1437 个项目已找到
弱点

Dangerous Function: xp_cmdshell

Abstract
无法安全地使用函数 xp_cmdshell。不应该使用此函数。
Explanation
某些函数不论如何使用都有危险性。函数 xp_cmdshell 会启动 Windows 命令 shell 来执行提供的命令字符串。该命令会在默认系统中或提供的代理上下文中执行。但目前没有一种方法可将用户限制为只能执行一组预先指定的特权操作,为用户授予任何权限都会允许其执行任何命令字符串。
References
[1] xp_cmdshell
[2] Standards Mapping - Common Weakness Enumeration CWE ID 242
[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[4] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control
[14] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
[15] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[16] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.semantic.sql.dangerous_function_xp_cmdshell

Dangerous Method

Abstract
该方法已标注为危险。所有对此方法的使用都会标记为问题。
Explanation
已将注释 FortifyDangerous 应用于此方法。这被用来表示该类型危险,并且所有对其的使用都应进行安全性检查。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 749
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.5.1 Validate HTTP Request Header Requirements (L1 L2 L3)
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
desc.structural.java.dangerous_method

Dangerous Type

Abstract
该变量属于已被注释为危险的类型。
Explanation
已将注释 FortifyDangerous 应用于此类型。这被用来表示该类型危险,并且所有对其的使用都应进行安全性检查。

References
[1] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[2] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[3] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[8] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[9] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
desc.structural.java.dangerous_class_variable

Database Bad Practices: Use of Restricted Accounts

Abstract
已尝试使用以下帐户之一连接数据库:admin、管理员、来宾、超级用户或 sa。
Explanation
Windows Azure SQL 数据库仅支持 SQL Server 身份验证。不支持 Windows 身份验证(集成安全性)。用户每次连接 Windows Azure SQL 数据库时必须提供凭据(登录名和密码)。根据 Microsoft Windows Azure SQL 数据库常规指导原则和限制,以下帐户名不可用:admin、管理员、来宾、超级用户、sa。
References
[1] Security Guidelines and Limitations (Windows Azure SQL Database)
[2] Windows Azure SQL Database Concepts
[3] Transact-SQL Support (Windows Azure SQL Database)
[4] Development Considerations in Windows Azure SQL Database
[5] Managing Databases and Logins in Windows Azure SQL Database
[6] Configure and manage Azure AD authentication with Azure SQL
[7] How to: Connect to Windows Azure SQL Database Using sqlcmd
[8] Copying Databases in Windows Azure SQL Database
[9] Data Types (Windows Azure SQL Database)
[10] Deprecated Database Engine Features in SQL Server 2012
[11] EXECUTE AS (Transact-SQL)
[12] Security Statements
[13] System Stored Procedures (Windows Azure SQL Database)
[14] Guidelines and Limitations (Windows Azure SQL Database)
[15] General Guidelines and Limitations (Windows Azure SQL Database)
[16] Standards Mapping - Common Weakness Enumeration CWE ID 272
[17] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[18] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[19] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235
[20] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[21] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-7 Least Functionality (P1)
[22] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-7 Least Functionality
[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.3 Access Control Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[24] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[25] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.sql.code_quality_database_authentication_use_of_restricted_accounts

Dead Code

Abstract
永远不会执行该指令。
Explanation
周围的代码使该指令永远不会被执行。

示例 1:第二个 if 语句的条件无法得到满足。这需要变量 s 为非 null 变量,且仅在可以将 s 指定为非 null 值的路径时,存在 return 语句。


String s = null;

if (b) {
   s = "Yes";
   return;
}

if (s != null) {
   Dead();
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 561
[2] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 2.1
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 2.1
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-1-1, Rule 0-1-2
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 0.0.1, Rule 0.0.2
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.1 Input Validation Requirements (L1 L2 L3), 8.1.3 General Data Protection (L2 L3)
[7] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3050 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3050 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3050 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3050 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3050 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3050 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3050 CAT II
[14] Standards Mapping - Smart Contract Weakness Classification SWC-135
desc.internal.cpp.dead_code

Denial of Service

Abstract
攻击者可以造成程序崩溃或使合法用户无法进行使用。
Explanation
攻击者可能通过对应用程序发送大量请求,而使它拒绝对合法用户的服务,但是这种攻击形式经常会在网络层就被排除掉了。更加严重的是那些只需要使用少量请求就可以使得攻击者让应用程序过载的 bug。通过这类 bug,攻击者可指定请求使用的系统资源数量,或者持续使用这些系统资源的时间,从而导致资源耗尽的情况发生。

示例 1:通过以下代码,用户可以指定当前工作进程处于休眠状态的时长。通过指定一个较大的数值,攻击者可以无限期地占用该工作进程。


...
CALL FUNCTION 'ENQUE_SLEEP'
  EXPORTING
    SECONDS = usrInput.
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.abap.denial_of_service
Abstract
应用程序使用客户端的远程 IP 地址创建 RateLimitPartition。
Explanation
基于客户端的 IP 地址创建 RateLimitPartitions 会使应用程序容易受到采用 IP 源地址欺骗的拒绝服务 (DDoS) 攻击。

示例 1:在以下示例中,GetTokenBucketLimiter() 方法在创建 RateLimitPartition 时使用远程 IP 地址 (RemoteIpAddress) 作为分区键:


...
builder.Services.AddRateLimiter(limiterOptions => {
    limiterOptions.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, IPAddress>(context => {

