Reino: Input Validation and Representation

Problemas de validação e representação da entrada são causados por metacaracteres, codificações alternativas e representações numéricas. Confiar na entrada resulta em problemas de segurança. Os problemas incluem: “Buffer Overflows”, ataques de “Cross-Site Scripting”, “SQL Injection”, entre outros.

183 itens encontrados
Vulnerabilidades

Struts: Erroneous validate() Method

Abstract
O formulário de validação define um método validate() que não consegue chamar super.validate().
Explanation
O Validador de Struts usa o método validate() de um formulário para verificar o conteúdo das propriedades do formulário em relação às restrições especificadas no formulário de validação associado. Isso significa que as seguintes classes têm um método validate() que faz parte da estrutura de validação:


    ValidatorForm
    ValidatorActionForm
    DynaValidatorForm
    DynaValidatorActionForm


Se você criar uma classe que estende uma dessas classes e se a sua classe implementar a lógica de validação personalizada substituindo o método validate(), você deverá chamar super.validate() na sua implementação validate(). Em caso negativo, a Estrutura de Validação não poderá verificar o conteúdo do formulário com base em um formulário de validação. Em outras palavras, a estrutura de validação será desabilitada para o formulário especificado.

Desabilitar a estrutura de validação de um formulário expõe o aplicativo a vários tipos de ataques. Entradas não verificadas resultam são a causa raiz de vulnerabilidades, como criação de scripts entre sites, controle de processos e SQL Injection. Embora aplicativos J2EE não sejam geralmente suscetíveis a ataques de corrupção de memória, se um aplicativo J2EE fizer interface com um código nativo que não realiza verificações de limites de matriz, um invasor poderá ser capaz de utilizar um erro de validação de entrada nesse aplicativo J2EE para lançar um ataque de buffer overflow.
References
[1] T. Husted et al. Struts in Action: Building Web Applications with the Leading Java Framework Manning Publications
[2] The Struts project The Apache Foundation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 103
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
desc.structural.java.struts_erroneous_validate_method

Struts: Form Does Not Extend Validation Class

Abstract
Todos os formulários do Struts devem estender uma classe Validator.
Explanation
Para usar o Struts Validator, um formulário deve estender um dos seguintes:


ValidatorForm
ValidatorActionForm
DynaValidatorActionForm
DynaValidaorForm


Você deve estender uma dessas classes porque o Struts Validator se conecta ao seu aplicativo implementando o método validate() nessas classes.

Os formulários derivados das seguintes classes não podem usar o Validador Struts:


ActionForm
DynaActionForm


Ignorar a estrutura de validação de um formulário expõe o aplicativo a vários tipos de ataques. A entrada não verificada é a causa raiz de vulnerabilidades como cross-site scripting, controle de processo e SQL injection. Embora os aplicativos J2EE geralmente não sejam suscetíveis a ataques de corrupção de memória, se um aplicativo J2EE faz interface com o código nativo que não executa a verificação de limite de array, um invasor pode ser capaz de usar um erro de validação de entrada no aplicativo J2EE para lançar um ataque de estouro de buffer (buffer overflow).
References
[1] T. Husted et al. Struts in Action: Building Web Applications with the Leading Java Framework Manning Publications
[2] The Struts project The Apache Foundation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 104
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
desc.config.java.struts_form_does_not_extend_validation_class

Struts: Form Field Without Validator

Abstract
Todos os campos de um formulário devem ser validados no formulário de validação correspondente.
Explanation
Omitir a validação até mesmo para um único campo de entrada pode permitir que os invasores tenham a margem de manobra de que precisam.

A entrada não verificada é a causa raiz de alguns dos piores e mais comuns problemas de segurança de software da atualidade. Vulnerabilidades de criação de script entre sites, SQL injection e controle de processos são todas derivadas de manipulações de entradas incompletas ou ausentes. Embora os aplicativos J2EE geralmente não sejam suscetíveis a ataques de corrupção de memória, se um aplicativo J2EE faz interface com o código nativo que não executa a verificação de limite de array, um invasor pode ser capaz de usar um erro de validação de entrada no aplicativo J2EE para lançar um ataque de estouro de buffer (buffer overflow).

Alguns aplicativos usam o mesmo ActionForm para mais de uma finalidade. Em situações como essa, alguns campos podem não ser utilizados em certos mapeamentos de ações. É fundamental que campos não utilizados também sejam validados. De preferência, esses campos não utilizados devem ser restritos de forma a poderem ser apenas vazios ou não definidos. Se os campos não utilizados não forem validados, a lógica de negócios compartilhada em uma ação pode permitir que os invasores se esquivem das verificações de validação que são realizadas para outros usos do formulário.
References
[1] T. Husted et al. Struts in Action: Building Web Applications with the Leading Java Framework Manning Publications
[2] The Struts project The Apache Foundation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 105
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.struts_form_field_without_validator

Struts: Plugin Framework Not In Use

Abstract
Use o Struts Validator para evitar vulnerabilidades que resultam de entrada não verificada.
Explanation
A entrada não verificada é a principal causa de vulnerabilidades em aplicativos J2EE. A entrada não verificada pode levar a inúmeras vulnerabilidades, incluindo cross-site scripting, controle de processo e SQL injection. Embora os aplicativos J2EE geralmente não sejam suscetíveis a ataques de corrupção de memória, se um aplicativo J2EE faz interface com o código nativo que não executa a verificação de limite de array, um invasor pode ser capaz de usar um erro de validação de entrada no aplicativo J2EE para lançar um ataque de estouro de buffer (buffer overflow).

Para evitar tais ataques, use o Struts Validator para verificar todas as entradas do programa antes delas serem processadas pelo aplicativo. Use o Fortify Static Code Analyzer para garantir que não haja buracos na configuração do Struts Validator.

Os exemplos de uso do validador incluem a verificação para garantir que:

- Os campos de número de telefone contêm apenas caracteres válidos em números de telefone

- Os valores booleanos são apenas "T" ou "F"

- Cadeias de caracteres de forma livre têm tamanho e composição razoáveis
References
[1] T. Husted et al. Struts in Action: Building Web Applications with the Leading Java Framework Manning Publications
[2] The Struts Project The Apache Foundation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 106
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.struts_plugin_framework_not_in_use

Struts: Unused Action Form

Abstract
Um formulário de ação não utilizado indica que a lógica do aplicativo pode não estar atualizada.
Explanation
O Struts usa entradas form-bean para mapear formulários HTML para ações. Se o elemento <action-mappings> do arquivo de configuração do Struts não contém uma entrada que corresponda a um formulário de ação relevante definido por meio de uma tag <form-bean>, a lógica do aplicativo pode não estar atualizada.

Exemplo 1: A configuração a seguir não contém um mapeamento para bean2 .

<form-beans>
  <form-bean name="bean1" type="coreservlets.UserFormBean1" />
  <form-bean name="bean2" type="coreservlets.UserFormBean2" />
</form-beans>

<action-mappings>
  <action path="/actions/register1" type="coreservlets.RegisterAction1" name="bean1" scope="request" />
</action-mappings>
References
[1] Apache Struts 1.3 Specification
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[5] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[6] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[13] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II
[15] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.struts_unused_action_form

Struts: Unused Validation Form

Abstract
Um formulário de validação não utilizado indica que a lógica de validação não está atualizada.
Explanation
É fácil para os desenvolvedores esquecerem de atualizar a lógica de validação ao remover ou renomear mapeamentos de formulários de ação. Uma indicação de que a lógica de validação não está sendo mantida adequadamente é a presença de um formulário de validação não utilizado.
References
[1] T. Husted et al. Struts in Action: Building Web Applications with the Leading Java Framework Manning Publications
[2] The Struts project The Apache Foundation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 107
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.struts_unused_validation_form

Struts: Unvalidated Action Form

Abstract
Cada Formulário de Ação deve ter um formulário de validação correspondente.
Explanation
Se um mapeamento de formulário de ação do Struts especifica um formulário, ele deve ter um formulário de validação definido no Validador de Struts. Se um mapeamento de formulário de ação não tiver um formulário de validação definido, ele pode ser vulnerável a vários ataques que exploram uma entrada não verificada.

A entrada não verificada é a causa raiz de alguns dos piores e mais comuns problemas de segurança de software da atualidade. Vulnerabilidades de criação de script entre sites, SQL injection e controle de processos são todas derivadas de manipulações de entradas incompletas ou ausentes. Embora os aplicativos J2EE geralmente não sejam suscetíveis a ataques de corrupção de memória, se um aplicativo J2EE faz interface com o código nativo que não executa a verificação de limite de array, um invasor pode ser capaz de usar um erro de validação de entrada no aplicativo J2EE para lançar um ataque de estouro de buffer (buffer overflow).

Uma ação ou um formulário pode executar a validação de outras maneiras, mas o Struts Validator fornece uma excelente maneira de verificar se todas as entradas recebem pelo menos um nível básico de verificação. Sem essa abordagem, é difícil e, muitas vezes impossível, estabelecer com um alto nível de confiança que todas as entradas foram validadas.
References
[1] T. Husted et al. Struts in Action: Building Web Applications with the Leading Java Framework Manning Publications
[2] The Struts project The Apache Foundation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 108
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.struts_unvalidated_action_form

Struts: Validator Turned Off

Abstract
Este mapeamento de formulário de ação desativa o método validate() do formulário.
Explanation
Um mapeamento de formulário de ação nunca deve desabilitar a validação. Desativar a validação desativa o Validador Struts, bem como qualquer lógica de validação personalizada realizada pelo formulário.

Exemplo 1: Um mapeamento de formulário de ação que desativa a validação.


<action path="/download"
type="com.website.d2.action.DownloadAction"
name="downloadForm"
scope="request"
input=".download"
validate="false">
</action>


A desativação da validação expõe essa ação a vários tipos de ataques. A entrada não verificada é a causa raiz de vulnerabilidades como cross-site scripting, controle de processo e SQL injection. Embora os aplicativos J2EE geralmente não sejam suscetíveis a ataques de corrupção de memória, se um aplicativo J2EE faz interface com o código nativo que não executa a verificação de limite de array, um invasor pode ser capaz de usar um erro de validação de entrada no aplicativo J2EE para lançar um ataque de estouro de buffer (buffer overflow).
References
[1] T. Husted et al. Struts in Action: Building Web Applications with the Leading Java Framework Manning Publications
[2] The Struts project The Apache Foundation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 109
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[15] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[18] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.struts_validator_turned_off

Struts: Validator Without Form Field

Abstract
Os campos de validação que não aparecem nos formulários aos quais estão associados indicam que a lógica de validação está desatualizada.
Explanation
É fácil para os desenvolvedores esquecerem de atualizar a lógica de validação quando fazem alterações em uma classe ActionForm. Uma indicação de que a lógica de validação não está sendo mantida adequadamente são as inconsistências entre o formulário de ação e o formulário de validação.

Exemplo 1.a: Um formulário de ação com dois campos.


    public class DateRangeForm extends ValidatorForm {
    String startDate, endDate;
    public void setStartDate(String startDate) {
        this.startDate = startDate;
    }
    public void setEndDate(String endDate) {
        this.endDate = endDate;
    }
}


O exemplo 1.a mostra um formulário de ação que possui dois campos, sendo startDate e endDate .

Exemplo 1.b: Um formulário de validação com um terceiro campo.


<form name="DateRangeForm">
    <field property="startDate" depends="date">
        <arg0 key="start.date"/>
    </field>
    <field property="endDate" depends="date">
         <arg0 key="end.date"/>
    </field>
    <field property="scale" depends="integer">
         <arg0 key="range.scale"/>
    </field>
</form>


O exemplo 1.b lista um formulário de validação para o formulário de ação. O formulário de validação lista um terceiro campo: scale. A presença do terceiro campo sugere que a DateRangeForm foi modificada sem levar em consideração a validação.

É extremamente importante que a lógica de validação seja mantida e sincronizada com o restante do aplicativo. A entrada não verificada é a causa raiz de alguns dos piores e mais comuns problemas de segurança de software da atualidade. Vulnerabilidades de criação de script entre sites, SQL injection e controle de processos são todas derivadas de manipulações de entradas incompletas ou ausentes. Embora os aplicativos J2EE geralmente não sejam suscetíveis a ataques de corrupção de memória, se um aplicativo J2EE faz interface com o código nativo que não executa a verificação de limite de array, um invasor pode ser capaz de usar um erro de validação de entrada no aplicativo J2EE para lançar um ataque de estouro de buffer (buffer overflow).
References
[1] T. Husted et al. Struts in Action: Building Web Applications with the Leading Java Framework Manning Publications
[2] The Struts project The Apache Foundation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 110
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.struts_validator_without_form_field

Template Injection

Abstract
Os dados controlados pelo usuário são usados como um modelo de mecanismo de modelo, que permite que invasores acessem o contexto do modelo e, em alguns casos, injetem e executem código arbitrário.
Explanation
Mecanismos de modelo são usados para renderizar conteúdo usando dados dinâmicos. Esses dados de contexto normalmente são controlados pelo usuário e formatados pelo modelo para gerar páginas da Web, e-mails, entre outros. Os mecanismos de modelo permitem que expressões de linguagem poderosas sejam usadas em modelos para renderizar conteúdo dinâmico, processando os dados de contexto com construções de código como condicionais, loops etc. Se um invasor puder controlar o modelo a ser renderizado, poderá injetar expressões que exponham dados de contexto ou até executar comandos arbitrários no servidor.

