界: API Abuse

API 是调用方和被调用方之间的约定。最常见的 API 滥用是由于调用方未能遵守此约定的终止导致的。例如,如果某个程序在调用 chroot() 后未能调用 chdir(),则违反了用于指定如何安全地更改活动根目录的约定。库滥用的另一个典型示例是期望被调用方向调用方返回可信的 DNS 信息。在这种情况下,调用方通过对被调用方行为做出某种假设(返回值可用于身份验证目的)滥用其 API。另一方也可能违反调用方-被调用方约定。例如,如果编码器子类化 SecureRandom 并返回一个非随机值,则将违反此约定。

83 个项目已找到
弱点

Often Misused: Exception Handling

Abstract
_alloca() 函数会抛出一个堆栈溢出异常,可能造成程序的崩溃。
Explanation
_alloca() 函数在堆栈上分配存储空间。如果分配请求对于可用的堆栈空间来说太大,_alloca() 将会抛出一个异常。如果未能捕获到异常,程序将会崩溃,并有可能引起 denial of service 攻击。

在 Microsoft Visual Studio 2005(R) 中,_alloca() 已经被淘汰。它已由更加安全的 _alloca_s() 所取代。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 248
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[9] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[10] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
desc.semantic.cpp.often_misused_exception_handling._alloca

Often Misused: File System

Abstract
将一个长度不合适的输出缓冲区传递到一个 path manipulation 函数,会导致 buffer overflow。
Explanation
Windows 提供了大量的实用程序函数来处理包含文件名的缓冲区。在大多数情况下,结果会返回到一个作为输入传入的缓冲区中。(通常文件名会进行适当的修改。)大多数函数需要缓冲区至少为 MAX_PATH 字节的长度,但是您应该逐一检查每一个函数的文档。如果缓冲区大小不足以存储处理的结果,那么就会发生 buffer overflow。

示例 1:

char *createOutputDirectory(char *name) {
	char outputDirectoryName[128];
	if (getCurrentDirectory(128, outputDirectoryName) == 0) {
		return null;
	}
	if (!PathAppend(outputDirectoryName, "output")) {
		return null;
	}
	if (!PathAppend(outputDirectoryName, name)) {
		return null;
	}
	if (SHCreateDirectoryEx(NULL, outputDirectoryName, NULL)
        != ERROR_SUCCESS) {
		return null;
	}
	return StrDup(outputDirectoryName);
}


在这个例子中,函数在当前目录中创建了名为 "output\<name>" 的目录,并且返回了一个同样名称的堆分配副本。对于大多数当前目录和名称参数的值来说,该函数都能够正常工作。但是,如果 name 参数特别长,那么第二个对 PathAppend() 的调用可能会溢出 outputDirectoryName 缓冲区,因为该缓冲区比 MAX_PATH 字节小。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 249, CWE ID 560
[2] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[3] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
desc.semantic.cpp.often_misused_file_system.windows
Abstract
由参数 umask() 指定的掩码常常很容易与 chmod() 的参数混淆。
Explanation
umask() man page 以错误的指令开始:

"umask sets the umask to mask & 0777"

尽管这种行为可以更好地遵从 chmod() 的用法,这种情况下,由用户提供的参数指定在特定文件上启用的位数,但事实上 umask() 的行为恰恰相反: umask() 将 umask 设为 ~mask & 0777

umask() man page 接下来描述了 umask() 的正确使用方法:

open() 使用 umask 为新建文件设置初始文件权限。 具体而言,它会关闭 umask 从 mode 参数传递到 open(2) 的权限(例如,umask 的通用默认值 022 会导致以权限 0666 & ~022 = 0644 = rw-r--r-- 创建新文件,而在正常情况下,mode 应该为 0666)。”
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 249, CWE ID 560
[2] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[3] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
desc.semantic.java.often_misused_file_system
Abstract
标识调用会使用跟踪符号链接的方法。
Explanation
我们已知某些函数会盲目跟踪链接。如果出现这种情况,您的应用程序将打开、读取或将数据写入符号链接指向的文件而不是显示符号链接。攻击者会欺骗应用程序写入备选或关键系统文件,或者将受损数据提供给应用程序。

示例 1:以下代码使用跟踪符号链接的函数:


...
	struct stat output;
	int ret = stat(aFilePath, &output);
	// error handling omitted for this example
	struct timespec accessTime = output.st_atime;
...
References
[1] Apple Secure Coding Guide Apple
[2] Standards Mapping - Common Weakness Enumeration CWE ID 249, CWE ID 560
[3] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[4] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
desc.semantic.objc.methods_follow_sym_links
Abstract
由参数 umask() 指定的掩码常常很容易与 chmod() 的参数混淆。
Explanation
umask() man page 以错误的指令开始:

“umask sets the umask to mask & 0777”

尽管这种行为可以更好地遵从 chmod() 的用法,这种情况下,由用户提供的参数指定在特定文件上启用的位数,但事实上 umask() 的行为恰恰相反:umask() 将 umask 设为 ~mask & 0777

umask() man page 接下来描述了 umask() 的正确使用方法:

