541 个项目已找到

弱点

Often Misused: Encoding

Abstract

在 .NET Framework 中不恰当地覆盖类会导致在服务器上执行任意代码、滥用应用程序逻辑或拒绝服务。

Explanation

无论编写程序所用的语言是什么，最具破坏性的攻击通常都会涉及执行远程代码，攻击者借此可在程序上下文中成功执行恶意代码。在 .NET Framework 中，Decoder 和 Encoding 类中的 GetChars 方法以及 Encoder 和 Encoding 类中的 GetBytes 方法在内部对字符数组和字节数组执行指针运算，以将字符范围转换为字节数范围，反之亦然。
在执行指针算术运算时，开发人员通常会以错误的方式覆盖上述方法，进而引入诸如任意代码执行、应用程序逻辑滥用和拒绝服务等漏洞。

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 176

[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.2 Output Encoding and Injection Prevention Requirements (L1 L2 L3)

[4] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[5] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

desc.structural.dotnet.often_misused_encoding

Abstract

此方法难以正确使用。

Explanation

我们很容易相信此编码方法可保护系统免受注入攻击，但是如果未在正确的上下文中准确使用此方法，则其提供的保护会远逊于宣称的效果。

例 1：下列编码方法调用使攻击者可以利用其插入恶意 JavaScript 的机会较小：


    out.println("x = " + encoder.encodeForJavaScript(input) + ";");

References

[1] OWASP ESAPI Secure Coding Guideline

[2] Standards Mapping - Common Weakness Enumeration CWE ID 176

[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[4] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.2 Output Encoding and Injection Prevention Requirements (L1 L2 L3)

[5] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[6] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

desc.structural.java.often_misused_encoding

Abstract

标识调用可对字符应用最佳适应算法。传递给默认 API 方法的不受支持的字符可通过最佳适应算法映射到危险字符。

Explanation

当操作系统及其上运行的应用程序之间的字符集不匹配时，传递给默认 API 方法的不受支持的字符可通过最佳适应算法映射到危险字符。

例 1：在 Objective-C 中，以下代码示例会将包含 UTF-8 字符的 NSString 对象转换成 ASCII 数据然后返回：


...
unichar ellipsis = 0x2026;
NSString *myString = [NSString stringWithFormat:@"My Test String%C", ellipsis];
NSData *asciiData = [myString dataUsingEncoding:NSASCIIStringEncoding allowLossyConversion:YES];
NSString *asciiString = [[NSString alloc] initWithData:asciiData encoding:NSASCIIStringEncoding];
NSLog(@"Original: %@ (length %d)", myString, [myString length]);
NSLog(@"Best-fit-mapped: %@ (length %d)", asciiString, [asciiString length]);
// output:
// Original: My Test String... (length 15)
// Best-fit-mapped: My Test String... (length 17)
...

如果仔细查看输出，您会发现“...”字符已转换成三个连续的句号。如果根据输出缓冲区调整了输出缓冲区大小，则应用程序易受缓冲区溢出攻击。其他字符可从一个字符映射到两个。希腊字符“fi”会映射到“f”，后跟“i”。通过前期加载包含这些字符的缓冲区，攻击者可完全控制用于实施缓冲区溢出攻击的字符数量。

References

[1] Apple Secure Coding Guide Apple

[2] String Programming Guide Apple

[3] Standards Mapping - Common Weakness Enumeration CWE ID 176

[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[5] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.2 Output Encoding and Injection Prevention Requirements (L1 L2 L3)

[6] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[7] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

desc.semantic.objc.method_may_best_fit_map_characters

Abstract

标识调用可对字符应用最佳适应算法。传递给默认 API 方法的不受支持的字符可通过最佳适应算法映射到危险字符。

Explanation

当操作系统及其上运行的应用程序之间的字符集不匹配时，传递给默认 API 方法的不受支持的字符可通过最佳适应算法映射到危险字符。

例 1：在 Swift 中，以下代码示例会将包含 UTF-8 字符的 NSString 对象转换成 ASCII 数据然后返回：


...
let ellipsis = 0x2026;
let myString = NSString(format:"My Test String %C", ellipsis)
let asciiData = myString.dataUsingEncoding(NSASCIIStringEncoding, allowLossyConversion:true)
let asciiString = NSString(data:asciiData!, encoding:NSASCIIStringEncoding)
NSLog("Original: %@ (length %d)", myString, myString.length)
NSLog("Best-fit-mapped: %@ (length %d)", asciiString!, asciiString!.length)

// output:
// Original: My Test String ... (length 16)
// Best-fit-mapped: My Test String ... (length 18)
...

References

[1] Apple Secure Coding Guide Apple

[2] String Programming Guide Apple

[3] Standards Mapping - Common Weakness Enumeration CWE ID 176

[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[5] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.2 Output Encoding and Injection Prevention Requirements (L1 L2 L3)

[6] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[7] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

desc.semantic.swift.method_may_best_fit_map_characters

Often Misused: File System

Abstract

将一个长度不合适的输出缓冲区传递到一个 path manipulation 函数，会导致 buffer overflow。

Explanation

Windows 提供了大量的实用程序函数来处理包含文件名的缓冲区。在大多数情况下，结果会返回到一个作为输入传入的缓冲区中。（通常文件名会进行适当的修改。）大多数函数需要缓冲区至少为 MAX_PATH 字节的长度，但是您应该逐一检查每一个函数的文档。如果缓冲区大小不足以存储处理的结果，那么就会发生 buffer overflow。

示例 1：


char *createOutputDirectory(char *name) {
	char outputDirectoryName[128];
	if (getCurrentDirectory(128, outputDirectoryName) == 0) {
		return null;
	}
	if (!PathAppend(outputDirectoryName, "output")) {
		return null;
	}
	if (!PathAppend(outputDirectoryName, name)) {
		return null;
	}
	if (SHCreateDirectoryEx(NULL, outputDirectoryName, NULL)
        != ERROR_SUCCESS) {
		return null;
	}
	return StrDup(outputDirectoryName);
}

在这个例子中，函数在当前目录中创建了名为 "output\<name>" 的目录，并且返回了一个同样名称的堆分配副本。对于大多数当前目录和名称参数的值来说，该函数都能够正常工作。但是，如果 name 参数特别长，那么第二个对 PathAppend() 的调用可能会溢出 outputDirectoryName 缓冲区，因为该缓冲区比 MAX_PATH 字节小。

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 249, CWE ID 560

[2] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[3] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow

[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I

[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I

[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I

[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I

[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I

[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I

[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I

desc.semantic.cpp.often_misused_file_system.windows

Abstract

由参数 umask() 指定的掩码常常很容易与 chmod() 的参数混淆。

Explanation

umask() man page 以错误的指令开始：

"umask sets the umask to mask & 0777"

尽管这种行为可以更好地遵从 chmod() 的用法，这种情况下，由用户提供的参数指定在特定文件上启用的位数，但事实上 umask() 的行为恰恰相反： umask() 将 umask 设为 ~mask & 0777。

umask() man page 接下来描述了 umask() 的正确使用方法：

“open() 使用 umask 为新建文件设置初始文件权限。具体而言，它会关闭 umask 从 mode 参数传递到 open(2) 的权限（例如，umask 的通用默认值 022 会导致以权限 0666 & ~022 = 0644 = rw-r--r-- 创建新文件，而在正常情况下，mode 应该为 0666）。”