        IPAddress? ip = context.Connection.RemoteIpAddress;

        return RateLimitPartition.GetTokenBucketLimiter(ip!, _ =>
            new TokenBucketRateLimiterOptions
            {
                TokenLimit = 7
            });
    });
});
...
References
[1] By Arvin Kahbazi, Maarten Balliauw, and Rick Anderson Rate limiting middleware in ASP.NET Core Microsoft
[2] P, Ferguson Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Cisco Systems
[3] Standards Mapping - Common Weakness Enumeration CWE ID 730
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[10] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[14] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[42] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.dotnet.asp_dotnet_core_rate_limitting_denial_of_service
Abstract
攻击者可以造成程序崩溃或使合法用户无法进行使用。
Explanation
攻击者可能通过对应用程序发送大量请求,而使它拒绝对合法用户的服务,但是这种攻击形式经常会在网络层就被排除掉了。更加严重的是那些只需要使用少量请求就可以使得攻击者让应用程序过载的 bug。这种 bug 允许攻击者去指定请求使用系统资源的数量,或者是持续使用这些系统资源的时间。

示例 1:以下代码允许用户指定当前进程处于休眠状态的时长。通过指定一个较大的数字,攻击者便可以无限期地阻碍进程。


  unsigned int usrSleepTime = uatoi(usrInput);
  sleep(usrSleepTime);
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.cpp.denial_of_service
Abstract
攻击者可以造成程序崩溃或使合法用户无法进行使用。
Explanation
攻击者可能通过对应用程序发送大量请求,而使它拒绝对合法用户的服务,但是这种攻击形式经常会在网络层就被排除掉了。更加严重的是那些只需要使用少量请求就可以使得攻击者让应用程序过载的 bug。这种 bug 允许攻击者去指定请求使用系统资源的数量,或者是持续使用这些系统资源的时间。

示例 1:通过以下代码,用户可以指定线程处于休眠状态的时长。通过指定一个较大的数值,攻击者可以无限期地占用该线程。因此,只需少量的请求,攻击者就能耗尽应用程序的线程池。


Sleep(url.duration);
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.cfml.denial_of_service
Abstract
攻击者可能会引发程序崩溃,也可能导致合法用户无法使用。
Explanation
攻击者可能向应用程序发送大量请求,促使应用程序拒绝向合法用户提供服务,但通常可以在网络层化解泛洪攻击。如果存在 Bug,情况将变得更加糟糕,攻击者通过少量请求即可引发应用程序过载。攻击者可以通过此类 Bug 指定请求消耗的系统资源量或资源使用持续时间。

示例 1:以下代码允许用户指定 Future 函数的执行时间。如果指定较大的数字,则攻击者可能会无限期地占用 Future 函数。


  final duration = Platform.environment['DURATION'];
  Future.delayed(Duration(seconds: int.parse(duration!)), () => ...);
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.dart.denial_of_service
Abstract
攻击者可能会引发程序崩溃,也可能导致合法用户无法使用。
Explanation
攻击者可能向应用程序发送大量请求,促使应用程序拒绝向合法用户提供服务,但通常可以在网络层化解泛洪攻击。如果存在 Bug,情况将变得更加糟糕,攻击者通过少量请求即可引发应用程序过载。攻击者可以通过此类 Bug 指定请求消耗的系统资源量或资源使用持续时间。

示例 1:如果攻击者设置了较大的值,使用不受信任的数据设置服务超时可能会导致服务无响应。


func test(r *http.Request) {
  ...
  i, _ := strconv.Atoi(r.FormValue("TIME"))
  runtime.KeepAlive(i)
  ...
  }
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.golang.denial_of_service
Abstract
攻击者可以造成程序崩溃或使合法用户无法进行使用。
Explanation
攻击者可能通过对应用程序发送大量请求,而使它拒绝对合法用户的服务,但是这种攻击形式经常会在网络层就被排除掉了。更加严重的是那些只需要使用少量请求就可以使得攻击者让应用程序过载的 bug。这种 bug 允许攻击者去指定请求使用系统资源的数量,或者是持续使用这些系统资源的时间。

示例 1:通过以下代码,用户可以指定线程处于休眠状态的时长。通过指定一个较大的数值,攻击者可以无限期地占用该线程。因此,只需少量的请求,攻击者就能耗尽应用程序的线程池。


  int usrSleepTime = Integer.parseInt(usrInput);
  Thread.sleep(usrSleepTime);
示例 2:以下代码从一个 zip 文件中读取字符串。因为它使用 readLine() 方法,所以可以读取一批极大量的输入。攻击者能够利用该代码引发一个 OutOfMemoryException 异常,或者消耗大量的内存,从而致使程序需要更多的时间去执行垃圾信息的收集,或在随后的操作过程中用完内存资源。


  InputStream zipInput = zipFile.getInputStream(zipEntry);
  Reader zipReader = new InputStreamReader(zipInput);
  BufferedReader br = new BufferedReader(zipReader);
  String line = br.readLine();
References
[1] DOS-1: Beware of activities that may use disproportionate resources Oracle
[2] Standards Mapping - Common Weakness Enumeration CWE ID 730
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[9] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[13] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[41] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.java.denial_of_service
Abstract
攻击者可以造成程序崩溃或使合法用户无法进行使用。
Explanation
攻击者可能通过对应用程序发送大量请求,而使它拒绝对合法用户的服务,但是这种攻击形式经常会在网络层就被排除掉了。更加严重的是那些只需要使用少量请求就可以使得攻击者让应用程序过载的 bug。这种 bug 允许攻击者去指定请求使用系统资源的数量,或者是持续使用这些系统资源的时间。

