7 个项目已找到

弱点

Android Misconfiguration: Debug Information

Java/JSP

Abstract

调试消息可帮助攻击者了解系统并计划攻击形式。

Explanation

Android 应用程序可以配置为生成调试二进制代码。这些二进制文件可提供详细的调试消息，不应在生产环境中使用。<application> 标签的 debuggable 属性定义编译后的二进制文件是否应包含调试信息。

使用调试二进制文件会导致应用程序向用户提供尽可能多的关于其自身的信息。调试二进制文件旨在用于开发或测试环境，如果部署到生产环境中可能会带来安全风险。攻击者可以利用其从调试输出中获得的附加信息，对应用程序所用的框架、数据库或其他资源发动攻击。

References

[1] JavaDoc for Android Android

[2] Standards Mapping - Common Weakness Enumeration CWE ID 11

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272

[4] Standards Mapping - FIPS200 CM

[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SA-15 Development Process and Standards and Tools (P2), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SA-15 Development Process and Standards and Tools, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.1.3 Build (L2 L3)

[9] Standards Mapping - OWASP Mobile 2014 M10 Lack of Binary Protections

[10] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-RESILIENCE-4

[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[13] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II, APP3620 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II, APP3620 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II, APP3620 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II, APP3620 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II, APP3620 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II, APP3620 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II, APP3620 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[51] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.config.java.android_misconfiguration_debug_information

Missing Check for Null Parameter

Java/JSP

Abstract

此函数违反了必须将其参数与 null 进行比较的约定。

Explanation

Java 标准指出，在实现 Object.equals()、Comparable.compareTo() 和 Comparator.compare() 时，如果其参数为 null，则必须返回一个指定值。不遵守该约定可能会导致发生意外的行为。

示例 1：以下代码实现了 equals() 方法，但不会将其参数与 null 进行比较。


public boolean equals(Object object)
{
   return (toString().equals(object.toString()));
}

References

[1] MET10-J. Follow the general contract when implementing the compareTo() method CERT

[2] MET08-J. Preserve the equality contract when overriding the equals() method CERT

[3] Standards Mapping - Common Weakness Enumeration CWE ID 398

[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

desc.controlflow.java.missing_check_for_null_parameter

PCI Privacy Violation

Java/JSP

Abstract

对机密信息（如客户密码或社会保障号码）处理不当会危及用户的个人隐私，这是一种非法行为。

Explanation

Privacy Violation 会在以下情况下发生：

1. 用户私人信息进入了程序。

2. 数据被写到了一个外部介质，例如控制台、file system 或网络。
示例 1：以下代码包含一个日志记录语句，该语句通过在日志文件中存储添加到数据库中的各条记录信息来跟踪这些信息。


pass = getPassword();
...
dbmsLog.println(id+":"+pass+":"+type+":"+tstamp);

Example 1 中的代码会将明文密码记录到文件系统中。虽然许多开发人员认为文件系统是存储数据的安全位置，但这不是绝对的，特别是涉及到隐私问题时。

在移动世界中隐私是最令人担心的问题之一，其原因有以下两点。一是设备丢失的几率较高。第二点与移动应用程序之间的进程间通信有关。在移动平台上，可以从各种来源下载应用程序，并且可以在同一设备上同时运行这些应用程序。因为恶意软件在银行应用程序附近运行的可能性很高，所以应用程序的作者需要注意消息所包含的信息，这些消息将会发送给在设备上运行的其他应用程序。移动应用程序之间的进程间通信不应包含敏感信息。

示例 2：以下代码会从 Android WebView 存储中读取给定站点的用户名和密码，并将其广播给所有注册的接收者。


...
webview.setWebViewClient(new WebViewClient() {
  public void onReceivedHttpAuthRequest(WebView view,
        HttpAuthHandler handler, String host, String realm) {
    String[] credentials = view.getHttpAuthUsernamePassword(host, realm);
    String username = credentials[0];
    String password = credentials[1];
    Intent i = new Intent();
    i.setAction("SEND_CREDENTIALS");
    i.putExtra("username", username);
    i.putExtra("password", password);
    view.getContext().sendBroadcast(i);
  }
});
...

