1464 个项目已找到
弱点

Missing XML Validation

Abstract
解析 XML 时,无法启用验证会给攻击者提供恶意输入的机会。
Explanation
最成功的攻击往往会从违反程序员的假设开始。不经过 DTD 或 XML schema 的验证,就直接接受 XML 文档,这样一来,程序员就会为攻击者打开了一扇大门,可以向程序提供无法预测、不合理或是恶意的输入。当然,XML 解析器不可能验证文档中出现的所有内容;任何解析器都无法完全理解数据的全部语意。然而,解析器可以进行完整而彻底的检查文档结构,从而保证处理文档的代码在内容安排上的合理性。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 112
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[13] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3), 13.3.1 SOAP Web Service Verification Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.controlflow.abap.missing_xml_validation
Abstract
解析 XML 时,无法进行校验会给攻击者提供恶意输入的机会。
Explanation
最成功的攻击往往会从违反程序员的假设开始。不经过 DTD 或 XML schema 的校验,就直接接受 XML 文档,这样一来,程序员就会为攻击者打开了一扇大门,可以向程序提供无法预测、不合理或是恶意的输入。当然,XML 解析器不可能校验文档中出现的所有内容;任何解析器都无法完全理解数据的全部语意。然而,解析器可以进行完整而彻底的检查文档结构,从而保证处理文档的代码在内容安排上的合理性。
References
[1] XmlReader Class Microsoft
[2] XmlReaderSettings Class Microsoft
[3] Standards Mapping - Common Weakness Enumeration CWE ID 112
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[15] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3), 13.3.1 SOAP Web Service Verification Requirements (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[18] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[19] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[20] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[21] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[22] Standards Mapping - OWASP Top 10 2010 A1 Injection
[23] Standards Mapping - OWASP Top 10 2013 A1 Injection
[24] Standards Mapping - OWASP Top 10 2017 A1 Injection
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.6
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.controlflow.dotnet.missing_xml_validation
Abstract
解析 XML 时,无法进行校验会给攻击者提供恶意输入的机会。
Explanation
最成功的攻击往往会从违反程序员的假设开始。不经过 DTD 或 XML schema 的校验,就直接接受 XML 文档,这样一来,程序员就会为攻击者打开了一扇大门,可以向程序提供无法预测、不合理或是恶意的输入。当然,XML 解析器不可能校验文档中出现的所有内容;任何解析器都无法完全理解数据的全部语意。然而,解析器可以进行完整而彻底的检查文档结构,从而保证处理文档的代码在内容安排上的合理性。
References
[1] Xerces parser features The Apache Foundation
[2] XML Validation in J2SE 1.5 Sun Microsystems
[3] Axis User's Guide Apache Software Foundation
[4] IDS16-J. Prevent XML Injection CERT
[5] IDS17-J. Prevent XML External Entity Attacks CERT
[6] INJECT-3: XML and HTML generation requires care Oracle
[7] Standards Mapping - Common Weakness Enumeration CWE ID 112
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[13] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[15] Standards Mapping - FIPS200 SI
[16] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[19] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3), 13.3.1 SOAP Web Service Verification Requirements (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[22] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[24] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[25] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[26] Standards Mapping - OWASP Top 10 2010 A1 Injection
[27] Standards Mapping - OWASP Top 10 2013 A1 Injection
[28] Standards Mapping - OWASP Top 10 2017 A1 Injection
[29] Standards Mapping - OWASP Top 10 2021 A03 Injection
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.controlflow.java.missing_xml_validation

Missing XML Validation: Untyped Response

Abstract
解析 XML 时,无法进行校验会给攻击者提供恶意输入的机会。
Explanation
最成功的攻击往往会从违反程序员的假设开始。不经过 DTD 或 XML schema 的校验,就直接接受 XML 文档,这样一来,程序员就会为攻击者打开了一扇大门,可以向程序提供无法预测、不合理或是恶意的输入。当然,XML 解析器不可能校验文档中出现的所有内容;任何解析器都无法完全理解数据的全部语意。然而,解析器可以进行完整而彻底的检查文档结构,从而保证处理文档的代码在内容安排上的合理性。
References
[1] Xerces parser features The Apache Foundation
[2] XML Validation in J2SE 1.5 Sun Microsystems
[3] Axis User's Guide Apache Software Foundation
[4] IDS16-J. Prevent XML Injection CERT
[5] IDS17-J. Prevent XML External Entity Attacks CERT
[6] INJECT-3: XML and HTML generation requires care Oracle
[7] Standards Mapping - Common Weakness Enumeration CWE ID 112
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[13] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[15] Standards Mapping - FIPS200 SI
[16] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[19] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3), 13.3.1 SOAP Web Service Verification Requirements (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[22] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[24] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[25] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[26] Standards Mapping - OWASP Top 10 2010 A1 Injection
[27] Standards Mapping - OWASP Top 10 2013 A1 Injection
[28] Standards Mapping - OWASP Top 10 2017 A1 Injection
[29] Standards Mapping - OWASP Top 10 2021 A03 Injection
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.controlflow.java.missing_xml_validation_untyped_response

Mule Misconfiguration: Hardcoded Password

Abstract
Anypoint Database Connector 配置包含纯文本密码。
Explanation
硬编码密码允许所有项目开发人员查看密码。这也使解决问题变得困难。在代码投入使用之后,除非对软件进行修补,否则任何人都无法更改密码。如果受密码保护的帐户遭受入侵,系统所有者将必须在安全性和可用性之间做出选择。
References
[1] MuleSoft Database Connector 1.13 - Mule 4
[2] MuleSoft Configuring Properties
[3] MuleSoft Secure Configuration Properties
[4] Standards Mapping - Common Weakness Enumeration CWE ID 259, CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367, CCI-003109
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SA-4 Acquisition Process (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SA-4 Acquisition Process, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
[24] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
desc.configuration.xml.mule_misconfiguration_hardcoded_password

