionalidad no funcione según lo esperado, pero también puede permitir a los usuarios malintencionados evitar las protecciones en el motor y acabar en vulnerabilidades de scripts entre sitios.

Ejemplo 1: En el siguiente código, se configura un módulo AngularJS para utilizar "[[" y "]]" como delimitadores de expresión en lugar de los valores predeterminados.


myModule.config(function($interpolateProvider){
    $interpolateProvider.startSymbol("[[");
    $interpolateProvider.endSymbol("]]");
});


Esto puede provocar que el otro motor de plantilla que realiza la validación escape las expresiones, que pueden no ser compatibles con las expresiones AngularJS, lo que podría llevar a que los usuarios omitan la validación regular y ejecuten su propio código dentro del explorador.
References
[1] AngularJS $interpolateProvider documentation Google
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
desc.structural.javascript.often_misused_mixing_template_languages

Often Misused: Privilege Management

Abstract
El incumplimiento del principio de menor privilegio amplifica el riesgo que plantean otras vulnerabilidades.
Explanation
Los programas que se ejecutan con privilegios root han provocado innumerables desastres de seguridad de Unix. Es imprescindible que revise atentamente los programas con privilegios en relación con todos los tipos de problemas de seguridad, pero es igual de importante restablecer los programas con privilegios a un estado sin ellos tan rápido como sea posible a fin de limitar la cantidad de daños que puede provocar una vulnerabilidad que se pasó por alto.


Las funciones de administración de privilegios se pueden comportar de forma algo menos obvias, y presentan diferentes peculiaridades en las distintas plataformas. Estas incoherencias son especialmente pronunciadas al pasar de un usuario que no es root a otro.

Los controladores de señales y los procesos generados se ejecutan en el privilegio del proceso propietario, por lo que si el proceso se está ejecutando como root cuando se desencadena una señal o se ejecuta un subproceso, el controlador de señales funcionará con privilegios raíz. Es posible que un usuario malintencionado aproveche estos privilegios elevados para realizar aún más daño.
References
[1] H. Chen, D. Wagner, and D. Dean. Setuid Demystified. 11th USENIX Security Symposium
[2] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[3] Standards Mapping - Common Weakness Enumeration CWE ID 250
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-000381, CCI-002233, CCI-002235
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), CM-7 Least Functionality (P1), IA-5 Authenticator Management (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-5 Access Restrictions for Change, CM-7 Least Functionality, IA-5 Authenticator Management
[10] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.1 Authentication Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[13] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[15] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[27] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 250
[28] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.cpp.often_misused_privilege_management.setuid
Abstract
El incumplimiento del principio de privilegios mínimos amplía el riesgo que suponen otras vulnerabilidades.
Explanation
Los programas que funcionan con privilegios de root han causado innumerables desastres de seguridad Unix. Es absolutamente necesario que revise cuidadosamente los programas privilegiados para descubrir cualquier tipo de problema de seguridad, pero es igualmente importante que los programas privilegiados vuelvan a un estado no privilegiado tan pronto como sea posible para limitar el daño total que una vulnerabilidad no detectada pueda causar.


Las funciones de gestión de privilegios pueden realizarse de formas menos que obvias, y tienen diferentes particularidades en las diferentes plataformas. Estas inconsistencias son especialmente evidentes si se cambia de un usuario no root a otro.

Los tratamientos de señales y los procesos generados funcionan sobre el privilegio del proceso de apropiación, de modo que si un proceso está funcionando como root cuando una señal salta o se ejecuta un subproceso, el tratamiento de señales o el subproceso operará con privilegios de origen. Un atacante puede ser capaz de aprovechar estos privilegios avanzados para hacer más daño.
References
[1] H. Chen, D. Wagner, and D. Dean. Setuid Demystified. 11th USENIX Security Symposium
[2] Standards Mapping - Common Weakness Enumeration CWE ID 250
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-000381, CCI-002233, CCI-002235
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), CM-7 Least Functionality (P1), IA-5 Authenticator Management (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-5 Access Restrictions for Change, CM-7 Least Functionality, IA-5 Authenticator Management
[9] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.1 Authentication Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[26] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 250
[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.golang.often_misused_privilege_management
Abstract
El incumplimiento del principio de menor privilegio amplifica el riesgo que plantean otras vulnerabilidades.
Explanation
Los programas que se ejecutan con privilegios root han provocado innumerables desastres de seguridad de Unix. Es imprescindible que revise atentamente los programas con privilegios en relación con todos los tipos de problemas de seguridad, pero es igual de importante restablecer los programas con privilegios a un estado sin ellos tan rápido como sea posible a fin de limitar la cantidad de daños que puede provocar una vulnerabilidad que se pasó por alto.


Las funciones de administración de privilegios se pueden comportar de forma algo menos obvias, y presentan diferentes peculiaridades en las distintas plataformas. Estas incoherencias son especialmente pronunciadas al pasar de un usuario que no es root a otro.

Los controladores de señales y los procesos generados se ejecutan en el privilegio del proceso propietario, por lo que si el proceso se está ejecutando como root cuando se desencadena una señal o se ejecuta un subproceso, el controlador de señales funcionará con privilegios raíz. Es posible que un atacante aproveche estos privilegios elevados para realizar aún más daño.
References
[1] H. Chen, D. Wagner, and D. Dean. Setuid Demystified. 11th USENIX Security Symposium
[2] Standards Mapping - Common Weakness Enumeration CWE ID 250
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-000381, CCI-002233, CCI-002235
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), CM-7 Least Functionality (P1), IA-5 Authenticator Management (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-5 Access Restrictions for Change, CM-7 Least Functionality, IA-5 Authenticator Management
[9] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.1 Authentication Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[26] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 250
[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.java.often_misused_privilege_management
Abstract
El incumplimiento del principio de menor privilegio amplifica el riesgo que plantean otras vulnerabilidades.
Explanation
Los programas que se ejecutan con privilegios root han provocado innumerables desastres de seguridad de Unix. Es imprescindible que revise atentamente los programas con privilegios en relación con todos los tipos de problemas de seguridad, pero es igual de importante restablecer los programas con privilegios a un estado sin ellos tan rápido como sea posible a fin de limitar la cantidad de daños que puede provocar una vulnerabilidad que se pasó por alto.


Las funciones de administración de privilegios se pueden comportar de forma algo menos obvias, y presentan diferentes peculiaridades en las distintas plataformas. Estas incoherencias son especialmente pronunciadas al pasar de un usuario que no es root a otro.

Los controladores de señales y los procesos generados se ejecutan en el privilegio del proceso propietario, por lo que si el proceso se está ejecutando como root cuando se desencadena una señal o se ejecuta un subproceso, el controlador de señales funcionará con privilegios raíz. Es posible que un usuario malintencionado aproveche estos privilegios elevados para realizar aún más daño.
References
[1] H. Chen, D. Wagner, and D. Dean. Setuid Demystified. 11th USENIX Security Symposium
[2] Standards Mapping - Common Weakness Enumeration CWE ID 250
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-000381, CCI-002233, CCI-002235
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), CM-7 Least Functionality (P1), IA-5 Authenticator Management (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-5 Access Restrictions for Change, CM-7 Least Functionality, IA-5 Authenticator Management
[9] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.1 Authentication Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[26] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 250
[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.python.often_misused_privilege_management

Often Misused: SMS

Abstract
La aplicación realiza operaciones relacionadas con SMS específicas de iOS.
Explanation
No se deben realizar operaciones relacionadas con SMS específicas de iOS a menos que sean necesarias para la funcionalidad esencial de una aplicación. El malware escrito para dispositivos móviles suele aprovecharse de esta funcionalidad para robar dinero y datos a los usuarios.

Ejemplo 1: En los siguientes casos, la aplicación envía un mensaje SMS o lo escribe previamente y lo muestra al usuario, a quien se le solicita que lo envíe o lo cancele:

...
Device.OpenUri("sms:+12345678910");
...
References
[1] Apple UIApplication Class Reference
[2] Apple MFMessageComposeViewController Class Reference
[3] Xamarin Messaging Plugin for Xamarin and Windows
[4] Standards Mapping - Common Weakness Enumeration CWE ID 676
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.5 Configuration Architectural Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.2, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.2, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[29] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[47] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.dotnet.often_misused_sms
Abstract
La aplicación realiza operaciones de relacionadas con SMS.
Explanation
No se deben realizar operaciones relacionadas con SMS a menos que sean necesarias para la funcionalidad esencial de una aplicación. El malware escrito para dispositivos móviles suele aprovecharse de esta funcionalidad para robar dinero y datos a los usuarios.

Ejemplo 1: en los siguientes casos, la aplicación envía un mensaje SMS o lo escribe previamente y lo muestra al usuario, a quien se le solicita que lo envíe o lo cancele.

