1437 itens encontrados
Vulnerabilidades

EJB Bad Practices: Use of AWT/Swing

Abstract
O programa viola a especificação Enterprise JavaBeans usando AWT/Swing.
Explanation
A especificação Enterprise JavaBeans exige que todos os fornecedores de beans sigam um conjunto de orientações de programação destinadas a assegurar que o bean será portátil e terá um comportamento consistente em qualquer contêiner EJB [1].

Neste caso, o programa viola a seguinte orientação EJB:

"Um enterprise bean não deve usar a funcionalidade AWT para tentar a saída de informações em um monitor ou para inserir informações usando um teclado."

Uma exigência que a especificação justifica da seguinte maneira:

"Os servidores não permitem interação direta entre um programa de aplicativo e um teclado/tela conectado ao sistema do servidor."
References
[1] Jakarta Enterprise Beans 4.0 Eclipse Foundation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 575
desc.structural.java.ejb_bad_practices_use_of_awt_swing

EJB Bad Practices: Use of Class Loader

Abstract
O programa viola a especificação Enterprise JavaBeans usando o carregador de classe.
Explanation
A especificação Enterprise JavaBeans exige que todos os fornecedores de beans sigam um conjunto de orientações de programação destinadas a assegurar que o bean será portátil e terá um comportamento consistente em qualquer contêiner EJB [1].

Neste caso, o programa viola a seguinte orientação EJB:

"O enterprise bean não deve tentar criar um carregador de classes; definir o carregador de classes de contexto; definir o gerenciador de segurança; criar um novo gerenciador de segurança; parar a JVM; ou alterar os fluxos de entrada, saída e erro."

Uma exigência que a especificação justifica da seguinte maneira:

"Essas funções são reservadas para o contêiner do Enterprise Beans. Permitir que o enterprise bean use essas funções pode comprometer a segurança e diminuir a capacidade do contêiner de gerenciar adequadamente o ambiente de tempo de execução."
References
[1] Jakarta Enterprise Beans 4.0 Eclipse Foundation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 578
desc.structural.java.ejb_bad_practices_use_of_classloader

EJB Bad Practices: Use of java.io

Abstract
O programa viola a especificação Enterprise JavaBeans usando o pacote java.io.
Explanation
A especificação Enterprise JavaBeans exige que todos os fornecedores de beans sigam um conjunto de orientações de programação destinadas a assegurar que o bean será portátil e terá um comportamento consistente em qualquer contêiner EJB [1].

Neste caso, o programa viola a seguinte orientação EJB:

"Um enterprise bean deve ter cuidado ao usar o pacote Java I/O para tentar acessar arquivos e diretórios no sistema de arquivos."

Uma exigência que a especificação justifica da seguinte maneira:

"As APIs do sistema de arquivos não são adequadas para que componentes de negócios acessem dados. Os arquivos podem não estar acessíveis em todas as instâncias, ou seu conteúdo pode ser diferente em instâncias diferentes, e coordenar as atualizações do arquivo pode ser difícil. Os componentes de negócios devem usar uma API de gerenciador de recursos, como JDBC, para armazenar dados."
References
[1] Jakarta Enterprise Beans 4.0 Eclipse Foundation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 576
desc.structural.java.ejb_bad_practices_use_of_java_io

EJB Bad Practices: Use of Sockets

Abstract
O programa viola a especificação Enterprise JavaBeans usando soquetes.
Explanation
A especificação Enterprise JavaBeans exige que todos os fornecedores de beans sigam um conjunto de orientações de programação destinadas a assegurar que o bean será portátil e terá um comportamento consistente em qualquer contêiner EJB [1].

Neste caso, o programa viola a seguinte orientação EJB:

"Um enterprise bean não deve tentar escutar em um soquete, aceitar conexões em um soquete ou usar um soquete para multitransmissão."

Uma exigência que a especificação justifica da seguinte maneira:

"A arquitetura do Enterprise Beans permite que uma instância de enterprise bean seja um cliente de soquete de rede, mas não permite que ela seja um servidor de rede. Permitir que a instância se torne um servidor de rede entraria em conflito com a função básica do enterprise bean: atender aos clientes do Enterprise Beans."
References
[1] Jakarta Enterprise Beans 4.0 Eclipse Foundation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 577
desc.structural.java.ejb_bad_practices_use_of_sockets

EJB Bad Practices: Use of Synchronization Primitives

Abstract
O programa viola a especificação Enterprise JavaBeans usando primitivos de sincronização de threads.
Explanation
A especificação Enterprise JavaBeans exige que todos os fornecedores de beans sigam um conjunto de orientações de programação destinadas a assegurar que o bean será portátil e terá um comportamento consistente em qualquer contêiner EJB [1].

Neste caso, o programa viola a seguinte orientação EJB:

"Um enterprise bean não deve usar primitivas de sincronização de threads para sincronizar a execução de várias instâncias, a menos que seja um singleton session bean com simultaneidade gerenciada por bean."