“umask 用于为新建文件设置初始文件权限。具体的说,将会通过 mode 参数关闭 umask 中的权限(例如,umask 的通用默认值 022 会导致以权限 0666 & ~022 = 0644 = rw-r--r-- 创建新文件,而在正常情况下,mode 应该为 0666)。”
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 249, CWE ID 560
[2] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[3] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
desc.semantic.python.often_misused_file_system.umask
Abstract
调用使用先写入临时文件再写入目标文件的方法。
Explanation
许多 API 通过完全写入临时文件,然后再将整个文件复制到目标位置,来最大限度地降低数据丢失的风险。确保识别的方法不会用于公共或临时目录中的文件或路径,因为攻击者会在临时文件写入目标文件之前将其即时替换。这使攻击者能够控制公共目录中应用程序使用的文件内容。

示例 1:以下代码使用易受攻击的方法将活动的 transactionId 写入应用程序 Documents 目录下的一个临时文件:


...
//get the documents directory:
let documentsPath = NSSearchPathForDirectoriesInDomains(.DocumentDirectory, .UserDomainMask, true)[0]
//make a file name to write the data to using the documents directory:
let fileName = NSString(format:"%@/tmp_activeTrans.txt", documentsPath)
// write data to the file
let transactionId = "TransactionId=12341234"
transactionId.writeToFile(fileName, atomically:true)
...
References
[1] Apple Secure Coding Guide Apple
[2] Apple NSString Class Reference Apple
[3] Standards Mapping - Common Weakness Enumeration CWE ID 249, CWE ID 560
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
desc.semantic.swift.methods_unsafe_on_public_or_tmp_directories

Often Misused: File Upload

Abstract
允许用户上传文件可能会让攻击者注入危险内容或恶意代码,并在服务器上运行。
Explanation
无论编写程序所用的语言是什么,最具破坏性的攻击通常都会涉及执行远程代码,攻击者借此可在程序上下文中成功执行恶意代码。如果允许攻击者向某个可通过 Web 访问的目录上传文件,并能够将这些文件传递给代码解释器(如 JSP/ASPX/PHP),他们就能促使这些文件中包含的恶意代码在服务器上执行。

使用以下代码可接收上传的文件并将其分配给 posted 对象。FileUpload 属于类型 System.Web.UI.HtmlControls.HtmlInputFile
示例 1:

HttpPostedFile posted = FileUpload.PostedFile;

即使程序将上传的文件存储在一个无法通过 Web 访问的目录中,攻击者仍然有可能通过向服务器环境引入恶意内容来发动其他攻击。如果程序容易出现 path manipulation、command injection 或危险的 file inclusion 漏洞,那么攻击者就可能上传带恶意内容的文件,并利用另一种漏洞促使程序读取或执行该文件。
References
[1] Alla Bezroutchko Secure file upload in PHP web applications
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[35] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.semantic.dotnet.often_misused_file_upload
Abstract
允许用户上传文件可能导致攻击者注入危险内容或恶意代码以便在服务器上运行。
Explanation
无论编写程序所用的语言是什么,最具破坏性的攻击通常都会涉及执行远程代码,攻击者借此可在程序上下文中成功执行恶意代码。如果允许攻击者向某个可通过 Web 访问的目录上传文件,并能够将这些文件传递给代码解释器(如 JSP/ASPX/PHP),他们就能促使这些文件中包含的恶意代码在服务器上执行。

示例 1:以下 Spring MVC 控制器类包含可用于处理上传文件的参数。

@Controller
public class MyFormController {
    ...
    @RequestMapping("/test")
    public String uploadFile (org.springframework.web.multipart.MultipartFile file) {
       ...
    }    ...
}


即使程序将上传的文件存储在一个无法通过 Web 访问的目录中,攻击者仍然有可能通过向服务器环境引入恶意内容来发动其他攻击。如果程序容易出现 path manipulation、command injection 或危险的 file inclusion 漏洞,那么攻击者就可能上传带恶意内容的文件,并利用另一种漏洞促使程序读取或执行该文件。
References
[1] Alla Bezroutchko Secure file upload in PHP web applications
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[35] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.java.often_misused_file_upload_spring
Abstract
允许用户上传文件可能会让攻击者注入危险内容或恶意代码,并在服务器上运行。
Explanation
无论编写程序所用的语言是什么,最具破坏性的攻击通常都会涉及执行远程代码,攻击者借此可在程序上下文中成功执行恶意代码。如果允许攻击者向某个可通过 Web 访问的目录上传文件,并能够将这些文件传递给 PHP 解释器,他们就能促使这些文件中包含的恶意代码在服务器上执行。

示例 1:以下代码会处理上传的文件,并将它们移到 Web 根目录下的一个目录中。攻击者可以将恶意的 PHP 源文件上传到该程序中,并随后从服务器中请求这些文件,这会促使 PHP 解析器执行这些文件。


<?php
$udir = 'upload/'; // Relative path under Web root
$ufile = $udir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $ufile)) {
    echo "Valid upload received\n";
} else {
    echo "Invalid upload rejected\n";
} ?>