Exemplo 1: O exemplo a seguir mostra como um modelo é recuperado de uma solicitação HTTP e renderizado.

app.get('/', function(req, res){
    let param = req.params['template']
    let val = req.params['templateVal']
    let template = Handlebars.compile('{{user}}: {{' + param + '}}');
    let templateInput = {}
    templateInput['user'] = 'John'
    templateInput[param] = val
    let result = template(templateInput)
    //...
});


O Example 1 usa Handlebars como o mecanismo de modelo, e os dados controlados pelo usuário são concatenados no modelo compilado, o que permite que invasores executem JavaScript arbitrário.
References
[1] Server-Side Template Injection: RCE for the modern webapp
[2] Standards Mapping - Common Weakness Enumeration CWE ID 95
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.4 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.javascript.template_injection

Unsafe JNI

Abstract
O uso indevido da JNI (Java Native Interface) pode tornar aplicativos Java vulneráveis a falhas de segurança em outras linguagens.
Explanation
Erros de JNI não segura ocorrem quando um aplicativo Java usa a JNI para chamar um código escrito em outra linguagem de programação.
Exemplo 1: O seguinte código Java define uma classe denominada Echo. A classe declara um método nativo que usa C para ecoar comandos inseridos no console de volta para o usuário.


    class Echo {
	public native void runEcho();

	static {
		System.loadLibrary("echo");
		}

	public static void main(String[] args) {
		new Echo().runEcho();
		}
}


O código C a seguir define o método nativo implementado na classe Echo:


#include <jni.h>
#include "Echo.h" //a classe java do Example 1 compilada com javah
#include <stdio.h>

JNIEXPORT void JNICALL
Java_Echo_runEcho(JNIEnv *env, jobject obj)
{
	char buf[64];
	gets(buf);
	printf(buf);
}


Como o exemplo é implementado em Java, pode parecer que ele é imune a problemas de memória, como vulnerabilidades de buffer overflow. Embora o Java faça um bom trabalho de garantir a segurança de operações de memória, essa proteção não se estende a vulnerabilidades que ocorrem no código-fonte escrito em outras linguagens que são acessadas usando a Java Native Interface. Apesar das proteções de memória oferecidas em Java, o código C nesse exemplo é vulnerável a um buffer overflow por utilizar gets(), que não realiza nenhuma verificação de limites em sua entrada.

O Sun Java(TM) Tutorial fornece a seguinte descrição da JNI [1]:

A estrutura JNI permite que seu método nativo use objetos Java da mesma forma que o código Java usa esses objetos. Um método nativo pode criar objetos Java, incluindo arrays e strings, e depois inspecionar e usar esses objetos para realizar suas tarefas. Um método nativo também pode inspecionar e usar objetos criados pelo código do aplicativo Java. Um método nativo pode até mesmo atualizar objetos Java que ele criou ou que foram transmitidos para ele, e esses objetos atualizados estão disponíveis para o aplicativo Java. Portanto, tanto o lado da linguagem nativa quanto o lado do Java de um aplicativo podem criar, atualizar e acessar objetos Java e depois compartilhar esses objetos entre eles.

A vulnerabilidade no Example 1 pode ser facilmente detectada por meio de uma auditoria de código-fonte da implementação do método nativo. Isso pode não ser prático ou possível, dependendo da disponibilidade do código-fonte C e de como o projeto está estruturado, mas, em muitos casos, pode ser suficiente. No entanto, a capacidade de compartilhar objetos entre métodos Java e nativos expande o possível risco de casos muito mais traiçoeiros nos quais a manipulação imprópria de dados pode fazer com que vulnerabilidades inesperadas ou operações não seguras no código nativo corrompam estruturas de dados em Java.

Vulnerabilidades no código nativo acessado por meio de um aplicativo Java são geralmente exploradas da mesma maneira do que em aplicativos escritos na linguagem nativa. O único desafio a um ataque desse tipo é que o atacante deve identificar que o aplicativo Java usa um código nativo para realizar determinadas operações. Isso pode ser feito de uma variedade de maneiras, entre elas identificando comportamentos específicos que muitas vezes são implementados com código nativo ou explorando um vazamento de informações do sistema no aplicativo Java que expõe seu uso de JNI [2].
References
[1] B. Stearns The Java Tutorial: The Java Native Interface
[2] JNI00-J. Define wrappers around native methods CERT
[3] INPUT-3: Define wrappers around native methods Oracle
[4] Standards Mapping - Common Weakness Enumeration CWE ID 111
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[7] Standards Mapping - FIPS200 SI
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[12] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[14] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.semantic.java.unsafe_jni

Unsafe JSNI

Abstract
O uso indevido da JSNI (JavaScript Native Interface) pode tornar aplicativos GWT vulneráveis a falhas de segurança em JaveScript.
Explanation
Os erros JSNI inseguros ocorrem quando um aplicativo GWT usa JSNI para chamar o código javascript.
Exemplo 1: O seguinte código Java define uma classe denominada Redirect. A classe declara um método JavaScript nativo, que usa JavaScript para alterar o local do documento.


import com.google.gwt.user.client.ui.UIObject;

class MyDiv {

    ...

    public static void changeName(final UIObject object, final String name) {
        changeName(object.getElement(), url);
    }

    public static native void changeName(final Element e, final String name) /*-{
        $wnd.jQuery(e).html(name);
    }-*/;

    ...
}


Neste exemplo, passar dados não confiáveis para a função JSNI pode resultar em um DOM baseado em Cross-Site Scripting.
References
[1] JSNI Google
[2] Standards Mapping - Common Weakness Enumeration CWE ID 111
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[9] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.semantic.java.unsafe_jsni

Unsafe Native Invoke

Abstract
O uso indevido de Platform Invocation Services pode tornar aplicativos gerenciados vulneráveis a falhas de segurança em outras linguagens.
Explanation
Erros de invocação nativa não segura ocorrem quando um aplicativo gerenciado usa P/Invoke para chamar um código nativo (não gerenciado) escrito em outra linguagem de programação.

Exemplo 1: O código C# a seguir define uma classe denominada Echo. A classe declara um método nativo que usa C para ecoar comandos inseridos no console de volta para o usuário.


class Echo
{
  [DllImport("mylib.dll")]
  internal static extern void RunEcho();

  static void main(String[] args)
  {
    RunEcho();
  }
}


O código C a seguir define o método nativo implementado na classe Echo:


#include <stdio.h>

void __stdcall RunEcho()
{
  char* buf = (char*) malloc(64 * sizeof(char));
  gets(buf);
  printf(buf);
}


Como a classe Echo é implementada em um código gerenciado, pode parecer que ela é imune a problemas de memória, como vulnerabilidades de buffer overflow. Embora o ambiente gerenciado seja capaz de manter a segurança das operações de memória, essa proteção não se estende a vulnerabilidades que ocorrem no código nativo acessado com o uso de P/Invoke. Apesar das proteções de memória oferecidas no ambiente de tempo de execução gerenciado, o código nativo neste exemplo é vulnerável a um buffer overflow por utilizar gets(), que não realiza nenhuma verificação de limites em sua entrada. Além disso, buf é alocado, mas não é liberado e, portanto, é um vazamento de memória.

A vulnerabilidade no Example 1 pode ser facilmente detectada por meio de uma auditoria de código-fonte da implementação do método nativo. Isso pode não ser prático ou possível, dependendo da disponibilidade do código-fonte e de como o projeto está estruturado, mas, em muitos casos, pode ser suficiente. No entanto, a capacidade de compartilhar objetos entre os ambientes gerenciados e nativos aumenta o possível risco de casos muito mais traiçoeiros em que a manipulação imprópria de dados pode provocar vulnerabilidades inesperadas ou operações não seguras no código nativo, corrompendo estruturas de dados no código gerenciado.

Vulnerabilidades no código nativo acessado por meio de um aplicativo gerenciado são geralmente exploradas da mesma maneira que em aplicativos escritos na linguagem nativa. O único desafio a um ataque desse tipo é que o invasor deve identificar se o aplicativo gerenciado usa um código nativo para realizar determinadas operações. Isso pode ser feito de várias maneiras, entre elas identificando comportamentos específicos que muitas vezes são implementados com código nativo ou explorando um vazamento de informações do sistema no aplicativo gerenciado que expõe seu uso de P/Invoke.
References
[1] How to: Call Native DLLs from Managed Code Using PInvoke
[2] Standards Mapping - Common Weakness Enumeration CWE ID 111
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[9] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.dotnet.unsafe_native_invoke

Unsafe Reflection

Abstract
Um invasor pode ser capaz de criar caminhos de fluxo de controle inesperados através do aplicativo, possivelmente se esquivando de verificações de segurança.
Explanation
Se um invasor puder fornecer valores que, em seguida, forem usados pelo aplicativo para determinar qual classe instanciar ou qual método invocar, existirá o potencial de que esse invasor crie caminhos de fluxo de controle através do aplicativo que não foram planejados pelos desenvolvedores desse aplicativo. Esse vetor de ataque pode permitir que o invasor ignore verificações de autenticação ou controle de acesso ou, em outros casos, pode fazer com que o aplicativo se comporte de maneira inesperada. Até mesmo a capacidade de controlar os argumentos transmitidos a um determinado método ou construtor pode proporcionar a um invasor astuto a vantagem necessária para organizar um ataque bem-sucedido.

Exemplo 1: Um motivo comum pelo qual os programadores utilizam a tecnologia de reflexão é para implementar seus próprios expedidores de comandos. O seguinte exemplo mostra um expedidor de comandos que não usa reflexão:


    var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
    var ctl:String = String(params["ctl"]);
    var ao:Worker;
    if (ctl == "Add) {
      ao = new AddCommand();
    } else if (ctl == "Modify") {
      ao = new ModifyCommand();
    } else {
      throw new UnknownActionError();
    }
    ao.doAction(params);


Um programador pode refatorar esse código para usar a reflexão, da seguinte maneira:


    var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
    var ctl:String = String(params["ctl"]);
    var ao:Worker;
    var cmdClass:Class = getDefinitionByName(ctl + "Command") as Class;
    ao = new cmdClass();
    ao.doAction(params);


Inicialmente, a refatoração parece oferecer diversas vantagens. Há menos linhas de código, os blocos if/else foram totalmente eliminados e agora é possível adicionar novos tipos de comando sem modificar o expedidor de comandos.

No entanto, a refatoração permite que um invasor instancie qualquer objeto que implementa a interface Worker. Se o expedidor de comandos ainda for responsável pelo controle de acesso, sempre que os programadores criarem uma nova classe que implementa a interface Worker, eles deverão se lembrar de modificar o código de controle de acesso do expedidor. Se o código de controle de acesso não for modificado, algumas classes Worker não terão controle de acesso.

Uma maneira de resolver esse problema de controle de acesso é tornar o objeto Worker responsável pela execução da verificação de controle de acesso. Veja a seguir um exemplo do código novamente refatorado:


    var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
    var ctl:String = String(params["ctl"]);
    var ao:Worker;
    var cmdClass:Class = getDefinitionByName(ctl + "Command") as Class;
    ao = new cmdClass();
    ao.checkAccessControl(params);
    ao.doAction(params);


Embora seja uma melhoria, isso incentiva uma abordagem descentralizada ao controle de acesso, facilitando erros de controle de acesso por parte dos programadores.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.actionscript.unsafe_reflection
Abstract
Permitir que entradas não validadas determinem o método de retorno de chamada de um objeto Continuation pode permitir que invasores criem caminhos de fluxo de controle inesperados através do aplicativo, potencialmente ignorando as verificações de segurança.
Explanation
Se um invasor puder fornecer valores que o aplicativo usará para determinar qual classe instanciar ou qual método invocar, o invasor poderá criar caminhos de fluxo de controle inesperados por meio do aplicativo. Isso pode permitir que o invasor ignore as verificações de autenticação ou controle de acesso ou, possivelmente, faça com que o aplicativo se comporte de maneira inesperada.

Exemplo 1: O método de ação a seguir inicia uma solicitação assíncrona para um serviço da Web externo e define a propriedade continuationMethod, que determina o nome do método a ser chamado ao receber uma resposta.

public Object startRequest() {
    Continuation con = new Continuation(40);

    Map<String,String> params = ApexPages.currentPage().getParameters();

    if (params.containsKey('contMethod')) {
        con.continuationMethod = params.get('contMethod');
    } else {
        con.continuationMethod = 'processResponse';
    }

    HttpRequest req = new HttpRequest();
    req.setMethod('GET');
    req.setEndpoint(LONG_RUNNING_SERVICE_URL);
    this.requestLabel = con.addHttpRequest(req);
    return con;
}

Essa implementação permite que a propriedade continuationMethod seja definida por parâmetros de solicitação de tempo de execução, o que permite que invasores chamem qualquer função que corresponda ao nome.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.apex.unsafe_reflection
Abstract
Um invasor pode ser capaz de criar caminhos de fluxo de controle inesperados através do aplicativo, possivelmente se esquivando de verificações de segurança.
Explanation
Se um invasor puder fornecer valores que, em seguida, forem usados pelo aplicativo para determinar qual classe instanciar ou qual método invocar, existirá o potencial de que esse invasor crie caminhos de fluxo de controle através do aplicativo que não foram planejados pelos desenvolvedores desse aplicativo. Esse vetor de ataque pode permitir que o invasor ignore verificações de autenticação ou controle de acesso ou, em outros casos, pode fazer com que o aplicativo se comporte de maneira inesperada. Até mesmo a capacidade de controlar os argumentos transmitidos a um determinado método ou construtor pode proporcionar a um invasor astuto a vantagem necessária para organizar um ataque bem-sucedido.

Exemplo 1: Os programadores costumam usar o recurso de reflexão para implementar dispatchers de comandos. O exemplo a seguir mostra um dispatcher de comandos que não usa reflexão:


...
Dim ctl As String
Dim ao As New Worker()
ctl = Request.Form("ctl")
If (String.Compare(ctl,"Add") = 0) Then
        ao.DoAddCommand(Request)
Else If (String.Compare(ctl,"Modify") = 0) Then
        ao.DoModifyCommand(Request)
Else
        App.EventLog("No Action Found", 4)
End If
...


Um programador pode refatorar esse código para usar a reflexão, da seguinte maneira:


...
Dim ctl As String
Dim ao As New Worker()
ctl = Request.Form("ctl")
CallByName(ao, ctl, vbMethod, Request)
...


Inicialmente, a refatoração parece oferecer diversas vantagens. Há menos linhas de código, os blocos if/else foram totalmente eliminados e agora é possível adicionar novos tipos de comando sem modificar o expedidor de comandos.

No entanto, a refatoração permite que um invasor chame qualquer método implementado pelo objeto Worker. Se o dispatcher de comandos for responsável pelo controle de acesso, sempre que os programadores criarem um novo método na classe Worker, eles deverão modificar a lógica de controle de acesso do dispatcher. Se essa lógica de controle de acesso se tornar obsoleta, alguns métodos Worker não terão controle de acesso.