Uma exigência que a especificação justifica da seguinte maneira:

"Essa regra é necessária para garantir uma semântica em tempo de execução consistente, pois, embora alguns contêineres do Enterprise Beans possam usar uma única JVM para executar todas as instâncias do enterprise bean, outros podem distribuir essas instâncias entre várias JVMs."
References
[1] Jakarta Enterprise Beans 4.0 Eclipse Foundation
[2] THI01-J. Do not invoke ThreadGroup methods CERT
[3] Standards Mapping - Common Weakness Enumeration CWE ID 574
desc.structural.java.ejb_bad_practices_use_of_synchronization_primitives

Encoding Confusion: BiDi Control Characters

Abstract
Os caracteres de controle bidirecional no código-fonte podem levar a ataques de origem trojan.
Explanation
O código-fonte que contém caracteres de controle de substituição bidirecional Unicode pode ser um sinal de um ataque de ameaça interna. Esse ataque pode ser alavancado por meio da cadeia de suprimentos para linguagens de programação como C, C++, C#, Go, Java, JavaScript, Python e Rust. Diversas variantes de ataque já foram publicados por Nicholas Boucher e Ross Anderson, incluindo: Retornos iniciais, comentários e strings estendidas.
Exemplo 1: O código a seguir exibe um caractere de controle, presente em um arquivo de código-fonte C, que leva a um ataque de Retorno Antecipado:

#include <stdio.h>

int main() {
	/* Nothing to see here; newline RLI /*/ return 0 ;
	printf("Do we get here?\n");
	return 0;
}

O caractere Unicode de controle bidirecional isolado da direita para a esquerda (RLI), em Example 1, faz com que o código seja visto como o seguinte:

#include <stdio.h>

int main() {
	/* Nothing to see here; newline; return 0 /*/
	printf("Do we get here?\n");
	return 0;
}

É importante ressaltar que um desenvolvedor que realiza uma revisão de código, em um editor/visualizador vulnerável, não veria visivelmente o que um compilador vulnerável processará. Especificamente, a instrução de retorno antecipado que modifica o fluxo do programa.
References
[1] Nicholas Boucher, and R. Anderson Trojan Source: Invisible Vulnerabilities
[2] Standards Mapping - Common Weakness Enumeration CWE ID 451
[3] Standards Mapping - OWASP Top 10 2017 A1 Injection
[4] Standards Mapping - OWASP Top 10 2021 A03 Injection
[5] Standards Mapping - Smart Contract Weakness Classification SWC-130
desc.regex.universal.encoding_confusion_bidi_control_characters

Experimental API

Abstract
O aplicativo usa uma biblioteca experimental.
Explanation
Essa biblioteca é considerada experimental e não deve ser usada em ambientes de produção, a menos que você saiba o que está fazendo.
desc.semantic.scala.experimental_api

Expression Language Injection: Spring

Abstract
A avaliação de expressões SpEL não validadas pode levar a uma execução remota de código.
Explanation
A Spring Expression Language (SpEL para abreviar) é uma linguagem de expressão poderosa que suporta a consulta e a manipulação de um gráfico de objetos em tempo de execução. A sintaxe de linguagem é semelhante ao EL Unificado, mas oferece recursos adicionais, principalmente a invocação do método e a funcionalidade básica do modelo de string.
Permitir que expressões não validadas sejam avaliadas permitirá que um invasor execute um código arbitrário.

Exemplo 1: O aplicativo usa dados não validados controlados pelo usuário para criar e avaliar uma expressão SpEL:


String expression = request.getParameter("input");
SpelExpressionParser parser = new SpelExpressionParser();
SpelExpression expr = parser.parseRaw(expression);
Exemplo 2: O aplicativo usa dados não validados controlados pelo usuário em uma tag Spring que realiza a avaliação dupla SpEL:


    <spring:message text="" code="${param['message']}"></spring:message>
References
[1] Dan Amodio Remote Code with Expression Language Injection
[2] Expression Language Injection OWASP
[3] CVE-2011-2730 Red Hat
[4] Standards Mapping - Common Weakness Enumeration CWE ID 94, CWE ID 95, CWE ID 917
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [25] CWE ID 077
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [17] CWE ID 077, [25] CWE ID 094
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [16] CWE ID 077, [23] CWE ID 094
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094, [13] CWE ID 077
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[12] Standards Mapping - FIPS200 SI
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.4 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[18] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[19] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[21] Standards Mapping - OWASP Top 10 2010 A1 Injection
[22] Standards Mapping - OWASP Top 10 2013 A1 Injection
[23] Standards Mapping - OWASP Top 10 2017 A1 Injection
[24] Standards Mapping - OWASP Top 10 2021 A03 Injection
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[37] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[60] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.java.expression_language_injection_spring

External Content: Content Delivery Network

Abstract
Depender de uma CDN para fornecer o código essencial diretamente aos usuários pode resultar na execução de código mal-intencionado.
Explanation
Usar uma CDN para servir um aplicativo dependente de JavaScript oferece muito mais vantagens que servir o JavaScript do próprio servidor do aplicativo. Essas vantagens incluem a melhoria do desempenho e a redução da manutenção do código para o proprietário do aplicativo. No entanto, o aplicativo supõe que a CDN distribuirá conteúdo seguro para o navegador. Se um invasor comprometer uma CDN, ela enviará código mal-intencionado ao navegador do usuário. O navegador do usuário passará a executar um código que o aplicativo não pode controlar ou detectar como mal-intencionado.

Exemplo 1: O código ASPX a seguir inclui o código jQuery da Microsoft referenciando a Microsoft CDN:


...
<script src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js" type="text/javascript"></script>
...
Exemplo 2: O código ASPX a seguir permite o redirecionamento automático de todas as solicitações de script da estrutura ASP.NET à Microsoft Ajax CDN:


...
<asp:ScriptManager
   ID="ScriptManager1"
   EnableCdn="true"
   Runat="Server" />
...