示例 1:以下代码允许用户指定要使用的 file system 大小。通过指定一个较大的数字,攻击者可以耗尽 file system 资源。


  var fsync = requestFileSystemSync(0, userInput);
示例 2:下列代码会写入一个文件。由于在用户代理将此文件视为已关闭之前,此文件可能会持续写入和重写,因此磁盘配额、IO 带宽和可能需要分析此文件内容的进程都会受到影响。


function oninit(fs) {
  fs.root.getFile('applog.txt', {create: false}, function(fileEntry) {
    fileEntry.createWriter(function(fileWriter) {
      fileWriter.seek(fileWriter.length);
      var bb = new BlobBuilder();
      bb.append('Appending to a file');
      fileWriter.write(bb.getBlob('text/plain'));
    }, errorHandler);
  }, errorHandler);
}

window.requestFileSystem(window.TEMPORARY, 1024*1024, oninit, errorHandler);
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.javascript.denial_of_service
Abstract
攻击者可以造成程序崩溃或使合法用户无法进行使用。
Explanation
攻击者可能通过对应用程序发送大量请求,而使它拒绝对合法用户的服务,但是这种攻击形式经常会在网络层就被排除掉了。更加严重的是那些只需要使用少量请求就可以使得攻击者让应用程序过载的 bug。这种 bug 允许攻击者去指定请求使用系统资源的数量,或者是持续使用这些系统资源的时间。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.php.denial_of_service
Abstract
攻击者可以造成程序崩溃或使合法用户无法进行使用。
Explanation
攻击者可能通过对应用程序发送大量请求,而使它拒绝对合法用户的服务,但是这种攻击形式经常会在网络层就被排除掉了。更加严重的是那些只需要使用少量请求就可以使得攻击者让应用程序过载的 bug。这种 bug 允许攻击者去指定请求使用系统资源的数量,或者是持续使用这些系统资源的时间。

示例 1:通过以下代码,用户可以指定系统将执行进一步处理延迟多长时间。通过指定一个较大的数值,攻击者可以无限期地占用系统。


procedure go_sleep (
usrSleepTime in NUMBER)
is
  dbms_lock.sleep(usrSleepTime);
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.sql.denial_of_service
Abstract
攻击者可能会引发程序崩溃,也可能导致合法用户无法使用。
Explanation
攻击者可能向应用程序发送大量请求,促使应用程序拒绝向合法用户提供服务,但通常可以在网络层化解大部分泛洪攻击。如果存在缺陷,情况将变得更加糟糕,攻击者通过少量请求即可引发应用程序过载。攻击者可以通过此类缺陷指定请求消耗的系统资源量或资源使用持续时间。

示例 1:以下代码允许用户为 connect 函数指定连接超时的持续时间。如果指定较大的数字,则攻击者可能会无限期地占用 connect 函数。


...
insecure_config_ssl_connection_timeout = {
  'user': username,
  'password': retrievedPassword,
  'host': databaseHost,
  'port': "3306",
  'connection_timeout': connection_timeout
}

mysql.connector.connect(**insecure_config_ssl_connection_timeout)
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.python.denial_of_service
Abstract
攻击者可以造成程序崩溃或使合法用户无法进行使用。
Explanation
攻击者可能通过对应用程序发送大量请求,而使它拒绝对合法用户的服务,但是这种攻击形式经常会在网络层就被排除掉了。更加严重的是那些只需要使用少量请求就可以使得攻击者让应用程序过载的 bug。这种 bug 允许攻击者去指定请求使用系统资源的数量,或者是持续使用这些系统资源的时间。

示例 1:通过以下代码,用户可以指定线程处于休眠状态的时长。通过指定一个较大的数值,攻击者可以无限期地占用该线程。因此,只需少量的请求,攻击者就能耗尽应用程序的线程池。


  Kernel.sleep(user_input)
示例 2:以下代码从一个文件中读取字符串。因为它在未指定限制的情况下使用 readline() 方法,所以它将读取无限量的输入。攻击者可能会利用这个代码使进程挂起,同时消耗越来越多的内存,甚至可能完全耗尽内存。


  fd = File.new(myFile)
  line = fd.readline
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.ruby.denial_of_service

Denial of Service: Format String

Abstract
如果允许用户输入控制格式参数,则攻击者能够借此造成异常抛出或信息泄露。
Explanation
攻击者可以修改格式字符串参数,以造成异常抛出。如果未能捕获此异常,则可能导致应用程序崩溃。或者,如果其他参数中使用了敏感信息,攻击者可能会更改格式字符串以泄露此信息。

示例 1:用户可通过以下代码指定 Formatter.format() 的格式字符串参数。


  ...
  Formatter formatter = new Formatter(Locale.US);
  String format = "The customer: %s %s has the balance %4$." + userInput + "f";
  formatter.format(format, firstName, lastName, accountNo, balance);
  ...


此程序的最初设计旨在让用户指定所显示余额的小数点。但在现实情况中,对此并没有限制。如果用户可以指定所有内容,则可能会导致抛出如 java.util.MissingFormatArgumentException 等异常。此外,由于它不在 try 块中,因此可能会造成应用程序故障。
针对此示例,更严重的情况是:如果攻击者可以指定用户输入 "2f %3$s %4$.2",则格式字符串可能会是 "The customer: %s %s has the balance %4$.2f %3$s %4$.2"。这可能会导致敏感的 accountNo 包含在生成的字符串中。
References
[1] IDS06-J. Exclude unsanitized user input from format strings CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 730
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[7] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[8] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[10] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[11] Standards Mapping - OWASP Top 10 2013 A1 Injection
[12] Standards Mapping - OWASP Top 10 2017 A1 Injection
[13] Standards Mapping - OWASP Top 10 2021 A03 Injection
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[47] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.java.denial_of_service_format_string

Denial of Service: Parse Double

Abstract
程序会调用解析 double 类型的方法,这会导致线程被挂起。
Explanation
在实施 java.lang.Double.parseDouble() 及相关方法时出现漏洞,会导致在解析 [2^(-1022) - 2^(-1075) : 2^(-1022) - 2^(-1076)] 范围内的任意数字时挂起线程。此缺陷可被攻击者用于执行拒绝服务 (DoS) 攻击。