即使程序将上传的文件存储在一个无法通过 Web 访问的目录中,攻击者仍然有可能通过向服务器环境引入恶意内容来发动其他攻击。如果程序容易出现 path manipulation、command injection 或 remote include 漏洞,那么攻击者就可能上传带恶意内容的文件,并利用另一种漏洞促使程序读取或执行该文件。
References
[1] M. Achour et al. PHP Manual
[2] Alla Bezroutchko Secure file upload in PHP web applications
[3] Standards Mapping - Common Weakness Enumeration CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.semantic.php.often_misused_file_upload
Abstract
允许用户上传文件可能会让攻击者注入危险内容或恶意代码,并在服务器上运行。
Explanation
无论编写程序所用的语言是什么,最具破坏性的攻击通常都会涉及执行远程代码,攻击者借此可在程序上下文中成功执行恶意代码。如果允许攻击者向某个可通过 Web 访问的目录上传文件,并能够将这些文件传递给 Python 解释器,这些攻击者就能让这些文件中包含的恶意代码在服务器上执行。

示例 1:以下代码会处理上传的文件,并将它们移到 Web 根目录下的一个目录中。攻击者可以将恶意文件上传到该程序,并随后从服务器中请求这些文件。


from django.core.files.storage import default_storage
from django.core.files.base import File
...
def handle_upload(request):
  files = request.FILES
  for f in files.values():
    path = default_storage.save('upload/', File(f))
...


即使程序将上传的文件存储在一个无法通过 Web 访问的目录中,攻击者仍然有可能通过向服务器环境引入恶意内容来发动其他攻击。如果程序容易出现 path manipulation、command injection 或 remote include 漏洞,那么攻击者就可能上传带恶意内容的文件,并利用另一种漏洞促使程序读取或执行该文件。
References
[1] Django Foundation File Uploads
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[35] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.python.often_misused_file_upload
Abstract
允许用户上传文件可能会让攻击者注入危险内容或恶意代码,并在服务器上运行。
Explanation
无论编写程序所用的语言是什么,最具破坏性的攻击通常都会涉及执行远程代码,攻击者借此可在程序上下文中成功执行恶意代码。如果允许攻击者上传文件到公开的可执行目录中,则他们可以让这些文件中包含的恶意代码在服务器上执行。

即使程序将上传的文件存储在一个无法公开访问的目录中,攻击者仍然有可能通过向服务器环境引入恶意内容来发动其他攻击。如果程序容易出现 path manipulation、command injection 或 remote include 漏洞,那么攻击者就可能上传带恶意内容的文件,并利用另一种漏洞促使程序读取或执行该文件。
References
[1] Alla Bezroutchko Secure file upload in PHP web applications
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[35] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.ruby.often_misused_file_upload
Abstract
允许用户上传文件可能会让攻击者注入危险内容或恶意代码,并在服务器上运行。
Explanation
无论编写程序所用的语言是什么,最具破坏性的攻击通常都会涉及执行远程代码,攻击者借此可在程序上下文中成功执行恶意代码。如果允许攻击者向某个可通过 Web 访问的目录上传文件,并能够将这些文件传递给代码解释器(如 JSP/ASPX/PHP),他们就能促使这些文件中包含的恶意代码在服务器上执行。
即使程序将上传的文件存储在一个无法通过 Web 访问的目录中,攻击者仍然有可能通过向服务器环境引入恶意内容来发动其他攻击。如果程序容易出现 path manipulation、command injection 或危险的 file inclusion 漏洞,那么攻击者就可能上传带恶意内容的文件,并利用另一种漏洞促使程序读取或执行该文件。

类型为 file<input> 标签表示程序接受文件上传。
示例 1:

<input type="file">
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 434
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[33] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[34] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.content.html.often_misused_file_upload

Often Misused: Mixing Template Languages

Abstract
避免混合模板语言,以防止绕过 Cross-Site Scripting 保护。
Explanation
混合模板引擎时,意味着之前为模板实施的保护可能不再起作用,或不再有效。在危害最轻的情况下,这可能会导致功能无法按预期运行,但还可能会让恶意用户能够规避引擎保护,从而引发 cross-site scripting 漏洞。

示例 1:在以下代码中,配置 AngularJS 模块以使用 "[[" 和 "]]" 作为表达式分隔符,而不是使用默认值。


myModule.config(function($interpolateProvider){
    $interpolateProvider.startSymbol("[[");
    $interpolateProvider.endSymbol("]]");
});


这可能会导致其他模板引擎执行验证,以转义可能与 AngularJS 表达式不兼容的表达式,因而可能会使用户可以绕过常规验证,在浏览器中运行他们自己的代码。
References
[1] AngularJS $interpolateProvider documentation Google
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
desc.structural.javascript.often_misused_mixing_template_languages

Often Misused: Privilege Management

Abstract
没有遵守最低权限原则会增加引发其他漏洞的风险。
Explanation
利用 root 权限运行的程序已经造成了无数的 Unix 安全灾难。仔细检查您的程序授权是否会引发安全问题十分必要,同样重要的是,对那些授予了权限的应用程序,应及时撤销其权限并返回至未授权状态,把因忽略漏洞而引发的破坏控制到最小。


Privilege management 函数有时会以一些不明显的方式运行,并且它们在不同的平台上面会有较大差异。当您从一个非 root 用户切换到另外一个用户时,这种差异会尤其明显。