No Example 2, o controle ScriptManager configura sua página ASPX para redirecionar automaticamente qualquer solicitação de script à CDN apropriada.
References
[1] Content Deliver Network and its Regulation The Journal of China Universities of Posts and Telecommunications
[2] Managed Content Security Delivery radware
[3] Standards Mapping - Common Weakness Enumeration CWE ID 94, CWE ID 98
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.9 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 12.3.6 File Execution Requirements (L2 L3), 14.2.4 Dependency (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[32] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 098
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.semantic.dotnet.external_content_content_delivery_network

File Based Cross-Zone Scripting

Abstract
É perigoso carregar um arquivo capaz de executar scripts não confiáveis dentro do contexto do seu aplicativo.
Explanation
Erros de Execução de Scripts entre Zonas com Base em Arquivo ocorrem quando as seguintes condições são atendidas:

1. É carregado um arquivo capaz de permitir que scripts sejam executados dentro do seu aplicativo

2. O script carregado é considerado como sendo da mesma origem que o aplicativo em execução.

Quando essas duas condições são atendidas, uma série de ataques pode ser habilitada, especialmente se outras partes determinarem a confiança com base em se as informações são provenientes dos limites do seu aplicativo.

Exemplo 1: O código a seguir usa uma WebView do Android a fim de carregar um arquivo localmente:

...
myWebView.loadUrl("file:///android_asset/www/index.html");
...

No Example 1, o renderizador WebView do Android trata todo o conteúdo carregado com loadUrl(), com uma URL começando com "file://" como estando na mesma origem.

Existem algumas maneiras típicas de um invasor se aproveitar de uma vulnerabilidade de Criação de Script entre Zonas com Base em Arquivo ao carregar um arquivo:
- o arquivo local pode ser manipulado por um invasor, que pode injetar script nesse arquivo.
Isso dependerá de permissões de arquivo, na localização do arquivo ou em condições de corrida, nas quais um arquivo pode ser salvo e então carregado (pode haver uma janela de tempo para modificação).

- o arquivo pode ser chamado para um recurso externo.
Isso pode ocorrer quando o arquivo carregado recupera scripts de um recurso externo.

Exemplo 2: O código a seguir examina uma fonte externa para determinar o JavaScript que ele deve executar.

  <script src="http://www.example.com/js/fancyWidget.js"></script>

No Example 2, está sendo usado um protocolo não seguro que poderia permitir que o script resultante seja modificado por um agente mal-intencionado. Como alternativa, outros ataques podem ser realizados para reencaminhar a máquina ao site de um invasor.

- o arquivo carregado pode conter vulnerabilidades de criação de scripts entre sites.
Se o arquivo que está sendo carregado for capaz de ter código injetado, este talvez possa ser executado no contexto do seu aplicativo. Esta pode não ser necessariamente a capacidade de injetar JavaScript, mas a simples capacidade de injetar HTML também pode permitir invasões ou ataques de Negação de Serviço.
References
[1] Erika Chin and David Wagner Bifocals: Analyzing WebView Vulnerabilities in Android Applications
[2] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [1] CWE ID 079
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-2
[17] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[18] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[19] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[20] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[21] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[36] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[37] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[60] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[61] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.semantic.java.file_based_cross_zone_scripting
Abstract
É perigoso carregar um arquivo local capaz de executar scripts não confiáveis dentro do contexto privilegiado do seu aplicativo.
Explanation
A execução de scripts entre zonas com base em arquivo ocorre quando as seguintes condições são atendidas:

1. É carregado um arquivo capaz de permitir que scripts sejam executados dentro do seu aplicativo.


2. O script carregado é considerado como tendo a mesma origem que o aplicativo em execução (file://).

Quando essas duas condições são atendidas, uma série de ataques pode ser habilitada, especialmente se outras partes determinarem a confiança com base em se as informações são provenientes dos limites do seu aplicativo.

Exemplo 1: O código a seguir usa o método UIWebView.loadRequest(_:) para carregar um arquivo local:

...
NSURL *url = [[NSBundle mainBundle] URLForResource: filename withExtension:extension]; 
[webView loadRequest:[[NSURLRequest alloc] initWithURL:url]];
...


No Example 1, o mecanismo WebView trata todo o conteúdo carregado com UIWebView.loadRequest(_:), com uma URL que começa com file://, como estando na origem de arquivo local privilegiada.

Existem algumas maneiras típicas de um invasor se aproveitar de uma vulnerabilidade de execução de script entre zonas com base em arquivo ao carregar a partir de um arquivo:

- O arquivo local pode ser controlado pelo invasor. Por exemplo, o invasor pode enviar o arquivo para a sua vítima, que então o armazena no aplicativo vulnerável (por exemplo: um aplicativo de armazenamento na nuvem)
- O arquivo local pode ser manipulado por um invasor, que pode injetar script nesse arquivo. Isso dependerá de permissões de arquivo, na localização do arquivo ou em condições de corrida, nas quais um arquivo pode ser salvo e então carregado (pode haver uma janela de tempo para modificação).
- O arquivo pode ser chamado para um recurso externo. Isso pode ocorrer quando o arquivo carregado recupera scripts de um recurso externo.
- O arquivo carregado pode conter vulnerabilidades de execução de scripts entre sites. Se o arquivo que está sendo carregado contiver código injetado, talvez esse código possa ser executado no contexto do seu aplicativo. O código injetado não precisa ser o código JavaScript - um HTML injetado também pode permitir desfigurações ou ataques de negação de serviço.