...
[[CTMessageCenter sharedMessageCenter] sendSMSWithText:@"Hello world!" serviceCenter:nil toAddress:@"+12345678910"];
...

// or

...
[[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"sms:+12345678910"]];
...

// or

...
MFMessageComposeViewController *messageComposerVC = [[MFMessageComposeViewController alloc] init];

[messageComposerVC setMessageComposeDelegate:self];
[messageComposerVC setBody:@"Hello World!"];
[messageComposerVC setRecipients:[NSArray arrayWithObject:@"+12345678910"]];

[self presentViewController:messageComposerVC animated:YES completion:nil];
...
References
[1] Apple UIApplication Class Reference
[2] Apple MFMessageComposeViewController Class Reference
[3] Standards Mapping - Common Weakness Enumeration CWE ID 676
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.5 Configuration Architectural Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[11] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.2, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.2, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[46] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.objc.often_misused_sms
Abstract
La aplicación realiza operaciones de relacionadas con SMS.
Explanation
No se deben realizar operaciones relacionadas con SMS a menos que sean necesarias para la funcionalidad esencial de una aplicación. El malware escrito para dispositivos móviles suele aprovecharse de esta funcionalidad para robar dinero y datos a los usuarios.

Ejemplo 1: en los siguientes casos, la aplicación envía un mensaje SMS o lo escribe previamente y lo muestra al usuario, a quien se le solicita que lo envíe o lo cancele.


...
UIApplication.sharedApplication().openURL(NSURL(string: "sms:+12345678910"))
...


o


...
let messageComposeVC = MFMessageComposeViewController()
messageComposeVC.messageComposeDelegate = self
messageComposeVC.body = "Hello World!"
messageComposeVC.recipients = ["+12345678910"]

presentViewController(messageComposeVC, animated: true, completion: nil)
...
References
[1] Apple UIApplication Class Reference
[2] Apple MFMessageComposeViewController Class Reference
[3] Standards Mapping - Common Weakness Enumeration CWE ID 676
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.5 Configuration Architectural Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[11] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.2, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.2, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[46] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.swift.often_misused_sms

Often Misused: Spring Remote Service

Abstract
Los servicios remotos se configuran en la aplicación Spring. De forma predeterminada, estos servicios remotos no requieren autenticación y la información transferida hacia este servicio o desde él está en texto sin formato. Esto podría permitir que un atacante acceda a operaciones privilegiadas o exponga datos confidenciales.
Explanation
Spring proporciona un mecanismo sencillo para convertir cualquier bean administrado por Spring en un objeto que se expone externamente a través de los protocolos RMI, HTTP, Burlap, Hessian y JMX. Cualquier método público de spring bean remoto se puede llamar externamente y los datos que se pasan entre el cliente y los objetos remotos están en texto sin formato. El principal problema de estos servicios es que están abiertos de forma predeterminada y no ofrecen garantías de confidencialidad o integridad desde el primer momento.
References
[1] Anirvan Chakraborty , Jessica Ditt , Aleksa Vukotic , Jan Machacek ProSpring 2.5
[2] Gary Mak , Daniel Rubio , Josh Long Spring Recipes
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-001084, CCI-002165
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1), SC-3 Security Function Isolation (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users), SC-3 Security Function Isolation, SC-8 Transmission Confidentiality and Integrity
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[9] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.10
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4, Requirement 6.5.9
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.4, Requirement 6.5.8
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4, Requirement 6.5.8
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4, Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.4.1 - Web Software Communications
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3260 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3260 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[49] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.configuration.java.often_misused_spring_remote_service

Often Misused: Spring Web Service

Abstract
Los servicios web están configurados en la aplicación Spring. De forma predeterminada, estos servicios web no requieren autenticación y la información transferida hacia este servicio o desde el mismo está en texto sin formato. Esto podría permitir que un atacante acceda a operaciones privilegiadas o exponga datos confidenciales.
Explanation
Spring proporciona un mecanismo sencillo para convertir cualquier bean administrado por Spring en servicios web a través de Spring WS o XFire. Cualquier método público del Spring bean remoto se puede llamar externamente y los datos que se pasan entre el cliente y los objetos habilitados para el servicio web están en texto sin formato. El principal problema de estos servicios es que están abiertos de forma predeterminada y no ofrecen garantías de confidencialidad o integridad desde el primer momento.
References
[1] Anirvan Chakraborty , Jessica Ditt , Aleksa Vukotic , Jan Machacek ProSpring 2.5
[2] Gary Mak , Daniel Rubio , Josh Long Spring Recipes
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-001084, CCI-002165
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1), SC-3 Security Function Isolation (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users), SC-3 Security Function Isolation, SC-8 Transmission Confidentiality and Integrity
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[9] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.10
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4, Requirement 6.5.9
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.4, Requirement 6.5.8
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4, Requirement 6.5.8
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4, Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.4.1 - Web Software Communications
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3260 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3260 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[49] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.configuration.java.often_misused_spring_web_service

Often Misused: Strings

Abstract
Las funciones que convierten cadenas de Multibyte a Unicode y viceversa favorecen la aparición de desbordamientos del búfer.
Explanation
Windows proporciona las funciones MultiByteToWideChar(), WideCharToMultiByte(), UnicodeToBytes() y BytesToUnicode() para convertir cadenas de caracteres multibyte (normalmente ANSI) arbitrarias a cadenas Unicode (carácter ancho) y viceversa. Los argumentos de tamaño para estas funciones están especificados en diferentes unidades (una en bytes y la otra en caracteres) y su uso suele llevar a errores. En una cadena de caracteres multibyte, cada carácter ocupa una cantidad variable de bytes; por lo tanto, el tamaño de dichas cadenas se especifica más fácilmente como un número total de bytes. Sin embargo, en Unicode los caracteres siempre tienen un tamaño fijo y la longitud de las cadenas está definida por el número de caracteres que contienen. La especificación incorrecta de las unidades erróneas en un argumento de tamaño podría provocar un buffer overflow.

Ejemplo 1: La función siguiente toma un nombre de usuario especificado como cadena multibyte y un puntero a una estructura para la información de usuario y rellena la estructura con información sobre el usuario especificado. Como la autenticación de Windows utiliza Unicode para los nombres de usuario, el argumento de nombre de usuario se convierte primero desde una cadena multibyte a otra Unicode.


void getUserInfo(char *username, struct _USER_INFO_2 info){
WCHAR unicodeUser[UNLEN+1];
MultiByteToWideChar(CP_ACP, 0, username, -1,
     unicodeUser, sizeof(unicodeUser));
NetUserGetInfo(NULL, unicodeUser, 2, (LPBYTE *)&info);
}


Esta función transfiere de forma incorrecta el tamaño de unicodeUser en bytes en lugar de hacerlo en caracteres. Así pues, la llamada a MultiByteToWideChar() puede escribir hasta (UNLEN+1)*sizeof(WCHAR) caracteres anchos o (UNLEN+1)*sizeof(WCHAR)*sizeof(WCHAR) bytes, en la matriz unicodeUser, que solo tiene (UNLEN+1)*sizeof(WCHAR) bytes asignados. Si la cadena username contiene más de UNLEN caracteres, la llamada a MultiByteToWideChar() desbordará el búfer unicodeUser.
References
[1] Security Considerations: International Features Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 176
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002824
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-16 Memory Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-16 Memory Protection
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.2 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002590 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002590 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002590 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002590 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002590 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002590 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002590 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002590 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002590 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002590 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002590 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002590 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002590 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002590 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002590 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002590 CAT I
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Buffer Overflow (WASC-07)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Buffer Overflow
desc.semantic.cpp.often_misused_strings.multibytewidechar

Often Misused: sun.misc.Unsafe

Abstract
La aplicación utiliza la funcionalidad de sun.misc.Unsafe. Las funcionalidades de esta clase son intrínsecamente inseguras y solo se puede acceder a ellas previa reflexión.
Explanation
La clase sun.misc.Unsafe se utiliza para realizar operaciones inseguras de bajo nivel y no está diseñada para que la usen los desarrolladores.
La clase Unsafe solo se puede obtener mediante un código de confianza y normalmente se obtiene a través de la reflexión, ya que se puede usar para corromper el sistema o asignar manualmente memoria en masa que, si no se maneja adecuadamente, podría tener efectos perjudiciales en el sistema. Es absolutamente necesario que toda la funcionalidad alrededor de sun.misc.Unsafe se revise y pruebe cuidadosamente para que no tenga fallos.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 676
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[9] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
[13] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP2060.4 CAT II, APP3590.2 CAT I
[14] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP2060.4 CAT II, APP3590.2 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP2060.4 CAT II, APP3590.2 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP2060.4 CAT II, APP3590.2 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP2060.4 CAT II, APP3590.2 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP2060.4 CAT II, APP3590.2 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP2060.4 CAT II, APP3590.2 CAT II
desc.structural.java.often_misused_sun_misc_unsafe

OGNL Expression Injection

Abstract
La evaluación de expresiones OGNL no validadas puede llevar a la ejecución remota de código.
Explanation
Object-Graph Navigation Language (OGNL) es un lenguaje de expresiones (EL) de código abierto para Java que permite evaluar expresiones de EL en el contexto de Value Stack de Struts 2. Al permitir que se evalúen expresiones no validadas contrastándolas con la Value Stack, puede permitir que un atacante acceda y modifique variables del sistema o ejecute un código arbitrario.

