3 个项目已找到

弱点

Missing Check for Null Parameter

Java/JSP

Abstract

此函数违反了必须将其参数与 null 进行比较的约定。

Explanation

Java 标准指出，在实现 Object.equals()、Comparable.compareTo() 和 Comparator.compare() 时，如果其参数为 null，则必须返回一个指定值。不遵守该约定可能会导致发生意外的行为。

示例 1：以下代码实现了 equals() 方法，但不会将其参数与 null 进行比较。


public boolean equals(Object object)
{
   return (toString().equals(object.toString()));
}

References

[1] MET10-J. Follow the general contract when implementing the compareTo() method CERT

[2] MET08-J. Preserve the equality contract when overriding the equals() method CERT

[3] Standards Mapping - Common Weakness Enumeration CWE ID 398

[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

desc.controlflow.java.missing_check_for_null_parameter

Value Shadowing

C#/VB.NET/ASP.NET

Abstract

程序以不确定的方式访问变量，这可能会使它容易受到攻击。

Explanation

HttpRequest 类可通过编程的方式利用数组（例如 Request["myParam"]）访问 QueryString、Form、Cookies 或 ServerVariables 集合中的变量。如果多个变量使用相同的名称，.NET 框架将返回按以下顺序搜索这些集合时最先显示的变量值：QueryString、Form、Cookies、ServerVariables。由于 QueryString 会首先搜索，因此 QueryString 参数可能会取代 Form、Cookies 和 ServerVariables 变量的值。同样，Form 值可能会取代 Cookies 和 ServerVariables 集合中的变量，Cookies 集合中的变量可能会取代 ServerVariables 中的变量。
示例 1：假设某个银行应用程序将用户的电子邮件地址临时存储在 Cookie 中，并在需要联系用户时读取该值。以下代码会读取 Cookie 值，并将帐户余额发送到指定的电子邮件地址。


...
    String toAddress = Request["email"];        //Expects cookie value
    Double balance = GetBalance(userID);
    SendAccountBalance(toAddress, balance);
...

假设在访问 http://www.example.com/GetBalance.aspx 时执行Example 1 中的代码。如果攻击者能够使经过身份验证的用户单击请求 http://www.example.com/GetBalance.aspx?email=evil%40evil.com 的链接，则会将包含该用户的帐户余额的电子邮件发送到 evil@evil.com。

References

[1] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310

[2] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[3] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[9] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[10] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[11] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[12] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II

desc.semantic.dotnet.value_shadowing

Value Shadowing: Server Variable

C#/VB.NET/ASP.NET

Abstract

程序以不确定的方式访问服务器变量，这可能会使它容易受到攻击。

Explanation

HttpRequest 类可通过编程的方式利用数组（例如 Request["myParam"]）访问 QueryString、Form、Cookies 或 ServerVariables 集合中的变量。如果多个变量使用相同的名称，.NET 框架将返回按以下顺序搜索这些集合时最先显示的变量值：QueryString、Form、Cookies、ServerVariables。由于 QueryString 会首先搜索，因此 QueryString 参数可能会取代 Form、Cookies 和 ServerVariables 变量的值。同样，Form 值可能会取代 Cookies 和 ServerVariables 集合中的变量，Cookies 集合中的变量可能会取代 ServerVariables 中的变量。
示例 1：以下代码将检查 HTTP Referer 头文件服务器变量，在对内容提供服务之前确定请求是否来自 www.example.com。


    ...
    if (Request["HTTP_REFERER"].StartsWith("http://www.example.com"))
        ServeContent();
    else
        Response.Redirect("http://www.example.com/");
    ...

假设在访问 http://www.example.com/ProtectedImages.aspx 时执行Example 1 中的代码。如果攻击者直接请求该 URL，则不会设置相应的 referer 标头，并且该请求将失败。然而，如果攻击者提交具有所需值的假冒 HTTP_REFERER 参数，例如 http://www.example.com/ProtectedImages.aspx?HTTP_REFERER=http%3a%2f%2fwww.example.com，则查找将从 QueryString 而不是 ServerVariables 返回值，并且此检查将成功。

References

[1] Microsoft IIS Server Variables

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310

[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[10] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[11] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[12] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[13] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II

desc.semantic.dotnet.value_shadowing_server_variable