信号处理程序以及产生的进程会在其本身进程所具有的权限运行,所以当触发某一个信号或执行子进程时,一个进程以 root 权限运行,信号处理程序或者子进程将会以 Root 权限运行。因此,攻击者有可能利用这个提高的权限来进行更严重的破坏。
References
[1] H. Chen, D. Wagner, and D. Dean. Setuid Demystified. 11th USENIX Security Symposium
[2] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[3] Standards Mapping - Common Weakness Enumeration CWE ID 250
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-000381, CCI-002233, CCI-002235
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), CM-7 Least Functionality (P1), IA-5 Authenticator Management (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-5 Access Restrictions for Change, CM-7 Least Functionality, IA-5 Authenticator Management
[10] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.1 Authentication Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[13] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[15] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[27] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 250
[28] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.cpp.often_misused_privilege_management.setuid
Abstract
未能遵循最小特权原则会增加其他漏洞带来的风险。
Explanation
root 权限运行的程序已导致了无数的 Unix 安全灾难。您必须仔细审查特权程序是否存在各种安全问题,但同样重要的是,特权程序应尽快恢复到非特权状态,以限制被忽略的漏洞可能造成的损害。


权限管理功能可能会以一些不太明显的方式运行,并且它们在不同平台上具有不同的特性。如果您从一个非 root 用户转换到另一个非 root 用户,这些不一致尤为明显。

信号处理程序和派生的流程以所拥有流程的权限运行,因此,如果在触发信号或执行子流程时某个流程以 root 身份运行,则信号处理程序或子流程将以 root 权限运行。攻击者可能会利用这些提升的权限进行进一步的破坏。
References
[1] H. Chen, D. Wagner, and D. Dean. Setuid Demystified. 11th USENIX Security Symposium
[2] Standards Mapping - Common Weakness Enumeration CWE ID 250
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-000381, CCI-002233, CCI-002235
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), CM-7 Least Functionality (P1), IA-5 Authenticator Management (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-5 Access Restrictions for Change, CM-7 Least Functionality, IA-5 Authenticator Management
[9] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.1 Authentication Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[26] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 250
[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.golang.often_misused_privilege_management
Abstract
没有遵守最低权限原则会增加引发其他漏洞的风险。
Explanation
利用 root 权限运行的程序已经造成了无数的 Unix 安全灾难。 仔细检查您的程序授权是否会引发安全问题十分必要,同样重要的是,对那些授予了权限的程序,应及时撤销其权限并返回至未授权状态,将因忽略漏洞而引发的损害控制到最小。


Privilege management 函数有时会以一些不明显的方式运行,并且它们在不同的平台上面会有较大差异。 当您从一个非 root 用户切换到另外一个用户时,这种差异会尤其明显。

信号处理程序以及产生的进程会以其所拥有进程的权限运行,所以在某进程以 root 权限运行时,如果触发某一个信号或执行子进程,则信号处理程序或者子进程将会以 root 权限运行。 因此,攻击者有可能利用这些提高的权限来进行更严重的破坏。
References
[1] H. Chen, D. Wagner, and D. Dean. Setuid Demystified. 11th USENIX Security Symposium
[2] Standards Mapping - Common Weakness Enumeration CWE ID 250
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-000381, CCI-002233, CCI-002235
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), CM-7 Least Functionality (P1), IA-5 Authenticator Management (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-5 Access Restrictions for Change, CM-7 Least Functionality, IA-5 Authenticator Management
[9] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.1 Authentication Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[26] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 250
[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.java.often_misused_privilege_management
Abstract
没有遵守最低权限原则会增加引发其他漏洞的风险。
Explanation
利用 root 权限运行的程序已经造成了无数的 Unix 安全灾难。仔细检查您的程序授权是否会引发安全问题十分必要,同样重要的是,对那些授予了权限的应用程序,应及时撤销其权限并返回至未授权状态,把因忽略漏洞而引发的破坏控制到最小。


Privilege management 函数有时会以一些不明显的方式运行,并且它们在不同的平台上面会有较大差异。当您从一个非 root 用户切换到另外一个用户时,这种差异会尤其明显。

信号处理程序以及产生的进程会在其本身进程所具有的权限运行,所以当触发某一个信号或执行子进程时,一个进程以 root 权限运行,信号处理程序或者子进程将会以 Root 权限运行。因此,攻击者有可能利用这个提高的权限来进行更严重的破坏。
References
[1] H. Chen, D. Wagner, and D. Dean. Setuid Demystified. 11th USENIX Security Symposium
[2] Standards Mapping - Common Weakness Enumeration CWE ID 250
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-000381, CCI-002233, CCI-002235
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), CM-7 Least Functionality (P1), IA-5 Authenticator Management (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-5 Access Restrictions for Change, CM-7 Least Functionality, IA-5 Authenticator Management
[9] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.1 Authentication Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[26] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 250
[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.python.often_misused_privilege_management

Often Misused: SMS

Abstract
应用程序执行特定于 iOS 的 SMS 相关操作。
Explanation
除非特定于 iOS 的 SMS 相关操作对于应用程序的核心功能必不可少,否则不应执行这些操作。 专为移动设备而编写的恶意软件通常会滥用此类功能,以从用户处窃取金钱或数据。

示例 1: 在以下情况下,应用程序会发送一条 SMS 消息,或者预先撰写并向用户显示一条提示其发送或取消的 SMS 消息:

...
Device.OpenUri("sms:+12345678910");
...
References
[1] Apple UIApplication Class Reference
[2] Apple MFMessageComposeViewController Class Reference
[3] Xamarin Messaging Plugin for Xamarin and Windows
[4] Standards Mapping - Common Weakness Enumeration CWE ID 265
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.5 Configuration Architectural Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.2, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.2, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[29] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[46] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.dotnet.often_misused_sms
Abstract
应用程序执行 SMS 相关操作。
Explanation
除非 SMS 相关操作对于应用程序的核心功能必不可少,否则不应执行这些操作。专为移动设备而编写的恶意软件通常会滥用此类功能,以从用户处窃取金钱或数据。

示例 1:在以下情况下,应用程序会发送一条 SMS 消息,或者预先撰写并向用户显示一条提示其发送或取消的 SMS 消息:

...
[[CTMessageCenter sharedMessageCenter] sendSMSWithText:@"Hello world!" serviceCenter:nil toAddress:@"+12345678910"];
...