En el siguiente ejemplo, la aplicación utiliza datos no validados controlados por el usuario para crear y evaluar una expresión OGNL:

OgnlContext ctx = new OgnlContext();
String expression = request.getParameter("input");
Object expr = Ognl.parseExpression(expression);
Object value = Ognl.getValue(expr, ctx, root);
System.out.println("Value: " + value);


Un atacante puede enviar la siguiente expresión para ejecutar código arbitrario en el contexto del servidor de aplicaciones:

(#rt = @java.lang.Runtime@getRuntime(),#rt.exec("calc.exe"))
References
[1] Apache Commons OGNL - Object-Graph Navigation Library
[2] Meder Kydyraliev Milking a horse or executing remote code in modern Java frameworks
[3] Standards Mapping - Common Weakness Enumeration CWE ID 94, CWE ID 95
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.4 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.java.ognl_expression_injection

OGNL Expression Injection: Double Evaluation

Abstract
La evaluación OGNL doble permite a los usuarios malintencionados evaluar expresiones OGNL arbitrarias cuando se controla la salida de la primera evaluación.
Explanation
La aplicación utiliza una expresión OGNL forzada (%{expr}) en una etiqueta Struts que evalúa la expresión OGNL dos veces. Un usuario malintencionado que controlase el resultado de la primera evaluación podría controlar la expresión evaluada en la segunda evaluación OGNL e inyectar expresiones OGNL arbitrarias.

Ejemplo 1: Se sabe que el resultado redirectAction evalúa sus parámetros dos veces. En este caso, un usuario malintencionado podría controlar el resultado de la expresión OGNL forzada en el parámetro actionName mediante un parámetro de solicitud redirect.


    ...
    <action name="index" class="com.acme.MyAction">
        <result type="redirectAction">
            <param name="actionName">${#parameters['redirect']}</param>
            <param name="namespace">/foo</param>
        </result>
    </action>
    ...


El código de Struts 2 evaluará internamente la expresión %{#parameters['redirect']} que devuelve una cadena que controla el usuario como una expresión OGNL, lo que permitiría al usuario malintencionado evaluar expresiones OGNL arbitrarias.
References
[1] Struts 2 - Security Bulletin S2-029 Apache Struts
[2] Struts 2 - Security Bulletin S2-036 Apache Struts
[3] Standards Mapping - Common Weakness Enumeration CWE ID 94, CWE ID 95
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.4 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.configuration.java.ognl_expression_injection_double_evaluation

OGNL Expression Injection: Dynamic Method Invocation

Abstract
La aplicación de Struts 2 permite Dynamic Method Invocation, que se sabe que es vulnerable a los ataques de inyección OGNL en algunas versiones de Struts 2.
Explanation
Struts 2 introdujo una característica llamada "Dynamic Method Invocation" que permite que una acción exponga métodos distintos a execute(). El carácter ! (signo de admiración) o el prefijo method: se pueden usar en la dirección URL de la acción para invocar cualquier método público en la acción si "Dynamic Method Invocation" está habilitada. En la versión 2.3.20 de Struts 2 el mecanismo para invocar el método alternativo que anteriormente se basaba en la reflexión, se sustituyó por OGNL, lo que permitía a los atacantes proporcionar expresiones OGNL malintencionadas en lugar de un nombre de método alternativo.
References
[1] Struts 2 Security Vulnerability - Dynamic Method Invocation
[2] Struts 2 - Dynamic Method Invocation Apache Struts
[3] Struts 2 - Security Bulletin S2-032 Apache Struts
[4] Struts 2 - Security Bulletin S2-033 Apache Struts
[5] Standards Mapping - Common Weakness Enumeration CWE ID 94, CWE ID 95
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[12] Standards Mapping - FIPS200 SI
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-2 Flaw Remediation (P1), SI-10 Information Input Validation (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-2 Flaw Remediation, SI-10 Information Input Validation
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.4 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[18] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[19] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[21] Standards Mapping - OWASP Top 10 2010 A1 Injection
[22] Standards Mapping - OWASP Top 10 2013 A1 Injection
[23] Standards Mapping - OWASP Top 10 2017 A1 Injection
[24] Standards Mapping - OWASP Top 10 2021 A03 Injection
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[37] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.config.java.ognl_expression_injection_dynamic_method_invocation

OGNL Expression Injection: Struts 2

Abstract
La aplicación se implementa en modo de desarrollo (devMode), lo que permite la ejecución de comandos arbitrarios en el servidor y la fuga de información detallada sobre el código de la aplicación.
Explanation
Struts 2 tiene una configuración llamada devMode (modo de desarrollo). Cuando esta configuración está habilitada, Struts 2 proporcionará información adicional de registro y depuración, lo que puede acelerar considerablemente el desarrollo a cambio de un alto impacto en el rendimiento y la seguridad. devMode elevará el nivel de problemas de depuración o que normalmente se omiten a excepciones que normalmente no se lanzarían en modo normal.

devMode también habilita algunas funcionalidades de depuración que permiten a los desarrolladores comprobar las variables almacenadas en la pila de valores. Estas características se pueden activar mediante el parámetro de solicitud debug:
- debug =console mostrará una consola de evaluación OGNL que permite a los desarrolladores evaluar cualquier expresión OGNL arbitraria en el servidor.
- debug =command permitirá a los desarrolladores enviar expresiones OGNL arbitrarias para su evaluación usando el parámetro de solicitudexpression.
- debug=xml volcará los parámetros, el contexto, la sesión y la pila de valores en un documento XML.
- debug=browser volcará los parámetros, el contexto, la sesión y la pila de valores en un documento HTML navegable.
References
[1] Apache Struts 2 Documentation - devMode
[2] Apache Struts 2 Documentation - Debugging
[3] Meder Kydyraliev Milking a horse or executing remote code in modern Java frameworks
[4] Standards Mapping - Common Weakness Enumeration CWE ID 94, CWE ID 95
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.4 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[17] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[18] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[60] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.config.java.ognl_expression_injection_struts2_devmode

Open Redirect

Abstract
si se permite la entrada sin validar para controlar la dirección URL utilizada en un redireccionamiento, se puede ayudar a los ataques de suplantación de identidad.
Explanation
Los redireccionamientos permiten a las aplicaciones web dirigir a los usuarios a distintas páginas dentro de la misma aplicación o a sitios externos. Las aplicaciones utilizan los redireccionamientos para ayudar con la navegación del sitio y, en algunos casos, para realizar un seguimiento de cómo los usuarios salen del sitio. Las vulnerabilidades de redireccionamiento abierto se producen cuando una aplicación web redirige a los clientes a cualquier dirección URL arbitraria que un usuario malintencionado pueda controlar.

Los atacantes pueden utilizar ataques de redireccionamiento abierto (Open Redirect) para engañar a los usuarios a que visiten una dirección URL en un sitio de confianza y redirigirlos a un sitio malintencionado. Mediante la codificación de la dirección URL, un atacante puede hacer que los usuarios finales tengan mayor dificultad para reconocer el destino malintencionado del redireccionamiento, incluso cuando se pasa como un parámetro de URL al sitio de confianza. A menudo se abusa de los redireccionamientos abiertos como parte de las estafas de suplantación de identidad (phishing) para recopilar datos confidenciales del usuario final.

Ejemplo 1: El siguiente código ABAP indica al explorador del usuario que abra una dirección URL que se analiza desde el parámetro de solicitud de dest cuando un usuario hace clic en el vínculo.


...
DATA: str_dest TYPE c.

str_dest = request->get_form_field( 'dest' ).
response->redirect( str_dest ).
...


Si una víctima recibe un mensaje de correo electrónico indicándole que siga un vínculo a "http://trusted.example.com/ecommerce/redirect.asp?dest=www.wilyhacker.com", el usuario puede hacer clic en el mismo creyendo que se le redireccionará al sitio de confianza. Sin embargo, cuando la víctima haga clic en el vínculo, el código del Example 1 redireccionará el explorador a "http://www.wilyhacker.com".