Mule Misconfiguration: Insecure Database Transport

Abstract
创建了一个数据库连接而不强制加密。
Explanation
Mule Database Connector 应该强制进行加密传输并验证数据库服务器证书。如果相关的数据库连接属性未指定或配置错误,则生成的连接会使数据容易遭受未经授权的访问、篡改和潜在的盗窃。
References
[1] MuleSoft LLC, a Salesforce company Database Connector 1.13 - Mule 4
[2] MuleSoft LLC, a Salesforce company Database Connector XML and Maven Support - Mule 4
[3] Standards Mapping - Common Weakness Enumeration CWE ID 311
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[8] Standards Mapping - FIPS200 CM, SC
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[22] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
desc.configuration.xml.mule_misconfiguration_insecure_database_transport

Mule Misconfiguration: Insecure Transport

Abstract
MuleSoft HTTP Listener Connector 未配置为使用 HTTPS 协议。
Explanation
HTTPS 使用 TLS(传输层安全)来加密常规 HTTP 请求和响应。它可以确保任何数据交换的完整性和机密性。

如果未指定协议或设置为 HTTP,则 HTTP Listener Connector 不会对其通信进行加密。这会使数据面临未经授权的访问、篡改和潜在的盗用风险。

示例 1:以下 Mule 配置将 HTTP Listener Connector (listener-connection) 的 protocol 设置为 HTTP。因此,与 HTTP Listener 的连接是不安全的。

    <http:listener-config name="http_listener_config">
        <http:listener-connection host="example.com" port="8080" protocol="HTTP">
...
        </http:listener-connection>
    </http:listener-config>
References
[1] MuleSoft LLC, a Salesforce company Configure HTTP Listener Source - Mule 4
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[4] Standards Mapping - FIPS200 SC
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[10] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[11] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
desc.configuration.xml.mule_misconfiguration_insecure_transport

Mule Misconfiguration: Server Identity Verification Disabled

Abstract
Mule 配置指定了没有服务器证书验证检查的 TLS 连接。
Explanation
认证验证对于确认对方的身份以进行安全通信至关重要。tls:context 元素定义了一组 TLS 连接配置。在这些配置中,tls:trust-store 元素指定了一个文件,其中包含来自受信任的证书颁发机构的证书,客户端使用这些证书来验证服务器提供的证书。默认情况下,Mule 运行时引擎会为每个 TLS 连接验证服务器证书。

但是,如果 tls:trust-store 元素的 insecure 属性值为 true,则服务器证书不经验证即被接受。

示例 1:以下 Mule 配置将 insecure 属性设置为 true。因此,Mule 运行时引擎不会验证任何与名为 demoTlsContext 的 TLS 上下文的连接的服务器证书。此类连接易受到中间人攻击。

...
<tls:context name="demoTlsContext">
...
    <tls:trust-store ... insecure="true" ... />
...
<tls:context/>
...
References
[1] MuleSoft LLC, a Salesforce company Configure TLS with Keystores and Truststores
[2] Standards Mapping - Common Weakness Enumeration CWE ID 297
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000185, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[8] Standards Mapping - FIPS200 CM, SC
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), IA-5 Authenticator Management (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), IA-5 Authenticator Management, SC-8 Transmission Confidentiality and Integrity
[12] Standards Mapping - OWASP API 2023 API7 Server Side Request Forgery, API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[22] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
desc.configuration.xml.mule_misconfiguration_server_identity_verification_disabled

NoSQL Injection: Cosmos DB

Abstract
通过来自不可信数据源的输入构造动态 Azure Cosmos DB 查询,攻击者就能够修改该查询的操作。
Explanation
在以下情况下,Cosmos DB 中会出现 NoSQL Injection 漏洞:

1.数据从一个不可信数据源进入程序。



2.数据用于动态地构造 Cosmos DB 查询。

示例 1:以下代码可动态地构造并执行 Cosmos DB 查询,以便搜索具有特定 ID 的电子邮件。


...
    String userName = User.Identity.Name;
    String emailId = request["emailId"];
    var client = account.CreateCloudTableClient();
    var table = client.GetTableReference("Employee");
    var query = table.CreateQuery<EmployeeEntity>().Where("user == '" + userName + "' AND emailId == '" + emailId "'");
    var results = table.ExecuteQuery(query);
...


查询计划执行以下代码:


    user == "<userName>" && emailId == "<emailId>"


但是,由于该查询是动态构造的,由一个常数查询字符串和一个用户输入字符串连接而成,因此只有在 emailId 不包含单引号字符时,该查询才能正常运行。如果一个用户名为 wiley 的攻击者为 emailId 输入字符串“123' || '4' != '5”,则该查询会变成:


    user == 'wiley' && emailId == '123' || '4' != '5'


如果添加条件 || '4' != '5',where 子句的值将始终为 true,这样无论电子邮件的所有者是谁,该查询都会返回 emails 集合中存储的所有条目。
References
[1] Testing for NoSQL injection OWASP
[2] Standards Mapping - Common Weakness Enumeration CWE ID 89, CWE ID 943
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [6] CWE ID 089
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [6] CWE ID 089
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [3] CWE ID 089
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [3] CWE ID 089
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [3] CWE ID 089
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089
[37] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089
[38] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection
desc.dataflow.dotnet.nosql_injection_cosmos_db

NoSQL Injection: DynamoDB

Abstract
通过不可信赖的数据源输入构建动态 DynamoDB 查询,攻击者就能够修改语句的含义。
Explanation
发生以下情况时,DynamoDB 中会出现 NoSQL Injection 漏洞:

1.数据从一个不可信数据源进入程序。



2.数据用于动态地构造 DynamoDB 查询。

示例 1:以下代码将动态地构造并执行 DynamoDB 查询,以通过给定的电子邮件地址或用户名来搜索用户及其密码。


    ...
        // "type" parameter expected to be either: "Email" or "Username"
        string type = request["type"];
        string value = request["value"];
        string password = request["password"];
        
        var ddb = new AmazonDynamoDBClient();
    
        var attrValues = new Dictionary<string,AttributeValue>();
        attrValues[":value"] = new AttributeValue(value);
        attrValues[":password"] = new AttributeValue(password);
    
        var scanRequest = new ScanRequest();
        scanRequest.FilterExpression = type + " = :value AND Password = :password";
        scanRequest.TableName = "users";
        scanRequest.ExpressionAttributeValues = attrValues;
    
        var scanResponse = await ddb.ScanAsync(scanRequest);
    ...