// or

...
[[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"sms:+12345678910"]];
...

// or

...
MFMessageComposeViewController *messageComposerVC = [[MFMessageComposeViewController alloc] init];

[messageComposerVC setMessageComposeDelegate:self];
[messageComposerVC setBody:@"Hello World!"];
[messageComposerVC setRecipients:[NSArray arrayWithObject:@"+12345678910"]];

[self presentViewController:messageComposerVC animated:YES completion:nil];
...
References
[1] Apple UIApplication Class Reference
[2] Apple MFMessageComposeViewController Class Reference
[3] Standards Mapping - Common Weakness Enumeration CWE ID 265
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.5 Configuration Architectural Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[11] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.2, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.2, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[45] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.objc.often_misused_sms
Abstract
应用程序执行 SMS 相关操作。
Explanation
除非 SMS 相关操作对于应用程序的核心功能必不可少,否则不应执行这些操作。专为移动设备而编写的恶意软件通常会滥用此类功能,以从用户处窃取金钱或数据。

示例 1:在以下情况下,应用程序会发送一条 SMS 消息,或者预先撰写并向用户显示一条提示其发送或取消的 SMS 消息:


...
UIApplication.sharedApplication().openURL(NSURL(string: "sms:+12345678910"))
...


或者


...
let messageComposeVC = MFMessageComposeViewController()
messageComposeVC.messageComposeDelegate = self
messageComposeVC.body = "Hello World!"
messageComposeVC.recipients = ["+12345678910"]

presentViewController(messageComposeVC, animated: true, completion: nil)
...
References
[1] Apple UIApplication Class Reference
[2] Apple MFMessageComposeViewController Class Reference
[3] Standards Mapping - Common Weakness Enumeration CWE ID 265
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.5 Configuration Architectural Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[11] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.2, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.2, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[45] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.swift.often_misused_sms

Often Misused: Spring Remote Service

Abstract
远程服务在 Spring 应用程序中配置。默认情况下,这些远程服务不要求身份验证,也不要求进出该服务的信息必须是明文形式。这就使攻击者有机会访问需要特定权限的操作或者获取敏感数据。
Explanation
Spring 提供了一种简单的机制,可将任何 Spring 托管的 bean 转换为通过 RMI、HTTP、Burlap、Hessian 和 JMX 协议暴露给外部的对象。远程 Spring bean 的任何公共方法都支持外部调用,而且客户端和远程对象之间传递的数据都是明文形式。这些服务的主要问题是,它们在默认情况下是开放的,而且本身不提供任何机密性或完整性保证。
References
[1] Anirvan Chakraborty , Jessica Ditt , Aleksa Vukotic , Jan Machacek ProSpring 2.5
[2] Gary Mak , Daniel Rubio , Josh Long Spring Recipes
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-001084, CCI-002165
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1), SC-3 Security Function Isolation (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users), SC-3 Security Function Isolation, SC-8 Transmission Confidentiality and Integrity
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[9] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.10
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4, Requirement 6.5.9
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.4, Requirement 6.5.8
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4, Requirement 6.5.8
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4, Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.4.1 - Web Software Communications
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3260 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3260 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.configuration.java.often_misused_spring_remote_service

Often Misused: Spring Web Service

Abstract
Web 服务在 Spring 应用程序中配置,默认情况下,这些 Web 服务不要求身份验证,也不要求进出该服务的信息必须是明文形式。这就使攻击者有机会访问需要特定权限的操作或者获取敏感数据。
Explanation
Spring 提供了一种简单的机制,可以通过 Spring WS 或 XFire 将任何 Spring 托管的 bean 转换为 Web 服务。远程 Spring bean 的任何公共方法都支持外部调用,而且客户端和启用了 Web 服务的对象之间传递的数据都是明文形式。这些服务的主要问题是,它们在默认情况下是开放的,而且本身不提供任何机密性或完整性保证。
References
[1] Anirvan Chakraborty , Jessica Ditt , Aleksa Vukotic , Jan Machacek ProSpring 2.5
[2] Gary Mak , Daniel Rubio , Josh Long Spring Recipes
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-001084, CCI-002165
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1), SC-3 Security Function Isolation (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users), SC-3 Security Function Isolation, SC-8 Transmission Confidentiality and Integrity
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[9] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.10
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4, Requirement 6.5.9
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.4, Requirement 6.5.8
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4, Requirement 6.5.8
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4, Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.4.1 - Web Software Communications
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3260 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3260 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.configuration.java.often_misused_spring_web_service