例 1:下列代码使用了易受攻击的方法。

Double d = Double.parseDouble(request.getParameter("d"));


攻击者可以发送 d 参数值位于该范围(例如 "0.0222507385850720119e-00306")内的请求,致使程序在处理该请求时被挂起。

该漏洞在 Java 版本 6 Update 23 及更早版本中存在。Java 版本 6 Update 24 或更高版本不存在该漏洞。
References
[1] Rick Regan Java Hangs When Converting 2.2250738585072012e-308
[2] Oracle Security Alert for CVE-2010-4476
[3] Standards Mapping - Common Weakness Enumeration CWE ID 400
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [20] CWE ID 400
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [23] CWE ID 400
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [23] CWE ID 400
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[16] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[17] Standards Mapping - OWASP Top 10 2013 A1 Injection
[18] Standards Mapping - OWASP Top 10 2017 A1 Injection
[19] Standards Mapping - OWASP Top 10 2021 A03 Injection
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.java.denial_of_service_parse_double

Denial of Service: Regular Expression

Abstract
不受信任数据被传递至应用程序并作为正则表达式使用。这会导致线程过度使用 CPU 资源。
Explanation
实施正则表达式评估程序及相关方法时存在漏洞,在评估包含重复分组表达式的正则表达式时,该漏洞会导致线程挂起。此外,攻击者可以利用任何包含相互重叠的替代子表达式的正则表达式。此缺陷可被攻击者用于执行拒绝服务 (DoS) 攻击。
示例 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

已知的正则表达式实现方式均无法避免这种漏洞。所有平台和语言都容易受到这种攻击。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[5] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[6] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[7] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[42] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.abap.denial_of_service_regular_expression
Abstract
不受信数据被传递至应用程序并作为正则表达式使用。这会导致线程过度使用 CPU 资源。
Explanation
实施正则表达式评估程序及相关方法时存在漏洞,在评估包含自重复分组表达式的正则表达式时,该漏洞会导致线程挂起。此外,还可以利用任何包含相互重叠的替代子表达式的正则表达式。此缺陷可被攻击者用于执行拒绝服务 (DoS) 攻击。
示例 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

已知的正则表达式实现方式均无法避免这种漏洞。所有平台和语言都容易受到这种攻击。
References
[1] Microsoft Best Practices for Regular Expressions in the .NET Framework
[2] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[3] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[7] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[8] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[10] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[44] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.dotnet.denial_of_service_regular_expression
Abstract
不受信任数据被传递至应用程序并作为正则表达式使用。这会导致线程过度使用 CPU 资源。
Explanation
实施正则表达式评估程序及相关方法时存在漏洞,在评估包含自重复分组表达式的正则表达式时,该漏洞会导致线程挂起。此外,还可以利用任何包含相互重叠的替代子表达式的正则表达式。此缺陷可被攻击者用于执行拒绝服务 (DoS) 攻击。
示例 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

已知的正则表达式实现方式均无法避免这种漏洞。所有平台和语言都容易受到这种攻击。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[5] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[6] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[7] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[42] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.dart.denial_of_service_regular_expression
Abstract
不受信任数据被传递至应用程序并作为正则表达式使用。这会导致线程过度使用 CPU 资源。
Explanation
实施正则表达式评估程序及相关方法时存在漏洞,在评估包含重复分组表达式的正则表达式时,该漏洞会导致线程挂起。此外,攻击者可以利用任何包含相互重叠的替代子表达式的正则表达式。此缺陷可被攻击者用于执行拒绝服务 (DoS) 攻击。
示例 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

已知的正则表达式实现方式均无法避免这种漏洞。所有平台和语言都容易受到这种攻击。
References
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] IDS08-J. Sanitize untrusted data included in a regular expression CERT
[3] DOS-1: Beware of activities that may use disproportionate resources Oracle
[4] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[45] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.golang.denial_of_service_regular_expression
Abstract
不受信数据被传递至应用程序并作为正则表达式使用。这会导致线程过度使用 CPU 资源。
Explanation
实施正则表达式评估程序及相关方法时存在漏洞,在评估包含自重复分组表达式的正则表达式时,该漏洞会导致线程挂起。此外,还可以利用任何包含相互重叠的替代子表达式的正则表达式。此缺陷可被攻击者用于执行拒绝服务 (DoS) 攻击。
示例 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

已知的正则表达式实现方式均无法避免这种漏洞。所有平台和语言都容易受到这种攻击。
References
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] IDS08-J. Sanitize untrusted data included in a regular expression CERT
[3] DOS-1: Beware of activities that may use disproportionate resources Oracle
[4] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[45] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.java.denial_of_service_regular_expression
Abstract
不受信数据被传递至应用程序并作为正则表达式使用。这会导致线程过度使用 CPU 资源。
Explanation
实施正则表达式评估程序及相关方法时存在漏洞,在评估包含自重复分组表达式的正则表达式时,该漏洞会导致线程挂起。此外,还可以利用任何包含相互重叠的替代子表达式的正则表达式。此缺陷可被攻击者用于执行拒绝服务 (DoS) 攻击。
示例 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

已知的正则表达式实现方式均无法避免这种漏洞。所有平台和语言都容易受到这种攻击。
References
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[7] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[8] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.javascript.denial_of_service_regular_expression
Abstract
不受信任数据被传递至应用程序并作为正则表达式使用。这会导致线程过度使用 CPU 资源。
Explanation
实施正则表达式评估程序及相关方法时存在漏洞,在评估包含自重复分组表达式的正则表达式时,该漏洞会导致线程挂起。此外,还可以利用任何包含相互重叠的替代子表达式的正则表达式。攻击者可以利用此缺陷执行 Denial of Service (DoS) 攻击。
示例 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