查询计划执行以下代码:

Email = :value AND Password = :password


或者 

Username = :value AND Password = :password


但是,由于该查询是动态构造的,由一个常数基本查询字符串和一个用户输入字符串连接而成,因此只有在 type 仅包含任何预期值时,该查询才能正常运行。如果攻击者提供 :value = :value OR :value 等类型值,则该查询会变成:

:value = :value OR :value = :value AND Password = :password


如果添加条件 :value = :value,where 子句的值将始终为 true,这样无论电子邮件的所有者是谁,该查询都会返回 users 集合中存储的所有条目。
References
[1] Testing for NoSQL injection OWASP
[2] Standards Mapping - Common Weakness Enumeration CWE ID 89, CWE ID 943
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [6] CWE ID 089
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [6] CWE ID 089
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [3] CWE ID 089
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [3] CWE ID 089
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [3] CWE ID 089
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089
[37] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089
[38] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection
desc.dataflow.dotnet.nosql_injection_dynamodb
Abstract
通过不可信赖的数据源输入构建动态 DynamoDB 查询,攻击者就能够修改语句的含义。
Explanation
发生以下情况时,DynamoDB 中会出现 NoSQL Injection 漏洞:

1.数据从一个不可信赖的数据源进入程序。



2.数据用于动态地构造 DynamoDB 查询。

示例 1:以下代码将动态地构造并执行 DynamoDB 查询,以通过给定的电子邮件地址或用户名来搜索用户及其密码。


...
    // "type" parameter expected to be either: "Email" or "Username"
    String type = request.getParameter("type")
    String value = request.getParameter("value")
    String password = request.getParameter("password")
    
    DynamoDbClient ddb = DynamoDbClient.create();

    HashMap<String, AttributeValue> attrValues = new HashMap<String,AttributeValue>();
    attrValues.put(":value", AttributeValue.builder().s(value).build());
    attrValues.put(":password", AttributeValue.builder().s(password).build());

    ScanRequest queryReq = ScanRequest.builder()
        .filterExpression(type + " = :value AND Password = :password")
        .tableName("users")
        .expressionAttributeValues(attrValues)
        .build();

    ScanResponse response = ddb.scan(queryReq);
...


查询计划执行以下代码:

Email = :value AND Password = :password


或者 

Username = :value AND Password = :password


但是,由于该查询是动态构造的,由一个常数基本查询字符串和一个用户输入字符串连接而成,因此只有在 type 仅包含任何预期值时,该查询才能正常运行。如果攻击者提供 :value = :value OR :value 等类型值,则该查询会变成:

:value = :value OR :value = :value AND Password = :password


如果添加条件 :value = :value,where 子句的值将始终为 true,这样无论电子邮件的所有者是谁,该查询都会返回 users 集合中存储的所有条目。
References
[1] Testing for NoSQL injection OWASP
[2] Standards Mapping - Common Weakness Enumeration CWE ID 89, CWE ID 943
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [6] CWE ID 089
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [6] CWE ID 089
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [3] CWE ID 089
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [3] CWE ID 089
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [3] CWE ID 089
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089
[37] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089
[38] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection
desc.dataflow.java.nosql_injection_dynamodb

NoSQL Injection: MarsDB

Abstract
通过使用来自不可信来源的输入构建动态 NoSQL 语句,攻击者就能够修改语句的含义或者执行任意 NoSQL 命令。
Explanation

如果用户输入未经适当清理而直接包含在数据库查询中,就会发生 NoSQL 注入错误,这使得攻击者能够操纵查询逻辑并访问未经授权的数据。这种情况可能发生在诸如 $where、$gt、$lt 和 $ne 等运算符上。为了防止此类攻击,请尽可能避免将这些运算符与用户输入一起使用,并始终确保对用户输入进行正确的验证和清理。

示例 1:以下代码可动态地构造并执行 NoSQL 查询,以便搜索与指定名称相匹配的项目。该查询仅会显示条目所有者与当前经过身份验证的用户的名称一致的条目。


    ...
    function getItemsByOwner(username: string) {
      db.items.find({ $where: `this.owner === '${username}'` }).then((orders: any) => {
        console.log(orders);
      }).catch((err: any) => {
        console.error(err);
      });
    }
    ...


如果 `username` 为 `john',则返回 true;如果为 //`,则查询变为:


    db.items.find({ $where: `this.owner === 'john'; return true; //` })


这将返回项目集合中的所有文档。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 89, CWE ID 943
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [6] CWE ID 089
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [6] CWE ID 089
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [3] CWE ID 089
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [3] CWE ID 089
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [3] CWE ID 089
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089
[36] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089
[37] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection
desc.dataflow.javascript.nosql_injection

NoSQL Injection: MongoDB

Abstract
通过来自不可信数据源的输入构造动态 MongoDB 查询,攻击者就能够修改语句的含义。
Explanation
发生以下情况时,MongoDB 中会出现 NoSQL Injection 错误:

1. 数据从一个不可信赖的数据源进入程序。



2. 数据用于动态地构造 MongoDB 查询。

示例 1: 以下代码动态地构造并执行 MongoDB 查询,以便搜索具有特定 ID 的电子邮件。


...
    String userName = User.Identity.Name;
    String emailId = request["emailId"];
    var coll = mongoClient.GetDatabase("MyDB").GetCollection<BsonDocument>("emails");
    var docs = coll.Find(new BsonDocument("$where", "this.name == '" + name + "'")).ToList();
...


查询计划执行以下代码:


    this.owner == "<userName>" && this.emailId == "<emailId>"


但是,由于该查询是动态构造的,由一个常数查询字符串和一个用户输入字符串连接而成,因此只有在 emailId 不包含单引号字符时,该查询才能正常运行。如果一个用户名为 wiley 的攻击者为 emailId 输入字符串“123' || '4' != '5”,则该查询会变成:


    this.owner == 'wiley' && this.emailId == '123' || '4' != '5'


如果添加条件 || '4' != '5',where 子句的值将始终为 true,这样无论电子邮件的所有者是谁,该查询都会返回 emails 集合中存储的所有条目。
References
[1] Testing for NoSQL injection OWASP
[2] Standards Mapping - Common Weakness Enumeration CWE ID 89, CWE ID 943
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [6] CWE ID 089
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [6] CWE ID 089
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [3] CWE ID 089
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [3] CWE ID 089
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [3] CWE ID 089
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089
[37] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089
[38] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection
desc.dataflow.dotnet.nosql_injection_mongodb
Abstract
通过不可信来源的输入构建动态 MongoDB 查询,攻击者就能够修改语句的含义。
Explanation
发生以下情况时,MongoDB 中会出现 NoSQL Injection 错误:

1. 数据从一个不可信赖的数据源进入程序。



2. 数据用于动态地构造 MongoDB 查询。

示例 1: 以下代码动态地构造并执行 MongoDB 查询,以便搜索具有特定 ID 的电子邮件。


...
    String userName = ctx.getAuthenticatedUserName();
    String emailId = request.getParameter("emailId")
    MongoCollection<Document> col = mongoClient.getDatabase("MyDB").getCollection("emails");
    BasicDBObject Query = new BasicDBObject();
    Query.put("$where", "this.owner == \"" + userName + "\" && this.emailId == \"" + emailId + "\"");
    FindIterable<Document> find= col.find(Query);
...


