Reino: Code Quality
Códigos de baixa qualidade levam a comportamentos imprevisíveis. Da perspectiva do usuário, isso normalmente se manifesta como usabilidade ruim. Para um invasor, trata-se de uma oportunidade para atacar o sistema de formas imprevistas.
Intent Manipulation: Implicit Internal Intent
Abstract
Uma
Intent interna implícita foi detectada. Intenções internas implícitas podem expor o sistema a ataques do tipo man-in-the-middle em componentes internos.Explanation
Uma
A capacidade de processar uma
Exemplo 1: O código a seguir usa uma
Intent interna usa uma ação personalizada conforme definido por um componente interno. Intenções implícitas podem facilitar a chamada de intenções de qualquer componente externo sem o conhecimento do componente específico. A combinação das duas permite que um aplicativo acesse intenções especificadas para um uso interno específico fora do contexto do aplicativo desejado.A capacidade de processar uma
Intent interna de um aplicativo externo pode permitir uma ampla variedade de explorações man-in-the-middle que variam em gravidade desde vazamento de informações e negação de serviço até execução remota de código, dependendo da capacidade de ação interna especificada pela Intent.Exemplo 1: O código a seguir usa uma
Intent interna implícita.
...
val imp_internal_intent_action = Intent("INTERNAL_ACTION_HERE")
startActivity(imp_internal_intent_action)
...
References
[1] Remediation of Implicit Internal Intent Vulnerability
[2] Standards Mapping - Common Weakness Enumeration CWE ID 99
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[7] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.java.intent_manipulation_implicit_internal_intent