已知的正则表达式实现方式均无法避免这种漏洞。所有平台和语言都容易受到这种攻击。
References
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] IDS08-J. Sanitize untrusted data included in a regular expression CERT
[3] DOS-1: Beware of activities that may use disproportionate resources Oracle
[4] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[45] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.kotlin.denial_of_service_regular_expression
Abstract
不受信数据被传递至应用程序并作为正则表达式使用。这会导致线程过度使用 CPU 资源。
Explanation
实施正则表达式评估程序及相关方法时存在漏洞,在评估包含自重复分组表达式的正则表达式时,该漏洞会导致线程挂起。此外,还可以利用任何包含相互重叠的替代子表达式的正则表达式。此缺陷可被攻击者用于执行拒绝服务 (DoS) 攻击。
示例 1:如果在已知易受攻击的代码中使用以下正则表达式,则可能发生拒绝服务攻击:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+


依赖具有缺陷的正则表达式的问题代码示例如下:


NSString *regex = @"^(e+)+$";
NSPredicate *pred = [NSPRedicate predicateWithFormat:@"SELF MATCHES %@", regex];
if ([pred evaluateWithObject:mystring]) {
  //do something
}


大多数正则表达式解析器在计算正则表达式时都会构建 Nondeterministic Finite Automaton (NFA) 结构。在找到完全匹配之前,NFA 会尝试所有可能的匹配。在上例中,如果攻击者提供匹配字符串“eeeeZ”,则正则表达式解析器必须进行 16 次内部求值才能发现匹配项。如果攻击者使用 16 个“e”(“eeeeeeeeeeeeeeeeZ”)作为匹配字符串,则正则表达式解析器必须进行 65536 (2^16) 次计算。通过增加连续的匹配字符数,攻击者可以轻易地消耗计算资源。已知的正则表达式实现方式均无法避免这种漏洞。所有平台和语言都容易受到这种攻击。
References
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[7] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[8] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.objc.denial_of_service_regular_expression
Abstract
不受信数据被传递至应用程序并作为正则表达式使用。这会导致线程过度使用 CPU 资源。
Explanation
实施正则表达式评估程序及相关方法时存在漏洞,在评估包含自重复分组表达式的正则表达式时,该漏洞会导致线程挂起。此外,还可以利用任何包含相互重叠的替代子表达式的正则表达式。此缺陷可被攻击者用于执行拒绝服务 (DoS) 攻击。
示例 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

已知的正则表达式实现方式均无法避免这种漏洞。所有平台和语言都容易受到这种攻击。
References
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[7] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[8] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.php.denial_of_service_regular_expression
Abstract
不受信任数据被传递至应用程序并作为正则表达式使用。 这会导致线程过度使用 CPU 资源。
Explanation
实施正则表达式评估程序及相关方法时存在漏洞,在评估包含自重复分组表达式的正则表达式时,该漏洞会导致线程挂起。 此外,还可以利用任何包含相互重叠的替代子表达式的正则表达式。 此缺陷可被攻击者用于执行拒绝服务 (DoS) 攻击。
示例 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

已知的正则表达式实现方法均无法避免这种攻击。 所有平台和语言都容易受到这种攻击。
References
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[7] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[8] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.python.denial_of_service_regular_expression
Abstract
不可信赖数据被传递至应用程序并作为正则表达式使用。这会导致线程过度使用 CPU 资源。
Explanation
实施正则表达式评估程序及相关方法时存在漏洞,该漏洞会导致评估线程在处理嵌套和重复的正则表达式组的重复和交替重叠时挂起。此缺陷可被攻击者用于执行拒绝服务 (DoS) 攻击。
示例 1:

(e+)+
([a-zA-Z]+)*

已知的正则表达式实现方式均无法避免这种漏洞。所有平台和语言都容易受到这种攻击。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[5] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[6] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[7] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[42] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.ruby.denial_of_service_reqular_expression
Abstract
不受信数据被传递至应用程序并作为正则表达式使用。这会导致线程过度使用 CPU 资源。
Explanation
实施正则表达式评估程序及相关方法时存在漏洞,在评估包含自重复分组表达式的正则表达式时,该漏洞会导致线程挂起。此外,还可以利用任何包含相互重叠的替代子表达式的正则表达式。此缺陷可被攻击者用于执行拒绝服务 (DoS) 攻击。
示例 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

已知的正则表达式实现方式均无法避免这种漏洞。所有平台和语言都容易受到这种攻击。
References
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] IDS08-J. Sanitize untrusted data included in a regular expression CERT
[3] DOS-1: Beware of activities that may use disproportionate resources Oracle
[4] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[45] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.scala.denial_of_service_regular_expression
Abstract
不受信数据被传递至应用程序并作为正则表达式使用。这会导致线程过度使用 CPU 资源。
Explanation
实施正则表达式评估程序及相关方法时存在漏洞,在评估包含自重复分组表达式的正则表达式时,该漏洞会导致线程挂起。此外,还可以利用任何包含相互重叠的替代子表达式的正则表达式。此缺陷可被攻击者用于执行拒绝服务 (DoS) 攻击。

示例 1:如果在已知易受攻击的代码中使用以下正则表达式,则可能发生拒绝服务攻击:

(e+)+
([a-zA-Z]+)*
(e|ee)+


依赖具有缺陷的正则表达式的问题代码示例如下:


let regex : String = "^(e+)+$"
let pred : NSPredicate = NSPRedicate(format:"SELF MATCHES \(regex)")
if (pred.evaluateWithObject(mystring)) {
  //do something
}


