界: Input Validation and Representation

输入验证与表示问题是由元字符、交替编码和数字表示引起的。安全问题源于信任输入。这些问题包括：“Buffer Overflows”、“Cross-Site Scripting”攻击、“SQL Injection”等其他问题。

1 个项目已找到

弱点

Reflected File Download

Java/JSP

Abstract

应用程序允许攻击者创建 URL，强制下载看似来自受信任域的任意内容。

Explanation

Reflected File Download (RFD) 是一种漏洞，攻击者可以利用该漏洞创建网络钓鱼 URL 或页面，一旦有用户访问 URL 或页面，则开始下载包含看似来自受信任域的任意内容的文件。由于用户信任给定的域，他/她很可能会打开下载的文件，进而可能导致执行恶意代码。

为确保攻击者成功发动 RFD 攻击，需要满足以下要求：
- 目标应用程序在未经适当验证或编码的情况下反映用户输入。此类漏洞用于注入有效负载。
- 目标应用程序允许许可 URL。因此，攻击者可以控制下载文件的名称和扩展名。
- 目标应用程序的 Content-Disposition 标头配置错误，攻击者可以控制 HTTP 响应的 Content-Type 和/或 Content-Disposition 标头，或者目标应用程序包含 Content-Type（默认不会在浏览器中呈现）。

例如，如果应用程序使用 Spring Web MVC ContentNegotiationManager 动态生成不同的响应格式，则满足发动 RFD 攻击的必要条件。

ContentNegotiationManager 配置为根据请求路径扩展决定响应格式，使用 Java Activation Framework (JAF) 查找与客户端请求格式更匹配的 Content-Type。同时，客户端也可以通过请求的 Accept 标头中发送的媒体类型来指定响应内容类型。

示例 1：在以下示例中，应用程序配置为允许通过路径扩展策略和 Java Activation Framework 确定响应内容类型：


<bean id="contentNegotiationManager" class="org.springframework.web.accept.ContentNegotiationManagerFactoryBean">
  <property name="favorPathExtension" value="true" />
  <property name="useJaf" value="true" />
</bean>

示例 2：在以下示例中，应用程序配置为允许通过请求的 Accept 标头确定响应内容类型：


<bean id="contentNegotiationManager" class="org.springframework.web.accept.ContentNegotiationManagerFactoryBean">
  <property name="ignoreAcceptHeader" value="false" />
</bean>

请注意，Spring 4.2.1 的 ContentNegotiationManagerFactoryBean 属性默认值为：

- useJaf：true
- favorPathExtension：true
- ignoreAcceptHeader：falseExample 1 中所示的配置允许攻击者创建一个恶意 URL，例如：

http://server/some/resource/endpoint/foo.bat?input=payload

因此，ContentNegotiationManager 将使用 Java Activation Framework（如果在类路径中发现 activation.jar）尝试解析给定文件扩展名的媒体类型，并相应设置响应的 ContentType 标头。在此示例中，文件扩展名是“bat”，进而生成 application/x-msdownload 的 Content-Type 标头（尽管实际 Content-Type 可能因服务器 OS 和 JAF 配置而异）。因此，一旦受害者访问此恶意 URL，他/她的计算机将自动开始下载包含攻击者控制内容的“.bat”文件。如果随后执行此文件，受害者计算机将运行攻击者有效负载指定的任何命令。

References

[1] Oren Hafif Reflected File Download - A New Web Attack Vector

[2] Alvaro Munoz Reflected File Download in Spring MVC

[3] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 233

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079

[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079

[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[10] Standards Mapping - FIPS200 SI

[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[14] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization

[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 8.1.3 General Data Protection (L2 L3)

[16] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[19] Standards Mapping - OWASP Top 10 2010 A1 Injection

[20] Standards Mapping - OWASP Top 10 2013 A1 Injection

[21] Standards Mapping - OWASP Top 10 2017 A1 Injection

[22] Standards Mapping - OWASP Top 10 2021 A03 Injection

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.6

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079

[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079

[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.config.java.reflected_file_download