Se o arquivo controlado pelo invasor for carregado localmente com uma URL file://, a Política de mesma origem permitirá que os scripts nesse arquivo acessem qualquer outro arquivo da mesma origem, o que pode permitir que um invasor acesse qualquer arquivo local que contenha informações confidenciais.
References
[1] Same-origin policy for file: URIs Mozilla
[2] Old Habits Die Hard: Cross-Zone Scripting in Dropbox & Google Drive Mobile Apps IBM
[3] loadHTMLString(_:baseURL:) API documentation Apple
[4] loadRequest(_:) API documentation Apple
[5] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[10] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2024 [1] CWE ID 079
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[13] Standards Mapping - FIPS200 SI
[14] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[19] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-2
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[38] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[39] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[40] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[41] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[64] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.objc.file_based_cross_zone_scripting
Abstract
É perigoso carregar um arquivo local capaz de executar scripts não confiáveis dentro do contexto privilegiado do seu aplicativo.
Explanation
A execução de scripts entre zonas com base em arquivo ocorre quando as seguintes condições são atendidas:

1. É carregado um arquivo capaz de permitir que scripts sejam executados dentro do seu aplicativo.


2. O script carregado é considerado como tendo a mesma origem que o aplicativo em execução (file://).

Quando essas duas condições são atendidas, uma série de ataques pode ser habilitada, especialmente se outras partes determinarem a confiança com base em se as informações são provenientes dos limites do seu aplicativo.

Exemplo 1: O código a seguir usa o método UIWebView.loadRequest(_:) para carregar um arquivo local:

...
let url = Bundle.main.url(forResource: filename, withExtension: extension)
self.webView!.load(URLRequest(url:url!))
...


No Example 1, o mecanismo WebView trata todo o conteúdo carregado com UIWebView.loadRequest(_:), com uma URL que começa com file://, como estando na origem de arquivo local privilegiada.

Existem algumas maneiras típicas de um invasor se aproveitar de uma vulnerabilidade de execução de script entre zonas com base em arquivo ao carregar a partir de um arquivo:

- O arquivo local pode ser controlado pelo invasor. Por exemplo, o invasor pode enviar o arquivo para a sua vítima, que então o armazena no aplicativo vulnerável (por exemplo: um aplicativo de armazenamento na nuvem)
- O arquivo local pode ser manipulado por um invasor, que pode injetar script nesse arquivo. Isso dependerá de permissões de arquivo, na localização do arquivo ou em condições de corrida, nas quais um arquivo pode ser salvo e então carregado (pode haver uma janela de tempo para modificação).
- O arquivo pode ser chamado para um recurso externo. Isso pode ocorrer quando o arquivo carregado recupera scripts de um recurso externo.
- O arquivo carregado pode conter vulnerabilidades de execução de scripts entre sites. Se o arquivo que está sendo carregado contiver código injetado, talvez esse código possa ser executado no contexto do seu aplicativo. O código injetado não precisa ser o código JavaScript - um HTML injetado também pode permitir desfigurações ou ataques de negação de serviço.

Se o arquivo controlado pelo invasor for carregado localmente com uma URL file://, a Política de mesma origem permitirá que os scripts nesse arquivo acessem qualquer outro arquivo da mesma origem, o que pode permitir que um invasor acesse qualquer arquivo local que contenha informações confidenciais.
References
[1] Same-origin policy for file: URIs Mozilla
[2] Old Habits Die Hard: Cross-Zone Scripting in Dropbox & Google Drive Mobile Apps IBM
[3] loadHTMLString(_:baseURL:) API documentation Apple
[4] loadRequest(_:) API documentation Apple
[5] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[10] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2024 [1] CWE ID 079
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[13] Standards Mapping - FIPS200 SI
[14] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[19] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-2
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[38] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[39] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[40] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[41] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[64] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.swift.file_based_cross_zone_scripting

File Disclosure: Django

Abstract
Criar uma instância FileResponse com entrada de usuário poderia permitir que um invasor fizesse o download dos binários do aplicativo ou visualizasse arquivos arbitrários dentro de diretórios protegidos.
Explanation
A divulgação de arquivos ocorre quando:
1. Os dados entram em um programa por uma fonte não confiável.


2. Os dados são usados para construir dinamicamente um caminho.

Exemplo 1: Este código usa dados não confiáveis e os usa para abrir um arquivo que é retornado ao usuário.


from django.http import FileResponse
...
def file_disclosure(request):
    path = request.GET['returnURL']
    return FileResponse(open(path, 'rb'))
...


Se um invasor fornecesse uma URL com o parâmetro de solicitação correspondente a um local de arquivo sensível, ele seria capaz de visualizar esse arquivo. Por exemplo, "http://www.yourcorp.com/webApp/logic?returnURL=settings.py" permitiria a eles visualizar o "settings.py" do aplicativo.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 552
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.12.1 Secure File Upload Architectural Requirements (L2 L3), 12.5.1 File Download Requirements (L1 L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[12] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[13] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[28] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 073
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[44] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
desc.dataflow.python.file_disclosure_django

File Disclosure: J2EE

Abstract
A construção de um caminho de redirecionamento no lado do servidor com a entrada do usuário pode permitir que um invasor baixe binários de aplicativos (incluindo arquivos jar ou classes de aplicativo) ou visualize arquivos arbitrários dentro de diretórios protegidos.
Explanation
Uma divulgação de arquivos ocorre quando:
1. Os dados entram em um programa por uma fonte não confiável.