大多数正则表达式解析器在计算正则表达式时都会构建 Nondeterministic Finite Automaton (NFA) 结构。在找到完全匹配之前,NFA 会尝试所有可能的匹配。在Example 1 中,如果攻击者提供了匹配字符串“eeeeZ”,则正则表达式解析器必须经过 16 次内部求值才能识别出匹配项。如果攻击者使用 16 个“e”(“eeeeeeeeeeeeeeeeZ”)作为匹配字符串,则正则表达式解析器必须进行 65536 (2^16) 次计算。通过增加连续的匹配字符数,攻击者可以轻易地消耗计算资源。已知的正则表达式实现方式均无法避免这种漏洞。所有平台和语言都容易受到这种攻击。
References
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[7] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[8] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.swift.denial_of_service_regular_expression

Denial of Service: Routing

Abstract
攻击者可能会操纵通配符路由模式,有效地涵盖各种 URL,甚至实现所有 URL 的匹配,这可能会导致发起 Denial of Service (DoS) 攻击。
Explanation
该漏洞是由于 ASP.NET 应用程序中通过 routes.Ignore 方法集成通配符路由模式而产生的。该方法允许外部输入来定义路由行为。具体来说,使用通配符(例如 {*allaspx})为攻击者提供了操纵路由操作的机会。当控制这些通配符模式的输入没有经过仔细验证或清理时,就会出现核心问题。
恶意行为者可以利用此漏洞来策划 DoS 攻击。通过提供包含过于宽松的通配符模式的输入,攻击者可以有效地提示路由系统忽略重要类别的 URL 请求。在最坏的情况下,攻击者可能会提供包含所有 URL 的输入,从而导致广泛的拒绝服务,使得应用程序无法访问。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[5] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[6] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[7] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-003320 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[41] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.dotnet.denial_of_service_routing

Denial of Service: Stack Exhaustion

Abstract
攻击者可以输入经特殊技术处理的数据来修改或定义程序的数据结构实现,从而可能因堆栈耗尽而导致 Denial of Service 攻击。
Explanation
程序直接用于修改或定义其数据结构实现的用户指定数据可能容易受到堆栈耗尽的影响。例如,如果用户可以在递归处理的链接数据结构中创建循环链接,这可能会导致无限递归,从而导致堆栈耗尽。

示例 1:以下代码片段使用 Apache Log4j2 演示了此漏洞。

Marker child = MarkerManager.getMarker("child");
Marker parent = MarkerManager.getMarker("parent");

child.addParents(MarkerManager.getMarker(userInput));
parent.addParents(MarkerManager.getMarker(userInput2)); 
        
String toInfinity = child.toString();


该小程序允许用户将 childparent 的父标记设置为用户定义的标记。如果用户将 child 的父标记设置为 parent,将 parent 的父标记设置为 child,则会在标记数据结构中创建一个循环链接。在包含循环链接的数据结构上运行递归 toString 方法时,程序会抛出堆栈溢出异常并崩溃。这会因堆栈耗尽而导致 Denial of Service 攻击。
References
[1] DOS-1: Beware of activities that may use disproportionate resources Oracle
[2] Standards Mapping - Common Weakness Enumeration CWE ID 730, CWE ID 674
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[7] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.3 - Web Software Attack Mitigation
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[41] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.java.denial_of_service_stack_exhaustion

Denial of Service: StringBuilder

Abstract
将不受信任的数据附加到使用默认支持数组大小进行初始化的 StringBuilderStringBuffer 实例会导致 JVM 过度使用堆内存空间。
Explanation
将用户控制的数据附加到使用默认支持字符数组大小 (16) 进行初始化的 StringBuilderStringBuffer 实例,会导致应用程序在调整基础数组的大小以适应用户数据时占用大量堆内存。将数据附加到 StringBuilderStringBuffer 实例上时,实例将确定支持字符数组是否有足够的可用空间来存储数据。如果数据不合适,StringBuilderStringBuffer 实例将会创建新的数组,其容量至少为以前数组大小的两倍,而旧数组在进行回收之前,将继续留在堆中。攻击者可以利用此实现详细信息执行 Denial of Service (DoS) 攻击。

示例 1:用户控制的数据附加到使用默认构造函数进行初始化的 StringBuilder 实例。

    ...
    StringBuilder sb = new StringBuilder();
    final String lineSeparator = System.lineSeparator();
    String[] labels = request.getParameterValues("label");
    for (String label : labels) {
        sb.append(label).append(lineSeparator);
    }
    ...
References
[1] DOS-1: Beware of activities that may use disproportionate resources Oracle
[2] MSC05-J. Do not exhaust heap space CERT
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[7] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[8] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[21] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
desc.dataflow.java.denial_of_service_stringbuilder
Abstract
将不受信任的数据附加到使用默认支持数组大小进行初始化的 StringBuilderStringBuffer 实例会导致 JVM 过度使用堆内存空间。
Explanation
将用户控制的数据附加到使用默认支持字符数组大小 (16) 进行初始化的 StringBuilderStringBuffer 实例,会导致应用程序在调整基础数组的大小以适应用户数据时占用大量堆内存。将数据附加到 StringBuilderStringBuffer 实例上时,实例将确定支持字符数组是否有足够的可用空间来存储数据。如果数据不合适,StringBuilderStringBuffer 实例将会创建新的数组,其容量至少为以前数组大小的两倍,而旧数组在进行回收之前,将继续留在堆中。攻击者可以利用此实现详细信息执行 Denial of Service (DoS) 攻击。

示例 1:用户控制的数据附加到使用默认构造函数进行初始化的 StringBuilder 实例。

    ...
    val sb = StringBuilder()
    val labels = request.getParameterValues("label")
    for (label in labels) {
        sb.appendln(label)
    }
    ...
References
[1] DOS-1: Beware of activities that may use disproportionate resources Oracle
[2] MSC05-J. Do not exhaust heap space CERT
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[7] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[8] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[21] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
desc.dataflow.kotlin.denial_of_service_stringbuilder