Uma maneira de resolver esse problema de controle de acesso é tornar o objeto Worker responsável pela execução da verificação de controle de acesso. Veja a seguir um exemplo do código novamente refatorado:


...
Dim ctl As String
Dim ao As New Worker()
ctl = Request.Form("ctl")
If (ao.checkAccessControl(ctl,Request) = True) Then
        CallByName(ao, "Do" & ctl & "Command", vbMethod, Request)
End If
...


Embora seja uma melhoria, isso incentiva uma abordagem descentralizada ao controle de acesso, facilitando erros de controle de acesso por parte dos programadores.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.dotnet.unsafe_reflection
Abstract
Um invasor pode ser capaz de criar caminhos de fluxo de controle inesperados através do aplicativo, possivelmente se esquivando de verificações de segurança.
Explanation
Se um invasor puder fornecer valores que, em seguida, forem usados pelo aplicativo para determinar qual classe instanciar ou qual método invocar, existirá o potencial de que esse invasor crie caminhos de fluxo de controle através do aplicativo que não foram planejados pelos desenvolvedores desse aplicativo. Esse vetor de ataque pode permitir que o invasor ignore verificações de autenticação ou controle de acesso ou, em outros casos, pode fazer com que o aplicativo se comporte de maneira inesperada.

Essa situação torna-se um cenário apocalíptico quando o invasor pode carregar arquivos para um local que é exibido no caminho da biblioteca ou no caminho do aplicativo. Em qualquer uma dessas condições, o invasor pode usar o recurso de reflexão para introduzir no aplicativo um novo comportamento presumivelmente mal-intencionado.
Exemplo 1: Um motivo comum pelo qual os programadores utilizam a API de reflexão é para implementar seus próprios expedidores de comandos. O exemplo a seguir mostra um dispatcher de comandos JNI que usa a reflexão para executar um método Java identificado por um valor lido a partir de uma solicitação CGI. Essa implementação permite que um invasor chame qualquer função definida em clazz.


char* ctl = getenv("ctl");
...
jmethodID mid = GetMethodID(clazz, ctl, sig);
status = CallIntMethod(env, clazz, mid, JAVA_ARGS);
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.cpp.unsafe_reflection
Abstract
Interpretar instruções controladas pelo usuário em tempo de execução pode permitir que os invasores executem um código mal-intencionado.
Explanation
Se um invasor puder fornecer valores que o aplicativo usará para determinar qual método invocar ou qual valor de campo recuperar, haverá a possibilidade de o invasor criar caminhos de fluxo de controle por meio do aplicativo que não foram planejados pelos desenvolvedores do aplicativo. Esse vetor de ataque pode permitir que o invasor ignore as verificações de autenticação ou controle de acesso ou, caso contrário, fazer com que o aplicativo se comporte de maneira inesperada.

Exemplo 1: Neste exemplo, o aplicativo recupera o nome de uma função a ser chamada de um argumento da linha de comando.


...
    func beforeExampleCallback(scope *Scope){
        input := os.Args[1]
        if input{
            scope.CallMethod(input)
        }
    }
...
Exemplo 2: De forma semelhante no exemplo anterior, o aplicativo usa o pacote reflect para obter o nome de uma função a ser chamada de um argumento da linha de comando.

...
    input := os.Args[1]
	var worker WokerType
	reflect.ValueOf(&worker).MethodByName(input).Call([]reflect.Value{})
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.golang.unsafe_reflection
Abstract
Um invasor pode ser capaz de criar caminhos de fluxo de controle inesperados através do aplicativo, possivelmente se esquivando de verificações de segurança.
Explanation
Se um invasor puder fornecer valores que, em seguida, forem usados pelo aplicativo para determinar qual classe instanciar ou qual método invocar, existirá o potencial de que esse invasor crie caminhos de fluxo de controle através do aplicativo que não foram planejados pelos desenvolvedores desse aplicativo. Esse vetor de ataque pode permitir que o invasor ignore verificações de autenticação ou controle de acesso ou, em outros casos, pode fazer com que o aplicativo se comporte de maneira inesperada. Até mesmo a capacidade de controlar os argumentos transmitidos a um determinado método ou construtor pode proporcionar a um invasor astuto a vantagem necessária para organizar um ataque bem-sucedido.

Essa situação se transformará em um cenário apocalíptico se o invasor puder carregar arquivos em um local exibido no caminho de classe do aplicativo ou se puder adicionar novas entradas ao caminho de classe do aplicativo. Em qualquer uma dessas condições, o invasor pode usar o recurso de reflexão para introduzir no aplicativo um novo comportamento presumivelmente mal-intencionado.
Exemplo 1: Um motivo comum pelo qual os programadores utilizam a API de reflexão é para implementar seus próprios expedidores de comandos. O seguinte exemplo mostra um expedidor de comandos que não usa reflexão:


String ctl = request.getParameter("ctl");
Worker ao = null;
if (ctl.equals("Add")) {
  ao = new AddCommand();
} else if (ctl.equals("Modify")) {
  ao = new ModifyCommand();
} else {
  throw new UnknownActionError();
}
ao.doAction(request);


Um programador pode refatorar esse código para usar a reflexão, da seguinte maneira:


    String ctl = request.getParameter("ctl");
    Class cmdClass = Class.forName(ctl + "Command");
    Worker ao = (Worker) cmdClass.newInstance();
    ao.doAction(request);


Inicialmente, a refatoração parece oferecer diversas vantagens. Há menos linhas de código, os blocos if/else foram totalmente eliminados e agora é possível adicionar novos tipos de comando sem modificar o expedidor de comandos.

No entanto, a refatoração permite que um invasor instancie qualquer objeto que implementa a interface Worker. Se o expedidor de comandos ainda for responsável pelo controle de acesso, sempre que os programadores criarem uma nova classe que implementa a interface Worker, eles deverão se lembrar de modificar o código de controle de acesso do expedidor. Se o código de controle de acesso não for modificado, algumas classes Worker não terão controle de acesso.

Uma maneira de resolver esse problema de controle de acesso é tornar o objeto Worker responsável pela execução da verificação de controle de acesso. Veja a seguir um exemplo do código novamente refatorado:


String ctl = request.getParameter("ctl");
Class cmdClass = Class.forName(ctl + "Command");
Worker ao = (Worker) cmdClass.newInstance();
ao.checkAccessControl(request);
ao.doAction(request);


Embora seja uma melhoria, isso incentiva uma abordagem descentralizada ao controle de acesso, facilitando erros de controle de acesso por parte dos programadores.

Esse código também destaca outro problema de segurança com o uso da reflexão para construir um expedidor de comandos. Um invasor pode invocar o construtor padrão para qualquer tipo de objeto. Na verdade, o invasor nem mesmo é impedido de acessar objetos que implementam a interface Worker; o construtor padrão para qualquer objeto no sistema pode ser invocado. Se o objeto não implementar a interface Worker, um ClassCastException será lançado antes da atribuição a ao, mas, se o construtor realizar operações que funcionarem a favor do invasor, os danos já terão sido feitos. Embora esse cenário seja relativamente favorável em aplicativos simples, em aplicativos maiores, nos quais a complexidade cresce exponencialmente, não é absurdo considerar que um invasor possa encontrar um construtor a ser otimizado como parte de um ataque.

As verificações de acesso também podem ficar comprometidas mais abaixo na cadeia a execução do código quando certas APIs Java que realizam tarefas usando a verificação de carregadores de classe do chamador imediato são invocadas em objetos não confiáveis retornados por chamadas de reflexão. Essas APIs Java ignoram a verificação de SecurityManager que garante que todos os chamadores na cadeia de execução tenham as permissões de segurança necessárias. É necessário ter cautela para garantir que essas APIs não sejam invocadas nos objetos não confiáveis retornados pela reflexão, pois elas podem ignorar verificações de acesso de segurança e deixar o sistema vulnerável a ataques remotos. Para obter mais informações sobre essas APIs Java, consulte a Orientação 9 das orientações para codificação segura da linguagem de programação Java.
References
[1] Secure Coding Guidelines for the Java Programming Language, Version 4.0
[2] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[18] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[19] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.java.unsafe_reflection
Abstract
Os invasores podem controlar um argumento para o método performSelector, o que pode permitir que eles criem caminhos inesperados de controle de fluxo por meio do aplicativo, potencialmente ignorando as verificações de segurança.
Explanation
Se um invasor puder fornecer valores que, em seguida, forem usados pelo aplicativo para determinar qual classe instanciar ou qual método invocar, existirá o potencial de que esse invasor crie caminhos de fluxo de controle através do aplicativo que não foram planejados pelos desenvolvedores desse aplicativo. Esse vetor de ataque pode permitir que o invasor ignore verificações de autenticação ou controle de acesso ou, em outros casos, pode fazer com que o aplicativo se comporte de maneira inesperada.

Exemplo 1: Uma razão comum pela qual os programadores usam a API do seletor é implementar o próprio despachante de comando deles. O exemplo a seguir mostra um dispatcher de comando Objective-C, que usa a reflexão para executar um método arbitrário identificado por um valor lido a partir de uma solicitação URL de esquema personalizado. Essa implementação permite a um invasor chamar qualquer função mediante a correspondência da assinatura do método definido na classe UIApplicationDelegate.


...
- (BOOL)application:(UIApplication *)application openURL:(NSURL *)url
  sourceApplication:(NSString *)sourceApplication annotation:(id)annotation  {

    NSString *query = [url query];
    NSString *pathExt = [url pathExtension];
    [self performSelector:NSSelectorFromString(pathExt) withObject:query];
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.objc.unsafe_reflection
Abstract
Um invasor pode ser capaz de criar caminhos de fluxo de controle inesperados através do aplicativo, possivelmente se esquivando de verificações de segurança.
Explanation
Se um invasor puder fornecer valores que, em seguida, forem usados pelo aplicativo para determinar qual classe instanciar ou qual método invocar, existirá o potencial de que esse invasor crie caminhos de fluxo de controle através do aplicativo que não foram planejados pelos desenvolvedores desse aplicativo. Esse vetor de ataque pode permitir que o invasor ignore verificações de autenticação ou controle de acesso ou, em outros casos, pode fazer com que o aplicativo se comporte de maneira inesperada. Até mesmo a capacidade de controlar os argumentos transmitidos a um determinado método ou construtor pode proporcionar a um invasor astuto a vantagem necessária para organizar um ataque bem-sucedido.

Essa situação se transformará em um cenário apocalíptico se o invasor puder carregar arquivos em um local exibido no caminho de classe do aplicativo ou se puder adicionar novas entradas ao caminho de classe do aplicativo. Em qualquer uma dessas condições, o invasor pode usar o recurso de reflexão para introduzir no aplicativo um novo comportamento presumivelmente mal-intencionado.
Exemplo 1: Um motivo comum pelo qual os programadores utilizam a API de reflexão é para implementar seus próprios expedidores de comandos. O seguinte exemplo mostra um expedidor de comandos que não usa reflexão:


$ctl = $_GET["ctl"];
$ao = null;
if (ctl->equals("Add")) {
  $ao = new AddCommand();
} else if ($ctl.equals("Modify")) {
  $ao = new ModifyCommand();
} else {
  throw new UnknownActionError();
}
$ao->doAction(request);


Um programador pode refatorar esse código para usar a reflexão, da seguinte maneira:


    $ctl = $_GET["ctl"];
    $args = $_GET["args"];
    $cmdClass = new ReflectionClass(ctl . "Command");
    $ao = $cmdClass->newInstance($args);
    $ao->doAction(request);


Inicialmente, a refatoração parece oferecer diversas vantagens. Há menos linhas de código, os blocos if/else foram totalmente eliminados e agora é possível adicionar novos tipos de comando sem modificar o expedidor de comandos.

No entanto, a refatoração permite que um invasor instancie qualquer objeto que implementa a interface Worker. Se o expedidor de comandos ainda for responsável pelo controle de acesso, sempre que os programadores criarem uma nova classe que implementa a interface Worker, eles deverão se lembrar de modificar o código de controle de acesso do expedidor. Se o código de controle de acesso não for modificado, algumas classes Worker não terão controle de acesso.

Uma maneira de resolver esse problema de controle de acesso é tornar o objeto Worker responsável pela execução da verificação de controle de acesso. Veja a seguir um exemplo do código novamente refatorado:


	$ctl = $_GET["ctl"];
    $args = $_GET["args"];
    $cmdClass = new ReflectionClass(ctl . "Command");
    $ao = $cmdClass->newInstance($args);
	$ao->checkAccessControl(request);
	ao->doAction(request);


Embora seja uma melhoria, isso incentiva uma abordagem descentralizada ao controle de acesso, facilitando erros de controle de acesso por parte dos programadores.

Esse código também destaca outro problema de segurança com o uso da reflexão para construir um expedidor de comandos. Um invasor pode invocar o construtor padrão para qualquer tipo de objeto. Na verdade, o invasor nem mesmo é impedido de acessar objetos que implementam a interface Worker; o construtor padrão para qualquer objeto no sistema pode ser invocado. Se o objeto não implementar a interface Worker, um ClassCastException será lançado antes da atribuição a $ao, mas, se o construtor realizar operações que funcionarem a favor do invasor, os danos já terão sido feitos. Embora esse cenário seja relativamente favorável em aplicativos simples, em aplicativos maiores, nos quais a complexidade cresce exponencialmente, não é absurdo considerar que um invasor possa encontrar um construtor a ser otimizado como parte de um ataque.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.php.unsafe_reflection
Abstract
Um invasor pode ser capaz de criar caminhos de fluxo de controle inesperados através do aplicativo, possivelmente se esquivando de verificações de segurança.
Explanation
Se um invasor puder fornecer valores que, em seguida, forem usados pelo aplicativo para determinar qual classe instanciar ou qual método invocar, existirá o potencial de que esse invasor crie caminhos de fluxo de controle através do aplicativo que não foram planejados pelos desenvolvedores desse aplicativo. Esse vetor de ataque pode permitir que o invasor ignore verificações de autenticação ou controle de acesso ou, em outros casos, pode fazer com que o aplicativo se comporte de maneira inesperada. Até mesmo a capacidade de controlar os argumentos transmitidos a um determinado método ou construtor pode proporcionar a um invasor astuto a vantagem necessária para organizar um ataque bem-sucedido.

