界: Encapsulation

封装即绘制强边界。在 Web 浏览器中，这可能意味着确保您的移动代码不会被其他移动代码滥用。在服务器上，这可能意味着区分已验证数据和未验证数据、区分一个用户的数据和另一个用户的数据，或者区分允许用户查看的数据和不允许用户查看的数据。

File Based Cross-Zone Scripting

Abstract

如果加载一个文件可能导致在应用程序上下文中运行不可信赖的脚本，则是很危险的。

Explanation

当满足以下条件时会发生 File Based Cross Zone Scripting 漏洞：

1. 加载一个文件，这可能会允许在您的应用程序中运行脚本

2. 加载的脚本采用与运行的应用程序一样的来源。

当满足这两个条件时，可以实现一系列攻击，尤其是当其他各方根据信息是否来自您的应用程序范围内来确定信任时。

例 1：以下代码使用 Android WebView 以便在本地加载文件：


...
myWebView.loadUrl("file:///android_asset/www/index.html");
...

在Example 1 中，Android WebView 呈现器会将使用 loadUrl() 通过以“file://”开头的 URL 加载的所有内容视为来源相同。

当从文件进行加载时，攻击者可以通过几种典型方法来利用 File Based Cross-Zone Scripting 漏洞：
- 本地文件可能受可将脚本注入该文件的攻击者操纵。
这将取决于文件权限、文件所在位置，或者文件先保存再加载的竞争条件（可能有供进行修改的时间段）。

- 文件可能会调出到外部资源。
当加载的文件从外部资源检索脚本时，可能会发生这种情况。

例 2：以下代码查看外部数据源，以确定它应该运行的 JavaScript。


  <script src="http://www.example.com/js/fancyWidget.js"></script>

在Example 2 中，使用了不安全的协议，这可能会允许恶意操作者修改所生成的脚本。或者，可能会执行其他攻击，以将计算机重新路由到攻击者的站点。

- 加载的文件可能包含 cross-site scripting 漏洞。
如果所加载的文件能够注入代码，则注入的代码也许能够在您的应用程序上下文中运行。这不一定是注入 JavaScript 的能力，而仅仅能够注入 HTML 也可以实现涂改或拒绝服务攻击。

References

[1] Erika Chin and David Wagner Bifocals: Analyzing WebView Vulnerabilities in Android Applications

[2] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079

[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079

[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079

[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079

[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [1] CWE ID 079

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[10] Standards Mapping - FIPS200 SI

[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)

[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-2

[17] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting

[18] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)

[19] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)

[20] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)

[21] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)

[22] Standards Mapping - OWASP Top 10 2021 A03 Injection

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[35] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079

[36] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079

[37] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079

[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I

[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I

[60] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)

[61] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting

desc.semantic.java.file_based_cross_zone_scripting

Abstract

如果加载本地文件可能导致在应用程序的特许上下文中运行不可信赖的脚本，则是很危险的。

Explanation

当满足以下条件时会发生 File-Based Cross Zone Scripting 漏洞：

1. 加载一个文件，这可能会允许在您的应用程序中运行脚本。

2. 加载的脚本被视为与运行的应用程序具有相同的来源 (file://)。

当满足这两个条件时，可以实现一系列攻击，尤其是当其他各方根据信息是否来自您的应用程序范围内来确定信任时。

示例 1：以下代码使用了 UIWebView.loadRequest(_:) 方法加载本地文件：


...
NSURL *url = [[NSBundle mainBundle] URLForResource: filename withExtension:extension]; 
[webView loadRequest:[[NSURLRequest alloc] initWithURL:url]];
...

在Example 1 中，WebView 引擎会将使用 UIWebView.loadRequest(_:) 通过以 file:// 开头的 URL 加载的所有内容视为位于本地特权文件源中。

当从文件进行加载时，攻击者可以通过几种典型方法来利用 File-Based Cross-Zone Scripting 漏洞：

- 本地文件可能由攻击者控制。例如，攻击者可能将文件发送到受害者，受害者然后又将该文件存储到易受攻击的应用程序（例如：云存储应用程序）。
- 本地文件可能受可将脚本注入该文件的攻击者操纵。这将取决于文件权限、文件所在位置，或者文件先保存再加载的竞争条件（可能有供进行修改的时间段）。
- 文件可能会调出到外部资源。当加载的文件从外部资源检索脚本时，可能会发生这种情况。
- 加载的文件可能包含 cross-site scripting 漏洞。如果正在加载的文件包含注入代码，则此代码可能会在您的应用程序上下文中运行。注入的代码不必是 JavaScript 代码 - 注入的 HTML 也可以实现涂改或拒绝服务攻击。

如果攻击者控制的文件是使用 file:// URL 在本地加载的，则同源策略将允许此文件中的脚本访问来自同一来源的所有其他文件，从而使攻击者可以访问包含敏感信息的任何本地文件。

References

[1] Same-origin policy for file: URIs Mozilla

[2] Old Habits Die Hard: Cross-Zone Scripting in Dropbox & Google Drive Mobile Apps IBM

[3] loadHTMLString(_:baseURL:) API documentation Apple

[4] loadRequest(_:) API documentation Apple

[5] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80

[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079

[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079

[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079

[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079

[10] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079

[11] Standards Mapping - Common Weakness Enumeration Top 25 2024 [1] CWE ID 079

[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[13] Standards Mapping - FIPS200 SI

[14] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)

[18] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[19] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-2

[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting

[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)

[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)

[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)

[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)

[25] Standards Mapping - OWASP Top 10 2021 A03 Injection

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[38] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079

[39] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079

[40] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079

[41] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[58] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[59] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[60] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[61] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I

[62] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I

[63] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)

[64] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting

desc.dataflow.objc.file_based_cross_zone_scripting

Abstract

如果加载本地文件可能导致在应用程序的特许上下文中运行不可信赖的脚本，则是很危险的。

Explanation


...
let url = Bundle.main.url(forResource: filename, withExtension: extension)
self.webView!.load(URLRequest(url:url!))
...