Se ha educado a muchos usuarios a que analicen siempre las direcciones URL que reciben en mensajes de correo electrónico para asegurarse de que el vínculo especifica un sitio de confianza que conocen. Sin embargo, si el usuario malintencionado codifica la dirección URL de destino mediante Hex como se indica a continuación:
"http://trusted.example.com/ecommerce/redirect.asp?dest=%77%69%6C%79%68%61%63%6B%65%72%2E%63%6F%6D"

, incluso un usuario final más experimentado puede ser engañado en el vínculo.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 601
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.5 Input Validation Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2010 A10 Unvalidated Redirects and Forwards
[12] Standards Mapping - OWASP Top 10 2013 A10 Unvalidated Redirects and Forwards
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[26] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 601
[27] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 601
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Content Spoofing
desc.dataflow.abap.open_redirect
Abstract
si se permite la entrada sin validar para controlar la dirección URL utilizada en un redireccionamiento, se puede ayudar a los ataques de suplantación de identidad.
Explanation
Los redireccionamientos permiten a las aplicaciones web dirigir a los usuarios a distintas páginas dentro de la misma aplicación o a sitios externos. Las aplicaciones utilizan los redireccionamientos para ayudar con la navegación del sitio y, en algunos casos, para realizar un seguimiento de cómo los usuarios salen del sitio. Las vulnerabilidades de redireccionamiento abierto se producen cuando una aplicación web redirige a los clientes a cualquier dirección URL arbitraria que un usuario malintencionado pueda controlar.

Los atacantes pueden utilizar ataques de redireccionamiento abierto (Open Redirect) para engañar a los usuarios a que visiten una dirección URL en un sitio de confianza y redirigirlos a un sitio malintencionado. Mediante la codificación de la dirección URL, un atacante puede hacer que los usuarios finales tengan mayor dificultad para reconocer el destino malintencionado del redireccionamiento, incluso cuando se pasa como un parámetro de URL al sitio de confianza. A menudo se abusa de los redireccionamientos abiertos como parte de las estafas de suplantación de identidad (phishing) para recopilar datos confidenciales del usuario final.

Ejemplo 1: el siguiente código ActionScript indica al explorador del usuario que abra una dirección URL leída desde el parámetro de solicitud dest cuando un usuario hace clic en el vínculo.


        ...
        var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
        var strDest:String = String(params["dest"]);
        host.updateLocation(strDest);
        ...


Si una víctima recibe un mensaje de correo electrónico indicándole que siga un vínculo a "http://trusted.example.com/ecommerce/redirect.asp?dest=www.wilyhacker.com", el usuario puede hacer clic en el mismo creyendo que se le redireccionará al sitio de confianza. Sin embargo, cuando la víctima haga clic en el vínculo, el código del Example 1 redireccionará el explorador a "http://www.wilyhacker.com".

Se ha educado a muchos usuarios a que analicen siempre las direcciones URL que reciben en mensajes de correo electrónico para asegurarse de que el vínculo especifica un sitio de confianza que conocen. Sin embargo, si el usuario malintencionado codifica la dirección URL de destino mediante Hex como se indica a continuación:
"http://trusted.example.com/ecommerce/redirect.asp?dest=%77%69%6C%79%68%61%63%6B%65%72%2E%63%6F%6D"

, incluso un usuario final más experimentado puede ser engañado en el vínculo.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 601
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.5 Input Validation Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2010 A10 Unvalidated Redirects and Forwards
[12] Standards Mapping - OWASP Top 10 2013 A10 Unvalidated Redirects and Forwards
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[26] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 601
[27] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 601
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Content Spoofing
desc.dataflow.actionscript.open_redirect
Abstract
Un archivo pasa datos sin validar a un redireccionamiento de HTTP.
Explanation
si se permite la entrada sin validar para controlar la dirección URL utilizada en un redireccionamiento, se puede ayudar a los ataques de suplantación de identidad. Los redireccionamientos permiten a las aplicaciones web dirigir a los usuarios a distintas páginas dentro de la misma aplicación o a sitios externos. Las aplicaciones utilizan los redireccionamientos para ayudar con la navegación del sitio y, en algunos casos, para realizar un seguimiento de cómo los usuarios salen del sitio. Las vulnerabilidades Open Redirect se producen cuando una aplicación web redirige a los clientes a una dirección URL arbitraria que pueda estar controlada por un atacante.

Los atacantes pueden utilizar ataques de redireccionamiento abierto (Open Redirect) para engañar a los usuarios a que visiten una dirección URL en un sitio de confianza y redirigirlos a un sitio malintencionado. Mediante la codificación de la dirección URL, un atacante puede hacer que los usuarios finales tengan mayor dificultad para reconocer el destino malintencionado del redireccionamiento, incluso cuando se pasa como un parámetro de URL al sitio de confianza. A menudo se abusa de los redireccionamientos abiertos como parte de las estafas de suplantación de identidad (phishing) para recopilar datos confidenciales del usuario final.

Ejemplo 1: El siguiente método de acción de Visualforce devuelve un objeto PageReference que consiste en una URL del parámetro de solicitud dest.


public PageReference pageAction() {
    ...
    PageReference ref = ApexPages.currentPage();
    Map<String,String> params = ref.getParameters();
    return new PageReference(params.get('dest'));
}


Si una víctima recibe un mensaje de correo electrónico indicándole que siga un vínculo a "http://trusted.vf.force.com/apex/vfpage?dest=www.wilyhacker.com", el usuario puede hacer clic en el mismo creyendo que se le redireccionará al sitio de confianza. Sin embargo, cuando la víctima haga clic en el vínculo, el código del Example 1 redireccionará el explorador a "http://www.wilyhacker.com".

Se ha educado a muchos usuarios para que analicen siempre las direcciones URL que reciben en mensajes de correo electrónico y se aseguren de que el vínculo especifique un sitio de confianza que conocen. Sin embargo, si el atacante codifica la dirección URL de destino de la siguiente manera:
"http://trusted.example.com/ecommerce/redirect.asp?dest=%77%69%6C%79%68%61%63%6B%65%72%2E%63%6F%6D"

es posible que incluso un usuario final experimentado caiga en la trampa y siga el vínculo.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 601
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.5 Input Validation Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2010 A10 Unvalidated Redirects and Forwards
[12] Standards Mapping - OWASP Top 10 2013 A10 Unvalidated Redirects and Forwards
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[26] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 601
[27] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 601
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Content Spoofing
desc.dataflow.apex.open_redirect
Abstract
si se permite la entrada sin validar para controlar la dirección URL utilizada en un redireccionamiento, se puede ayudar a los ataques de suplantación de identidad.
Explanation
Los redireccionamientos permiten a las aplicaciones web dirigir a los usuarios a distintas páginas dentro de la misma aplicación o a sitios externos. Las aplicaciones utilizan los redireccionamientos para ayudar con la navegación del sitio y, en algunos casos, para realizar un seguimiento de cómo los usuarios salen del sitio. Las vulnerabilidades de redireccionamiento abierto se producen cuando una aplicación web redirige a los clientes a cualquier dirección URL arbitraria que un usuario malintencionado pueda controlar.

Los atacantes pueden utilizar ataques de redireccionamiento abierto (Open Redirect) para engañar a los usuarios a que visiten una dirección URL en un sitio de confianza y redirigirlos a un sitio malintencionado. Mediante la codificación de la dirección URL, un atacante puede hacer que los usuarios finales tengan mayor dificultad para reconocer el destino malintencionado del redireccionamiento, incluso cuando se pasa como un parámetro de URL al sitio de confianza. A menudo se abusa de los redireccionamientos abiertos como parte de las estafas de suplantación de identidad (phishing) para recopilar datos confidenciales del usuario final.

Ejemplo 1: el siguiente código indica al navegador del usuario que abra una URL analizada desde el parámetro de solicitud dest cuando un usuario hace clic en el vínculo.


    String redirect = Request["dest"];
    Response.Redirect(redirect);


Si una víctima recibe un mensaje de correo electrónico indicándole que siga un vínculo a "http://trusted.example.com/ecommerce/redirect.asp?dest=www.wilyhacker.com", el usuario puede hacer clic en el mismo creyendo que se le redireccionará al sitio de confianza. Sin embargo, cuando la víctima haga clic en el vínculo, el código del Example 1 redireccionará el explorador a "http://www.wilyhacker.com".