Often Misused: Strings

Abstract
在多字节和 Unicode 字符之间转换的函数很容易引起 buffer overflow。
Explanation
Windows 提供了 MultiByteToWideChar()WideCharToMultiByte()UnicodeToBytes()BytesToUnicode() 函数,以在多字节(通常为 ANSI)字符串和 Unicode(宽字符)字符串之间进行转换。由于这些函数的长度参数所指定的单位各不相同,一个是字节,另一个是字符,使得它们的使用很容易出错。在一个多字节字符串中,每一个字符占用的字节数是可变的,因此,此类字符串的长度很容易指定为所有字节数的总量。但在 Unicode 中,字符通常有固定的长度,所以字符串长度一般都是根据它们所包含的字符数来决定的。所以,在长度参数中错误地指定了错误的单位,会导致 buffer overflow。

示例 1:以下函数采用一个定义为多字节字符串的用户名和一个指针来组成用户信息的结构,并以用户相关信息对该结构进行填充。因为在 Windows authentication 中,用户名使用 Unicode,所以 username 参数是第一个从多字节字符串转换成 Unicode 字符串的参数。


void getUserInfo(char *username, struct _USER_INFO_2 info){
WCHAR unicodeUser[UNLEN+1];
MultiByteToWideChar(CP_ACP, 0, username, -1,
     unicodeUser, sizeof(unicodeUser));
NetUserGetInfo(NULL, unicodeUser, 2, (LPBYTE *)&info);
}


该函数错误地将 unicodeUser 的长度以字节形式传递出去,而不是字符形式。调用 MultiByteToWideChar() 可能会把 (UNLEN+1)*sizeof(WCHAR) 宽字符或者 (UNLEN+1)*sizeof(WCHAR)*sizeof(WCHAR) 字节,写到 unicodeUser 数组,该数组仅分配了 (UNLEN+1)*sizeof(WCHAR) 字节。如果 username 字符串包含了多于 UNLEN 的字符,那么调用 MultiByteToWideChar() 将会溢出 unicodeUser 缓冲区。
References
[1] Security Considerations: International Features Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 176, CWE ID 251
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002824
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-16 Memory Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-16 Memory Protection
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.2 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002590 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002590 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002590 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002590 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002590 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002590 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002590 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002590 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002590 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002590 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002590 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002590 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002590 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002590 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002590 CAT I
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Buffer Overflow (WASC-07)
[47] Standards Mapping - Web Application Security Consortium 24 + 2 Buffer Overflow
desc.semantic.cpp.often_misused_strings.multibytewidechar

Often Misused: sun.misc.Unsafe

Abstract
应用程序使用 sun.misc.Unsafe 中的功能。此类中的所有功能本质上均不安全,只能通过反射进行访问。
Explanation
sun.misc.Unsafe 类用于执行不安全的低级操作,不适合开发人员使用。
Unsafe 类只能通过受信任代码获取,且通常通过反射获取,因为其可用来破坏系统或手动分配堆内存,如果处理不当,可能会对系统产生不利影响。必须仔细检查和测试与 sun.misc.Unsafe 相关的所有功能,确保不出现错误。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 676
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[9] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
[13] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP2060.4 CAT II, APP3590.2 CAT I
[14] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP2060.4 CAT II, APP3590.2 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP2060.4 CAT II, APP3590.2 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP2060.4 CAT II, APP3590.2 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP2060.4 CAT II, APP3590.2 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP2060.4 CAT II, APP3590.2 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP2060.4 CAT II, APP3590.2 CAT II
desc.structural.java.often_misused_sun_misc_unsafe

Password Management: Weak Redundancy

Abstract
为了确认密码,应提供两次新密码而不是复制新密码。
Explanation
更改密码或新建用户帐户通常需要提供两次新密码以进行确认。传递复制的密码而不是传递两次密码会导致 API 无法确保用户没有输入错误的密码,而且会导致规避密码确认的安全机制。

例 1:

    String password=request.getParameter("password");
    ...
    DefaultUser user = (DefaultUser) ESAPI.authenticator().createUser(username, password, password);
References
[1] OWASP ESAPI Secure Coding API: User
[2] Standards Mapping - Common Weakness Enumeration CWE ID 521
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.11 Password Security Requirements (L1 L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[13] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.4, Requirement 6.5.6, Requirement 8.3.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.4, Requirement 6.5.6, Requirement 8.3.1
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
desc.structural.java.password_management_weak_redundancy

Poor Style: Explicit Call to finalize()

Abstract
方法 finalize() 只能在对象回收后才能由 JVM 进行调用。
Explanation
尽管 Java 语言规范中允许外部终结器调用对象的 finalize() 方法,但这其实并不是一个好办法。例如,直接调用 finalize() 意味着要不止一次地调用 finalize() 方法:第一次将会直接调用,而最后一次调用会在对象回收之后执行。

例 1:以下代码片段直接调用 finalize() 方法:


// time to clean up
widget.finalize();
References
[1] MET12-J. Do not use finalizers CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 586
desc.structural.java.poor_style_explicit_call_to_finalize