Essa situação se transformará em um cenário apocalíptico se o invasor puder carregar arquivos em um local exibido no caminho de classe do aplicativo ou se puder adicionar novas entradas ao caminho de classe do aplicativo. Em qualquer uma dessas condições, o invasor pode usar o recurso de reflexão para introduzir no aplicativo um novo comportamento presumivelmente mal-intencionado.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.python.unsafe_reflection
Abstract
Um invasor pode ser capaz de criar caminhos de fluxo de controle inesperados através do aplicativo, possivelmente se esquivando de verificações de segurança.
Explanation
Se um invasor puder fornecer valores que, em seguida, forem usados pelo aplicativo para determinar qual classe instanciar ou qual método invocar, existirá o potencial de que esse invasor crie caminhos de fluxo de controle através do aplicativo que não foram planejados pelos desenvolvedores desse aplicativo. Esse vetor de ataque pode permitir ao invasor ignorar a autenticação, ignorar as verificações de controle de acesso ou, de outra maneira, fazer com que o aplicativo se comporte de maneira inesperada. Até mesmo a capacidade de controlar os argumentos transmitidos a um determinado método ou construtor pode proporcionar a um invasor astuto a vantagem necessária para organizar um ataque bem-sucedido.

Essa situação se tornará um cenário apocalíptico se o invasor puder carregar arquivos em um local exibido no caminho de carregamento do aplicativo ou adicionar novas entradas a esse caminho. Em qualquer uma dessas condições, o invasor pode usar o recurso de reflexão para introduzir no aplicativo um novo comportamento presumivelmente mal-intencionado.
Exemplo 1: Um motivo comum pelo qual os programadores utilizam a reflexão é para implementar seus próprios expedidores de comandos. O seguinte exemplo mostra um expedidor de comandos que não usa reflexão:


ctl = req['ctl']
if ctl=='add'
  addCommand(req)
elsif ctl=='modify'
  modifyCommand(req)
else
  raise UnknownCommandError.new
end


Um programador pode refatorar esse código para usar a reflexão, da seguinte maneira:


ctl = req['ctl']
ctl << "Command"
send(ctl)


Inicialmente, a refatoração parece oferecer diversas vantagens. Há menos linhas de código, os blocos if/else foram totalmente eliminados e agora é possível adicionar novos tipos de comando sem modificar o expedidor de comandos.

No entanto, a refatoração permite a um invasor executar qualquer método que termine com a palavra "Command". Caso o distribuidor de comando ainda seja responsável pelo controle de acesso, sempre que os programadores criarem um novo método que termine com "Command", eles deverão se lembrar de modificar o código de controle de acesso do despachante. Mesmo assim, a prática comum quando se tem vários métodos de nome semelhante pode ser criá-los dinamicamente ao usar define_method(), ou pode ser chamá-los ao substituir missing_method(). Fazer a auditoria e o rastreio desses métodos assim como de que maneira o código de controle é utilizado com eles é muito difícil e, ao considerar essa situação, ela também dependerá de quais outros códigos de biblioteca estão carregados; isso fará com que essa tarefa seja quase impossível de realizar corretamente.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.ruby.unsafe_reflection
Abstract
Um invasor pode ser capaz de criar caminhos de fluxo de controle inesperados através do aplicativo, possivelmente se esquivando de verificações de segurança.
Explanation
Se um invasor puder fornecer valores que, em seguida, forem usados pelo aplicativo para determinar qual classe instanciar ou qual método invocar, existirá o potencial de que esse invasor crie caminhos de fluxo de controle através do aplicativo que não foram planejados pelos desenvolvedores desse aplicativo. Esse vetor de ataque pode permitir que o invasor ignore verificações de autenticação ou controle de acesso ou, em outros casos, pode fazer com que o aplicativo se comporte de maneira inesperada. Até mesmo a capacidade de controlar os argumentos transmitidos a um determinado método ou construtor pode proporcionar a um invasor astuto a vantagem necessária para organizar um ataque bem-sucedido.

Essa situação se transformará em um cenário apocalíptico se o invasor puder carregar arquivos em um local exibido no caminho de classe do aplicativo ou se puder adicionar novas entradas ao caminho de classe do aplicativo. Em qualquer uma dessas condições, o invasor pode usar o recurso de reflexão para introduzir no aplicativo um novo comportamento presumivelmente mal-intencionado.
Exemplo 1: Um motivo comum pelo qual os programadores utilizam a API de reflexão é para implementar seus próprios expedidores de comandos. O exemplo a seguir mostra um expedidor de comandos que usa reflexão:


def exec(ctl: String) = Action { request =>
    val cmdClass = Platform.getClassForName(ctl + "Command")
    Worker ao = (Worker) cmdClass.newInstance()
    ao.doAction(request)
    ...
}


Inicialmente, a refatoração parece oferecer diversas vantagens. Há menos linhas de código, os blocos if/else foram totalmente eliminados e agora é possível adicionar novos tipos de comando sem modificar o expedidor de comandos.

No entanto, a refatoração permite que um invasor instancie qualquer objeto que implementa a interface Worker. Se o expedidor de comandos ainda for responsável pelo controle de acesso, sempre que os programadores criarem uma nova classe que implementa a interface Worker, eles deverão se lembrar de modificar o código de controle de acesso do expedidor. Se o código de controle de acesso não for modificado, algumas classes Worker não terão controle de acesso.

Uma maneira de resolver esse problema de controle de acesso é tornar o objeto Worker responsável pela execução da verificação de controle de acesso. Veja a seguir um exemplo do código novamente refatorado:


def exec(ctl: String) = Action { request =>
    val cmdClass = Platform.getClassForName(ctl + "Command")
    Worker ao = (Worker) cmdClass.newInstance()
    ao.checkAccessControl(request);
    ao.doAction(request)
    ...
}


Embora seja uma melhoria, isso incentiva uma abordagem descentralizada ao controle de acesso, facilitando erros de controle de acesso por parte dos programadores.

Esse código também destaca outro problema de segurança com o uso da reflexão para construir um expedidor de comandos. Um invasor pode invocar o construtor padrão para qualquer tipo de objeto. Na verdade, o invasor nem mesmo é impedido de acessar objetos que implementam a interface Worker; o construtor padrão para qualquer objeto no sistema pode ser invocado. Se o objeto não implementar a interface Worker, um ClassCastException será lançado antes da atribuição a ao, mas, se o construtor realizar operações que funcionarem a favor do invasor, os danos já terão sido feitos. Embora esse cenário seja relativamente favorável em aplicativos simples, em aplicativos maiores, nos quais a complexidade cresce exponencialmente, não é absurdo considerar que um invasor possa encontrar um construtor a ser otimizado como parte de um ataque.

As verificações de acesso também podem ficar comprometidas mais abaixo na cadeia a execução do código quando certas APIs Java que realizam tarefas usando a verificação de carregadores de classe do chamador imediato são invocadas em objetos não confiáveis retornados por chamadas de reflexão.Essas APIs Java ignoram a verificação de SecurityManager que garante que todos os chamadores na cadeia de execução tenham as permissões de segurança necessárias.É necessário ter cautela para garantir que essas APIs não sejam invocadas nos objetos não confiáveis retornados pela reflexão, pois elas podem ignorar verificações de acesso de segurança e deixar o sistema vulnerável a ataques remotos.Para obter mais informações sobre essas APIs Java, consulte a Orientação 9 das orientações para codificação segura da linguagem de programação Java.
References
[1] Secure Coding Guidelines for the Java Programming Language, Version 4.0
[2] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[18] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[19] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.scala.unsafe_reflection
Abstract
Os invasores podem controlar um argumento para o método performSelector, o que pode permitir que eles criem caminhos inesperados de controle de fluxo por meio do aplicativo, potencialmente ignorando as verificações de segurança.
Explanation
Se um invasor puder fornecer valores que, em seguida, forem usados pelo aplicativo para determinar qual classe instanciar ou qual método invocar, existirá o potencial de que esse invasor crie caminhos de fluxo de controle através do aplicativo que não foram planejados pelos desenvolvedores desse aplicativo. Esse vetor de ataque pode permitir que o invasor ignore verificações de autenticação ou controle de acesso ou, em outros casos, pode fazer com que o aplicativo se comporte de maneira inesperada.

Exemplo 1: Uma razão comum pela qual os programadores usam a API do seletor é implementar o próprio despachante de comando deles. O exemplo a seguir mostra um dispatcher de comando Swift que usa a reflexão para executar um método arbitrário identificado por um valor lido de uma solicitação de esquema de URL personalizada. Essa implementação permite a um invasor chamar qualquer função mediante a correspondência da assinatura do método definido na classe UIApplicationDelegate.


func application(app: UIApplication, openURL url: NSURL, options: [String : AnyObject]) -> Bool {
    ...
    let query = url.query
    let pathExt = url.pathExtension
    let selector = NSSelectorFromString(pathExt!)
    performSelector(selector, withObject:query)
    ...
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.swift.unsafe_reflection
Abstract
Um invasor pode ser capaz de criar caminhos de fluxo de controle inesperados através do aplicativo, possivelmente se esquivando de verificações de segurança.
Explanation
Se um invasor puder fornecer valores que, em seguida, forem usados pelo aplicativo para determinar qual classe instanciar ou qual método invocar, existirá o potencial de que esse invasor crie caminhos de fluxo de controle através do aplicativo que não foram planejados pelos desenvolvedores desse aplicativo. Esse vetor de ataque pode permitir que o invasor ignore verificações de autenticação ou controle de acesso ou, em outros casos, pode fazer com que o aplicativo se comporte de maneira inesperada. Até mesmo a capacidade de controlar os argumentos transmitidos a um determinado método ou construtor pode proporcionar a um invasor astuto a vantagem necessária para organizar um ataque bem-sucedido.

Exemplo 1: Um motivo comum pelo qual os programadores utilizam o CallByName é para implementar o próprio dispatcher de comandos. O seguinte exemplo mostra um dispatcher de comandos que não utiliza a função CallByName:


...
Dim ctl As String
Dim ao As new Worker
ctl = Request.Form("ctl")
If String.Compare(ctl,"Add") = 0 Then
	ao.DoAddCommand Request
Else If String.Compare(ctl,"Modify") = 0 Then
	ao.DoModifyCommand Request
Else
	App.EventLog "No Action Found", 4
End If
...



Um programador pode refatorar esse código para usar a reflexão, da seguinte maneira:


...
Dim ctl As String
Dim ao As Worker
ctl = Request.Form("ctl")
CallByName ao, ctl, vbMethod, Request
...




Inicialmente, a refatoração parece oferecer diversas vantagens. Há menos linhas de código, os blocos if/else foram totalmente eliminados e agora é possível adicionar novos tipos de comando sem modificar o expedidor de comandos.

No entanto, a refatoração permite que um invasor chame qualquer método implementado pelo objeto Worker. Se o dispatcher de comandos ainda for responsável pelo controle de acesso, sempre que os programadores criarem um novo método na classe Worker, eles deverão se lembrar de modificar o código de controle de acesso do dispatcher. Se eles não conseguirem modificar o código de controle de acesso, alguns métodos Worker não terão nenhum controle de acesso.

Uma maneira de resolver esse problema de controle de acesso é tornar o objeto Worker responsável pela execução da verificação de controle de acesso. Veja a seguir um exemplo do código novamente refatorado:


...
Dim ctl As String
Dim ao As Worker
ctl = Request.Form("ctl")
If ao.checkAccessControl(ctl,Request) = True Then
	CallByName ao, "Do" & ctl & "Command", vbMethod, Request
End If
...



Embora seja uma melhoria, isso incentiva uma abordagem descentralizada ao controle de acesso, facilitando erros de controle de acesso por parte dos programadores.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.vb.unsafe_reflection

Value Shadowing

Abstract
O programa acessa uma variável de forma ambígua, o que pode deixá-lo aberto a ataques.
Explanation
A classe HttpRequest fornece acesso programático a variáveis das coleções QueryString, Form, Cookies ou ServerVariables sob a forma de um acesso de array (por exemplo, Request["myParam"]). Quando há mais de uma variável com o mesmo nome, o .NET Framework retorna o valor da variável que aparece primeiro quando as coleções são pesquisadas, na ordem seguinte: QueryString, Form, Cookies e depois ServerVariables. Como QueryString vem em primeiro lugar na ordem de pesquisa, é possível que parâmetros QueryString substituam valores de formulários, cookies e variáveis de servidor. Da mesma forma, valores de formulário podem substituir variáveis nas coleções Cookies e ServerVariables, enquanto variáveis da coleção Cookies podem substituir as de ServerVariables.
Exemplo 1: Imagine que um aplicativo de operações bancários armazena temporariamente o endereço de e-mail de um usuário em um cookie e lê esse valor quando deseja entrar em contato com o usuário. O código a seguir lê o valor do cookie e envia um saldo de conta ao endereço de e-mail especificado.

...
    String toAddress = Request["email"];        //Expects cookie value
    Double balance = GetBalance(userID);
    SendAccountBalance(toAddress, balance);
...

Suponha que o código no Example 1 seja executado durante uma visita a http://www.example.com/GetBalance.aspx. Se um invasor puder fazer com que um usuário autenticado clique em um link que solicita http://www.example.com/GetBalance.aspx?email=evil%40evil.com, um e-mail com o saldo da conta desse usuário será enviado para evil@evil.com.
References
[1] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[2] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[3] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[13] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II
desc.semantic.dotnet.value_shadowing

Value Shadowing: Server Variable

Abstract
O programa acessa uma variável do servidor de forma ambígua, o que pode deixá-lo aberto a ataques.
Explanation
A classe HttpRequest fornece acesso programático a variáveis das coleções QueryString, Form, Cookies ou ServerVariables sob a forma de um acesso de array (por exemplo, Request["myParam"]). Quando há mais de uma variável com o mesmo nome, o .NET Framework retorna o valor da variável que aparece primeiro quando as coleções são pesquisadas, na ordem seguinte: QueryString, Form, Cookies e depois ServerVariables. Como QueryString vem em primeiro lugar na ordem de pesquisa, é possível que parâmetros QueryString substituam valores de formulários, cookies e variáveis de servidor. Da mesma forma, valores de formulário podem substituir variáveis nas coleções Cookies e ServerVariables, enquanto variáveis da coleção Cookies podem substituir as de ServerVariables.
Exemplo 1: O código a seguir verifica a variável de servidor do cabeçalho HTTP Referer para ver se a solicitação é proveniente de www.example.com antes de apresentar o conteúdo.