Se ha educado a muchos usuarios a que analicen siempre las direcciones URL que reciben en mensajes de correo electrónico para asegurarse de que el vínculo especifica un sitio de confianza que conocen. Sin embargo, si el usuario malintencionado ha codificado la URL de destino de la siguiente forma:
"http://trusted.example.com/ecommerce/redirect.asp?dest=%77%69%6C%79%68%61%63%6B%65%72%2E%63%6F%6D"

, incluso un usuario final más experimentado puede ser engañado en el vínculo.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 601
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.5 Input Validation Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2010 A10 Unvalidated Redirects and Forwards
[12] Standards Mapping - OWASP Top 10 2013 A10 Unvalidated Redirects and Forwards
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[26] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 601
[27] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 601
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Content Spoofing
desc.dataflow.dotnet.open_redirect
Abstract
si se permite la entrada sin validar para controlar la dirección URL utilizada en un redireccionamiento, se puede ayudar a los ataques de suplantación de identidad.
Explanation
Los redireccionamientos permiten a las aplicaciones web dirigir a los usuarios a distintas páginas dentro de la misma aplicación o a sitios externos. Las aplicaciones utilizan los redireccionamientos para ayudar con la navegación del sitio y, en algunos casos, para realizar un seguimiento de cómo los usuarios salen del sitio. Las vulnerabilidades de redireccionamiento abierto (Open Redirect) se producen cuando una aplicación web redirige a los clientes a una dirección URL arbitraria que puede estar controlada por un atacante.

Los atacantes pueden utilizar ataques de redireccionamiento abierto (Open Redirect) para engañar a los usuarios a que visiten una dirección URL en un sitio de confianza y redirigirlos a un sitio malintencionado. Mediante la codificación de la dirección URL, un atacante puede hacer que los usuarios finales tengan mayor dificultad para reconocer el destino malintencionado del redireccionamiento, incluso cuando se pasa como un parámetro de URL al sitio de confianza. A menudo se abusa de los redireccionamientos abiertos como parte de las estafas de suplantación de identidad (phishing) para recopilar datos confidenciales del usuario final.

Ejemplo 1: El siguiente código JSP indica al explorador del usuario que abra una dirección URL analizada desde el parámetro de solicitud dest cuando un usuario hace clic en el vínculo.


    ...
    final server = await HttpServer.bind(host, port);
      await for (HttpRequest request in server) {
        final response = request.response;
        final headers = request.headers;
        final strDest = headers.value('strDest');
        response.headers.contentType = ContentType.text;
        response.redirect(Uri.parse(strDest!));
        await response.close();
      }
    ...


Si una víctima recibe un mensaje de correo electrónico indicándole que siga un vínculo a "http://trusted.example.com/ecommerce/redirect.asp?dest=www.wilyhacker.com", el usuario puede hacer clic en el mismo creyendo que se le redireccionará al sitio de confianza. Sin embargo, cuando la víctima haga clic en el vínculo, el código del Example 1 redireccionará el explorador a "http://www.wilyhacker.com".

Se ha educado a muchos usuarios a que analicen siempre las direcciones URL que reciben en mensajes de correo electrónico para asegurarse de que el vínculo especifique un sitio de confianza que conocen. Sin embargo, si el atacante codifica la dirección URL de destino mediante Hex de la siguiente manera:
"http://trusted.example.com/ecommerce/redirect.asp?dest=%77%69%6C%79%68%61%63%6B%65%72%2E%63%6F%6D",

es posible que incluso un usuario final experimentado caiga en la trampa y siga el vínculo.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 601
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.5 Input Validation Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2010 A10 Unvalidated Redirects and Forwards
[12] Standards Mapping - OWASP Top 10 2013 A10 Unvalidated Redirects and Forwards
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[26] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 601
[27] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 601
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Content Spoofing
desc.dataflow.dart.open_redirect
Abstract
si se permite la entrada sin validar para controlar la dirección URL utilizada en un redireccionamiento, se puede ayudar a los ataques de suplantación de identidad.
Explanation
Los redireccionamientos permiten a las aplicaciones web dirigir a los usuarios a distintas páginas dentro de la misma aplicación o a sitios externos. Las aplicaciones utilizan los redireccionamientos para ayudar con la navegación del sitio y, en algunos casos, para realizar un seguimiento de cómo los usuarios salen del sitio. Las vulnerabilidades Open Redirect se producen cuando una aplicación web redirige a los clientes a una dirección URL arbitraria que pueda estar controlada por un atacante.

Los atacantes pueden utilizar ataques Open Redirect para engañar a los usuarios a que visiten una dirección URL en un sitio de confianza y redirigirlos a un sitio malintencionado. Mediante la codificación de la dirección URL, un atacante puede hacer que los usuarios finales tengan mayor dificultad para reconocer el destino malintencionado del redireccionamiento, incluso cuando se pasa como un parámetro de URL al sitio de confianza. A menudo se abusa de los redireccionamientos abiertos como parte de las estafas de suplantación de identidad (phishing) para recopilar datos confidenciales del usuario final.

Ejemplo 1: El siguiente código indica al explorador del usuario que abra una dirección URL analizada desde el parámetro de solicitud dest cuando un usuario hace clic en el vínculo.


    ...
    strDest := r.Form.Get("dest")
    http.Redirect(w, r, strDest, http.StatusSeeOther)
    ...


Si una víctima recibe un mensaje de correo electrónico indicándole que siga un vínculo a "http://trusted.example.com/ecommerce/redirect.asp?dest=www.wilyhacker.com", el usuario puede hacer clic en el mismo creyendo que será transferido al sitio de confianza. Sin embargo, cuando la víctima hace clic en el vínculo, el código del Example 1 redirecciona el explorador a "http://www.wilyhacker.com".

Se ha educado a muchos usuarios a que analicen siempre las direcciones URL que reciben en mensajes de correo electrónico para asegurarse de que el vínculo especifique un sitio de confianza que conocen. Sin embargo, si el atacante codifica la dirección URL de destino mediante Hex de la siguiente manera:
"http://trusted.example.com/ecommerce/redirect.asp?dest=%77%69%6C%79%68%61%63%6B%65%72%2E%63%6F%6D",

es posible que incluso un usuario final experimentado caiga en la trampa y siga el vínculo.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 601
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.5 Input Validation Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2010 A10 Unvalidated Redirects and Forwards
[12] Standards Mapping - OWASP Top 10 2013 A10 Unvalidated Redirects and Forwards
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[26] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 601
[27] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 601
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Content Spoofing
desc.dataflow.golang.open_redirect
Abstract
si se permite la entrada sin validar para controlar la dirección URL utilizada en un redireccionamiento, se puede ayudar a los ataques de suplantación de identidad.
Explanation
Los redireccionamientos permiten a las aplicaciones web dirigir a los usuarios a distintas páginas dentro de la misma aplicación o a sitios externos. Las aplicaciones utilizan los redireccionamientos para ayudar con la navegación del sitio y, en algunos casos, para realizar un seguimiento de cómo los usuarios salen del sitio. Las vulnerabilidades de redireccionamiento abierto (Open Redirect) se producen cuando una aplicación web redirige a los clientes a una dirección URL arbitraria que puede estar controlada por un atacante.

Los atacantes pueden utilizar ataques de redireccionamiento abierto (Open Redirect) para engañar a los usuarios a que visiten una dirección URL en un sitio de confianza y redirigirlos a un sitio malintencionado. Mediante la codificación de la dirección URL, un atacante puede hacer que los usuarios finales tengan mayor dificultad para reconocer el destino malintencionado del redireccionamiento, incluso cuando se pasa como un parámetro de URL al sitio de confianza. A menudo se abusa de los redireccionamientos abiertos como parte de las estafas de suplantación de identidad (phishing) para recopilar datos confidenciales del usuario final.

Ejemplo 1: La siguiente definición de estado de flujo de Spring WebFlow indica al explorador del usuario que abra una dirección URL analizada desde el parámetro de solicitud dest cuando un usuario hace clic en el vínculo.


    <end-state id="redirectView" view="externalRedirect:#{requestParameters.dest}" />


Si una víctima recibe un mensaje de correo electrónico indicándole que siga un vínculo a "http://trusted.example.com/ecommerce/redirect?dest=www.wilyhacker.com", el usuario puede hacer clic en el mismo creyendo que se le redireccionará al sitio de confianza. Sin embargo, cuando la víctima haga clic en el vínculo, el código del Example 1 redireccionará el explorador a "http://www.wilyhacker.com".