React Bad Practices: Dangerously Set InnerHTML

Abstract
dangerouslySetInnerHTML 属性不必要地被设置 HTML from code。
Explanation
虽然 React 中的 dangerouslySetInnerHTML 属性可以替代在浏览器 DOM 中使用 innerHTML,但 API 已重命名以传达使用 innerHTML 的潜在危险。通常情况下,设置 HTML from code 是有风险的,因为它很容易在无意中使您的用户遭受 Cross-Site Scripting (XSS) 攻击。
示例 1:以下代码将 HTML from code 设置为 dangerouslySetInnerHTML 属性:

      function MyComponent(data) {
        return (
          <div
            dangerouslySetInnerHTML={{__html: data.innerHTML}}
          />
        );
      }
desc.structural.javascript.react_bad_practices_dangerously_set_innerhtml

Restricted Method

Abstract
此方法受到限制。每次使用此方法都会被标记为问题。
Explanation
在外部函数和内存 API 中,某些方法被视为受到限制,因为错误地使用它们可能会导致 JVM 崩溃或内存损坏。
References
[1] Oracle Foreign Function and Memory API: Restricted Methods
[2] Standards Mapping - Common Weakness Enumeration CWE ID 749
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-16 Memory Protection (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-16 Memory Protection
[5] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.4.2 Memory/String/Unmanaged Code Requirements (L1 L2 L3)
[6] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
desc.structural.java.ffr_restricted_methods

SQL Bad Practices: Direct Update

Abstract
Open SQL 直接写入操作不可取,应尽量避免。
Explanation
Open SQL 直接写入操作(插入/更新/修改/删除)通常不可取,应尽量避免。它们会破坏系统的完整性和安全性,且不允许这样操作。



此外,Open SQL 直接写入操作很容易出错,并可能会导致意外的系统行为。在 SAP 中需要留意的一些问题包括:

- SAP 建议使用“更新绑定”技巧来保证 SAP LUW(逻辑工作单位)中的数据完整性,其中,数据完整性问题可能会涉及多个数据库 LUW。在不更新绑定的条件下直接修改表条目会导致 SAP 事务不一致。

- Open SQL 直接写入操作仅设置数据库级别锁定,避开 SAP 应用程序锁定。这可能会导致死锁和数据损坏。

- Open SQL 直接写入操作回避开应用程序中的 SAP 授权检查。

- 使用标准机制编写表条目、编辑检查、审计跟踪时,可正确执行相关更新(如更改文档)。使用 Open SQL 直接写入操作时并非如此。

References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 662
[2] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002235
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege
[8] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II
desc.structural.abap.sql_bad_practices_direct_update

SQL Bad Practices: Underspecified Identifier

Abstract
不应在调用程序的权限程序包中使用没有架构的标识符。
Explanation
在调用程序的权限或 AUTHID CURRENT_USER 程序包中,标识符是根据当前用户的架构首先解析的。如果该代码的定义程序未明确表明标识符所属的架构,这可能会导致意外的行为。

示例 1:以下代码通过在权限表中查找用户来检查该用户是否具有执行相应操作的权限。大多数用户仅具有 SYS.PERMISSIONS 的读取权限,且无法修改已定义的权限。


CREATE or REPLACE FUNCTION check_permissions(
  p_name IN VARCHAR2, p_action IN VARCHAR2)
  RETURN BOOLEAN
  AUTHID CURRENT_USER
IS
  r_count NUMBER;
  perm BOOLEAN := FALSE;
BEGIN
  SELECT count(*) INTO r_count FROM PERMISSIONS
    WHERE name = p_name AND action = p_action;
  IF r_count > 0 THEN
    perm := TRUE;
  END IF;
  RETURN perm;
END check_permissions


如果调用 check_permissions 函数的用户在其架构中定义了一个 PERMISSIONS 表,则该数据库会解析该标识符以引用本地表。该用户将具有对新表的写入权限,并可以对其进行修改以获得在其他情况下不可能拥有的权限。
References
[1] Oracle Oracle Database PL/SQL Language Reference
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
desc.structural.sql.sql_bad_practices_underspecified_identifier

Struts 2 Bad Practices: Application Map Tampering

Abstract
Struts 2.x Action 实施类,使攻击者有机会通过将任意数据绑定到会话、应用程序或请求服务器端对象,修改应用程序的业务逻辑。
Explanation
Apache Struts 2.x 包含新的 Aware 接口,允许开发人员使用相关运行时信息,轻松将映射注入到其 Actions 代码中。这些接口包括:org.apache.struts2.interceptor.ApplicationtAwareorg.apache.struts2.interceptor.SessionAwareorg.apache.struts2.interceptor.RequestAware。为了将这些数据映射中的任意内容注入到其 Actions 代码中,开发人员需要实现接口中指定的 setter(例如:setSession,适用于 SessionAware 接口):

public class VulnerableAction extends ActionSupport implements SessionAware {

  protected Map<String, Object> session;

  @Override
  public void setSession(Map<String, Object> session) {
    this.session = session;
  }

另一方面,Struts 2.x 会自动通过 Action 中定义的 public accessors 将来自用户的请求数据绑定到 Action 的属性。由于 Aware 接口要求实现 Aware 接口中定义的 public setter,因此这一 setter 也将自动绑定到与 Aware 接口 setter 名称相匹配的任意请求参数,这可允许远程攻击者通过伪造的参数修改应用程序的运行时数据值,使其实现的接口受到影响,如 SessionAwareRequestAwareApplicationAware 接口所示。