查询计划执行以下代码:


    this.owner == "<userName>" && this.emailId == "<emailId>"


但是,由于这个查询是动态构造的,由一个常数基本查询字符串和一个用户输入字符串连接而成,因此只有在 emailId 不包含双引号字符时,该查询才能正常运行。 如果一个用户名为 wiley 的攻击者为 emailId 输入字符串 123" || "4" != "5,则该查询会变成:


    this.owner == "wiley" && this.emailId == "123" || "4" != "5"


如果添加条件 || "4" != "5",where 子句的值将始终为 true,这样无论电子邮件的所有者是谁,该查询都会返回 emails 集合中存储的所有条目。
References
[1] Testing for NoSQL injection OWASP
[2] Standards Mapping - Common Weakness Enumeration CWE ID 89, CWE ID 943
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [6] CWE ID 089
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [6] CWE ID 089
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [3] CWE ID 089
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [3] CWE ID 089
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [3] CWE ID 089
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089
[37] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089
[38] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection
desc.dataflow.java.nosql_injection_mongodb
Abstract
通过不可信来源的输入构建动态 MongoDB 查询,攻击者就能够修改语句的含义。
Explanation
发生以下情况时,MongoDB 中会出现 NoSQL Injection 错误:

1. 数据从一个不可信赖的数据源进入程序。



2. 数据用于动态地构造 MongoDB 查询。

示例 1: 以下代码动态地构造并执行 MongoDB 查询,以便搜索具有特定 ID 的电子邮件。


...
    userName = req.field('userName')
    emailId = req.field('emaiId')
    results = db.emails.find({"$where", "this.owner == \"" + userName + "\" && this.emailId == \"" + emailId + "\""});
...


查询计划执行以下代码:


    this.owner == "<userName>" && this.emailId == "<emailId>"


但是,由于这个查询是动态构造的,由一个常数基本查询字符串和一个用户输入字符串连接而成,因此只有在 emailId 不包含双引号字符时,该查询才能正常运行。 如果一个用户名为 wiley 的攻击者为 emailId 输入字符串 123" || "4" != "5,则该查询会变成:


    this.owner == "wiley" && this.emailId == "123" || "4" != "5"


如果添加条件 || "4" != "5"where 子句的值将始终为 true,则无论电子邮件的所有者是谁,该查询都会返回 emails 集合中存储的所有条目。
References
[1] Testing for NoSQL injection OWASP
[2] Standards Mapping - Common Weakness Enumeration CWE ID 89, CWE ID 943
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [6] CWE ID 089
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [6] CWE ID 089
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [3] CWE ID 089
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [3] CWE ID 089
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [3] CWE ID 089
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089
[37] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089
[38] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection
desc.dataflow.python.nosql_injection_mongodb

NoSQL Injection: Realm

Abstract
通过不可信数据源的输入构造动态 Realm 查询,攻击者就能够修改语句的含义。
Explanation
在以下情况下,Realm 中会出现 NoSQL Injection 漏洞:

1.数据从一个不可信赖的数据源进入程序。



2.数据用于动态地构造 Realm 查询。

示例 1:以下代码动态地构造并执行 Realm 查询,以便搜索具有特定 ID 的电子邮件。


...
    NSString *emailId = [self getEmailIdFromUser];
    NSString *query = [NSString stringWithFormat:@"id == '%@'", emailId];
    RLMResults<Email *> *emails = [Email objectsInRealm:realm where:query];
...


查询计划执行以下代码:


    id == '<emailId value>'


但是,由于该查询是动态构造的,由一个常数基本查询字符串和一个用户输入字符串连接而成,因此只有在 emailId 不包含单引号字符时,该查询才能正常运行。如果攻击者为 123' or '4' != '5 输入字符串 emailId,则该查询会变成:


    id == '123' or '4' != '5'


如果添加条件 or '4' != '5'where 子句的值将始终为 true,则无论电子邮件的所有者是谁,该查询都会返回 emails 集合中存储的所有条目。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 89, CWE ID 943
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [6] CWE ID 089
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [6] CWE ID 089
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [3] CWE ID 089
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [3] CWE ID 089
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [3] CWE ID 089
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089
[36] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089
[37] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection
desc.dataflow.objc.nosql_injection_realm
Abstract
通过不可信数据源的输入构造动态 Realm 查询,攻击者就能够修改语句的含义。
Explanation
在以下情况下,Realm 中会出现 NoSQL Injection 漏洞:

1.数据从一个不可信赖的数据源进入程序。



2.数据用于动态地构造 Realm 查询。

示例 1:以下代码动态地构造并执行 Realm 查询,以便搜索具有特定 ID 的电子邮件。


...
    let emailId = getFromUser("emailId")
    let email = realm.objects(Email.self).filter("id == '" + emailId + "'")
...


