Kingdom: Input Validation and Representation

Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include "Buffer Overflows", "Cross-Site Scripting" attacks, "SQL Injection" and many others.

Cross-Site Scripting: Content Sniffing

Abstract
Sending unvalidated data to a web browser can result in certain browsers executing malicious code.
Explanation
Cross-Site Scripting (XSS) vulnerabilities occur when:

1. Data enters a web application through an untrusted source. In the case of Reflected XSS, the untrusted source is typically a web request, while in the case of Persisted (also known as Stored) XSS it is typically a database or other back-end data store.

2. The data is included in dynamic content that is sent to a web user without being validated.

The malicious content sent to the web browser often takes the form of a JavaScript segment, but may also include HTML, Flash or any other type of code the browser can execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data such as cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.

For the browser to render a response as HTML, or as another kind of document that can execute scripts, the response must declare the text/html MIME type. XSS is therefore only possible if the response uses that MIME type, or any other type that likewise forces the browser to render the response as HTML or as another script-capable document, such as SVG images (image/svg+xml) and XML documents (application/xml).

Most modern browsers will neither render HTML nor execute scripts when a response is served with a MIME type such as application/octet-stream. However, some browsers, Internet Explorer among them, perform what is known as Content Sniffing: they ignore the supplied MIME type and attempt to infer the correct one from the contents of the response.
Note, too, that text/html is not the only MIME type that can lead to XSS. Other script-capable document types, such as SVG images (image/svg+xml) and XML documents (application/xml), can lead to XSS regardless of whether the browser performs Content Sniffing.

As a result, a response such as <html><body><script>alert(1)</script></body></html> may be rendered as HTML even when its Content-Type header is set to application/octet-stream, multipart/mixed or similar.
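The sniffing decision described above, as an added example that is not part of the original entry: a small Python model of the browser behaviour, usable as a response check in a proxy or scanner. It is a simplification, not Internet Explorer's real algorithm; the HTML markers, the 256-byte window and the helper names (parse_http_response, effective_type, reflects_html_to_browser) are this example's own assumptions. It shows how a body that starts with markup is promoted to text/html when the declared type is not script-capable, and how X-Content-Type-Options: nosniff, or a browser that does not sniff, prevents that.

```python
import re
from typing import Mapping, Tuple

# Declared types that browsers treat as script-capable without any sniffing.
SCRIPT_CAPABLE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "application/xml", "text/xml",
}

# Assumption: a sniffer looks for markup like this near the start of the body.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|script|iframe|img|table|div|svg)\b",
    re.IGNORECASE,
)
SNIFF_WINDOW = 256  # assumption: only the leading bytes are inspected

# Constructed attacker payload, the same one used in the page's examples.
PAYLOAD = b"<html><body><script>alert(1)</script></body></html>"


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def parse_http_response(raw: bytes) -> Tuple[str, dict, bytes]:
    """Split a raw HTTP/1.x response into (status line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def effective_type(headers: Mapping[str, str], body: bytes,
                   browser_sniffs: bool = True) -> str:
    """Type the modelled browser actually acts on.

    - Script-capable declared types are honoured as-is (no sniffing needed).
    - Otherwise a sniffing browser that is not told 'nosniff' upgrades a body
      that starts with HTML markup to text/html, whatever was declared.
    """
    declared = _header(headers, "Content-Type").split(";")[0].strip().lower()
    nosniff = _header(headers, "X-Content-Type-Options").lower() == "nosniff"
    if declared in SCRIPT_CAPABLE_TYPES:
        return declared
    if browser_sniffs and not nosniff and HTML_MARKERS.search(body[:SNIFF_WINDOW]):
        return "text/html"
    return declared or "application/octet-stream"


def reflects_html_to_browser(headers: Mapping[str, str], body: bytes,
                             browser_sniffs: bool = True) -> bool:
    """True when the response ends up in a context where script can run."""
    return effective_type(headers, body, browser_sniffs) in SCRIPT_CAPABLE_TYPES


if __name__ == "__main__":
    # Constructed raw response matching the octet-stream example on this page.
    raw = (b"HTTP/1.1 200 OK\r\nContent-Length: 51\r\n"
           b"Content-Type: application/octet-stream\r\nConnection: close\r\n\r\n"
           + PAYLOAD)
    _, hdrs, body = parse_http_response(raw)
    print("sniffing browser sees:", effective_type(hdrs, body))
    hdrs["X-Content-Type-Options"] = "nosniff"
    print("with nosniff:", effective_type(hdrs, body))
```

Running the file directly shows the declared application/octet-stream being promoted to text/html, and the same response kept as application/octet-stream once nosniff is present. The regex deliberately matches only a handful of tags; a real sniffer has a longer, version-specific list, so treat a negative result from this model as "probably fine" rather than proof.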

Example 1: The following Spring MVC controller method reflects user data in an application/octet-stream response.


import org.springframework.http.MediaType;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SomeResource {
    // Declares an opaque binary response type but echoes the untrusted "name"
    // parameter verbatim, so a sniffing browser may still render it as HTML.
    @RequestMapping(value = "/test", produces = {MediaType.APPLICATION_OCTET_STREAM_VALUE})
    public String response5(@RequestParam(value = "name") String name) {
        return name;
    }
}


If an attacker sends a request with the name parameter set to <html><body><script>alert(1)</script></body></html>, the server produces the following response:


HTTP/1.1 200 OK
Content-Length: 51
Content-Type: application/octet-stream
Connection: close

<html><body><script>alert(1)</script></body></html>


Although the response explicitly states that it should be treated as an opaque binary stream, older browsers may still attempt to render it as an HTML document, leaving it vulnerable to Cross-Site Scripting.
References
[1] X-Content-Type-Options Mozilla
[2] MIME Type Detection in Windows Internet Explorer Microsoft
[3] Understanding Malicious Content Mitigation for Web Developers CERT
[4] HTML 4.01 Specification W3
[5] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Attacks on WebView in the Android System
[6] Erika Chin and David Wagner Bifocals: Analyzing WebView Vulnerabilities in Android Applications
[7] INJECT-3: XML and HTML generation requires care Oracle
[8] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[10] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[11] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[12] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[13] Standards Mapping - CIS Kubernetes Benchmark complete
[14] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[15] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[16] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[17] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[18] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[19] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[20] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[21] Standards Mapping - FIPS200 SI
[22] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[23] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[24] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[25] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[26] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[27] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[28] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[29] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[30] Standards Mapping - OWASP Top 10 2021 A03 Injection
[31] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[32] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[33] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[40] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[41] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[43] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[44] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[45] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[46] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[67] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[68] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.java.cross_site_scripting_content_sniffing
Abstract
Sending unvalidated data to a web browser can result in certain browsers executing malicious code.
Explanation
Cross-Site Scripting (XSS) vulnerabilities occur when:

1. Data enters a web application through an untrusted source. In the case of Reflected XSS, the untrusted source is typically a web request, while in the case of Persisted (also known as Stored) XSS it is typically a database or other back-end data store.

2. The data is included in dynamic content that is sent to a web user without being validated.

The malicious content sent to the web browser often takes the form of a JavaScript segment, but may also include HTML, Flash or any other type of code the browser can execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data such as cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.

For the browser to render a response as HTML, or as another kind of document that can execute scripts, the response must declare the text/html MIME type. XSS is therefore only possible if the response uses that MIME type, or any other type that likewise forces the browser to render the response as HTML or as another script-capable document, such as SVG images (image/svg+xml) and XML documents (application/xml).

Most modern browsers will neither render HTML nor execute scripts when a response is served with a MIME type such as application/json. However, some browsers, Internet Explorer among them, perform what is known as Content Sniffing: they ignore the supplied MIME type and attempt to infer the correct one from the contents of the response.
Note, too, that text/html is not the only MIME type that can lead to XSS. Other script-capable document types, such as SVG images (image/svg+xml) and XML documents (application/xml), can lead to XSS regardless of whether the browser performs Content Sniffing.

As a result, a response such as <html><body><script>alert(1)</script></body></html> may be rendered as HTML even when its Content-Type header is set to application/json.

Example 1: The following AWS Lambda function reflects user data in an application/json response.


def mylambda_handler(event, context):
    # Untrusted input taken straight from the invocation event.
    name = event['name']
    response = {
        "statusCode": 200,
        # The value is concatenated into the body without any encoding, so
        # HTML supplied in "name" is reflected verbatim.
        "body": "{'name': '%s'}" % name,
        "headers": {
            'Content-Type': 'application/json',
        }
    }
    return response


If an attacker sends a request with the name parameter set to <html><body><script>alert(1)</script></body></html>, the server produces the following response:


HTTP/1.1 200 OK
Content-Length: 63
Content-Type: application/json
Connection: close

{'name': '<html><body><script>alert(1)</script></body></html>'}


Although the response explicitly states that it should be treated as a JSON document, older browsers may still attempt to render it as an HTML document, leaving it vulnerable to Cross-Site Scripting.
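A hardened version of the handler above, added here as an example; it is not code from the original entry or from AWS. The names json_dumps_safe, hardened_handler, decoded_name and is_safe_against_sniffing are this example's own, and the event shape (event['name']) is kept from the original. It serialises the value with json.dumps and escapes the characters that could start markup, declares a charset, and sets X-Content-Type-Options: nosniff so a sniffing browser keeps the declared type; a Content-Security-Policy is added as defence in depth. The vulnerable handler is kept alongside so the checker can be seen rejecting it.

```python
import json

# Constructed attacker input, the same payload the page uses.
PAYLOAD = "<html><body><script>alert(1)</script></body></html>"

# Characters that could start markup (or break out of an inline <script>)
# are emitted as JSON \uXXXX escapes; the output remains valid JSON.
_JSON_ESCAPES = {
    "<": "\\u003c", ">": "\\u003e", "&": "\\u0026",
    "\u2028": "\\u2028", "\u2029": "\\u2029",
}


def json_dumps_safe(obj) -> str:
    """json.dumps plus escaping of markup-significant characters."""
    text = json.dumps(obj, ensure_ascii=False)
    for ch, esc in _JSON_ESCAPES.items():
        text = text.replace(ch, esc)
    return text


def vulnerable_handler(event, context=None):
    """The page's original behaviour, kept only for comparison."""
    name = event["name"]
    return {
        "statusCode": 200,
        "body": "{'name': '%s'}" % name,  # raw reflection
        "headers": {"Content-Type": "application/json"},
    }


def hardened_handler(event, context=None):
    """Same endpoint with the reflection made safe against content sniffing."""
    name = event["name"]
    return {
        "statusCode": 200,
        "body": json_dumps_safe({"name": name}),
        "headers": {
            "Content-Type": "application/json; charset=utf-8",
            # Tells browsers to trust the declared type and not sniff the body.
            "X-Content-Type-Options": "nosniff",
            # Defence in depth: should anything still render this as a
            # document, no script may execute.
            "Content-Security-Policy": "default-src 'none'",
        },
    }


def decoded_name(response: dict) -> str:
    """Parse the body back as JSON and return the 'name' field."""
    return json.loads(response["body"])["name"]


def is_safe_against_sniffing(response: dict) -> bool:
    """Check a Lambda proxy response the way a unit test or a response-header
    audit would: non-HTML declared type, nosniff set, no raw '<' in the body."""
    headers = {k.lower(): v for k, v in response.get("headers", {}).items()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return (
        ctype not in ("", "text/html")
        and headers.get("x-content-type-options", "").strip().lower() == "nosniff"
        and "<" not in response["body"]
    )


if __name__ == "__main__":
    event = {"name": PAYLOAD}
    print("vulnerable:", vulnerable_handler(event)["body"])
    print("hardened:  ", hardened_handler(event)["body"])
```

The escaping step matters even with nosniff in place: clients that are not browsers, and browsers that embed the JSON into a page, get a body that can never begin an HTML tag, while json.loads still recovers the original string unchanged.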
References
The same list as given under the Java entry above ([1] through [68]).
desc.dataflow.python.cross_site_scripting_content_sniffing