6 个项目已找到

弱点

Reflected File Download

Java/JSP

Abstract

应用程序允许攻击者创建 URL，强制下载看似来自受信任域的任意内容。

Explanation

Reflected File Download (RFD) 是一种漏洞，攻击者可以利用该漏洞创建网络钓鱼 URL 或页面，一旦有用户访问 URL 或页面，则开始下载包含看似来自受信任域的任意内容的文件。由于用户信任给定的域，他/她很可能会打开下载的文件，进而可能导致执行恶意代码。

为确保攻击者成功发动 RFD 攻击，需要满足以下要求：
- 目标应用程序在未经适当验证或编码的情况下反映用户输入。此类漏洞用于注入有效负载。
- 目标应用程序允许许可 URL。因此，攻击者可以控制下载文件的名称和扩展名。
- 目标应用程序的 Content-Disposition 标头配置错误，攻击者可以控制 HTTP 响应的 Content-Type 和/或 Content-Disposition 标头，或者目标应用程序包含 Content-Type（默认不会在浏览器中呈现）。

例如，如果应用程序使用 Spring Web MVC ContentNegotiationManager 动态生成不同的响应格式，则满足发动 RFD 攻击的必要条件。

ContentNegotiationManager 配置为根据请求路径扩展决定响应格式，使用 Java Activation Framework (JAF) 查找与客户端请求格式更匹配的 Content-Type。同时，客户端也可以通过请求的 Accept 标头中发送的媒体类型来指定响应内容类型。

示例 1：在以下示例中，应用程序配置为允许通过路径扩展策略和 Java Activation Framework 确定响应内容类型：


<bean id="contentNegotiationManager" class="org.springframework.web.accept.ContentNegotiationManagerFactoryBean">
  <property name="favorPathExtension" value="true" />
  <property name="useJaf" value="true" />
</bean>

示例 2：在以下示例中，应用程序配置为允许通过请求的 Accept 标头确定响应内容类型：


<bean id="contentNegotiationManager" class="org.springframework.web.accept.ContentNegotiationManagerFactoryBean">
  <property name="ignoreAcceptHeader" value="false" />
</bean>

请注意，Spring 4.2.1 的 ContentNegotiationManagerFactoryBean 属性默认值为：

- useJaf：true
- favorPathExtension：true
- ignoreAcceptHeader：falseExample 1 中所示的配置允许攻击者创建一个恶意 URL，例如：

http://server/some/resource/endpoint/foo.bat?input=payload

因此，ContentNegotiationManager 将使用 Java Activation Framework（如果在类路径中发现 activation.jar）尝试解析给定文件扩展名的媒体类型，并相应设置响应的 ContentType 标头。在此示例中，文件扩展名是“bat”，进而生成 application/x-msdownload 的 Content-Type 标头（尽管实际 Content-Type 可能因服务器 OS 和 JAF 配置而异）。因此，一旦受害者访问此恶意 URL，他/她的计算机将自动开始下载包含攻击者控制内容的“.bat”文件。如果随后执行此文件，受害者计算机将运行攻击者有效负载指定的任何命令。

References

[1] Oren Hafif Reflected File Download - A New Web Attack Vector

[2] Alvaro Munoz Reflected File Download in Spring MVC

[3] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 233

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079

[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079

[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[10] Standards Mapping - FIPS200 SI

[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[14] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization

[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 8.1.3 General Data Protection (L2 L3)

[16] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[19] Standards Mapping - OWASP Top 10 2010 A1 Injection

[20] Standards Mapping - OWASP Top 10 2013 A1 Injection

[21] Standards Mapping - OWASP Top 10 2017 A1 Injection

[22] Standards Mapping - OWASP Top 10 2021 A03 Injection

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.6

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079

[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079

[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.config.java.reflected_file_download

Server-Side Request Forgery

Abstract

应用程序将使用用户控制的数据启动与第三方系统的连接，以创建资源 URI。

Explanation

当攻击者可以影响应用程序服务器建立的网络连接时，将会发生 Server-Side Request Forgery。网络连接源自于应用程序服务器内部 IP，因此攻击者将可以使用此连接来避开网络控制，并扫描或攻击没有以其他方式暴露的内部资源。

示例 1：在下列示例中，攻击者将能够控制服务器连接至的 URL。


...
PageReference ref = ApexPages.currentPage();
Map<String,String> params = ref.getParameters();
HttpRequest req = new HttpRequest();
req.setEndpoint(params.get('url'));
HTTPResponse res = new Http().send(req);