查询计划执行以下代码:


    id == '<emailId value>'


但是,由于该查询是动态构造的,由一个常数基本查询字符串和一个用户输入字符串连接而成,因此只有在 emailId 不包含单引号字符时,该查询才能正常运行。如果攻击者为 123' or '4' != '5 输入字符串 emailId,则该查询会变成:


    id == '123' or '4' != '5'


如果添加条件 or '4' != '5'filter 子句的值将始终为 true,则无论电子邮件的所有者是谁,该查询都会返回 emails 集合中存储的所有条目。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 89, CWE ID 943
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [6] CWE ID 089
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [6] CWE ID 089
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [3] CWE ID 089
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [3] CWE ID 089
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [3] CWE ID 089
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089
[36] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089
[37] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection
desc.dataflow.swift.nosql_injection_realm

Null Dereference

Abstract
程序可能会间接引用一个 null 指针,从而引发 NullException
Explanation
null 指针错误通常是由于违反一个或多个程序员假设而造成的。

大多数 null 指针问题会导致一般软件可靠性问题,但如果攻击者可能有意触发 null 指针间接引用,他们可以使用生成的异常绕过安全逻辑或使应用程序显示调试信息,这些信息在规划后续攻击时十分有用。

示例 1:在以下代码中,程序员假定系统始终会定义一个名为“cmd”的属性。如果攻击者可以控制程序的环境,从而使“cmd”处于未定义状态,则它就会在尝试调用 Trim() 方法时抛出一个 null 指针异常。


string cmd = null;
...
cmd = Environment.GetEnvironmentVariable("cmd");
cmd = cmd.Trim();
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 476
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [14] CWE ID 476
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [13] CWE ID 476
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [15] CWE ID 476
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [11] CWE ID 476
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [12] CWE ID 476
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [21] CWE ID 476
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[15] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[17] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.dotnet.null_dereference
Abstract
该程序可能会间接引用一个 null 指针,从而造成分段故障。
Explanation
如果不符合程序员的一个或多个假设,则通常会出现 null 指针异常。此问题至少有三种类型:check-after-dereference、dereference-after-check 和 dereference-after-store。如果程序在检查可能为 null 的指针是否为 null 之前间接引用该指针,则会发生 check-after-dereference 错误。如果程序明确检查过 null,并确定该指针为 null,但仍继续间接引用该指针,则会出现 dereference-after-check 错误。此类错误通常是由于错别字或程序员疏忽造成的。如果程序明确将指针设置为 null,但稍后却间接引用该指针,则将出现 dereference-after-store 错误。此错误通常是因为程序员在声明变量时将该变量初始化为 null 所致。

大多数 null 指针问题会导致一般软件可靠性问题,但如果攻击者可能有意触发 null 指针间接引用,他们可以使用生成的异常绕过安全逻辑以发动拒绝服务攻击,或使应用程序显示调试信息,这些信息在规划后续攻击时十分有用。

示例 1:在下列代码中,程序员假设变量 ptr 不是 NULL。当程序员间接引用该指针时,这个假设就会清晰的体现出来。当程序员检查 ptr 是否为 NULL 时,就会与该假设发生矛盾。当在 if 语句中检查时,如果 ptr 可以为 NULL,则在其间接引用时也将为 NULL,并引起 segmentation fault。


ptr->field = val;
...
if (ptr != NULL) {
	...
}
示例 2:在下列代码中,程序员会确认变量 ptrNULL,然后错误地对其进行间接引用。如果在 if 语句中检查 ptr 时其为 NULL,则会发生 null dereference,从而导致分段故障。


if (ptr == null) {
        ptr->field = val;
        ...
}
示例 3:在下列代码中,程序员忘记了字符串 '\0' 实际上为 0 还是 NULL,从而间接引用 null 指针并引发分段故障。


if (ptr == '\0') {
        *ptr = val;
        ...
}
示例 4:在下列代码中,程序员会将变量 ptr 明确设置为 NULL。之后,程序员会间接引用 ptr,而未检查对象是否为 null 值。


*ptr = NULL;
...
ptr->field = val;
...
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 476
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [14] CWE ID 476
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [13] CWE ID 476
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [15] CWE ID 476
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [11] CWE ID 476
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [12] CWE ID 476
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [21] CWE ID 476
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[15] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[17] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.null_dereference
Abstract
程序可能会间接引用一个 null 指针,从而引发 NullPointerException
Explanation
null 指针错误通常是由于违反一个或多个程序员假设而造成的。

大多数 null 指针问题会导致一般软件可靠性问题,但如果攻击者可能有意触发 null 指针间接引用,他们可以使用生成的异常绕过安全逻辑或使应用程序显示调试信息,这些信息在规划后续攻击时十分有用。

示例 1:在以下代码中,程序员假定系统始终会定义一个名为“cmd”的属性。如果攻击者可以控制程序的环境,从而使“cmd”处于未定义状态,则它就会在尝试调用 trim() 方法时抛出一个 null 指针异常。


String val = null;
...
cmd = System.getProperty("cmd");
if (cmd)
	val = util.translateCommand(cmd);
...
cmd = val.trim();
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 476
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [14] CWE ID 476
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [13] CWE ID 476
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [15] CWE ID 476
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [11] CWE ID 476
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [12] CWE ID 476
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [21] CWE ID 476
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[15] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[17] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.java.null_dereference

Object Injection

Abstract
反序列化不可信赖的数据会允许注入任意 PHP 对象,导致程序代表攻击者执行恶意命令。
Explanation
如果不可信赖的数据未经过正确清除即被传递给 unserialize() 函数,则会出现 Object injection 漏洞。攻击者可以将经特殊技术处理的序列化字符串传递到易受攻击的 unserialize() 调用,导致任意 PHP 对象注入应用程序范围。这种漏洞的严重性取决于应用程序范围中可用的类。攻击者会对实施 PHP 幻数方法(如 __wakeup__destruct)的类感兴趣,因为他们可以执行这些方法中的代码。

例 1:以下代码显示了实施 __destruct() 幻数方法并执行定义为类属性的系统命令的 PHP 类。还有使用用户提供的数据对 unserialize() 进行的不安全调用。


...
class SomeAvailableClass {
    public $command=null;
    public function __destruct() {
            system($this->command);
    }
}
...
$user = unserialize($_GET['user']);
...