Deserialization Bad Practice: Deny List

Abstract
基于防止对已知错误类(拒绝列表)进行反序列化而执行的防御反序列化可能会允许攻击者绕过这种防护且使其失效。
Explanation
该应用程序实施了一种称为“前瞻反序列化”的防御性反序列化技术,使应用程序可以在实际反序列化类之前一窥其反序列化之后的结果。



新的小工具链、封装程序包或类可通过在其反序列化回调中执行嵌套反序列化来轻松绕过该拒绝列表。
References
[1] Fortify Software Security Research The perils of Java deserialization
[2] Fortify Application Defender
[3] Oracle Java Serialization
[4] IBM Look-ahead Java deserialization
[5] OWASP Deserialization of untrusted data
[6] Standards Mapping - Common Weakness Enumeration CWE ID 502
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [23] CWE ID 502
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [21] CWE ID 502
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [13] CWE ID 502
[10] Standards Mapping - Common Weakness Enumeration Top 25 2022 [12] CWE ID 502
[11] Standards Mapping - Common Weakness Enumeration Top 25 2023 [15] CWE ID 502
[12] Standards Mapping - Common Weakness Enumeration Top 25 2024 [16] CWE ID 502
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[14] Standards Mapping - FIPS200 SI
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.5.2 Input and Output Architectural Requirements (L2 L3), 5.5.1 Deserialization Prevention Requirements (L1 L2 L3), 5.5.3 Deserialization Prevention Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[22] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[23] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[24] Standards Mapping - OWASP Top 10 2010 A1 Injection
[25] Standards Mapping - OWASP Top 10 2013 A1 Injection
[26] Standards Mapping - OWASP Top 10 2017 A8 Insecure Deserialization
[27] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[41] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.semantic.java.deserialization_bad_practice_deny_list

Directory Restriction

Abstract
chroot() 系统调用的使用不当会让攻击者从 chroot 监牢中逃脱出来。
Explanation
chroot() 系统调用允许程序修改其 file system 根目录的含义。适当地调用 chroot() 后,程序无法访问在新的根目录下定义的目录树之外的任何文件。这样的环境称为 chroot 监牢,通常用来防止攻击者破坏进程,继而访问未经授权的文件。例如,在 chroot 监牢环境中运行多个 FTP 服务器,可以防止攻击者发现新服务器漏洞后下载密码文件或者其他系统中的敏感文件。

chroot() 的使用不当可能会让攻击者从 chroot 监牢中逃脱出来。因为 chroot() 函数的调用不会改变进程当前的工作目录,所以在调用 chroot() 之后,相对路径可能仍然会引用 chroot 监牢之外的 file system 资源。

例 1:考虑以下这段来自(假设的)FTP 服务器的源代码:


chroot("/var/ftproot");
...
fgets(filename, sizeof(filename), network);
localfile = fopen(filename, "r");
while ((len = fread(buf, 1, sizeof(buf), localfile)) != EOF) {
  fwrite(buf, 1, sizeof(buf), network);
}
fclose(localfile);


这段代码负责从网络中读取文件名,然后将相应的文件在本地机器上打开,并通过网络传送内容。这段代码可用来执行 FTP GET 命令。FTP 服务器在其初始化例程中调用 chroot(),试图阻止对 /var/ftproot 之外的文件的访问。但因为服务器没有通过调用 chdir("/") 来更改当前的工作目录,所以攻击者可以请求文件的 "../../../../../etc/passwd”,并获取该系统密码文件的副本。
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] A. Chuvakin Using Chroot Securely
[3] Standards Mapping - Common Weakness Enumeration CWE ID 243
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[6] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[7] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-2
[8] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[9] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.cpp.directory_restriction

Django Bad Practices: Attributes in Deny List

Abstract
应用程序使用拒绝列表来控制表单所显示的属性。当添加新属性时开发人员可能会忘记更新拒绝列表,也可能会不小心将敏感字段暴露给攻击者。
Explanation
应用程序使用 exclude 拒绝列表。这很难维护,而且容易出错。如果开发人员向表单或备份表单的 Model 添加新字段,并忘记了更新 exclude 筛选器,则可能会向攻击者暴露敏感字段。攻击者将能够向任何未排除的字段提交和恶意绑定数据。

示例 1:以下表单显示了一些 User 属性,但对以下用户 id 检验了拒绝列表:


from myapp.models import User
...
class UserForm(ModelForm):
  class Meta:
    model = User
    exclude = ['id']
...


如果使用新的 role 属性更新了 User 模型,但未更新相关联的 UserForm,则 role 属性将显示在表单中。
References
[1] Django Foundation Creating forms from models
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[4] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
desc.structural.python.django_bad_practices_attributes_in_deny_list

Django Bad Practices: Cookie Stored Sessions

Abstract
在用户注销时,基于 Cookie 的会话不会失效。如果攻击者要查找、偷窃或拦截用户的 cookie,即使用户已经注销,他们也能模拟用户。
Explanation
在 Cookie 中存储会话数据有以下几个问题:

1. 在用户注销时,基于 Cookie 的会话不会失效。如果攻击者要查找、偷窃或拦截用户的 cookie,即使用户已经注销,他们也能模拟用户。

2. 会话 cookie 签名可避免篡改并保证数据的真实性,但这无法阻止 replay 攻击。

3. 会话数据将使用 Django 的加密签名和 SECRET_KEY 设置工具进行存储。如果 SECRET_KEY 泄露,那么攻击者不仅能伪造会话数据,如果应用程序使用 Pickle 将会话数据序列化成 cookie,攻击者还能够生成恶意 Pickle 数据,这些数据一旦反序列化即可执行任意代码。