    ...
    if (Request["HTTP_REFERER"].StartsWith("http://www.example.com"))
        ServeContent();
    else
        Response.Redirect("http://www.example.com/");
    ...


Suponha que o código no Example 1 seja executado durante uma visita a http://www.example.com/ProtectedImages.aspx. Se um invasor realizar uma solicitação direta para a URL, o cabeçalho de referência adequado não será definido e a solicitação falhará. No entanto, se o invasor enviar um parâmetro HTTP_REFERER artificial com o valor necessário, como http://www.example.com/ProtectedImages.aspx?HTTP_REFERER=http%3a%2f%2fwww.example.com, a pesquisa retornará esse valor de QueryString em vez de ServerVariables, e a verificação será bem-sucedida.
References
[1] Microsoft IIS Server Variables
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[14] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II
desc.semantic.dotnet.value_shadowing_server_variable

XML Entity Expansion Injection

Abstract
O uso de analisadores XML que não estão configurados para impedir ou limitar a resolução de entidade de DTD (Definição de Tipo de Documento) pode expor o analisador a uma XML Entity Expansion injection
Explanation
A XML Entity Expansion injection, também conhecida como XML Bombs, consiste em ataques DoS que se beneficiam de blocos XML válidos e corretamente formados que se expandem exponencialmente até esgotarem os recursos alocados do servidor. O XML permite definir entidades personalizadas que atuam como macros de substituição de string. Aninhando resoluções de entidades recorrentes, um invasor pode facilmente travar os recursos do servidor.

O documento XML a seguir mostra um exemplo de uma Bomba XML.

    <?xml version="1.0"?>
    <!DOCTYPE lolz [
      <!ENTITY lol "lol">
      <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
      <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
      <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
      <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
      <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
      <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
      <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
      <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
    ]>
    <lolz>&lol9;</lolz>


Esse teste pode travar o servidor expandindo o pequeno documento XML para mais de 3 GB de memória.
References
[1] XML External Entity (XXE) Processing OWASP
[2] Testing for XML Injection OWASP
[3] XML External Entities The Web Application Security Consortium
[4] Standards Mapping - Common Weakness Enumeration CWE ID 776
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[9] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.2 File Upload Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[12] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[14] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[15] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2010 A1 Injection
[17] Standards Mapping - OWASP Top 10 2013 A1 Injection
[18] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 XML Entity Expansion (WASC-44)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.abap.xml_entity_expansion_injection
Abstract
O uso de analisadores XML que não estão configurados para impedir ou limitar a resolução de entidade de DTD (definição de tipo de documento) pode expor o analisador a um ataque de XML Entity Expansion Injection
Explanation
Ataques de injeção de Expansão de Entidades XML são ataques de DoS que se beneficiam de blocos XML válidos e bem-formados que se expandem exponencialmente até esgotarem os recursos alocados para o servidor. O XML permite definir entidades personalizadas que funcionam como macros de substituição de string. Por meio do aninhamento de resoluções de entidades recorrentes, um invasor pode facilmente fazer com que os recursos do servidor entrem em colapso.

O seguinte documento XML mostra um exemplo de uma Bomba de XML.

<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>


Esse teste pode fazer com que o servidor entre em colapso, expandindo o pequeno documento XML até que ele ocupe mais de 3 GB de memória.
References
[1] XML Denial of Service Attacks and Defenses MSDN Magazine
[2] XML External Entity (XXE) Processing OWASP
[3] Testing for XML Injection OWASP
[4] XML External Entities The Web Application Security Consortium
[5] Standards Mapping - Common Weakness Enumeration CWE ID 776
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[10] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.2 File Upload Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[53] Standards Mapping - Web Application Security Consortium Version 2.00 XML Entity Expansion (WASC-44)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.dotnet.xml_entity_expansion_injection
Abstract
O uso de analisadores XML que não estão configurados para impedir ou limitar a resolução de entidade de DTD (Definição de Tipo de Documento) pode expor o analisador a uma XML Entity Expansion injection
Explanation
A XML Entity Expansion injection, também conhecida como XML Bombs, são ataques Denial of Service (DoS) que se beneficiam de blocos XML válidos e bem-formados que se expandem exponencialmente até esgotarem os recursos alocados para o servidor. O XML permite definir entidades personalizadas que funcionam como macros de substituição de string. Por meio do aninhamento de resoluções de entidades recorrentes, um invasor pode facilmente fazer com que os recursos do servidor entrem em colapso.

O seguinte documento XML mostra um exemplo de uma Bomba de XML.

<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>


Esse teste pode fazer com que o servidor entre em colapso, expandindo o pequeno documento XML até que ele ocupe mais de 3 GB de memória.
References
[1] XML External Entity (XXE) Processing OWASP
[2] Testing for XML Injection OWASP
[3] XML External Entities The Web Application Security Consortium
[4] INJECT-5: Restrict XML inclusion Oracle
[5] Standards Mapping - Common Weakness Enumeration CWE ID 776
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[10] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.2 File Upload Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[53] Standards Mapping - Web Application Security Consortium Version 2.00 XML Entity Expansion (WASC-44)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.java.xee_injection
Abstract
O uso de analisadores XML que não estão configurados para impedir ou limitar a resolução de entidade de DTD (Definição de Tipo de Documento) pode expor o analisador a uma XML Entity Expansion injection
Explanation
A XML Entity Expansion injection, também conhecida como XML Bombs, consiste em ataques DoS que se beneficiam de blocos XML válidos e corretamente formados que se expandem exponencialmente até esgotarem os recursos alocados do servidor. O XML permite definir entidades personalizadas que atuam como macros de substituição de string. Aninhando resoluções de entidades recorrentes, um invasor pode facilmente travar os recursos do servidor.

O documento XML a seguir mostra um exemplo de uma Bomba XML.

    <?xml version="1.0"?>
    <!DOCTYPE lolz [
      <!ENTITY lol "lol">
      <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
      <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
      <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
      <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
      <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
      <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
      <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
      <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
    ]>
    <lolz>&lol9;</lolz>


Esse teste pode travar o servidor expandindo o pequeno documento XML para mais de 3 GB de memória.
References
[1] XML External Entity (XXE) Processing OWASP
[2] Testing for XML Injection OWASP
[3] XML External Entities The Web Application Security Consortium
[4] Standards Mapping - Common Weakness Enumeration CWE ID 776
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[9] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.2 File Upload Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[12] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[14] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[15] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2010 A1 Injection
[17] Standards Mapping - OWASP Top 10 2013 A1 Injection
[18] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 XML Entity Expansion (WASC-44)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.php.xml_entity_expansion_injection
Abstract
O uso de analisadores XML que não estão configurados para impedir ou limitar a resolução de entidade de DTD (Definição de Tipo de Documento) pode expor o analisador a uma XML Entity Expansion injection
Explanation
A injeção de Expansão de Entidades XML, também conhecida como Bombas de XML, são ataques de DoS que se beneficiam de blocos XML válidos e bem-formados que se expandem exponencialmente até esgotarem os recursos alocados para o servidor. O XML permite definir entidades personalizadas que funcionam como macros de substituição de string. Por meio do aninhamento de resoluções de entidades recorrentes, um invasor pode facilmente fazer com que os recursos do servidor entrem em colapso.

O seguinte documento XML mostra um exemplo de uma Bomba de XML.

<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>


Esse teste pode fazer com que o servidor entre em colapso, expandindo o pequeno documento XML até que ele ocupe mais de 3 GB de memória.
References
[1] XML vulnerabilities
[2] Announcing defusedxml, Fixes for XML Security Issues
[3] defusedxml
[4] defusedexpat
[5] XML External Entity (XXE) Processing OWASP
[6] Testing for XML Injection OWASP
[7] XML External Entities The Web Application Security Consortium
[8] Standards Mapping - Common Weakness Enumeration CWE ID 776
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[13] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.2 File Upload Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[23] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 XML Entity Expansion (WASC-44)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.python.xee_injection
Abstract
O uso de analisadores XML que não estão configurados para impedir ou limitar a resolução de entidade de DTD (Definição de Tipo de Documento) pode expor o analisador a uma XML Entity Expansion injection
Explanation
A injeção de Expansão de Entidades XML, também conhecida como Bombas de XML, são ataques de DoS que se beneficiam de blocos XML válidos e bem-formados que se expandem exponencialmente até esgotarem os recursos alocados para o servidor. O XML permite definir entidades personalizadas que funcionam como macros de substituição de string. Por meio do aninhamento de resoluções de entidades recorrentes, um invasor pode facilmente fazer com que os recursos do servidor entrem em colapso.

O seguinte documento XML mostra um exemplo de uma Bomba de XML.

<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>


Esse teste pode fazer com que o servidor entre em colapso, expandindo o pequeno documento XML até que ele ocupe mais de 3 GB de memória.
References
[1] XML External Entity (XXE) Processing OWASP
[2] Testing for XML Injection OWASP
[3] XML External Entities The Web Application Security Consortium
[4] Standards Mapping - Common Weakness Enumeration CWE ID 776
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[9] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.2 File Upload Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[12] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[14] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[15] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2010 A1 Injection
[17] Standards Mapping - OWASP Top 10 2013 A1 Injection
[18] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 XML Entity Expansion (WASC-44)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.ruby.xee_injection

XML External Entity Injection

Abstract
O uso de analisadores de XML que não impedem nem limitam a resolução de entidades externas pode expor o analisador a um ataque de Entidades Externas XML.
Explanation
Ataques de Entidades Externas XML tiram proveito de um recurso XML para criar documentos dinamicamente na ocasião do processamento. Uma entidade XML permite incluir dados dinamicamente a partir de um determinado recurso. Entidades externas permitem que um documento XML inclua dados de um URI externo. A menos que configuradas para fazerem o contrário, entidades externas forçam o analisador XML a acessar o recurso especificado pelo URI, como um arquivo no computador local ou em um sistema remoto. Esse comportamento expõe o aplicativo a ataques de XXE (Entidades Externas XML), que podem causar a negação de serviço do sistema local, obter acesso não autorizado a arquivos na máquina local, fazer a varredura de máquinas remotas e realizar a negação de serviço de sistemas remotos.

O código ABAP a seguir demonstra análise XML insegura:

...
DATA(ixml) = cl_ixml=>create( ).
DATA(stream_factory) = ixml->create_stream_factory( ).
istream = stream_factory->create_istream_string(
  `<?xml version="1.0" encoding="UTF-8"?> ` &&
  `<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> ` &&
  `<stockCheck>&xxe;</stockCheck>` ).
istream->set_dtd_restriction( level = 0 ).
DATA(document) = ixml->create_document( ).
parser = ixml->create_parser(
                          stream_factory = stream_factory
                          istream        = istream
                          document       = document ).
parser->set_validating( mode = `0` ).
DATA(rc) = parser->parse( ).
...


Esse exemplo poderá revelar o conteúdo do arquivo de senha "/etc/passwd" nos sistemas Linux se o analisador XML tentar substituir a entidade pelo conteúdo desse arquivo.
References
[1] XML Denial of Service Attacks and Defenses MSDN Magazine
[2] XML External Entity (XXE) Processing OWASP
[3] Testing for XML Injection OWASP
[4] XML External Entities The Web Application Security Consortium
[5] Standards Mapping - Common Weakness Enumeration CWE ID 611
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[23] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[24] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[25] Standards Mapping - OWASP Top 10 2010 A1 Injection
[26] Standards Mapping - OWASP Top 10 2013 A1 Injection
[27] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[28] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[41] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.dataflow.abap.xml_external_entity_injection
Abstract
O uso de analisadores de XML que não impedem nem limitam a resolução de entidades externas pode expor o analisador a um ataque de Entidades Externas XML.
Explanation
Ataques de Entidades Externas XML tiram proveito de um recurso XML para criar documentos dinamicamente na ocasião do processamento. Uma entidade XML permite incluir dados dinamicamente a partir de um determinado recurso. Entidades externas permitem que um documento XML inclua dados de um URI externo. A menos que configuradas para fazerem o contrário, entidades externas forçam o analisador XML a acessar o recurso especificado pelo URI, por exemplo, um arquivo na máquina local ou em um sistema remoto. Esse comportamento expõe o aplicativo a ataques de XXE (Entidades Externas XML), que podem ser usados para realizar a negação de serviço do sistema local, obter acesso não autorizado a arquivos na máquina local, fazer a varredura de máquinas remotas e realizar a negação de serviço de sistemas remotos.

O seguinte documento XML mostra um exemplo de ataque de XXE.

<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///c:/winnt/win.ini" >]><foo>&xxe;</foo>


Esse exemplo poderá revelar o conteúdo do arquivo do sistema C:\winnt\win.ini se o analisador XML tentar substituir a entidade pelo conteúdo desse arquivo.
References
[1] XML Denial of Service Attacks and Defenses MSDN Magazine
[2] XML External Entity (XXE) Processing OWASP
[3] Testing for XML Injection OWASP
[4] XML External Entities The Web Application Security Consortium
[5] Standards Mapping - Common Weakness Enumeration CWE ID 611
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[23] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[24] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[25] Standards Mapping - OWASP Top 10 2010 A1 Injection
[26] Standards Mapping - OWASP Top 10 2013 A1 Injection
[27] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[28] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[41] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.controlflow.dotnet.xml_external_entity_injection
Abstract
O método identificado permite referências a entidades externas. Essa chamada pode permitir que um invasor injete uma entidade externa XML no documento XML para revelar o conteúdo de arquivos ou recursos de rede internos.
Explanation
Uma injeção de Entidade Externa XML (XXE) ocorre quando:

1. Os dados entram em um programa por uma fonte não confiável.

2. Os dados são gravados em um elemento <ENTITY> da DTD (Definição de Tipo de Documento) em um documento XML.

Em geral, os aplicativos usam o XML para armazenar dados ou enviar mensagens. Quando usados para armazenar dados, documentos XML são frequentemente tratados como bancos de dados e podem conter informações confidenciais. Mensagens XML são muitas vezes utilizadas em serviços Web e também podem ser usadas para transmitir informações confidenciais. Mensagens XML podem até mesmo ser usadas para enviar credenciais de autenticação.