Se ha educado a muchos usuarios a que analicen siempre las direcciones URL que reciben en mensajes de correo electrónico para asegurarse de que el vínculo especifique un sitio de confianza que conocen. Sin embargo, si el atacante codifica la dirección URL de destino mediante Hex de la siguiente manera:
"http://trusted.example.com/ecommerce/redirect?dest=%77%69%6C%79%68%61%63%6B%65%72%2E%63%6F%6D"

es posible que incluso un usuario final experimentado caiga en la trampa y siga el vínculo.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 601
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.5 Input Validation Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2010 A10 Unvalidated Redirects and Forwards
[12] Standards Mapping - OWASP Top 10 2013 A10 Unvalidated Redirects and Forwards
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[26] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 601
[27] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 601
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Content Spoofing
desc.configuration.java.open_redirect
Abstract
si se permite la entrada sin validar para controlar la dirección URL utilizada en un redireccionamiento, se puede ayudar a los ataques de suplantación de identidad.
Explanation
Los redireccionamientos permiten a las aplicaciones web dirigir a los usuarios a distintas páginas dentro de la misma aplicación o a sitios externos. Las aplicaciones utilizan los redireccionamientos para ayudar con la navegación del sitio y, en algunos casos, para realizar un seguimiento de cómo los usuarios salen del sitio. Las vulnerabilidades de redireccionamiento abierto se producen cuando una aplicación web redirige a los clientes a cualquier dirección URL arbitraria que un usuario malintencionado pueda controlar.

Los atacantes pueden utilizar ataques de redireccionamiento abierto (Open Redirect) para engañar a los usuarios a que visiten una dirección URL en un sitio de confianza y redirigirlos a un sitio malintencionado. Mediante la codificación de la dirección URL, un atacante puede hacer que los usuarios finales tengan mayor dificultad para reconocer el destino malintencionado del redireccionamiento, incluso cuando se pasa como un parámetro de URL al sitio de confianza. A menudo se abusa de los redireccionamientos abiertos como parte de las estafas de suplantación de identidad (phishing) para recopilar datos confidenciales del usuario final.

Ejemplo 1: el código JavaScript siguiente proporciona instrucciones al explorador del usuario para que abra una lectura de URL desde el parámetro de solicitud dest cuando un usuario hace clic en el enlace.


	...
	strDest = form.dest.value;
	window.open(strDest,"myresults");
	...


Si una víctima recibe un mensaje de correo electrónico indicándole que siga un vínculo a "http://trusted.example.com/ecommerce/redirect.asp?dest=www.wilyhacker.com", el usuario puede hacer clic en el mismo creyendo que se le redireccionará al sitio de confianza. Sin embargo, cuando la víctima haga clic en el vínculo, el código del Example 1 redireccionará el explorador a "http://www.wilyhacker.com".

Se ha educado a muchos usuarios a que analicen siempre las direcciones URL que reciben en mensajes de correo electrónico para asegurarse de que el vínculo especifica un sitio de confianza que conocen. Sin embargo, si el usuario malintencionado codifica la dirección URL de destino mediante Hex como se indica a continuación:
"http://trusted.example.com/ecommerce/redirect.asp?dest=%77%69%6C%79%68%61%63%6B%65%72%2E%63%6F%6D"

, incluso un usuario final más experimentado puede ser engañado en el vínculo.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 601
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.5 Input Validation Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2010 A10 Unvalidated Redirects and Forwards
[12] Standards Mapping - OWASP Top 10 2013 A10 Unvalidated Redirects and Forwards
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[26] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 601
[27] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 601
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Content Spoofing
desc.dataflow.javascript.open_redirect
Abstract
si se permite la entrada sin validar para controlar la dirección URL utilizada en un redireccionamiento, se puede ayudar a los ataques de suplantación de identidad.
Explanation
Los redireccionamientos permiten a las aplicaciones web dirigir a los usuarios a distintas páginas dentro de la misma aplicación o a sitios externos. Las aplicaciones utilizan los redireccionamientos para ayudar con la navegación del sitio y, en algunos casos, para realizar un seguimiento de cómo los usuarios salen del sitio. Las vulnerabilidades de redireccionamiento abierto se producen cuando una aplicación web redirige a los clientes a cualquier dirección URL arbitraria que un usuario malintencionado pueda controlar.

Los atacantes pueden utilizar ataques de redireccionamiento abierto (Open Redirect) para engañar a los usuarios a que visiten una dirección URL en un sitio de confianza y redirigirlos a un sitio malintencionado. Mediante la codificación de la dirección URL, un atacante puede hacer que los usuarios finales tengan mayor dificultad para reconocer el destino malintencionado del redireccionamiento, incluso cuando se pasa como un parámetro de URL al sitio de confianza. A menudo se abusa de los redireccionamientos abiertos como parte de las estafas de suplantación de identidad (phishing) para recopilar datos confidenciales del usuario final.

Ejemplo 1: el siguiente código PHP indica al explorador del usuario que abra una dirección URL analizada desde el parámetro de solicitud dest cuando un usuario hace clic en el vínculo.


    <%
        ...
        $strDest = $_GET["dest"];
        header("Location: " . $strDest);
        ...
    %>


Si una víctima recibe un correo electrónico que le indica que siga un vínculo a "http://trusted.example.com/ecommerce/redirect.php?dest=www.wilyhacker.com", es probable que haga clic creyendo que el vínculo le transferirá al sitio de confianza. Sin embargo, cuando la víctima haga clic en el vínculo, el código del Example 1 redireccionará el explorador a "http://www.wilyhacker.com".

Se ha educado a muchos usuarios a que analicen siempre las direcciones URL que reciben en mensajes de correo electrónico para asegurarse de que el vínculo especifica un sitio de confianza que conocen. Sin embargo, si el usuario malintencionado codifica la dirección URL de destino mediante Hex como se indica a continuación:
"http://trusted.example.com/ecommerce/redirect.php?dest=%77%69%6C%79%68%61%63%6B%65%72%2E%63%6F%6D"

, incluso un usuario final más experimentado puede ser engañado en el vínculo.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 601
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.5 Input Validation Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2010 A10 Unvalidated Redirects and Forwards
[12] Standards Mapping - OWASP Top 10 2013 A10 Unvalidated Redirects and Forwards
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[26] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 601
[27] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 601
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Content Spoofing
desc.dataflow.php.open_redirect
Abstract
si se permite la entrada sin validar para controlar la dirección URL utilizada en un redireccionamiento, se puede ayudar a los ataques de suplantación de identidad.
Explanation
Los redireccionamientos permiten a las aplicaciones web dirigir a los usuarios a distintas páginas dentro de la misma aplicación o a sitios externos. Las aplicaciones utilizan los redireccionamientos para ayudar con la navegación del sitio y, en algunos casos, para realizar un seguimiento de cómo los usuarios salen del sitio. Las vulnerabilidades de redireccionamiento abierto se producen cuando una aplicación web redirige a los clientes a cualquier dirección URL arbitraria que un usuario malintencionado pueda controlar.

Los atacantes pueden utilizar ataques de redireccionamiento abierto (Open Redirect) para engañar a los usuarios a que visiten una dirección URL en un sitio de confianza y redirigirlos a un sitio malintencionado. Mediante la codificación de la dirección URL, un atacante puede hacer que los usuarios finales tengan mayor dificultad para reconocer el destino malintencionado del redireccionamiento, incluso cuando se pasa como un parámetro de URL al sitio de confianza. A menudo se abusa de los redireccionamientos abiertos como parte de las estafas de suplantación de identidad (phishing) para recopilar datos confidenciales del usuario final.

Ejemplo 1: El siguiente procedimiento indica al navegador del usuario que abra una dirección URL analizada desde el parámetro de solicitud dest cuando un usuario hace clic en el vínculo.


      ...
      -- Assume QUERY_STRING looks like dest=http://www.wilyhacker.com
      dest := SUBSTR(OWA_UTIL.get_cgi_env('QUERY_STRING'), 6);
      OWA_UTIL.redirect_url('dest');
      ...


Si una víctima recibe un correo electrónico que le indica que siga un vínculo a "http://trusted.example.com/pls/hr/showemps?dest=www.wilyhacker.com", es probable que haga clic creyendo que el vínculo le transferirá al sitio de confianza. Sin embargo, cuando la víctima haga clic en el vínculo, el código del Example 1 redireccionará el explorador a "http://www.wilyhacker.com".

Se ha educado a muchos usuarios a que analicen siempre las direcciones URL que reciben en mensajes de correo electrónico para asegurarse de que el vínculo especifica un sitio de confianza que conocen. Sin embargo, si el usuario malintencionado codifica la dirección URL de destino mediante Hex como se indica a continuación:
"http://trusted.example.com/pls/hr/showemps?dest=%77%69%6C%79%68%61%63%6B%65%72%2E%63%6F%6D"

, incluso un usuario final más experimentado puede ser engañado en el vínculo.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 601
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.5 Input Validation Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2010 A10 Unvalidated Redirects and Forwards
[12] Standards Mapping - OWASP Top 10 2013 A10 Unvalidated Redirects and Forwards
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[26] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 601
[27] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 601
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Content Spoofing
desc.dataflow.sql.open_redirect
Abstract
si se permite la entrada sin validar para controlar la dirección URL utilizada en un redireccionamiento, se puede ayudar a los ataques de suplantación de identidad.
Explanation
Los redireccionamientos permiten a las aplicaciones web dirigir a los usuarios a distintas páginas dentro de la misma aplicación o a sitios externos. Las aplicaciones utilizan los redireccionamientos para ayudar con la navegación del sitio y, en algunos casos, para realizar un seguimiento de cómo los usuarios salen del sitio. Las vulnerabilidades de redireccionamiento abierto se producen cuando una aplicación web redirige a los clientes a cualquier dirección URL arbitraria que un usuario malintencionado pueda controlar.