4. 会话数据已签名但未加密。这意味着,攻击者将能够读取会话数据,但不能对其进行修改。

5. cookie 大小和序列化过程可造成性能问题,具体随站点负载而异。
References
[1] Django Foundation Using cookie-based sessions
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001185
[3] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-23 Session Authenticity (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-23 Session Authenticity
[6] Standards Mapping - OWASP API 2023 API5 Broken Function Level Authorization
[7] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[8] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002240 CAT I
[9] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002240 CAT I
[10] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002240 CAT I
[11] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002240 CAT I
[12] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002240 CAT I
[13] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002240 CAT I
[14] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002240 CAT I
[15] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002240 CAT I
[16] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002240 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002240 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002240 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002240 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002240 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002240 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002240 CAT I
[23] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.python.django_bad_practices_cookie_stored_sessions

Django Bad Practices: Overly Broad Host Header Verification

Abstract
如果不验证 Host 标头,攻击者就会有机会发送假的 Host 值,该值可用于跨站请求伪造、缓存中毒攻击和电子邮件中的中毒链接。
Explanation
Django 应用程序设置将“*”指定为 ALLOWED_HOSTS 设置中的条目。此设置被 django.http.HttpRequest.get_host() 用来验证 Host 标头。值“*”将允许在 Host 标头中使用任何主机。攻击者可将其用于缓存中毒攻击或电子邮件中的中毒链接。

例 1:应用程序提供密码重置功能,用户可以提交某个唯一值来证明其身份(如:电子邮件地址),然后用户将收到密码重置邮件,内含设置新密码的页面链接。发送给用户的链接可以使用 Host 值来构建,用来引用提供密码重置功能的网站,从而避免使用硬编码的 URL。例如:


...
def reset_password(request):
  url = "http://%s/new_password/?token=%s" % (request.get_host(), generate_token())
  send_email(reset_link=url)
  redirect("home")
...


攻击者能够通过提交受害者的电子邮件和指向自己所控制服务器的假 Host 标头值来尝试重置受害者的密码。受害者将收到内含密码重置系统链接的电子邮件,如果该受害者决定访问该链接,则会访问攻击者控制的网站,而该网站将提供假表单来收集受害者的凭证。
References
[1] Django Foundation Host header validation
[2] Django Foundation ALLOWED_HOSTS
[3] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[4] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective C.3.1 - Web Software Attack Mitigation
[5] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.python.django_bad_practices_overly_broad_host_header_verification

Django Bad Practices: Pickle Serialized Sessions

Abstract
如果攻击者能够控制会话数据,则经过 Pickle 序列化的会话可导致执行远程代码。
Explanation
如果使用基于 cookie 的会话,并且泄露了 SECRET_KEY,则攻击者将能够在会话 cookie 中存储任意数据,在服务器中对这些数据进行反序列化,就可以执行任意代码。

如果使用基于 cookie 的会话,请格外小心以确保密钥对于任何可能远程访问的系统来说都始终处于完全保密的状态。

例 1:如果 SECRET_KEYsettings.py 配置文件中进行了硬编码,则以下查看方法可使攻击者有机会窃取它。


...
def some_view_method(request):
  url = request.GET['url']
  if "http://" in url:
    content = urllib.urlopen(url)
    return HttpResponse(content)
  ...
Example 1 方法会通过检查 URL 中是否存在“http://”来检查 url 参数是否为有效 URL。恶意攻击者可能会发送以下 URL 来泄露可能包含 SECRET_KEYsettings.py 配置文件:


file://proc/self/cwd/app/settings.py#http://


注:UNIX 系统中的“/proc/self/cwd”指向过程工作目录。这使攻击者无需知道具体位置就能引用文件。
References
[1] Django Foundation Session serialization
[2] Balda Python web frameworks and pickles
[3] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[4] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[5] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.python.django_bad_practices_pickle_serialized_sessions

DNS Spoofing

Abstract
允许外部控制 DNS 设置可能会导致服务中断或应用程序出现意外行为。
Explanation
DNS 欺骗(也称为 DNS 缓存中毒)是一种攻击类型,攻击者破坏 DNS 解析器的缓存,导致其返回错误的 IP 地址。利用 DNS 欺骗,攻击者可以在用户不知情的情况下将用户重定向到恶意网站。在使用 Node.js 的服务器端 JavaScript 环境中,DNS 服务器设置处理不当可能会导致安全漏洞。

示例 1:考虑这样一种情况: Node.js 应用程序允许用户指定自定义 DNS 服务器。如果未正确验证和清理此输入,攻击者可以提供恶意 DNS 服务器并实施 DNS 欺骗攻击。


const dns = require('dns');

// User-controlled input for DNS servers
const customDnsServers = from_user_controlled_input;

// Set custom DNS servers
dns.setServers(customDnsServers);


在此示例中,customDnsServers 变量被赋予一个来自用户控制输入的值。然后此输入用于使用 dns.setServers(customDnsServers) 设置 DNS 服务器。如果攻击者提供恶意 DNS 服务器地址,他们可以指示应用程序使用他们的服务器解析域名,从而返回错误的 IP 地址。
desc.dataflow.javascript.dns_spoofing

Dockerfile Misconfiguration: Default User Privilege

Abstract
Dockerfile 未指定 USER,所以它默认以 root 用户身份运行。
Explanation
Dockerfile 未指定 USER 时,Docker 容器默认以超级用户权限运行。这些超级用户权限会传播给容器内运行的代码,这些权限通常是不必要的。以超级用户权限运行 Docker 容器扩大了攻击面,这可能使攻击者能够执行更严重的漏洞利用。
References
[1] Docker USER instruction
[2] Standards Mapping - Common Weakness Enumeration CWE ID 20
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000017
[10] Standards Mapping - FIPS200 CM
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[17] Standards Mapping - OWASP Mobile 2024 M2 Inadequate Supply Chain Security
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020
[34] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000330 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000330 CAT II
[36] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.configuration.docker.dockerfile_misconfiguration_default_user_privilege