Kingdom: Input Validation and Representation
Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include "Buffer Overflows", "Cross-Site Scripting" attacks, "SQL Injection", and others.
Value Shadowing: Server Variable
Abstract
The program accesses a server variable in an ambiguous way, which can leave it open to attack.
Explanation
The HttpRequest class provides programmatic access to variables from the QueryString, Form, Cookies, or ServerVariables collections through an array-style indexer (for example, Request["myParam"]). When more than one variable with the same name exists, the .NET framework returns the value of the variable that appears first when the collections are searched in the following order: QueryString, Form, Cookies, ServerVariables. Because QueryString is searched first, a QueryString parameter can supersede the value of a Form, Cookies or ServerVariables variable. Similarly, a Form value can supersede variables in the Cookies and ServerVariables collections, and a variable in the Cookies collection can supersede one in ServerVariables.

Example 1: The following code checks the HTTP Referer header server variable to determine whether the request originated from www.example.com before serving content.
...
// Request[...] searches QueryString, Form, Cookies and only then ServerVariables
if (Request["HTTP_REFERER"].StartsWith("http://www.example.com"))
    ServeContent();
else
    Response.Redirect("http://www.example.com/");
...
Assume the code in Example 1 is executed when http://www.example.com/ProtectedImages.aspx is accessed. If an attacker requests that URL directly, no referer header is set and the request fails. However, if the attacker submits a forged HTTP_REFERER parameter carrying the required value, for example http://www.example.com/ProtectedImages.aspx?HTTP_REFERER=http%3a%2f%2fwww.example.com, the lookup returns the value from QueryString rather than ServerVariables, and the check succeeds.