此示例演示了几个问题。首先，WebView 凭证以明文的形式存储且不经过 hash 处理。因此，如果用户拥有 root 设备（或使用仿真器），他们就能读取存储的给定站点的密码。其次，明文凭证将被广播给所有注册的接收者，这就意味着任何使用 SEND_CREDENTIALS 收听的注册接收者都将收到消息。即使权限限制接收者人数，广播也不会受到保护；既然这样，我们也不建议将权限作为修复方式使用。

可以通过多种方式将私人数据输入到程序中：

— 以密码或个人信息的形式直接从用户处获取

— 由应用程序访问数据库或者其他数据存储形式

— 间接地从合作者或者第三方处获取

通常，在移动环境下，此私人信息除了包括密码、SSN 和其他常规个人信息之外，还包括以下信息：

- 位置

- 手机号码

- 序列号和设备 ID

- 网络运营商信息

- 语音信箱信息

有时，某些数据并没有贴上私人数据标签，但在特定的上下文中也有可能成为私人信息。比如，通常认为学生的学号不是私人信息，因为学号中并没有明确而公开的信息用以定位特定学生的个人信息。但是，如果学校用学生的社会保障号码生成学号，那么这时学号应被视为私人信息。

安全和隐私似乎一直是一对矛盾。从安全的角度看，您应该记录所有重要的操作，以便日后可以鉴定那些非法的操作。然而，当其中牵涉到私人数据时，这种做法就存在一定风险了。

虽然私人数据处理不当的方式多种多样，但常见风险来自于盲目信任。程序员通常会信任运行程序的操作环境，因此认为将私人信息存放在文件系统、注册表或者其他本地控制的资源中是值得信任的。尽管已经限制了某些资源的访问权限，但仍无法保证所有访问这些资源的个体都是值得信任的。例如，2004 年，一个不道德的 AOL 员工将大约 9200 万个私有客户电子邮件地址卖给了一个通过垃圾邮件进行营销的境外赌博网站 [1]。

鉴于此类备受瞩目的信息盗取事件，私人信息的收集与管理正日益规范化。要求各个组织应根据其经营地点、所从事的业务类型及其处理的私人数据性质，遵守下列一个或若干个联邦和州的规定：

- Safe Harbor Privacy Framework [3]

- Gramm-Leach Bliley Act (GLBA) [4]

- Health Insurance Portability and Accountability Act (HIPAA) [5]

- California SB-1386 [6]

尽管制定了这些规范，Privacy Violation 漏洞仍时有发生。

References

[1] J. Oates AOL man pleads guilty to selling 92m email addies The Register

[2] Privacy Initiatives U.S. Federal Trade Commission

[3] Safe Harbor Privacy Framework U.S. Department of Commerce

[4] Financial Privacy: The Gramm-Leach Bliley Act (GLBA) Federal Trade Commission

[5] Health Insurance Portability and Accountability Act (HIPAA) U.S. Department of Human Services

[6] California SB-1386 Government of the State of California

[7] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press

[8] SQLCipher.

[9] FUNDAMENTALS-4: Establish trust boundaries Oracle

[10] CONFIDENTIAL-2: Do not log highly sensitive information Oracle

[11] Standards Mapping - Common Weakness Enumeration CWE ID 359

[12] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200

[13] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200

[14] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200

[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000169

[16] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AU-12 Audit Generation (P1)

[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AU-12 Audit Record Generation

[19] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)

[21] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage

[22] Standards Mapping - OWASP Mobile 2024 M6 Inadequate Privacy Controls

[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1

[24] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[25] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 6.5.5, Requirement 8.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 8.2.1

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 8.2.1

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 8.2.1

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 8.2.1

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 8.3.1

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000650 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000650 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000650 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000650 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000650 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000650 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000650 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000650 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000650 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000650 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000650 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000650 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000650 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000650 CAT II

[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[59] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.dataflow.java.pci_privacy_violation

Query String Injection: Amazon Web Services

Java/JSP

Abstract

构建包含用户输入的 SimpleDB 选择指令会允许攻击者查看未经授权的记录。

Explanation

Query string injection 漏洞会在以下情况下发生：
1. 数据从一个不可信赖的数据源进入程序。

2. 数据被用于动态地构造 SimpleDB 查询字符串。

例 1：以下代码动态地构造并执行了一个 SimpleDB select() 查询，该查询可搜索与用户指定产品类别相匹配的清单。用户还可以指定对结果进行排序的列。假定在执行此代码片段之前已正确验证了应用程序并设置了 customerID 的值。


...
String customerID = getAuthenticatedCustomerID(customerName, customerCredentials);
...
AmazonSimpleDBClient sdbc = new AmazonSimpleDBClient(appAWSCredentials);
String query = "select * from invoices where productCategory = '"
            + productCategory + "' and customerID = '"
            + customerID + "' order by '"
            + sortColumn + "' asc";
SelectResult sdbResult = sdbc.select(new SelectRequest(query));
...