攻击者能否劫持网络连接取决于他可以控制的 URI 的特定部分以及用于建立连接的库。例如，控制 URI 方案将使攻击者可以使用不同于 http 或 https 的协议，类似于下面这样：

- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://

攻击者将可以利用劫持的此网络连接执行以下类型的攻击：

- 对内联网资源进行端口扫描。
- 避开防火墙。
- 攻击运行于应用程序服务器或内联网上易受攻击的程序。
- 使用 Injection 攻击或 CSRF 攻击内部/外部 Web 应用程序。
- 执行 DNS 缓存中毒攻击。

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 918

[2] Standards Mapping - Common Weakness Enumeration Top 25 2021 [24] CWE ID 918

[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [21] CWE ID 918

[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [19] CWE ID 918

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[6] Standards Mapping - FIPS200 SI

[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[10] Standards Mapping - OWASP API 2023 API7 Server Side Request Forgery

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.6 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.6.1 SSRF Protection Requirements (L1 L2 L3), 13.1.1 Generic Web Service Security Verification Requirements (L1 L2 L3)

[12] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[14] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[19] Standards Mapping - OWASP Top 10 2021 A10 Server-Side Request Forgery

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation

[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)

desc.dataflow.apex.server_side_request_forgery

Abstract

应用程序将使用用户控制的数据启动与第三方系统的连接，以创建资源 URI。

Explanation

当攻击者可以影响应用程序服务器建立的网络连接时，将会发生 Server-Side Request Forgery。网络连接源自于应用程序服务器内部 IP，因此攻击者将可以使用此连接来避开网络控制，并扫描或攻击没有以其他方式暴露的内部资源。

示例：在下列示例中，攻击者将能够控制服务器连接至的 URL。


string url = Request.Form["url"];
HttpClient client = new HttpClient();
HttpResponseMessage response = await client.GetAsync(url);

攻击者能否劫持网络连接取决于他可以控制的 URI 的特定部分以及用于建立连接的库。例如，控制 URI 方案将使攻击者可以使用不同于 http 或 https 的协议，类似于下面这样：

- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://

攻击者将可以利用劫持的此网络连接执行下列攻击：

- 对内联网资源进行端口扫描。
- 避开防火墙。
- 攻击运行于应用程序服务器或内联网上易受攻击的程序。
- 使用 Injection 攻击或 CSRF 攻击内部/外部 Web 应用程序。
- 使用 file:// 方案访问本地文件。
- 在 Windows 系统上，file:// 方案和 UNC 路径可以允许攻击者扫描和访问内部共享。
- 执行 DNS 缓存中毒攻击。

References

[1] Alexander Polyakov SSRF vs. Business critical applications BlackHat 2012

[2] SSRF bible. Cheatsheet ONSec Labs

[3] Standards Mapping - Common Weakness Enumeration CWE ID 918

[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [24] CWE ID 918

[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [21] CWE ID 918

[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [19] CWE ID 918

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[8] Standards Mapping - FIPS200 SI

[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[12] Standards Mapping - OWASP API 2023 API7 Server Side Request Forgery

[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.6 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.6.1 SSRF Protection Requirements (L1 L2 L3), 13.1.1 Generic Web Service Security Verification Requirements (L1 L2 L3)

[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[21] Standards Mapping - OWASP Top 10 2021 A10 Server-Side Request Forgery

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation

[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[54] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)

desc.dataflow.dotnet.server_side_request_forgery

Abstract

应用程序将使用用户控制的数据启动与第三方系统的连接，以创建资源 URI。

Explanation


char *url = maliciousInput(); 
CURL *curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_URL, url);
CURLcode res = curl_easy_perform(curl);

攻击者能否劫持网络连接取决于他可以控制的 URI 的特定部分以及用于建立连接的库。例如，控制 URI 方案将使攻击者可以使用不同于 http 或 https 的协议，类似于下面这样：

- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://

攻击者将可以利用劫持的此网络连接执行下列攻击：

- 对内联网资源进行端口扫描。
- 避开防火墙。
- 攻击运行于应用程序服务器或内联网上易受攻击的程序。
- 使用 Injection 攻击或 CSRF 攻击内部/外部 Web 应用程序。
- 使用 file:// 方案访问本地文件。
- 在 Windows 系统上，使用 file:// 方案和 UNC 路径将让攻击者能够扫描和访问内部共享部分。
- 执行 DNS 缓存中毒攻击。