2. Os dados são usados para construir dinamicamente um caminho.

Exemplo 1: O código a seguir usa dados não confiáveis para construir um caminho que é usado em um redirecionamento no lado do servidor.


...
String returnURL = request.getParameter("returnURL");
	RequestDispatcher rd = request.getRequestDispatcher(returnURL);
	rd.forward();
...
Exemplo 2: O código a seguir usa dados não confiáveis para construir um caminho que é usado em um redirecionamento no lado do servidor.


...
	<% String returnURL = request.getParameter("returnURL"); %>
	<jsp:include page="<%=returnURL%>" />
	...



Se um invasor fornecesse uma URL com o parâmetro de solicitação correspondente a um local de arquivo sensível, ele seria capaz de visualizar esse arquivo. Por exemplo, "http://www.yourcorp.com/webApp/logic?returnURL=WEB-INF/applicationContext.xml" permitiria visualizar o arquivo applicationContext.xml do aplicativo.
Depois que o invasor tiver applicationContext.xml, ele poderia localizar e baixar outros arquivos de configuração referenciados nesse arquivo ou até mesmo em arquivos de classe ou jar. Isso permitiria que os invasores obtivessem informações confidenciais sobre um aplicativo e as direcionassem para outros tipos de ataques.
References
[1] Ryan Berg and Dinis Cruz Two Security Vulnerabilities in the Spring Framework's MVC
[2] Standards Mapping - Common Weakness Enumeration CWE ID 552
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.12.1 Secure File Upload Architectural Requirements (L2 L3), 12.5.1 File Download Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 073
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
desc.dataflow.java.file_disclosure_j2ee

File Disclosure: Spring

Abstract
A construção de um caminho de redirecionamento no lado do servidor com a entrada do usuário pode permitir que um invasor baixe binários de aplicativos (incluindo arquivos jar ou classes de aplicativo) ou visualize arquivos arbitrários dentro de diretórios protegidos.
Explanation
Uma divulgação de arquivos ocorre quando:
1. Os dados entram em um programa por uma fonte não confiável.


2. Os dados são usados para construir dinamicamente um caminho.

Exemplo 1: O código a seguir usa dados não confiáveis para construir um caminho que é usado em um redirecionamento no lado do servidor.


...
	String returnURL = request.getParameter("returnURL");
	return new ModelAndView(returnURL);
	...


Se um invasor fornecesse uma URL com o parâmetro de solicitação correspondente a um local de arquivo sensível, ele seria capaz de visualizar esse arquivo. Por exemplo, "http://www.yourcorp.com/webApp/logic?returnURL=WEB-INF/applicationContext.xml" permitiria visualizar o arquivo applicationContext.xml do aplicativo.
Depois que o invasor tiver applicationContext.xml, ele poderia localizar e baixar outros arquivos de configuração referenciados nesse arquivo ou até mesmo em arquivos de classe ou jar. Isso permitiria que os invasores obtivessem informações confidenciais sobre um aplicativo e as direcionassem para outros tipos de ataques.
References
[1] Ryan Berg and Dinis Cruz Two Security Vulnerabilities in the Spring Framework's MVC
[2] Standards Mapping - Common Weakness Enumeration CWE ID 552
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.12.1 Secure File Upload Architectural Requirements (L2 L3), 12.5.1 File Download Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 073
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
desc.dataflow.java.file_disclosure_spring

File Disclosure: Spring Webflow

Abstract
A construção de um caminho de redirecionamento do lado do servidor com a entrada do usuário pode permitir que um invasor baixe binários de aplicativos (incluindo classes de aplicativos ou arquivos jar) ou visualize arquivos arbitrários em diretórios protegidos.
Explanation
No Spring Webflow, um resolvedor de visualização é usado para traduzir o nome de uma visualização em uma tecnologia de renderização real. Normalmente, um resolvedor de visualização limitará o tipo e a localização dos arquivos usando prefixos e sufixos. No entanto, o uso de parâmetros de solicitação para especificar o nome da visualização permite que esse mecanismo seja contornado.
Exemplo 1: As seguintes configurações do Spring Webflow usam parâmetros de solicitação para especificar o nome da visualização.

<webflow:end-state id="finalStep" view="${requestParameters.url}"/>
<webflow:view-state id="showView" view="${requestParameters.test}">

O resolvedor de visualização padrão do Spring Webflow destina-se a permitir que apenas arquivos jsp em "/ WEB-INF / views /" sejam resolvidos.