Example 1 中,应用程序可能预期获得一个序列化的 User 对象,但攻击者实际上可能提供 SomeAvailableClass 的序列化版本,并为其 command 属性提供一个预定义值:


GET REQUEST:  http://server/page.php?user=O:18:"SomeAvailableClass":1:{s:7:"command";s:8:"uname -a";}


一旦没有对 $user 对象的其他引用,析构函数方法将被调用并执行攻击者提供的命令。

攻击者可以使用称为“面向属性编程”的技术链接在调用易受攻击的 unserialize() 时声明的不同类,该技术由 Stefan Esser 在 BlackHat 2010 会议上提出。利用该技术,攻击者可以重复使用现有代码以生成其自己的负载。
References
[1] Johannes Dahse, Nikolai Krein, and Thorsten Holz Code Reuse Attacks in PHP: Automated POP Chain Generation
[2] Stefan Esser Utilizing Code Reuse/ROP in PHP Application Exploits
[3] Standards Mapping - Common Weakness Enumeration CWE ID 502
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [23] CWE ID 502
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [21] CWE ID 502
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [13] CWE ID 502
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [12] CWE ID 502
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [15] CWE ID 502
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [16] CWE ID 502
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.5.2 Input and Output Architectural Requirements (L2 L3), 5.5.1 Deserialization Prevention Requirements (L1 L2 L3), 5.5.3 Deserialization Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A8 Insecure Deserialization
[20] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.php.object_injection
Abstract
反序列化不可信赖的数据会允许注入任意 Ruby 对象,导致程序代表攻击者执行恶意命令。
Explanation
如果不可信赖的数据未经过正确清除即被传递给类似 YAML.load() 的反序列化数据的函数,则会出现 Object injection 漏洞。只要在反序列化时将类加载到应用程序中,攻击者就可以将经特殊技术处理的序列化字符串传递到易受攻击的 YAML.load() 调用,从而将任意 Ruby 对象注入程序中。这可能带来大量的各种攻击机会,如绕过验证逻辑找到跨站点脚本漏洞,允许通过看似硬编码值来进行 SQL 注入,甚至进行完整的代码执行。

例 1:以下代码显示的 Ruby 类使用其属性来创建 SQL 查询,然后对数据库进行查询。还有使用用户提供的数据对 YAML.load() 进行的不安全调用。


...
class Transaction
  attr_accessor :id
  def initialize(num=nil)
    @id = num.is_a?(Numeric) ? num : nil
  end

  def print_details
    unless @id.nil?
      print $conn.query("SELECT * FROM transactions WHERE id=#{@id}")
    end
  end
end

...
user = YAML.load(params[:user]);
user.print_details
...


Example 1 中,应用程序可能预期获取一个序列化的 User 对象,而该对象也恰好具有一个名为 print_details 的函数,但攻击者可能实际上会提供 Transaction 对象的序列化版本,并为其 @id 属性提供一个预定义值。因此,如下所示的请求可能会允许绕过用于确保 @id 为数值的验证检查


GET REQUEST:  http://server/page?user=!ruby%2Fobject%3ATransaction%0Aid%3A4%20or%205%3D5%0A


如果我们查看其解码版本,我们就会知道 user 参数获分配了 !ruby/object:Transaction\nid:4 or 5=5\n
现在反序列化用户参数将创建一个 Transaction 类型的对象,将 @id 设置为 "4 or 5=5"。当开发人员认为他们将调用 User#print_details() 时,其实现在他们将会调用 Transaction#print_details(),且 Ruby 的字符串插值意味着 SQL 查询将被更改,以执行查询:SELECT * FROM transactions WHERE id=4 or 5=5。由于添加了额外语句,所以查询将评估为 true 并将返回 transactions 表中的所有内容,而不是开发人员所期望的单行。

攻击者可以使用称为“面向属性编程”的技术链接在调用易受攻击的 YAML.load() 时声明的不同类,该技术由 Stefan Esser 在 BlackHat 2010 会议上提出。利用该技术,攻击者可以重复使用现有代码以生成其自己的负载。
References
[1] HD Moore Serialization Mischief in Ruby Land (CVE-2013-0156)
[2] Ruby Ruby Security
[3] Standards Mapping - Common Weakness Enumeration CWE ID 502
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [23] CWE ID 502
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [21] CWE ID 502
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [13] CWE ID 502
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [12] CWE ID 502
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [15] CWE ID 502
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [16] CWE ID 502
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.5.2 Input and Output Architectural Requirements (L2 L3), 5.5.1 Deserialization Prevention Requirements (L1 L2 L3), 5.5.3 Deserialization Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A8 Insecure Deserialization
[20] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.ruby.object_injection

Object Model Violation: Erroneous clone() Method

Abstract
方法 clone() 应调用 super.clone() 获取新的对象。
Explanation
在所有实现 clone() 的方法中,应通过调用 super.clone() 来获取新对象。如果类没有遵守该约定,那么子类的 clone() 方法将会返回一个错误的对象类型。


例 1:以下两个类显示了由于没有调用 super.clone() 而产生的 bug。由于 Kibitzer 实现 clone() 的方法的缘故,FancyKibitzer 的克隆方法将会返回类型为 Kibitzer 而非 FancyKibitzer 的对象。


public class Kibitzer implements Cloneable {
  public Object clone() throws CloneNotSupportedException {
    Object returnMe = new Kibitzer();
    ...
  }
}

public class FancyKibitzer extends Kibitzer
                           implements Cloneable {
  public Object clone() throws CloneNotSupportedException {
    Object returnMe = super.clone();
    ...
  }
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 580
desc.structural.java.object_model_violation_erroneous_clone_method

Object Model Violation: Just One of Equals() and GetHashCode() Defined

Abstract
这个类仅替代了 Equals()GetHashCode() 中的一个。
Explanation
.NET 对象预期执行一系列与等式相关的不变式。其中的一个常量是相同的对象必须具有相同的哈希码。换句话说,如果 a.Equals(b) == true,那么 a.GetHashCode() == b.GetHashCode()

如果未能支持这一常量,当此类对象存储在一个集合中时,可能就会引发一些问题。如果这种类的对象被用作哈希表中的关键值,或者被插入到一个词典中,那么确保相等的对象具有相等的哈希码将至关重要。

例 1:下面的类重写了 Equals(),但没有重写 GetHashCode()


public class Halfway() {
  public override boolean Equals(object obj) {
    ...
  }
}
References
[1] MSDN Library: Equals Method (Object) Microsoft Corporation
[2] MSDN Library: GetHashCode Method (Object) Microsoft Corporation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 581
desc.structural.dotnet.object_model_violation.just_one_of_equals_hashcode_defined

Object Model Violation: Just one of equals() and hashCode() Defined

Abstract
这个类仅替代了 equals()hashCode() 中的一个。
Explanation
Java 对象预期执行一系列与等式相关的不变式。其中的一个常量是相同的对象必须具有相同的哈希码。换句话说,如果 a.equals(b) == true,那么 a.hashCode() == b.hashCode()