A semântica de documentos e mensagens XML poderá ser alterada se um invasor tiver a capacidade de escrever XML bruto. No melhor dos casos, um invasor pode ser capaz de inserir referências a entidades aninhadas e fazer com que um analisador XML consuma quantidades cada vez maiores de recursos da CPU. Em casos mais perniciosos da injeção de entidades externas XML, um invasor pode ser capaz de adicionar elementos XML que expõem o conteúdo de recursos do sistema de arquivos local ou que revelam a existência de recursos de rede internos.

Exemplo 1: veja a seguir um código Objective-C que é vulnerável a ataques de XXE:


- (void) parseSomeXML: (NSString *) rawXml {

    BOOL success;
    NSData *rawXmlConvToData = [rawXml dataUsingEncoding:NSUTF8StringEncoding];
    NSXMLParser *myParser = [[NSXMLParser alloc] initWithData:rawXmlConvToData];
    [myParser setShouldResolveExternalEntities:YES];
    [myParser setDelegate:self];
}


Suponha que um invasor seja capaz de controlar o conteúdo de rawXml de tal forma que o XML tenha a seguinte aparência:


 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>


Quando o XML for avaliado pelo servidor, o elemento <foo> incluirá o conteúdo do arquivo boot.ini.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 611
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[7] Standards Mapping - FIPS200 SI
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[17] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[19] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[21] Standards Mapping - OWASP Top 10 2010 A1 Injection
[22] Standards Mapping - OWASP Top 10 2013 A1 Injection
[23] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[24] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.semantic.cpp.xml_external_entity_injection
Abstract
O uso de analisadores de XML que não impedem nem limitam a resolução de entidades externas pode expor o analisador a um ataque de Entidades Externas XML.
Explanation
Ataques de Entidades Externas XML tiram proveito de um recurso XML para criar documentos dinamicamente na ocasião do processamento. Uma entidade XML permite a inclusão de dados dinamicamente a partir de um determinado recurso. Entidades externas permitem que um documento XML inclua dados de um URI externo. A menos que configuradas para fazerem o contrário, entidades externas forçam o analisador XML a acessar o recurso especificado pelo URI, por exemplo, um arquivo na máquina local ou em um sistema remoto. Esse comportamento expõe o aplicativo a ataques de XXE (Entidades Externas XML), que podem ser usados para realizar a negação de serviço do sistema local, obter acesso não autorizado a arquivos na máquina local, fazer a varredura de máquinas remotas e realizar a negação de serviço de sistemas remotos.
Exemplo 1: O documento XML a seguir mostra um exemplo de um ataque de XXE.

<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>


Esse exemplo poderá travar o servidor (em um sistema UNIX), se o analisador de XML tentar substituir a entidade pelo conteúdo do arquivo /dev/random.

Exemplo 2: O código Java a seguir demonstra como um analisador XML pode ser explorado para executar um ataque de XXE.

String xml = "...";
...
try {
    SAXParserFactory factory = SAXParserFactory.newInstance();
    SAXParser saxParser = factory.newSAXParser();

    DefaultHandler handler = new DefaultHandler() {
        @Override
        public void characters(char[] ch, int start, int length) throws SAXException {
            System.out.println(new String(ch, start, length));
        }
    };

    saxParser.parse(new InputSource(new StringReader(xml)), handler);
} catch (Exception e) {
    e.printStackTrace();
}
...

Neste exemplo, o código Java usa uma string XML com uma referência de entidade externa. Isso poderá levar a uma falha do servidor em um sistema UNIX se não for configurado corretamente para desabilitar a resolução de entidades externas.
References
[1] XML External Entity (XXE) Processing OWASP
[2] Testing for XML Injection OWASP
[3] XML External Entities The Web Application Security Consortium
[4] IDS17-J. Prevent XML External Entity Attacks CERT
[5] DOS-1: Beware of activities that may use disproportionate resources Oracle
[6] INJECT-5: Restrict XML inclusion Oracle
[7] Standards Mapping - Common Weakness Enumeration CWE ID 611
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[13] Standards Mapping - FIPS200 SI
[14] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[17] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[18] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[23] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[25] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[26] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[27] Standards Mapping - OWASP Top 10 2010 A1 Injection
[28] Standards Mapping - OWASP Top 10 2013 A1 Injection
[29] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[30] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.semantic.java.xxe_injection
Abstract
O uso de processadores de XML que não impedem nem limitam a resolução de entidades externas pode expor o aplicativo a um ataque de Entidade Externa XML.
Explanation
Os ataques de Entidade Externa XML se beneficiam de um recurso XML para criar documentos dinamicamente em tempo de execução. Uma entidade XML permite a inclusão de dados dinamicamente de um recurso específico. Entidades externas permitem que um documento XML inclua dados de um URI externo. A menos que configuradas para fazerem o contrário, entidades externas forçam o analisador XML a acessar o recurso especificado pelo URI, como um arquivo no computador local ou em um sistema remoto. Esse comportamento expõe o aplicativo a ataques de XXE (Entidades Externas XML), que permite aos invasores realizar a negação de serviço do sistema local, obter acesso não autorizado a arquivos na máquina local, fazer a varredura de computadores remotos e realizar a negação de serviço de sistemas remotos.


Exemplo 1: O documento XML a seguir mostra um exemplo de um ataque de XXE.

<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>


Esse exemplo poderá travar o servidor (em um sistema UNIX) se o analisador XML tentar substituir a entidade pelo conteúdo do arquivo /dev/random.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 611
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[7] Standards Mapping - FIPS200 SI
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[17] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[19] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[21] Standards Mapping - OWASP Top 10 2010 A1 Injection
[22] Standards Mapping - OWASP Top 10 2013 A1 Injection
[23] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[24] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.dataflow.javascript.xxe_injection
Abstract
O método identificado permite referências a entidades externas. Essa chamada pode permitir que um invasor injete uma entidade externa XML no documento XML para revelar o conteúdo de arquivos ou recursos de rede internos.
Explanation
Uma injeção de Entidade Externa XML (XXE) ocorre quando:

1. Os dados entram em um programa por uma fonte não confiável.

2. Os dados são gravados em um elemento <ENTITY> da DTD (Definição de Tipo de Documento) em um documento XML.

Em geral, os aplicativos usam o XML para armazenar dados ou enviar mensagens. Quando usados para armazenar dados, documentos XML são frequentemente tratados como bancos de dados e podem conter informações confidenciais. Mensagens XML são muitas vezes utilizadas em serviços Web e também podem ser usadas para transmitir informações confidenciais. Mensagens XML podem até mesmo ser usadas para enviar credenciais de autenticação.

A semântica de documentos e mensagens XML poderá ser alterada se um invasor tiver a capacidade de escrever XML bruto. No melhor dos casos, um invasor pode ser capaz de inserir referências a entidades aninhadas e fazer com que um analisador XML consuma quantidades cada vez maiores de recursos da CPU. Em casos mais perniciosos da injeção de entidades externas XML, um invasor pode ser capaz de adicionar elementos XML que expõem o conteúdo de recursos do sistema de arquivos local ou que revelam a existência de recursos de rede internos.

Exemplo 1:estes são alguns códigos vulneráveis a ataques XXE:


- (void) parseSomeXML: (NSString *) rawXml {

    BOOL success;
    NSData *rawXmlConvToData = [rawXml dataUsingEncoding:NSUTF8StringEncoding];
    NSXMLParser *myParser = [[NSXMLParser alloc] initWithData:rawXmlConvToData];
    [myParser setShouldResolveExternalEntities:YES];
    [myParser setDelegate:self];
}


Suponha que um invasor seja capaz de controlar o conteúdo de rawXml de tal forma que o XML tenha a seguinte aparência:


 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>


Quando o XML for avaliado pelo servidor, o elemento <foo> incluirá o conteúdo do arquivo boot.ini.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 611
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[7] Standards Mapping - FIPS200 SI
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[17] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[19] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[21] Standards Mapping - OWASP Top 10 2010 A1 Injection
[22] Standards Mapping - OWASP Top 10 2013 A1 Injection
[23] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[24] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.semantic.objc.xml_external_entity_injection
Abstract
Processar um documento XML não validado pode permitir que um invasor altere a estrutura e o conteúdo do XML, escaneie a porta do servidor host ou escaneie o host da rede interna, inclua arquivos arbitrários do sistema de arquivos, ou cause um ataque de negação de serviço do aplicativo.
Explanation
Uma injeção de Entidade Externa XML (XXE) ocorre quando:

1. Os dados entram em um programa por uma fonte não confiável.

2. Os dados são gravados em um documento XML.

Em geral, os aplicativos usam o XML para armazenar dados ou enviar mensagens. Quando usados para armazenar dados, documentos XML são frequentemente tratados como bancos de dados e podem conter informações confidenciais. Mensagens XML são muitas vezes utilizadas em serviços Web e também podem ser usadas para transmitir informações confidenciais. Mensagens XML podem até mesmo ser usadas para enviar credenciais de autenticação.

A semântica de documentos e mensagens XML poderá ser alterada se um invasor tiver a capacidade de escrever XML bruto. No caso mais benigno, um invasor pode ser capaz de inserir referências de entidade aninhada e fazer com que um analisador XML consuma cada vez mais quantidades de recursos da CPU. Em casos mais nefastos de injeção de XXE, um invasor pode ser capaz de adicionar elementos XML que expõem o conteúdo de recursos do sistema de arquivos local, revelam a existência de recursos de rede interna ou exponha conteúdo back-end em si.

Exemplo 1: Estes são alguns códigos vulneráveis a ataques XXE:

Pressuponha que um invasor possa controlar o XML de entrada para o seguinte código:


...
<?php
$goodXML = $_GET["key"];
$doc = simplexml_load_string($goodXml);
echo $doc->testing;
?>
...


Agora suponha que o XML a seguir é passado pelo invasor para o código no Example 2:



<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>



Quando o XML é processado, o conteúdo do elemento <foo> é preenchido com o conteúdo do arquivo boot.ini do sistema. O invasor pode usar elementos XML que são devolvidos ao cliente para roubar dados ou obter informações sobre a existência de recursos de rede.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 611
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[7] Standards Mapping - FIPS200 SI
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[17] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[19] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[21] Standards Mapping - OWASP Top 10 2010 A1 Injection
[22] Standards Mapping - OWASP Top 10 2013 A1 Injection
[23] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[24] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.dataflow.php.xml_external_entity_injection
Abstract
O uso de processadores de XML que não impedem nem limitam a resolução de entidades externas pode expor o aplicativo a ataques de Entidades Externas XML.
Explanation
Os ataques de Entidades Externas XML se beneficiam de um recurso XML para criar documentos dinamicamente em tempo de execução. Uma entidade XML permite a inclusão de dados dinamicamente de um recurso específico. Entidades externas permitem que um documento XML inclua dados de um URI externo. A menos que configuradas para fazerem o contrário, entidades externas forçam o analisador XML a acessar o recurso especificado pelo URI, como um arquivo no computador local ou em um sistema remoto. Esse comportamento expõe o aplicativo a ataques de XXE (Entidades Externas XML), que os invasores podem usar para realizar a negação de serviço do sistema local, obter acesso não autorizado a arquivos na máquina local, fazer a varredura de computadores remotos e realizar a negação de serviço de sistemas remotos.


Exemplo 1: O seguinte documento XML mostra um exemplo de ataque de XXE.

<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>


Esse exemplo poderá travar o servidor (em um sistema UNIX), se o analisador de XML tentar substituir a entidade pelo conteúdo do arquivo /dev/random.
References
[1] XML vulnerabilities
[2] Announcing defusedxml, Fixes for XML Security Issues
[3] defusedxml
[4] defusedexpat
[5] XML External Entity (XXE) Processing OWASP
[6] Testing for XML Injection (OWASP-DV-008) OWASP
[7] XML External Entities The Web Application Security Consortium
[8] Standards Mapping - Common Weakness Enumeration CWE ID 611
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[14] Standards Mapping - FIPS200 SI
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[17] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[18] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[19] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[20] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[21] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[24] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[26] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[27] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[28] Standards Mapping - OWASP Top 10 2010 A1 Injection
[29] Standards Mapping - OWASP Top 10 2013 A1 Injection
[30] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[31] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[40] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[43] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.dataflow.python.xxe_injection
Abstract
O uso de analisadores de XML que não impedem nem limitam a resolução de entidades externas pode expor o analisador a um ataque de Entidades Externas XML.
Explanation
Ataques de Entidades Externas XML tiram proveito de um recurso XML para criar documentos dinamicamente na ocasião do processamento. Uma entidade XML permite a inclusão de dados dinamicamente a partir de um determinado recurso. Entidades externas permitem que um documento XML inclua dados de um URI externo. A menos que configuradas para fazerem o contrário, entidades externas forçam o analisador XML a acessar o recurso especificado pelo URI, por exemplo, um arquivo na máquina local ou em um sistema remoto. Esse comportamento expõe o aplicativo a ataques de XXE (Entidades Externas XML), que podem ser usados para realizar a negação de serviço do sistema local, obter acesso não autorizado a arquivos na máquina local, fazer a varredura de máquinas remotas e realizar a negação de serviço de sistemas remotos.

O seguinte documento XML mostra um exemplo de ataque de XXE.

<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>


O documento XML de exemplo lerá o conteúdo de /etc/passwd e o incluirá no documento.