Los atacantes pueden utilizar ataques de redireccionamiento abierto (Open Redirect) para engañar a los usuarios a que visiten una dirección URL en un sitio de confianza y redirigirlos a un sitio malintencionado. Mediante la codificación de la dirección URL, un atacante puede hacer que los usuarios finales tengan mayor dificultad para reconocer el destino malintencionado del redireccionamiento, incluso cuando se pasa como un parámetro de URL al sitio de confianza. A menudo se abusa de los redireccionamientos abiertos como parte de las estafas de suplantación de identidad (phishing) para recopilar datos confidenciales del usuario final.

Ejemplo 1: El siguiente código Python indica al explorador del usuario que abra una dirección URL que se analiza desde el parámetro de solicitud dest cuando un usuario haga clic en el vínculo.


        ...
        strDest = request.field("dest")
        redirect(strDest)
        ...


Si una víctima recibe un mensaje de correo electrónico indicándole que siga un vínculo a "http://trusted.example.com/ecommerce/redirect.asp?dest=www.wilyhacker.com", el usuario puede hacer clic en el mismo creyendo que se le redireccionará al sitio de confianza. Sin embargo, cuando la víctima haga clic en el vínculo, el código del Example 1 redireccionará el explorador a "http://www.wilyhacker.com".

Se ha educado a muchos usuarios a que analicen siempre las direcciones URL que reciben en mensajes de correo electrónico para asegurarse de que el vínculo especifica un sitio de confianza que conocen. Sin embargo, si el usuario malintencionado codifica la dirección URL de destino mediante Hex como se indica a continuación:
"http://trusted.example.com/ecommerce/redirect.asp?dest=%77%69%6C%79%68%61%63%6B%65%72%2E%63%6F%6D"

, incluso un usuario final más experimentado puede ser engañado en el vínculo.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 601
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.5 Input Validation Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2010 A10 Unvalidated Redirects and Forwards
[12] Standards Mapping - OWASP Top 10 2013 A10 Unvalidated Redirects and Forwards
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[26] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 601
[27] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 601
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Content Spoofing
desc.dataflow.python.open_redirect
Abstract
si se permite la entrada sin validar para controlar la dirección URL utilizada en un redireccionamiento, se puede ayudar a los ataques de suplantación de identidad.
Explanation
Los redireccionamientos permiten a las aplicaciones web dirigir a los usuarios a distintas páginas dentro de la misma aplicación o a sitios externos. Las aplicaciones utilizan los redireccionamientos para ayudar con la navegación del sitio y, en algunos casos, para realizar un seguimiento de cómo los usuarios salen del sitio. Las vulnerabilidades de redireccionamiento abierto se producen cuando una aplicación web redirige a los clientes a cualquier dirección URL arbitraria que un usuario malintencionado pueda controlar.

Los atacantes pueden utilizar ataques de redireccionamiento abierto (Open Redirect) para engañar a los usuarios a que visiten una dirección URL en un sitio de confianza y redirigirlos a un sitio malintencionado. Mediante la codificación de la dirección URL, un atacante puede hacer que los usuarios finales tengan mayor dificultad para reconocer el destino malintencionado del redireccionamiento, incluso cuando se pasa como un parámetro de URL al sitio de confianza. A menudo se abusa de los redireccionamientos abiertos como parte de las estafas de suplantación de identidad (phishing) para recopilar datos confidenciales del usuario final.

Ejemplo 1: El código de Ruby siguiente indica al explorador del usuario que abra una dirección URL analizada desde el parámetro de solicitud dest.


...
str_dest = req.params['dest']
...
res = Rack::Response.new
...
res.redirect("http://#{dest}")
...


Si una víctima recibe un mensaje de correo electrónico indicándole que siga un vínculo a "http://trusted.example.com/ecommerce/redirect.asp?dest=www.wilyhacker.com", el usuario puede hacer clic en el mismo creyendo que se le redireccionará al sitio de confianza. Sin embargo, cuando la víctima haga clic en el vínculo, el código del Example 1 redireccionará el explorador a "http://www.wilyhacker.com".

Se ha educado a muchos usuarios a que analicen siempre las direcciones URL que reciben en mensajes de correo electrónico para asegurarse de que el vínculo especifica un sitio de confianza que conocen. Sin embargo, si el usuario malintencionado codifica la dirección URL de destino mediante Hex como se indica a continuación:
"http://trusted.example.com/ecommerce/redirect.asp?dest=%77%69%6C%79%68%61%63%6B%65%72%2E%63%6F%6D"

, incluso un usuario final más experimentado puede ser engañado en el vínculo.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 601
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.5 Input Validation Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2010 A10 Unvalidated Redirects and Forwards
[12] Standards Mapping - OWASP Top 10 2013 A10 Unvalidated Redirects and Forwards
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[26] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 601
[27] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 601
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Content Spoofing
desc.dataflow.ruby.open_redirect
Abstract
si se permite la entrada sin validar para controlar la dirección URL utilizada en un redireccionamiento, se puede ayudar a los ataques de suplantación de identidad.
Explanation
Los redireccionamientos permiten a las aplicaciones web dirigir a los usuarios a distintas páginas dentro de la misma aplicación o a sitios externos. Las aplicaciones utilizan los redireccionamientos para ayudar con la navegación del sitio y, en algunos casos, para realizar un seguimiento de cómo los usuarios salen del sitio. Las vulnerabilidades de redireccionamiento abierto se producen cuando una aplicación web redirige a los clientes a cualquier dirección URL arbitraria que un usuario malintencionado pueda controlar.

Los atacantes pueden utilizar ataques de redireccionamiento abierto (Open Redirect) para engañar a los usuarios a que visiten una dirección URL en un sitio de confianza y redirigirlos a un sitio malintencionado. Mediante la codificación de la dirección URL, un atacante puede hacer que los usuarios finales tengan mayor dificultad para reconocer el destino malintencionado del redireccionamiento, incluso cuando se pasa como un parámetro de URL al sitio de confianza. A menudo se abusa de los redireccionamientos abiertos como parte de las estafas de suplantación de identidad (phishing) para recopilar datos confidenciales del usuario final.

Ejemplo 1: El siguiente método de controlador de reproducción indica al explorador del usuario que abra una dirección URL analizada desde el parámetro de solicitud dest.


  def myAction = Action { implicit request =>
    ...
    request.getQueryString("dest") match {
      case Some(location) => Redirect(location)
      case None => Ok("No url found!")
    }
    ...
  }


Si una víctima recibe un mensaje de correo electrónico indicándole que siga un vínculo a "http://trusted.example.com/ecommerce/redirect.asp?dest=www.wilyhacker.com", el usuario puede hacer clic en el mismo creyendo que se le redireccionará al sitio de confianza. Sin embargo, cuando la víctima haga clic en el vínculo, el código del Example 1 redireccionará el explorador a "http://www.wilyhacker.com".

Se ha educado a muchos usuarios a que analicen siempre las direcciones URL que reciben en mensajes de correo electrónico para asegurarse de que el vínculo especifica un sitio de confianza que conocen. Sin embargo, si el usuario malintencionado codifica la dirección URL de destino mediante Hex como se indica a continuación:
"http://trusted.example.com/ecommerce/redirect.asp?dest=%77%69%6C%79%68%61%63%6B%65%72%2E%63%6F%6D",

incluso un usuario final más experimentado puede ser engañado en el vínculo.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 601
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.5 Input Validation Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2010 A10 Unvalidated Redirects and Forwards
[12] Standards Mapping - OWASP Top 10 2013 A10 Unvalidated Redirects and Forwards
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[26] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 601
[27] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 601
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Content Spoofing
desc.dataflow.scala.open_redirect
Abstract
si se permite la entrada sin validar para controlar la dirección URL utilizada en un redireccionamiento, se puede ayudar a los ataques de suplantación de identidad.
Explanation
Los redireccionamientos permiten a las aplicaciones web dirigir a los usuarios a distintas páginas dentro de la misma aplicación o a sitios externos. Las aplicaciones utilizan los redireccionamientos para ayudar con la navegación del sitio y, en algunos casos, para realizar un seguimiento de cómo los usuarios salen del sitio. Las vulnerabilidades de redireccionamiento abierto se producen cuando una aplicación web redirige a los clientes a cualquier dirección URL arbitraria que pueda estar controlada por un usuario malintencionado.