如果未能支持这一常量,当此类对象存储在一个集合中时,可能就会引发一些问题。如果将这个类的对象用作哈希表的关键值或是插入到一个 Map 或者 Set 中,那么相等的对象要具有相等的哈希码,这一点十分重要。

例 1:下面的类重写了 equals(),但没有重写 hashCode()


public class halfway() {
  public boolean equals(Object obj) {
    ...
  }
}
References
[1] D. H. Hovermeyer FindBugs User Manual
[2] MET09-J. Classes that define an equals() method must also define a hashCode() method CERT
[3] Standards Mapping - Common Weakness Enumeration CWE ID 581
desc.structural.java.object_model_violation_just_one_of_equals_hashcode_defined

Object Model Violation: Just one of restoreState() and saveState() Defined

Abstract
这个类仅替代了 saveState()restoreState() 中的一个。
Explanation
任何继承 StateHolder 接口的类都必须同时实施 saveState(javax.faces.context.FacesContext)restoreState(javax.faces.context.FacesContext, java.lang.Object),或者同时都不实施。由于这两种方法关系密切,因此,saveState(javax.faces.context.FacesContext)restoreState(javax.faces.context.FacesContext, java.lang.Object) 方法不得驻留在继承层次结构的不同级别中。

示例 1:以下类定义了 saveState(),但未定义 restoreState(),因此无论扩展它的任何类做什么,它都会出错。

public class KibitzState implements StateHolder {
  public Object saveState(FacesContext fc) {
    ...
  }
}
References
[1] Sun Microsystems JavaDoc for StateHolder Interface
[2] Standards Mapping - Common Weakness Enumeration CWE ID 684
desc.structural.java.object_model_violation_just_one_of_restoreState_saveState_defined

Obsolete

Abstract
使用不推荐的或过时的函数可能表示这是一段被忽略的代码。
Explanation
一般而言,随着编程语言的发展,有时一些方法会因下列原因过时:

- 为了改进该编程语言
- 对如何有效、安全地执行操作有了更深一步的了解

- 某些操作的管理规则发生了变化

有的语言会删除一些语句,并通常将其替换为执行相同任务的新语句,这些新语句采用不同但更有效的处理方式。

具体来讲,SAP ABAP 已演变成将 ABAP 对象(面向对象的 ABAP 扩展)包含在内,并在兼容 Unicode 的环境中运行。因此,在类或 Unicode 程序中实施了更严格的语法。过时构造仅由于为了兼容早期版本而仍然可用,且只能在类外部或非 Unicode 程序中使用。所有过时语言元素均存在替代构造,这提高了程序的效率和可读性。过时语法中很多隐式、模糊的类型/长度/内存规范需要在较新的语法中以更精确和清晰的方式指定。建议采用较新的语法编写程序,使其更容易理解、功能更强大、更易于维护。


并非所有函数都会因为存在安全漏洞而被弃用或被取代。然而,出现被弃用的函数通常表示周围代码已经不起作用了,有可能处于不受维护的状况。在过去很长一段时间内,人们并没有将软件安全放在首位,甚至都未曾考虑过。如果程序使用了不推荐的或过时的函数,在其附近就会潜伏着安全问题。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 477
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002617
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.5
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.6 Configuration Architectural Requirements (L2 L3)
[7] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002610 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002610 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002610 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002610 CAT II
[11] Standards Mapping - Smart Contract Weakness Classification SWC-111
desc.semantic.abap.obsolete
Abstract
使用不推荐的或过时的函数可能表示这是一段被忽略的代码。
Explanation
随着编程语言的发展,一些函数有时会被弃用,原因如下:

- 为了改进该编程语言
- 对如何有效、安全地执行操作有了更深一步的了解

- 某些操作的管理规则发生了变化


在一种编程语言中,旧函数会被新函数所替代,比起旧函数,新函数更能以我们所期望的方式执行任务。
示例 1:以下代码构造一个新的 SqlClientPermission 对象,它规定了用户如何连接到数据库。在此示例中,程序将 false 作为第二个参数传递给构造函数,以控制是否允许用户使用空密码进行连接。将 false 传递给此参数意味着不允许使用空密码。


...
SCP = new SqlClientPermission(pstate, false);
...


然而,因为作为第一个参数传递的 PermissionState 对象代替了任何传递给第二个参数的值,所以这个构造函数允许使用空密码连接到数据库,这与第二个参数相矛盾。要禁止使用空密码,程序应该把 PermissionState.None 传递给构造函数的第一个参数。由于其功能尚不明确,因此不赞成采用 SqlClientPermission 构造函数的“双参数”版本,而建议采用“单参数”版本(与“双参数”版本功能相同但是避免了被误译的风险)。

并非所有函数都会因为存在安全漏洞而被弃用或被取代。然而,出现被弃用的函数通常表示周围代码已经不起作用了,有可能处于不受维护的状况。在过去很长一段时间内,人们并没有将软件安全放在首位,甚至都未曾考虑过。如果程序使用了不推荐的或过时的函数,在其附近就会潜伏着安全问题。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 477
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002617
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.5
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.6 Configuration Architectural Requirements (L2 L3)
[7] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002610 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002610 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002610 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002610 CAT II
[11] Standards Mapping - Smart Contract Weakness Classification SWC-111
desc.semantic.dotnet.obsolete
Abstract
使用不推荐的或过时的函数可能表示这是一段被忽略的代码。
Explanation
随着编程语言的发展,一些函数有时会被弃用,原因如下:

— 为了改进该编程语言。
— 对操作的有效性、安全性有更深一步的了解。
—某些操作的管理规则发生了变化。

在编程语中,函数会经常被删除或由新的替代函数所取代,因为新的函数能以我们所期望的方式从多种角度执行相同的任务。
示例 1:以下代码使用了已弃用的函数 getpw() 来验证明文密码是否与用户加密密码相匹配。如果密码是有效的,则函数将 result 设为 1;如果无效,将其设为 0。


	...
	getpw(uid, pwdline);
	for (i=0; i<3; i++){
	cryptpw=strtok(pwdline, ":");
		pwdline=0;
	}
result = strcmp(crypt(plainpw,cryptpw), cryptpw) == 0;
	...