Exemplo 1:O código a seguir usa um analisador XML não seguro para processar uma entrada não confiável a partir de uma solicitação HTTP. 


def readFile() = Action { request =>
    val xml = request.cookies.get("doc")
    val doc = XMLLoader.loadString(xml)
    ...
}
References
[1] XML External Entity (XXE) Processing OWASP
[2] Testing for XML Injection OWASP
[3] XML External Entities The Web Application Security Consortium
[4] IDS17-J. Prevent XML External Entity Attacks CERT
[5] DOS-1: Beware of activities that may use disproportionate resources Oracle
[6] INJECT-5: Restrict XML inclusion Oracle
[7] Standards Mapping - Common Weakness Enumeration CWE ID 611
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[13] Standards Mapping - FIPS200 SI
[14] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[17] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[18] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[23] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[25] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[26] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[27] Standards Mapping - OWASP Top 10 2010 A1 Injection
[28] Standards Mapping - OWASP Top 10 2013 A1 Injection
[29] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[30] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.dataflow.scala.xml_external_entity_injection
Abstract
O método identificado permite referências a entidades externas. Essa chamada pode permitir que um invasor injete uma entidade externa XML no documento XML para revelar o conteúdo de arquivos ou recursos de rede internos.
Explanation
Uma injeção de Entidade Externa XML (XXE) ocorre quando:

1. Os dados entram em um programa por uma fonte não confiável.

2. Os dados são gravados em um elemento <ENTITY> da DTD (Definição de Tipo de Documento) em um documento XML.

Em geral, os aplicativos usam o XML para armazenar dados ou enviar mensagens. Quando usados para armazenar dados, documentos XML são frequentemente tratados como bancos de dados e podem conter informações confidenciais. Mensagens XML são muitas vezes utilizadas em serviços Web e também podem ser usadas para transmitir informações confidenciais. Mensagens XML podem até mesmo ser usadas para enviar credenciais de autenticação.

A semântica de documentos e mensagens XML poderá ser alterada se um invasor tiver a capacidade de escrever XML bruto. No melhor dos casos, um invasor pode ser capaz de inserir referências a entidades aninhadas e fazer com que um analisador XML consuma quantidades cada vez maiores de recursos da CPU. Em casos mais perniciosos da injeção de entidades externas XML, um invasor pode ser capaz de adicionar elementos XML que expõem o conteúdo de recursos do sistema de arquivos local ou que revelam a existência de recursos de rede internos.

Exemplo 1:estes são alguns códigos vulneráveis a ataques XXE:


func parseXML(xml: String) {
    parser = NSXMLParser(data: rawXml.dataUsingEncoding(NSUTF8StringEncoding)!)
    parser.delegate = self
    parser.shouldResolveExternalEntities = true
    parser.parse()
}


Suponha que um invasor seja capaz de controlar o conteúdo de rawXml de tal forma que o XML tenha a seguinte aparência:


 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>


Quando o XML for avaliado pelo servidor, o elemento <foo> incluirá o conteúdo do arquivo boot.ini.
References
[1] XML External Entity (XXE) Processing OWASP
[2] Testing for XML Injection OWASP
[3] XML External Entities The Web Application Security Consortium
[4] Standards Mapping - Common Weakness Enumeration CWE ID 611
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[22] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[23] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[24] Standards Mapping - OWASP Top 10 2010 A1 Injection
[25] Standards Mapping - OWASP Top 10 2013 A1 Injection
[26] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[27] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[40] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.structural.swift.xml_external_entity_injection

XML Injection

Abstract
A gravação de dados não validados em um documento XML pode permitir que um invasor altere a estrutura e o conteúdo do XML.
Explanation
Uma injeção de XML ocorre quando:

1. Os dados entram em um programa por uma fonte não confiável.

2. Os dados são gravados em um documento XML.

Em geral, os aplicativos usam o XML para armazenar dados ou enviar mensagens. Quando usados para armazenar dados, documentos XML são frequentemente tratados como bancos de dados e podem conter informações confidenciais. Mensagens XML são muitas vezes utilizadas em serviços Web e também podem ser usadas para transmitir informações confidenciais. Mensagens XML podem até mesmo ser usadas para enviar credenciais de autenticação.

A semântica de documentos e mensagens XML poderá ser alterada se um invasor tiver a capacidade de escrever XML bruto. No melhor dos casos, um invasor pode inserir tags estranhas e fazer com que um analisador de XML lance uma exceção. Em casos mais perniciosos de injeção de XML, um invasor pode adicionar elementos XML que alteram credenciais de autenticação ou modificam preços em um banco de dados de comércio eletrônico XML. Às vezes, a injeção de XML pode provocar criação de scripts entre sites ou avaliação de código dinâmico.

Exemplo 1:

Suponha que um invasor possa controlar shoes no seguinte XML:

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


Agora, suponha que esse XML esteja incluído em uma solicitação de serviço Web back-end para efetuar um pedido de um par de sapatos. Suponha que o invasor modifique seu pedido e substitua shoes com por shoes</item><price>1.00</price><item>shoes. O novo XML teria a seguinte aparência:

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


Ao usar analisadores ABAP iXML, o valor a partir da segunda tag <price> substitui o valor da primeira tag <price>. Isso permite que o invasor compre um par de sapatos de $100 por apenas $1.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.abap.xml_injection
Abstract
A gravação de dados não validados em um documento XML pode permitir que um invasor altere a estrutura e o conteúdo do XML.
Explanation
Uma injeção de XML ocorre quando:

1. Os dados entram em um programa por uma fonte não confiável.

2. Os dados são gravados em um documento XML.

Em geral, os aplicativos usam o XML para armazenar dados ou enviar mensagens. Quando usados para armazenar dados, documentos XML são frequentemente tratados como bancos de dados e podem conter informações confidenciais. Mensagens XML são muitas vezes utilizadas em serviços Web e também podem ser usadas para enviar informações confidenciais. Mensagens XML podem até mesmo ser usadas para enviar credenciais de autenticação.

A semântica de documentos e mensagens XML poderá ser alterada se um invasor tiver a capacidade de escrever XML bruto. No melhor dos casos, um invasor pode ser capaz de inserir tags estranhas e fazer com que um analisador de XML lance uma exceção. Em casos mais perniciosos de injeção de XML, um invasor pode ser capaz de adicionar elementos XML que alteram credenciais de autenticação ou modificam preços em um banco de dados de comércio eletrônico XML. Em alguns casos, a injeção de XML pode até mesmo provocar criação de scripts entre sites ou avaliação de código dinâmico.

Exemplo 1:

Suponha que um invasor seja capaz de controlar shoes no seguinte XML.

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


Agora, suponha que esse XML está incluído em uma solicitação de serviço Web back-end para efetuar um pedido de um par de sapatos. Suponha que o invasor modifique seu pedido e substitua shoes com por shoes</item><price>1.00</price><item>shoes. O novo XML teria a seguinte aparência:

<order>
   <price>100.00</price>
   <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


Ao usar analisadores SAX, o valor a partir da segunda tag <price> substitui o valor da primeira tag <price>. Isso permite que o invasor compre um par de sapatos de $100 por apenas $1.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.dotnet.xml_injection
Abstract
O método identificado grava uma entrada XML não validada. Essa chamada pode permitir que um invasor injete elementos ou atributos arbitrários no documento XML.
Explanation
Uma injeção de XML ocorre quando:

1. Os dados entram em um programa por uma fonte não confiável.


2. Os dados são gravados em um documento XML.

Em geral, os aplicativos usam o XML para armazenar dados ou enviar mensagens. Quando usados para armazenar dados, documentos XML são frequentemente tratados como bancos de dados e podem conter informações confidenciais. Mensagens XML são muitas vezes utilizadas em serviços Web e também podem ser usadas para transmitir informações confidenciais. Mensagens XML podem até mesmo ser usadas para enviar credenciais de autenticação.

A semântica de documentos e mensagens XML poderá ser alterada se um invasor tiver a capacidade de escrever XML bruto. No melhor dos casos, um invasor pode ser capaz de inserir tags estranhas e fazer com que um analisador de XML lance uma exceção. Em casos mais perniciosos de injeção de XML, um invasor pode ser capaz de adicionar elementos XML que alteram credenciais de autenticação ou modificam preços em um banco de dados de comércio eletrônico XML. Em alguns casos, a injeção de XML pode provocar criação de scripts entre sites ou avaliação de código dinâmico.

Exemplo 1:

Suponha que um invasor seja capaz de controlar shoes no seguinte XML.

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


Agora, suponha que esse XML está incluído em uma solicitação de serviço Web back-end para efetuar um pedido de um par de sapatos. Suponha que o invasor modifique seu pedido e substitua shoes com por shoes</item><price>1.00</price><item>shoes. O novo XML teria a seguinte aparência:

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


Ao usar analisadores SAX, o valor a partir da segunda tag <price> substitui o valor da primeira tag <price>. Isso permite que o invasor compre um par de sapatos de $100 por apenas $1.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.cpp.xml_injection
Abstract
A gravação de dados não validados em um documento XML pode permitir que um invasor altere a estrutura e o conteúdo do XML.
Explanation
Uma injeção de XML ocorre quando:

1. Os dados entram em um programa por uma fonte não confiável.

2. Os dados são gravados em um documento XML.

Em geral, os aplicativos usam o XML para armazenar dados ou enviar mensagens. Quando usados para armazenar dados, documentos XML são frequentemente tratados como bancos de dados e podem conter informações confidenciais. Mensagens XML são muitas vezes utilizadas em serviços Web e também podem ser usadas para transmitir informações confidenciais. Mensagens XML podem até mesmo ser usadas para enviar credenciais de autenticação.

A semântica de documentos e mensagens XML poderá ser alterada se um invasor tiver a capacidade de escrever XML bruto. No melhor dos casos, um invasor pode inserir tags estranhas e fazer com que um analisador de XML lance uma exceção. Em casos mais perniciosos de injeção de XML, um invasor pode adicionar elementos XML que alteram credenciais de autenticação ou modificam preços em um banco de dados de comércio eletrônico XML. Às vezes, a injeção de XML pode provocar criação de scripts entre sites ou avaliação de código dinâmico.

Exemplo 1:

Suponha que um invasor possa controlar shoes no seguinte XML:

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


Agora, suponha que esse XML esteja incluído em uma solicitação de serviço Web back-end para efetuar um pedido de um par de sapatos. Suponha que o invasor modifique seu pedido e substitua shoes com por shoes</item><price>1.00</price><item>shoes. O novo XML teria a seguinte aparência:

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


Ao usar analisadores SAX, o valor a partir da segunda tag &lt;price&gt; substitui o valor da primeira tag <price>. Isso permite que o invasor compre um par de sapatos de $100 por apenas $1.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.golang.xml_injection
Abstract
A gravação de dados não validados em um documento XML pode permitir que um invasor altere a estrutura e o conteúdo do XML.
Explanation
Uma injeção de XML ocorre quando:

1. Os dados entram em um programa por uma fonte não confiável.

2. Os dados são gravados em um documento XML.

Em geral, os aplicativos usam o XML para armazenar dados ou enviar mensagens. Quando usados para armazenar dados, documentos XML são frequentemente tratados como bancos de dados e podem conter informações confidenciais. Mensagens XML são muitas vezes utilizadas em serviços Web e também podem ser usadas para transmitir informações confidenciais. Mensagens XML podem até mesmo ser usadas para enviar credenciais de autenticação.

A semântica de documentos e mensagens XML poderá ser alterada se um invasor tiver a capacidade de escrever XML bruto. No melhor dos casos, um invasor pode ser capaz de inserir tags estranhas e fazer com que um analisador de XML lance uma exceção. Em casos mais perniciosos de injeção de XML, um invasor pode ser capaz de adicionar elementos XML que alteram credenciais de autenticação ou modificam preços em um banco de dados de comércio eletrônico XML. Em alguns casos, a injeção de XML pode provocar criação de scripts entre sites ou avaliação de código dinâmico.

Exemplo 1:

Suponha que um invasor seja capaz de controlar shoes no seguinte XML.

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


Agora, suponha que esse XML está incluído em uma solicitação de serviço Web back-end para efetuar um pedido de um par de sapatos. Suponha que o invasor modifique seu pedido e substitua shoes com por shoes</item><price>1.00</price><item>shoes. O novo XML teria a seguinte aparência:

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


Ao usar analisadores SAX, o valor a partir da segunda tag <price> substitui o valor da primeira tag <price>. Isso permite que o invasor compre um par de sapatos de $100 por apenas $1.
References
[1] IDS16-J. Prevent XML Injection CERT
[2] INJECT-3: XML and HTML generation requires care Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 91
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.java.xml_injection
Abstract
A gravação de dados não validados em um documento XML pode permitir que um invasor altere a estrutura e o conteúdo do XML.
Explanation
Uma injeção de XML ocorre quando:

1. Os dados entram em um programa por uma fonte não confiável.


2. Os dados são gravados em um documento XML.

Em geral, os aplicativos usam o XML para armazenar dados ou enviar mensagens. Quando usados para armazenar dados, documentos XML são frequentemente tratados como bancos de dados e podem conter informações confidenciais. Mensagens XML são muitas vezes utilizadas em serviços Web e também podem ser usadas para transmitir informações confidenciais. Mensagens XML podem até mesmo ser usadas para enviar credenciais de autenticação.

A semântica de documentos e mensagens XML poderá ser alterada se um invasor tiver a capacidade de escrever XML bruto. No melhor dos casos, um invasor pode ser capaz de inserir tags estranhas e fazer com que um analisador de XML lance uma exceção. Em casos mais perniciosos de injeção de XML, um invasor pode ser capaz de adicionar elementos XML que alteram credenciais de autenticação ou modificam preços em um banco de dados de comércio eletrônico XML. Em alguns casos, a injeção de XML pode provocar criação de scripts entre sites ou avaliação de código dinâmico.

Exemplo 1:

Suponha que um invasor possa controlar shoes no XML a seguir.

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


Agora, suponha que esse XML está incluído em uma solicitação de serviço Web back-end para efetuar um pedido de um par de sapatos. Suponha que o invasor modifique seu pedido e substitua shoes com por shoes</item><price>1.00</price><item>shoes. O novo XML teria a seguinte aparência:

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


Isso pode permitir que um invasor compre um par de sapatos que custam US$100,00 por US$1,00.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.javascript.xml_injection
Abstract
O método identificado grava uma entrada XML não validada. Essa chamada pode permitir que um invasor injete elementos ou atributos arbitrários no documento XML.
Explanation
Uma injeção de XML ocorre quando:

1. Os dados entram em um programa por uma fonte não confiável.


2. Os dados são gravados em um documento XML.

Em geral, os aplicativos usam o XML para armazenar dados ou enviar mensagens. Quando usados para armazenar dados, documentos XML são frequentemente tratados como bancos de dados e podem conter informações confidenciais. Mensagens XML são muitas vezes utilizadas em serviços Web e também podem ser usadas para transmitir informações confidenciais. Mensagens XML podem até mesmo ser usadas para enviar credenciais de autenticação.