<bean class="org.springframework.web.servlet.view.
               InternalResourceViewResolver">
    <property name="prefix" value="/WEB-INF/views/" />
    <property name="suffix" value=".jsp" />
</bean>


Um invasor pode usar o seguinte URL para visualizar o arquivo applicationContext.xml: "http://www.yourcorp.com/webApp/logic?url=../applicationContext.xml;x="
O InternalResourceViewResolver pegará o prefixo com o qual está configurado, concatenará o valor passado no atributo de visualização e finalmente adicionará o sufixo.
A URL relativa resultante, "/WEB-INF/views/../applicationContext.xml;x=.jsp" é passada para o distribuidor de solicitações do lado do servidor. O ponto e vírgula permite que o invasor converta o sufixo ".jsp" em um parâmetro de caminho. Este ataque pode ser usado para divulgar qualquer arquivo na raiz do aplicativo da web.
References
[1] Ryan Berg and Dinis Cruz Two Security Vulnerabilities in the Spring Framework's MVC
[2] Seth Ladd Expert Spring MVC and Web Flow
[3] Standards Mapping - Common Weakness Enumeration CWE ID 552
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[9] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.12.1 Secure File Upload Architectural Requirements (L2 L3), 12.5.1 File Download Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 073
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
desc.configuration.java.file_disclosure_spring_webflow

File Disclosure: Struts

Abstract
A construção de um caminho de redirecionamento no lado do servidor com a entrada do usuário pode permitir que um invasor baixe binários de aplicativos (incluindo arquivos jar ou classes de aplicativo) ou visualize arquivos arbitrários dentro de diretórios protegidos.
Explanation
Uma divulgação de arquivos ocorre quando:
1. Os dados entram em um programa por uma fonte não confiável.


2. Os dados são usados para construir dinamicamente um caminho.

Exemplo 1: O código a seguir usa dados não confiáveis para construir um caminho que é usado em um redirecionamento no lado do servidor.


...
	String returnURL = request.getParameter("returnURL");
	return new ActionForward(returnURL);
	...


Se um invasor fornecesse uma URL com o parâmetro de solicitação correspondente a um local de arquivo sensível, ele seria capaz de visualizar esse arquivo. Por exemplo, "http://www.yourcorp.com/webApp/logic?returnURL=WEB-INF/applicationContext.xml" permitiria visualizar o arquivo applicationContext.xml do aplicativo.
Depois que o invasor tiver applicationContext.xml, ele poderia localizar e baixar outros arquivos de configuração referenciados nesse arquivo ou até mesmo em arquivos de classe ou jar. Isso permitiria que os invasores obtivessem informações confidenciais sobre um aplicativo e as direcionassem para outros tipos de ataques.
References
[1] Ryan Berg and Dinis Cruz Two Security Vulnerabilities in the Spring Framework's MVC
[2] Standards Mapping - Common Weakness Enumeration CWE ID 552
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.12.1 Secure File Upload Architectural Requirements (L2 L3), 12.5.1 File Download Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 073
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
desc.dataflow.java.file_disclosure_struts

File Permission Manipulation

Abstract
Permitir que a entrada do usuário altere permissões de arquivo diretamente pode deixar que um invasor acesse recursos do sistema que, de outra forma, estariam protegidos.
Explanation
Erros de File Permission Manipulation ocorrem quando qualquer uma das seguintes condições é atendida:

1. Um invasor pode especificar um caminho usado em uma operação que modifica as permissões no sistema de arquivos.

2. Um invasor pode especificar as permissões atribuídas por uma operação no sistema de arquivos.

Exemplo 1: O código a seguir usa entrada de variáveis de ambiente do sistema para definir permissões de arquivo. Se os invasores puderem alterar as variáveis de ambiente do sistema, poderão usar o programa para obter acesso a arquivos manipulados pelo programa. Se o programa também for vulnerável a Path Manipulation, um invasor poderá usar essa vulnerabilidade para acessar arquivos arbitrariamente no sistema.


    permissions := strconv.Atoi(os.Getenv("filePermissions"));
    fMode := os.FileMode(permissions)
    os.chmod(filePath, fMode);
    ...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 264, CWE ID 732
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 7.3.3 Log Protection Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[15] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[28] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732
[29] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732
[30] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.golang.file_permission_manipulation
Abstract
Permitir que a entrada do usuário altere permissões de arquivo diretamente pode deixar que um invasor acesse recursos do sistema que, de outra forma, estariam protegidos.
Explanation
Erros de manipulação de permissões de arquivo ocorrem quando qualquer uma das condições a seguir é atendida:

1. Um invasor pode especificar um caminho usado em uma operação que modifica permissões no sistema de arquivos.

2. Um invasor pode especificar as permissões atribuídas por uma operação no sistema de arquivos.

Exemplo 1: O código a seguir usa a entrada de propriedades do sistema para definir a máscara de permissão padrão. Se os invasores puderem alterar as propriedades do sistema, eles poderão usar o programa para obter acesso a arquivos manipulados pelo programa. Se o programa também for vulnerável à manipulação de caminho, um invasor poderá usar essa vulnerabilidade para acessar arquivos arbitrários no sistema.


  String permissionMask = System.getProperty("defaultFileMask");
  Path filePath = userFile.toPath();
  ...
  Set<PosixFilePermission> perms = PosixFilePermissions.fromString(permissionMask);
  Files.setPosixFilePermissions(filePath, perms);
...
References
[1] FIO01-J. Create files with appropriate access permissions CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 264, CWE ID 732
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[7] Standards Mapping - FIPS200 AC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[11] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 7.3.3 Log Protection Requirements (L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.java.file_permission_manipulation
Abstract
Permitir que a entrada do usuário altere permissões de arquivo diretamente pode deixar que um invasor acesse recursos do sistema que, de outra forma, estariam protegidos.
Explanation
Erros de manipulação de permissões de arquivo ocorrem quando qualquer uma das condições a seguir é atendida:

1. Um invasor pode especificar um caminho usado em uma operação que modifica permissões no sistema de arquivos.

2. Um invasor pode especificar as permissões atribuídas por uma operação no sistema de arquivos.

Exemplo 1: O código a seguir é projetado para definir as permissões de arquivo adequadas para os usuários fazerem upload de páginas da Web via FTP. Ele usa a entrada de uma solicitação HTTP para marcar um arquivo como visualizável para usuários externos.