这一代码所执行的查询如下所示：


select * from invoices
where productCategory = 'Fax Machines'
and customerID = '12345678'
order by 'price' asc

但是，由于这个查询是动态构造的，它由一个不变的基查询字符串和一个用户输入字符串连接而成，因此仅当 productCategory 和 price 不包含单引号字符时，才会正确执行这一查询。但是，如果攻击者为 productCategory 提供了字符串“Fax Machines' or productCategory = \"”，并为 sortColumn 提供了字符串“\" order by 'price”，则查询将变为如下所示：


select * from invoices
where productCategory = 'Fax Machines' or productCategory = "'
and customerID = '12345678'
order by '" order by 'price' asc

或者采用以下人类可读性更好的形式：


select * from invoices
where productCategory = 'Fax Machines'
or productCategory = "' and customerID = '12345678' order by '"
order by 'price' asc

这些输入使攻击者能够绕过 customerID 所要求的 Authentication，并查看与 'Fax Machines' 相匹配的所有客户清单记录。

References

[1] Secure Use of Cloud Storage

[2] Standards Mapping - Common Weakness Enumeration CWE ID 89

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [6] CWE ID 089

[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [6] CWE ID 089

[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [3] CWE ID 089

[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [3] CWE ID 089

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754

[9] Standards Mapping - FIPS200 SI

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3)

[14] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws

[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[19] Standards Mapping - OWASP Top 10 2010 A1 Injection

[20] Standards Mapping - OWASP Top 10 2013 A1 Injection

[21] Standards Mapping - OWASP Top 10 2017 A1 Injection

[22] Standards Mapping - OWASP Top 10 2021 A03 Injection

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089

[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089

[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[58] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)

[59] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection

desc.dataflow.java.query_string_injection_amazon_web_services

Query String Injection: Android Provider

Java/JSP

Abstract

构建含有用户输入的 SQLite 查询指令会让攻击者能够查看未经授权的记录。

Explanation

Query string injection 漏洞会在以下情况下发生：
1. 数据从一个不可信赖的数据源进入程序。

在这种情况下，Fortify Static Code Analyzer（Fortify 静态代码分析器）无法确定数据源是否可信赖。

2. 数据用于动态地构造一个 SQLite 查询。

SQLite query string injection 允许恶意用户查看未经授权的记录，但不允许用户以任何方式更改数据库的状态。

例 1：以下代码动态地构造并执行了一个 SQLite 查询，该查询可搜索与客户和用户指定产品类别相关联的清单。用户还可以指定对结果进行排序的列。假定在执行此代码片段之前已正确验证了程序和设置了 customerID 的值。


  ...
  productCategory = this.getIntent().getExtras().getString("productCategory");
  sortColumn = this.getIntent().getExtras().getString("sortColumn");
  customerID = getAuthenticatedCustomerID(customerName, customerCredentials);
  c = invoicesDB.query(Uri.parse(invoices), columns, "productCategory = '" + productCategory + "' and customerID = '" + customerID + "'", null, null, null, "'" + sortColumn + "'asc", null);
  ...

这一代码所执行的查询如下所示：


  select * from invoices
  where productCategory = 'Fax Machines'
  and customerID = '12345678'
  order by 'price' asc

但是，这个查询是动态构造的，由一个常数基查询字符串和一个用户输入字符串 productCategory 连在一起形成。因此只有在 productCategory 与 sortColumn 不包含单引号字符时，这一查询才能正确执行。如果攻击者为 productCategory 提供了字符串“Fax Machines' or productCategory = \"”，并为 sortColumn 提供了字符串“\" order by 'price”，则查询将变为如下所示：


  select * from invoices
  where productCategory = 'Fax Machines' or productCategory = "'
  and customerID = '12345678'
  order by '" order by 'price' asc

或者采用以下可读性更好的形式：


  select * from invoices
  where productCategory = 'Fax Machines'
  or productCategory = "' and customerID = '12345678' order by '"
  order by 'price' asc