A semântica de documentos e mensagens XML poderá ser alterada se um invasor tiver a capacidade de escrever XML bruto. No melhor dos casos, um invasor pode ser capaz de inserir tags estranhas e fazer com que um analisador de XML lance uma exceção. Em casos mais perniciosos de injeção de XML, um invasor pode ser capaz de adicionar elementos XML que alteram credenciais de autenticação ou modificam preços em um banco de dados de comércio eletrônico XML. Em alguns casos, a injeção de XML pode provocar criação de scripts entre sites ou avaliação de código dinâmico.

Exemplo 1:

Suponha que um invasor seja capaz de controlar shoes no seguinte XML.

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


Agora, suponha que esse XML está incluído em uma solicitação de serviço Web back-end para efetuar um pedido de um par de sapatos. Suponha que o invasor modifique seu pedido e substitua shoes com por shoes</item><price>1.00</price><item>shoes. O novo XML teria a seguinte aparência:

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


Ao usar analisadores SAX, o valor a partir da segunda tag <price> substitui o valor da primeira tag <price>. Isso permite que o invasor compre um par de sapatos de $100 por apenas $1.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.objc.xml_injection
Abstract
A gravação de dados não validados em um documento XML pode permitir que um invasor altere a estrutura e o conteúdo do XML.
Explanation
Uma injeção de XML ocorre quando:

1. Os dados entram em um programa por uma fonte não confiável.

2. Os dados são gravados em um documento XML.

Em geral, os aplicativos usam o XML para armazenar dados ou enviar mensagens. Quando usados para armazenar dados, documentos XML são frequentemente tratados como bancos de dados e podem conter informações confidenciais. Mensagens XML são muitas vezes utilizadas em serviços Web e também podem ser usadas para transmitir informações confidenciais. Mensagens XML podem até mesmo ser usadas para enviar credenciais de autenticação.

A semântica de documentos e mensagens XML poderá ser alterada se um invasor tiver a capacidade de escrever XML bruto. No melhor dos casos, um invasor pode ser capaz de inserir tags estranhas e fazer com que um analisador de XML lance uma exceção. Em casos mais perniciosos de injeção de XML, um invasor pode ser capaz de adicionar elementos XML que alteram credenciais de autenticação ou modificam preços em um banco de dados de comércio eletrônico XML. Em alguns casos, a injeção de XML pode provocar criação de scripts entre sites ou avaliação de código dinâmico.

Exemplo 1:

Suponha que um invasor seja capaz de controlar shoes no seguinte XML.

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


Agora, suponha que esse XML está incluído em uma solicitação de serviço Web back-end para efetuar um pedido de um par de sapatos. Suponha que o invasor modifique seu pedido e substitua shoes com por shoes</item><price>1.00</price><item>shoes. O novo XML teria a seguinte aparência:

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


Ao usar analisadores XML, o valor da segunda marca <price> substitui o valor da primeira marca <price>. Isso permite que o invasor compre um par de sapatos de $100 por apenas $1.


Uma forma mais grave desse ataque chamada de injeção de XXE pode ocorrer quando o invasor controla a frente ou todo o documento XML que é analisado.

Exemplo 2: Estes são alguns códigos vulneráveis a ataques XXE:

Pressuponha que um invasor possa controlar o XML de entrada para o seguinte código:


...
<?php
$goodXML = $_GET["key"];
$doc = simplexml_load_string($goodXml);
echo $doc->testing;
?>
...


Agora suponha que o XML a seguir é passado pelo invasor para o código no Example 2:



<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>



Quando o XML é processado, o conteúdo do elemento <foo> é preenchido com o conteúdo do arquivo boot.ini do sistema. O invasor pode usar elementos XML que são devolvidos ao cliente para roubar dados ou obter informações sobre a existência de recursos de rede.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.php.xml_injection
Abstract
A gravação de dados não validados em um documento XML pode permitir que um invasor altere a estrutura e o conteúdo do XML.
Explanation
Uma injeção de XML ocorre quando:

1. Os dados entram em um programa por uma fonte não confiável.

2. Os dados são gravados em um documento XML.

Em geral, os aplicativos usam o XML para armazenar dados ou enviar mensagens. Quando usados para armazenar dados, documentos XML são frequentemente tratados como bancos de dados e podem conter informações confidenciais. Mensagens XML são muitas vezes utilizadas em serviços Web e também podem ser usadas para transmitir informações confidenciais. Mensagens XML podem até mesmo ser usadas para enviar credenciais de autenticação.

A semântica de documentos e mensagens XML poderá ser alterada se um invasor tiver a capacidade de escrever XML bruto. No melhor dos casos, um invasor pode ser capaz de inserir tags estranhas e fazer com que um analisador de XML lance uma exceção. Em casos mais perniciosos de injeção de XML, um invasor pode ser capaz de adicionar elementos XML que alteram credenciais de autenticação ou modificam preços em um banco de dados de comércio eletrônico XML. Em alguns casos, a injeção de XML pode provocar criação de scripts entre sites ou avaliação de código dinâmico.

Exemplo 1:

Suponha que um invasor seja capaz de controlar shoes no seguinte XML.

<order>
    <price>100.00</price>
    <item>shoes</item>
</order>


Agora, suponha que esse XML está incluído em uma solicitação de serviço Web back-end para efetuar um pedido de um par de sapatos. Suponha que o invasor modifique seu pedido e substitua shoes com por shoes</item><price>1.00</price><item>shoes. O novo XML teria a seguinte aparência:

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


Ao usar analisadores SAX, o valor a partir da segunda tag <price> substitui o valor da primeira tag <price>. Isso permite que o invasor compre um par de sapatos de $100 por apenas $1.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.python.xml_injection
Abstract
A gravação de dados não validados em um documento XML pode permitir que um invasor altere a estrutura e o conteúdo do XML. A análise de XML não validado pode resultar em negação de serviço, exposição de informações confidenciais e até execução remota de código.
Explanation
Uma injeção de XML ocorre quando:

1. Os dados entram em um programa por uma fonte não confiável.

2. Os dados são gravados em um documento XML ou analisados como XML.

Em geral, os aplicativos usam o XML para armazenar dados ou enviar mensagens. Quando usados para armazenar dados, documentos XML são frequentemente tratados como bancos de dados e podem conter informações confidenciais. Mensagens XML são muitas vezes utilizadas em serviços Web e também podem ser usadas para transmitir informações confidenciais. Mensagens XML podem até mesmo ser usadas para enviar credenciais de autenticação.

A semântica de documentos e mensagens XML poderá ser alterada se um invasor tiver a capacidade de escrever XML bruto. No melhor dos casos, um invasor pode ser capaz de inserir tags estranhas e fazer com que um analisador de XML lance uma exceção. Em casos mais perniciosos de injeção de XML, um invasor pode ser capaz de adicionar elementos XML que alteram credenciais de autenticação ou modificam preços em um banco de dados de comércio eletrônico XML. Em alguns casos, a injeção de XML pode provocar criação de scripts entre sites ou avaliação de código dinâmico.

Exemplo 1:

Suponha que um invasor seja capaz de controlar shoes no seguinte XML.

<order>
    <price>100.00</price>
    <item>shoes</item>
</order>


Agora, suponha que esse XML está incluído em uma solicitação de serviço Web back-end para efetuar um pedido de um par de sapatos. Suponha que o invasor modifique seu pedido e substitua shoes com por shoes</item><price>1.00</price><item>shoes. O novo XML teria a seguinte aparência:

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


Ao usar analisadores SAX, o valor a partir da segunda tag <price> substitui o valor da primeira tag <price>. Isso permite que o invasor compre um par de sapatos de $100 por apenas $1.
References
[1] Introduction to Software Security: XML Injection Atacks University of Wisconsin-Madison
[2] Exploitation: XML External Entity (XXE) Injection Depth Security
[3] Standards Mapping - Common Weakness Enumeration CWE ID 91
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.ruby.xml_injection
Abstract
A gravação de dados não validados em um documento XML pode permitir que um invasor altere a estrutura e o conteúdo do XML. A análise de XML não validado pode resultar em negação de serviço, exposição de informações confidenciais e até execução remota de código.
Explanation
Uma injeção de XML ocorre quando:

1. Os dados entram em um programa por uma fonte não confiável.

2. Os dados são gravados em um documento XML ou analisados como XML.

Em geral, os aplicativos usam o XML para armazenar dados ou enviar mensagens. Quando usados para armazenar dados, documentos XML são frequentemente tratados como bancos de dados e podem conter informações confidenciais. Mensagens XML são muitas vezes utilizadas em serviços Web e também podem ser usadas para transmitir informações confidenciais. Mensagens XML podem até mesmo ser usadas para enviar credenciais de autenticação.

A semântica de documentos e mensagens XML poderá ser alterada se um invasor tiver a capacidade de escrever XML bruto. No melhor dos casos, um invasor pode ser capaz de inserir tags estranhas e fazer com que um analisador de XML lance uma exceção. Em casos mais perniciosos de injeção de XML, um invasor pode ser capaz de adicionar elementos XML que alteram credenciais de autenticação ou modificam preços em um banco de dados de comércio eletrônico XML. Em alguns casos, a injeção de XML pode provocar criação de scripts entre sites ou avaliação de código dinâmico.

Exemplo 1:

Suponha que um invasor seja capaz de controlar shoes no seguinte XML.

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


Agora, suponha que esse XML está incluído em uma solicitação de serviço Web back-end para efetuar um pedido de um par de sapatos. Suponha que o invasor modifique seu pedido e substitua shoes com por shoes</item><price>1.00</price><item>shoes. O novo XML teria a seguinte aparência:

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


Ao usar analisadores SAX, o valor da segunda marca <price> substitui o valor da primeira marca <price>.Isso permite que o invasor compre um par de sapatos de $100 por apenas $1.
References
[1] IDS16-J. Prevent XML Injection CERT
[2] INJECT-3: XML and HTML generation requires care Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 91
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.scala.xml_injection
Abstract
O método identificado grava uma entrada XML não validada. Essa chamada pode permitir que um invasor injete elementos ou atributos arbitrários no documento XML.
Explanation
Uma injeção de XML ocorre quando:

1. Os dados entram em um programa por uma fonte não confiável.


2. Os dados são gravados em um documento XML.

Em geral, os aplicativos usam o XML para armazenar dados ou enviar mensagens. Quando usados para armazenar dados, documentos XML são frequentemente tratados como bancos de dados e podem conter informações confidenciais. Mensagens XML são muitas vezes utilizadas em serviços Web e também podem ser usadas para transmitir informações confidenciais. Mensagens XML podem até mesmo ser usadas para enviar credenciais de autenticação.

A semântica de documentos e mensagens XML poderá ser alterada se um invasor tiver a capacidade de escrever XML bruto. No melhor dos casos, um invasor pode ser capaz de inserir tags estranhas e fazer com que um analisador de XML lance uma exceção. Em casos mais perniciosos de injeção de XML, um invasor pode ser capaz de adicionar elementos XML que alteram credenciais de autenticação ou modificam preços em um banco de dados de comércio eletrônico XML. Em alguns casos, a injeção de XML pode provocar criação de scripts entre sites ou avaliação de código dinâmico.

Exemplo 1:

Suponha que um invasor seja capaz de controlar shoes no XML a seguir.

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


Agora, suponha que esse XML está incluído em uma solicitação de serviço Web back-end para efetuar um pedido de um par de sapatos. Suponha que o invasor modifique seu pedido e substitua shoes com por shoes</item><price>1.00</price><item>shoes. O novo XML teria a seguinte aparência:

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


Ao usar analisadores SAX, o valor a partir da segunda tag <price> substitui o valor da primeira tag <price>. Isso permite que o invasor compre um par de sapatos de $100 por apenas $1.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.swift.xml_injection

XML Injection: Open XML

Abstract
A gravação de dados não validados em um documento Open XML pode permitir que um invasor altere a estrutura e o conteúdo do XML subjacente.
Explanation
Injeção de XML: O Open XML ocorre quando:

1. Os dados entram em um programa por uma fonte não confiável.


2. Os dados são gravados em um documento Open XML.

Normalmente usam-se documentos Open XML para armazenar informações a serem apresentadas a outras pessoas, e eles costumam ter informações confidenciais.

A semântica de documentos Open XML poderá ser alterada se um invasor tiver a capacidade de gravar XML bruto. No melhor dos casos, um invasor pode inserir tags estranhas e fazer com que um analisador de Open XML lance uma exceção. Em casos mais perniciosos de injeção de XML, um invasor pode modificar, adicionar ou remover elementos XML que especificam informações importantes. Em alguns casos, a injeção de XML pode até mesmo provocar criação de scripts entre sites ou avaliação de código dinâmico.

Exemplo 1:

Imaginemos que um invasor consiga controlar a tag a:t do seguinte documento Open XML.

<a:t>YoY results: up 10%</a:t>


Agora, suponhamos que esse XML esteja incluído em uma apresentação do Powerpoint que uma empresa está fornecendo a seus acionistas. Nesse caso, a empresa tem um serviço de upload de documentos no site voltado aos clientes, que tem uma vulnerabilidade de injeção de XML. Suponha que o invasor modifique o documento para dizer "Resultados anuais: diminuição de 10%". Essa atualização significativa pode acarretar uma grande oscilação nos preços das ações da empresa. Mesmo sem modificação, um usuário com acesso a essas informações confidenciais antes de elas se tornarem de conhecimento público pode se utilizar dessas informações no mercado de ações de forma parecida ao uso de informações privilegiadas.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[11] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[12] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[13] Standards Mapping - OWASP Top 10 2010 A1 Injection
[14] Standards Mapping - OWASP Top 10 2013 A1 Injection
[15] Standards Mapping - OWASP Top 10 2017 A1 Injection
[16] Standards Mapping - OWASP Top 10 2021 A03 Injection
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.dotnet.xml_injection_open_xml