下面的 URL 将允许攻击者重写会话映射中的“roles”属性。这可能会使攻击者成为管理员。

http://server/VulnerableAction?session.roles=admin


当这些接口仅要求实现 setter accessors 时,如果同时也实现相应的 getter,则对这些映射集合的更改将在会话范围内持续,而不是仅影响当前的请求范围。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 20
[2] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[13] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A03 Injection
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)
desc.structural.java.struts2_bad_practices_application_map_tampering

Struts 2 Bad Practices: Dynamic Method Invocation

Abstract
Struts 2 Action 暴露了可由最终用户调用的公共方法,从而覆盖 Action 的 execute() 方法。
Explanation
Struts 2 引入了一种称为“动态方法调用”的功能,该功能允许 Action 暴露方法而非 execute()!(感叹号)字符或 method: 前缀可用于 Action URL,在启用“动态方法调用”的情况下,可调用 Action 中的任何公共方法。没有意识到此功能的开发者可能会无意中将内部业务逻辑暴露给攻击者。

例如,如果 Action 包含一种称为 getUserPassword() 的公共方法,该方法没有采用参数且未禁用“动态方法调用”功能,则攻击者可以利用这点访问以下 URL: http://server/app/recoverpassword!getPassword.action
References
[1] Struts 2 Security Vulnerability - Dynamic Method Invocation
[2] Struts 2 - Dynamic Method Invocation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 285
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001764, CCI-001774, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), CM-7 Least Functionality (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, CM-7 Least Functionality
[9] Standards Mapping - OWASP API 2023 API5 Broken Function Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[31] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 862
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.java.struts2_bad_practices_dynamic_method_invocation

Struts 2 Bad Practices: Request Map Tampering

Abstract
Struts 2.x Action 实施类,使攻击者有机会通过将任意数据绑定到会话、应用程序或请求服务器端对象,修改应用程序的业务逻辑。
Explanation
Apache Struts 2.x 包含新的 Aware 接口,允许开发人员使用相关运行时信息,轻松将映射注入到其 Actions 代码中。这些接口包括:org.apache.struts2.interceptor.ApplicationtAwareorg.apache.struts2.interceptor.SessionAwareorg.apache.struts2.interceptor.RequestAware。为了将这些数据映射中的任意内容注入到其 Actions 代码中,开发人员需要实现接口中指定的 setter(例如:setSession,适用于 SessionAware 接口):

public class VulnerableAction extends ActionSupport implements SessionAware {

  protected Map<String, Object> session;

  @Override
  public void setSession(Map<String, Object> session) {
    this.session = session;
  }

另一方面,Struts 2.x 会自动通过 Action 中定义的 public accessors 将来自用户的请求数据绑定到 Action 的属性。由于 Aware 接口要求实现 Aware 接口中定义的 public setter,因此这一 setter 也将自动绑定到与 Aware 接口 setter 名称相匹配的任意请求参数,这可允许远程攻击者通过伪造的参数修改应用程序的运行时数据值,使其实现的接口受到影响,如 SessionAwareRequestAwareApplicationAware 接口所示。

下面的 URL 将允许攻击者重写会话映射中的“roles”属性。这可能会使攻击者成为管理员。

http://server/VulnerableAction?session.roles=admin


当这些接口仅要求实现 setter accessors 时,如果同时也实现相应的 getter,则对这些映射集合的更改将在会话范围内持续,而不是仅影响当前的请求范围。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 20
[2] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[13] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A03 Injection
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)
desc.structural.java.struts2_bad_practices_request_map_tampering

Struts 2 Bad Practices: Session Map Tampering

Abstract
Struts 2.x Action 实施类,使攻击者有机会通过将任意数据绑定到会话、应用程序或请求服务器端对象,修改应用程序的业务逻辑。
Explanation
Apache Struts 2.x 包含新的 Aware 接口,允许开发人员使用相关运行时信息,轻松将映射注入到其 Actions 代码中。这些接口包括:org.apache.struts2.interceptor.ApplicationtAwareorg.apache.struts2.interceptor.SessionAwareorg.apache.struts2.interceptor.RequestAware。为了将这些数据映射中的任意内容注入到其 Actions 代码中,开发人员需要实现接口中指定的 setter(例如:setSession,适用于 SessionAware 接口):

public class VulnerableAction extends ActionSupport implements SessionAware {

  protected Map<String, Object> session;

  @Override
  public void setSession(Map<String, Object> session) {
    this.session = session;
  }

另一方面,Struts 2.x 会自动通过 Action 中定义的 public accessors 将来自用户的请求数据绑定到 Action 的属性。由于 Aware 接口要求实现 Aware 接口中定义的 public setter,因此这一 setter 也将自动绑定到与 Aware 接口 setter 名称相匹配的任意请求参数,这可允许远程攻击者通过伪造的参数修改应用程序的运行时数据值,使其实现的接口受到影响,如 SessionAwareRequestAwareApplicationAware 接口所示。

下面的 URL 将允许攻击者重写会话映射中的“roles”属性。这可能会使攻击者成为管理员。

http://server/VulnerableAction?session.roles=admin


当这些接口仅要求实现 setter accessors 时,如果同时也实现相应的 getter,则对这些映射集合的更改将在会话范围内持续,而不是仅影响当前的请求范围。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 20
[2] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[13] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A03 Injection
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)
desc.structural.java.struts2_bad_practices_session_map_tampering