Los atacantes pueden utilizar ataques de redireccionamiento abierto (Open Redirect) para engañar a los usuarios a que visiten una dirección URL en un sitio de confianza y redirigirlos a un sitio malintencionado. Mediante la codificación de la dirección URL, un atacante puede hacer que los usuarios finales tengan mayor dificultad para reconocer el destino malintencionado del redireccionamiento, incluso cuando se pasa como un parámetro de URL al sitio de confianza. A menudo se abusa de los redireccionamientos abiertos como parte de las estafas de suplantación de identidad (phishing) para recopilar datos confidenciales del usuario final.

Ejemplo 1: el siguiente código controla las solicitudes que usan el esquema de URL personalizado de la aplicación, establece requestToLoad para que señale al parámetro "dest" de la URL original, si existe, y a la URL original que usa el esquema http://, y finalmente carga esta solicitud en una WKWebView:

AppDelegate.swift:

...
let requestToLoad : String
...
func application(app: UIApplication, openURL url: NSURL, options: [String : AnyObject]) -> Bool {
  ...
  if let urlComponents = NSURLComponents(URL: url, resolvingAgainstBaseURL: false) {
    if let queryItems = urlComponents.queryItems as? [NSURLQueryItem]{
      for queryItem in queryItems {
        if queryItem.name == "dest" {
          if let value = queryItem.value {
            request = NSURLRequest(URL:NSURL(string:value))
            requestToLoad = request
            break
          }
        }
      }
    }
    if requestToLoad == nil {
        urlComponents.scheme = "http"
        requestToLoad = NSURLRequest(URL:urlComponents.URL)
    }
  }
  ...
}
...


ViewController.swift

...
let webView : WKWebView
let appDelegate = UIApplication.sharedApplication().delegate as! AppDelegate
webView.loadRequest(appDelegate.requestToLoad)
...


Si una víctima recibe un correo electrónico que indica al usuario que siga un vínculo a "custom_url_scheme://innocent_url?dest=www.wilyhacker.com", es probable que el usuario haga clic creyendo que es una acción inofensiva. Sin embargo, cuando la víctima haga clic en el vínculo, el código en el Example 1 intentará solicitar y cargar "http://www.wilyhacker.com" en WKWebView.

Se ha educado a muchos usuarios a que analicen siempre las direcciones URL que reciben en mensajes de correo electrónico para asegurarse de que el vínculo especifica un sitio de confianza que conocen. Sin embargo, si el usuario malintencionado codifica la dirección URL de destino mediante Hex como se indica a continuación:

"custom_url_scheme://innocent_url?dest=%77%69%6C%79%68%61%63%6B%65%72%2E%63%6F%6D"

, incluso un usuario final más experimentado puede ser engañado en el vínculo.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 601
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.5 Input Validation Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2010 A10 Unvalidated Redirects and Forwards
[12] Standards Mapping - OWASP Top 10 2013 A10 Unvalidated Redirects and Forwards
[13] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[26] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 601
[27] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 601
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Content Spoofing
desc.dataflow.swift.open_redirect
Abstract
si se permite la entrada sin validar para controlar la dirección URL utilizada en un redireccionamiento, se puede ayudar a los ataques de suplantación de identidad.
Explanation
Los redireccionamientos permiten a las aplicaciones web dirigir a los usuarios a distintas páginas dentro de la misma aplicación o a sitios externos. Las aplicaciones utilizan los redireccionamientos para ayudar con la navegación del sitio y, en algunos casos, para realizar un seguimiento de cómo los usuarios salen del sitio. Las vulnerabilidades de redireccionamiento abierto se producen cuando una aplicación web redirige a los clientes a cualquier dirección URL arbitraria que un usuario malintencionado pueda controlar.

Los atacantes pueden utilizar ataques de redireccionamiento abierto (Open Redirect) para engañar a los usuarios a que visiten una dirección URL en un sitio de confianza y redirigirlos a un sitio malintencionado. Mediante la codificación de la dirección URL, un atacante puede hacer que los usuarios finales tengan mayor dificultad para reconocer el destino malintencionado del redireccionamiento, incluso cuando se pasa como un parámetro de URL al sitio de confianza. A menudo se abusa de los redireccionamientos abiertos como parte de las estafas de suplantación de identidad (phishing) para recopilar datos confidenciales del usuario final.

Ejemplo 1: el código VB siguiente proporciona instrucciones al explorador del usuario para que abra una URL analizada desde el parámetro de solicitud dest cuando un usuario hace clic en el vínculo.


	...
	strDest = Request.Form('dest')
	HyperLink.NavigateTo strDest
	...


Si una víctima recibe un correo electrónico que le indica que siga un vínculo a "http://www.trustedsite.com/ecommerce/redirect.asp?dest=www.wilyhacker.com", es probable que haga clic creyendo que el vínculo le transferirá al sitio de confianza. Sin embargo, cuando la víctima haga clic en el vínculo, el código del Example 1 redireccionará el explorador a "http://www.wilyhacker.com".

Se ha educado a muchos usuarios a que analicen siempre las direcciones URL que reciben en mensajes de correo electrónico para asegurarse de que el vínculo especifica un sitio de confianza que conocen. Sin embargo, si el usuario malintencionado codifica la dirección URL de destino mediante Hex como se indica a continuación:
"http://www.trustedsite.com/ecommerce/redirect.asp?dest=%77%69%6C%79%68%61%63%6B%65%72%2E%63%6F%6D"

, incluso un usuario final más experimentado puede ser engañado en el vínculo.
References
[1] Phishers use IRS tax refund as bait CNet News
[2] Standards Mapping - Common Weakness Enumeration CWE ID 601
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.5 Input Validation Requirements (L1 L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2010 A10 Unvalidated Redirects and Forwards
[13] Standards Mapping - OWASP Top 10 2013 A10 Unvalidated Redirects and Forwards
[14] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[27] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 601
[28] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 601
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Content Spoofing
desc.dataflow.vb.open_redirect

OpenAPI Misconfiguration: Credential Leakage

Abstract
En la especificación OpenAPI no aplica la comunicación cifrada al intercambiar credenciales confidenciales de clientes.
Explanation
Se ha detectado una operación de API que permite el viaje de las credenciales a través de un canal no cifrado. Los requisitos de OpenAPI de security y las definiciones de servers de destino para una operación API siempre anularán la configuración global respectiva.

Sin embargo, cuando estos ajustes no están definidos para una operación, se establecen de forma predeterminada en los valores especificados de forma global.
References
[1] OpenAPI Initiative OpenAPI Specification v3.1.0 - 4.8.30 Security Requirement Object
[2] OpenAPI Initiative OpenAPI Specification v3.1.0 - 4.8.10 Operation Object
[3] CIO Council The HTTPS-Only Standard
[4] Josh Fruhlinger What is SSL, TLS? And how this encryption protocol works
[5] Standards Mapping - Common Weakness Enumeration CWE ID 319
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[7] Standards Mapping - FIPS200 SC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.9.1 Communications Architectural Requirements (L2 L3), 2.2.5 General Authenticator Requirements (L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.2.7 Algorithms (L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 14.1.3 Build (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[22] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[28] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.configuration.json.openapi_misconfiguration_credential_leakage.master
Abstract
En la especificación OpenAPI no aplica la comunicación cifrada al intercambiar credenciales confidenciales de clientes.
Explanation
Se ha detectado una operación de API que permite el viaje de las credenciales a través de un canal no cifrado. Los requisitos de OpenAPI de security y las definiciones de servers de destino para una operación API siempre anularán la configuración global respectiva.

Sin embargo, cuando estos ajustes no están definidos para una operación, se establecen de forma predeterminada en los valores especificados de forma global.
References
[1] OpenAPI Initiative OpenAPI Specification v3.1.0 - 4.8.30 Security Requirement Object
[2] OpenAPI Initiative OpenAPI Specification v3.1.0 - 4.8.10 Operation Object
[3] CIO Council The HTTPS-Only Standard
[4] Josh Fruhlinger What is SSL, TLS? And how this encryption protocol works
[5] Standards Mapping - Common Weakness Enumeration CWE ID 319
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[7] Standards Mapping - FIPS200 SC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.9.1 Communications Architectural Requirements (L2 L3), 2.2.5 General Authenticator Requirements (L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.2.7 Algorithms (L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 14.1.3 Build (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[22] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[28] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.configuration.yaml.openapi_misconfiguration_credential_leakage.master