这些输入使攻击者能绕过 customerID 所要求的 authentication，并查看与 'Fax Machines' 相匹配的所有客户清单记录。

References

[1] Android Developers-Reference: SQLite Database

[2] SQL as Understood by SQLite

[3] Standards Mapping - Common Weakness Enumeration CWE ID 89

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [6] CWE ID 089

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [6] CWE ID 089

[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [3] CWE ID 089

[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [3] CWE ID 089

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754

[10] Standards Mapping - FIPS200 SI

[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3)

[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[18] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws

[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[20] Standards Mapping - OWASP Top 10 2010 A1 Injection

[21] Standards Mapping - OWASP Top 10 2013 A1 Injection

[22] Standards Mapping - OWASP Top 10 2017 A1 Injection

[23] Standards Mapping - OWASP Top 10 2021 A03 Injection

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[35] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089

[36] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089

[37] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089

[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I

[59] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection

desc.semantic.java.query_string_injection_android_provider

Value Shadowing

C#/VB.NET/ASP.NET

Abstract

程序以不确定的方式访问变量，这可能会使它容易受到攻击。

Explanation

HttpRequest 类可通过编程的方式利用数组（例如 Request["myParam"]）访问 QueryString、Form、Cookies 或 ServerVariables 集合中的变量。如果多个变量使用相同的名称，.NET 框架将返回按以下顺序搜索这些集合时最先显示的变量值：QueryString、Form、Cookies、ServerVariables。由于 QueryString 会首先搜索，因此 QueryString 参数可能会取代 Form、Cookies 和 ServerVariables 变量的值。同样，Form 值可能会取代 Cookies 和 ServerVariables 集合中的变量，Cookies 集合中的变量可能会取代 ServerVariables 中的变量。
示例 1：假设某个银行应用程序将用户的电子邮件地址临时存储在 Cookie 中，并在需要联系用户时读取该值。以下代码会读取 Cookie 值，并将帐户余额发送到指定的电子邮件地址。


...
    String toAddress = Request["email"];        //Expects cookie value
    Double balance = GetBalance(userID);
    SendAccountBalance(toAddress, balance);
...

假设在访问 http://www.example.com/GetBalance.aspx 时执行Example 1 中的代码。如果攻击者能够使经过身份验证的用户单击请求 http://www.example.com/GetBalance.aspx?email=evil%40evil.com 的链接，则会将包含该用户的帐户余额的电子邮件发送到 evil@evil.com。

References

[1] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310

[2] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[3] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[9] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[10] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[11] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[12] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II

desc.semantic.dotnet.value_shadowing

Value Shadowing: Server Variable

C#/VB.NET/ASP.NET

Abstract

程序以不确定的方式访问服务器变量，这可能会使它容易受到攻击。

Explanation

HttpRequest 类可通过编程的方式利用数组（例如 Request["myParam"]）访问 QueryString、Form、Cookies 或 ServerVariables 集合中的变量。如果多个变量使用相同的名称，.NET 框架将返回按以下顺序搜索这些集合时最先显示的变量值：QueryString、Form、Cookies、ServerVariables。由于 QueryString 会首先搜索，因此 QueryString 参数可能会取代 Form、Cookies 和 ServerVariables 变量的值。同样，Form 值可能会取代 Cookies 和 ServerVariables 集合中的变量，Cookies 集合中的变量可能会取代 ServerVariables 中的变量。
示例 1：以下代码将检查 HTTP Referer 头文件服务器变量，在对内容提供服务之前确定请求是否来自 www.example.com。


    ...
    if (Request["HTTP_REFERER"].StartsWith("http://www.example.com"))
        ServeContent();
    else
        Response.Redirect("http://www.example.com/");
    ...

假设在访问 http://www.example.com/ProtectedImages.aspx 时执行Example 1 中的代码。如果攻击者直接请求该 URL，则不会设置相应的 referer 标头，并且该请求将失败。然而，如果攻击者提交具有所需值的假冒 HTTP_REFERER 参数，例如 http://www.example.com/ProtectedImages.aspx?HTTP_REFERER=http%3a%2f%2fwww.example.com，则查找将从 QueryString 而不是 ServerVariables 返回值，并且此检查将成功。

References

[1] Microsoft IIS Server Variables

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310

[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[10] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[11] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[12] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[13] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II

desc.semantic.dotnet.value_shadowing_server_variable