	$rName = $_GET['publicReport'];
	chmod("/home/". authenticateUser . "/public_html/" . rName,"0755");
...


No entanto, se um invasor fornecer um valor mal-intencionado para publicReport, como "../../localuser/public_html/.htpasswd", o aplicativo tornará o arquivo especificado como legível para o invasor.

Exemplo 2: O código a seguir usa a entrada de um arquivo de configuração para definir a máscara de permissão padrão. Se os invasores puderem alterar o arquivo de configuração, eles poderão usar o programa para obter acesso aos arquivos manipulados pelo programa. Se o programa também for vulnerável à manipulação de caminho, um invasor poderá usar essa vulnerabilidade para acessar arquivos arbitrários no sistema.


...
$mask = $CONFIG_TXT['perms'];
chmod($filename,$mask);
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 264, CWE ID 732
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[7] Standards Mapping - FIPS200 AC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[11] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 7.3.3 Log Protection Requirements (L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.php.file_permission_manipulation
Abstract
Permitir que a entrada do usuário altere permissões de arquivo diretamente pode deixar que um invasor acesse recursos do sistema que, de outra forma, estariam protegidos.
Explanation
Erros de File Permission Manipulation ocorrem quando qualquer uma das condições a seguir é atendida:

1. Um invasor pode especificar um caminho usado em uma operação que modifica permissões no sistema de arquivos.

2. Um invasor pode especificar as permissões atribuídas por uma operação no sistema de arquivos.

Exemplo 1: O código a seguir usa entrada de variáveis de ambiente do sistema para definir permissões de arquivo. Se os invasores puderem alterar as variáveis de ambiente do sistema, eles poderão usar o programa para obter acesso a arquivos manipulados pelo programa. Se o programa também for vulnerável à Path Manipulation, um invasor poderá usar essa vulnerabilidade para acessar arquivos arbitrários no sistema.


    permissions = os.getenv("filePermissions");
    os.chmod(filePath, permissions);
    ...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 264, CWE ID 732
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 7.3.3 Log Protection Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[15] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[28] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732
[29] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732
[30] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.python.file_permission_manipulation
Abstract
Permitir que a entrada do usuário altere permissões de arquivo diretamente pode deixar que um invasor acesse recursos do sistema que, de outra forma, estariam protegidos.
Explanation
Erros de manipulação de permissões de arquivo ocorrem quando qualquer uma das condições a seguir é atendida:

1. Um invasor pode especificar um caminho usado em uma operação que modifica permissões no sistema de arquivos.

2. Um invasor pode especificar as permissões atribuídas por uma operação no sistema de arquivos.

Exemplo 1: O código a seguir é projetado para definir as permissões de arquivo adequadas para os usuários fazerem upload de páginas da Web via FTP. Ele usa a entrada de uma solicitação HTTP para marcar um arquivo como visualizável para usuários externos.


...
  rName = req['publicReport']
  File.chmod("/home/#{authenticatedUser}/public_html/#{rName}", "0755")
...


No entanto, se um invasor fornecer um valor mal-intencionado para publicReport, como "../../localuser/public_html/.htpasswd", o aplicativo tornará o arquivo especificado como legível para o invasor.

Exemplo 2: O código a seguir usa a entrada de um arquivo de configuração para definir a máscara de permissão padrão. Se os invasores puderem alterar o arquivo de configuração, eles poderão usar o programa para obter acesso aos arquivos manipulados pelo programa. Se o programa também for vulnerável à manipulação de caminho, um invasor poderá usar essa vulnerabilidade para acessar arquivos arbitrários no sistema.


...
mask = config_params['perms']
File.chmod(filename, mask)
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 264, CWE ID 732
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[7] Standards Mapping - FIPS200 AC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[11] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 7.3.3 Log Protection Requirements (L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.ruby.file_permission_manipulation

Flash Misconfiguration: Overly Permissive Cross-Domain Policy

Abstract
O programa define uma política entre domínios excessivamente permissiva.
Explanation
Por padrão, aplicativos Flash estão sujeitos à Política de Mesma Origem, que garante que dois aplicativos SWF possam acessar os dados um do outro somente se forem provenientes do mesmo domínio. O Adobe Flash permite que os desenvolvedores alterem essa política programaticamente ou por meio das configurações apropriadas no arquivo de configuração crossdomain.xml. No entanto, é necessário tomar precauções ao alterar as configurações, pois uma política entre domínios excessivamente permissiva permitirá que um aplicativo mal-intencionado se comunique com o aplicativo vítima de modo impróprio, resultando em falsificação, roubo de dados, retransmissão e outros ataques.

Exemplo 1: O trecho a seguir é um exemplo de uso de um caractere curinga para especificar programaticamente os domínios com os quais o aplicativo tem permissão para se comunicar.


   flash.system.Security.allowDomain("*");


O uso de * como argumento para allowDomain() indica que os dados do aplicativo estão acessíveis a outros aplicativos SWF de qualquer domínio.
References
[1] Peleus Uhley Creating more secure SWF web applications
[2] Matt Wood and Prajakta Jagdale Auditing Adobe Flash through Static Analysis
[3] Standards Mapping - Common Weakness Enumeration CWE ID 942
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.4.6 HTTP Security Headers Requirements (L1 L2 L3), 14.5.3 Validate HTTP Request Header Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.semantic.actionscript.flash_misconfiguration_overly_permissive_cross_domain_policy

Flash Misconfiguration: Overly Permissive Custom Headers Policy

Abstract
O programa define uma política de cabeçalhos personalizados excessivamente permissiva.
Explanation
Por padrão, aplicativos Flash estão sujeitos à Política de Mesma Origem, que garante que dois aplicativos SWF possam acessar os dados um do outro somente se forem provenientes do mesmo domínio. O Adobe Flash permite que os desenvolvedores alterem essa política programaticamente ou por meio das configurações apropriadas no arquivo de configuração crossdomain.xml. A partir do Flash Player 9.0.124.0, a Adobe também introduziu a capacidade de definir quais cabeçalhos personalizados o Flash Player pode enviar entre domínios. No entanto, é preciso ter cuidado ao definir essas configurações porque uma política de cabeçalhos personalizados excessivamente permissiva, quando aplicada junto com a política de vários domínios excessivamente permissiva, permitirá que um aplicativo mal-intencionado envie cabeçalhos de sua escolha para o aplicativo de destino, levando, possivelmente, a um variedade de ataques ou causando erros na execução do aplicativo que não saberá como tratar os cabeçalhos recebidos.

Exemplo 1: A configuração a seguir mostra o uso de um caractere curinga para especificar quais cabeçalhos o Flash Player pode enviar entre domínios.


  <cross-domain-policy>
    <allow-http-request-headers-from domain="*" headers="*"/>
  </cross-domain-policy>


Usar * como o valor do atributo de headers indica que qualquer cabeçalho será enviado entre domínios.
References
[1] Peleus Uhley Creating more secure SWF web applications
[2] Matt Wood and Prajakta Jagdale Auditing Adobe Flash through Static Analysis
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[7] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[8] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[21] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[36] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.actionscript.flash_misconfiguration_overly_permissive_custom_headers_policy

Flash Misconfiguration: Policy Restrictions Bypass

Abstract
O programa usa entradas de usuário não validadas para se esquivar de restrições de política entre domínios.
Explanation
Por padrão, aplicativos Flash estão sujeitos à Política de Mesma Origem, que garante que dois aplicativos SWF possam acessar os dados um do outro somente se forem provenientes do mesmo domínio. O Adobe Flash permite que os desenvolvedores alterem essa política programaticamente ou por meio das configurações apropriadas no arquivo de configuração crossdomain.xml. No entanto, é necessário tomar precauções ao decidir quem pode influenciar as configurações, pois uma política entre domínios excessivamente permissiva permitirá que um aplicativo mal-intencionado se comunique com o aplicativo vítima de modo impróprio, resultando em falsificação, roubo de dados, retransmissão e outros ataques. Vulnerabilidades de desvio de restrições de política ocorrem quando:

1. Os dados entram no aplicativo por uma fonte não confiável.

2. Os dados são utilizados para carregar ou modificar configuração de política entre domínios.
Exemplo 1: O código a seguir usa o valor de um dos parâmetros para o arquivo SWF carregado como a URL a partir da qual carregar o arquivo de política entre domínios.


   ...
   var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
   var url:String = String(params["url"]);
   flash.system.Security.loadPolicyFile(url);
   ...
Exemplo 2: O código a seguir usa o valor de um dos parâmetros para o arquivo SWF carregado com o objetivo de definir a lista de domínios confiáveis.


   ...
   var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
   var domain:String = String(params["domain"]);
   flash.system.Security.allowDomain(domain);
   ...
References
[1] Peleus Uhley Creating more secure SWF web applications
[2] Matt Wood and Prajakta Jagdale Auditing Adobe Flash through Static Analysis
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[7] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[8] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[9] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[20] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[35] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.actionscript.flash_misconfiguration_policy_restrictions_bypass

Flash Misconfiguration: Unauthorized Data Access

Abstract
O programa permite que aplicativos SWF HTTP e HTTPS se comuniquem.
Explanation
A partir do Flash Player 7, aplicativos SWF carregados via HTTP não podem acessar dados de aplicativos SWF carregados via HTTPS por padrão. O Adobe Flash permite que os desenvolvedores alterem essa restrição programaticamente ou por meio das configurações apropriadas no arquivo de configuração crossdomain.xml. No entanto, é necessário tomar precauções ao definir essas configurações, pois aplicativos SWF carregados via HTTP estão sujeitos a ataques do tipo MITM (man-in-the-middle) e, portanto, não devem ser confiáveis.

Exemplo 1: O código a seguir chama allowInsecureDomain(), que desativa a restrição que impede aplicativos SWF carregados via HTTP de acessar os dados de aplicativos SWF carregados via HTTPS.


   flash.system.Security.allowInsecureDomain("*");
References
[1] Peleus Uhley Creating more secure SWF web applications
[2] Matt Wood and Prajakta Jagdale Auditing Adobe Flash through Static Analysis
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[7] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[8] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4, Requirement 6.5.8
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4, Requirement 6.5.8
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4, Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4, Requirement 6.5.8
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.4.1 - Web Software Communications
[21] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 862
[22] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[37] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.semantic.actionscript.flash_misconfiguration_unauthorized_data_access