尽管代码经常正确地运行,使用 getpw() 函数从安全角度来说是有问题的,因为它可以溢出传递给它的第二个参数的缓冲区。因为这个漏洞,getpw() 已由 getpwuid() 替代,它与 getpw() 执行相同的查找,但返回一个指向静态分配结构的指针来降低风险。

并非所有函数都会因为存在安全漏洞而被弃用或被取代。然而,出现被弃用的函数通常表示周围代码已经不起作用了,有可能处于不受维护的状况。在过去很长一段时间内,人们并没有将软件安全放在首位,甚至都未曾考虑过。如果程序使用了不推荐的或过时的函数,在其附近就会潜伏着安全问题。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 477
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002617
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.5
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.6 Configuration Architectural Requirements (L2 L3)
[7] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002610 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002610 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002610 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002610 CAT II
[11] Standards Mapping - Smart Contract Weakness Classification SWC-111
desc.semantic.cpp.obsolete
Abstract
使用不推荐使用的或过时的函数可能表示存在忽略的代码或使用了陈旧的 ColdFusion 版本。
Explanation
随着编程语言的发展,有时会弃用些一些方法,原因是:

- 为了改进该编程语言
- 对如何有效、安全地执行操作有了更深一步的了解

- 某些操作的管理规则发生了变化

在某一种编程语言中,人们通常会放弃使用某些方法,转而采用更新的方法。在执行同样的任务时,新方法会采用不同的处理方式,这种方式往往比原有的方法更合理。


并非所有函数都会因为存在安全漏洞而被弃用或被取代。然而,出现被弃用的函数通常表示周围代码已经不起作用了,有可能处于不受维护的状况。在过去很长一段时间内,人们并没有将软件安全放在首位,甚至都未曾考虑过。如果程序使用了不推荐的或过时的函数,在其附近就会潜伏着安全问题。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 477
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002617
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.5
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.6 Configuration Architectural Requirements (L2 L3)
[7] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002610 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002610 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002610 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002610 CAT II
[11] Standards Mapping - Smart Contract Weakness Classification SWC-111
desc.semantic.cfml.obsolete
Abstract
使用不推荐的或过时的函数可能表示这是一段被忽略的代码。
Explanation
随着编程语言的发展,有时会弃用些一些方法,原因是:

- 为了改进该编程语言
- 对如何有效、安全地执行操作有了更深一
步的了解
- 某些操作的管理规则发生了变化

在某一种编程语言中,人们通常会放弃使用某些方法,转而采用更新的方法。在执行同样的任务时,新方法会采用不同的处理方式,这种方式往往比原有的方法更合理。
示例 1:以下代码根据字节数组和用于指定每个 16 位 Unicode 字符的前 8 位的值构造一个字符串对象。


...
String name = new String(nameBytes, highByte);
...


在此示例中,构造函数可能无法正确地将字节转换为字符,具体取决于使用哪个字符集对以 nameBytes 表示的字符串进行编码。由于用于编码字符串的字符集的演变,此构造函数已被弃用,取而代之的是接受用于编码字节进行转换的 charset 的名称作为其参数之一的构造函数。

并非所有函数都会因为存在安全漏洞而被弃用或被取代。然而,出现被弃用的函数通常表示周围代码已经不起作用了,有可能处于不受维护的状况。在过去很长一段时间内,人们并没有将软件安全放在首位,甚至都未曾考虑过。如果程序使用了不推荐的或过时的函数,在其附近就会潜伏着安全问题。
References
[1] MET02-J. Do not use deprecated or obsolete classes or methods CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 477
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002617
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.5
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.6 Configuration Architectural Requirements (L2 L3)
[8] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002610 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002610 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002610 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002610 CAT II
[12] Standards Mapping - Smart Contract Weakness Classification SWC-111
desc.semantic.java.obsolete
Abstract
使用不推荐的或过时的函数可能表示这是一段被忽略的代码。
Explanation
随着编程语言的发展,有时会弃用些一些方法,原因是:

- 为了改进该编程语言
- 对如何有效、安全地执行操作有了更深一步的了解

—某些操作的管理规则发生了变化。

在某一种编程语言中,人们通常会放弃使用某些方法,转而采用更新的方法。在执行同样的任务时,新方法会采用不同的处理方式,这种方式往往比原有的方法更合理。
示例 1:以下代码使用 Digest::HMAC stdlib,由于在发布过程中意外参与,因此在文档中明确不鼓励使用。


require 'digest/hmac'

hmac = Digest::HMAC.new("foo", Digest::RMD160)
...
hmac.update(buf)
...


在此示例中,Digest::HMAC 类在由于偶然纳入版本中而介入时立即被弃用。由于代码是试验性的且未经正确测试,导致类存在不按预期工作的可能性,因此绝对禁止使用该类,尤其是考虑到关系 HMAC 与加密功能有关。

并非所有函数都会因为存在安全漏洞而被弃用或被取代。然而,出现被弃用的函数通常表示周围代码已经不起作用了,有可能处于不受维护的状况。在过去很长一段时间内,人们并没有将软件安全放在首位,甚至都未曾考虑过。如果程序使用了不推荐的或过时的函数,在其附近就会潜伏着安全问题。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 477
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002617
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.5
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.6 Configuration Architectural Requirements (L2 L3)
[7] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002610 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002610 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002610 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002610 CAT II
[11] Standards Mapping - Smart Contract Weakness Classification SWC-111
desc.structural.ruby.obsolete

Obsolete: Inadequate Pointer Validation

Abstract
函数已过时,不能保证指针是有效的,或引用的内存可以安全使用。
Explanation
不使用 IsBadXXXPtr() 类的函数有多种原因。这些函数是:
1) 非线程安全的。
2) 通常与由于其探测无效内存地址而导致的崩溃有关。
3) 被错误地认为在异常条件中执行正确的错误处理。

示例 1:以下代码使用 IsBadWritePtr() 尝试避免错误的内存写入。

if (IsBadWritePtr(ptr, length))
{
    [handle error]
}


程序员原本希望使用这些函数来检测异常情况,但它们通常导致更多无法修复的问题。
References
[1] Raymond Chen IsBadXxxPtr should really be called CrashProgramRandomly
[2] IsBadWritePtr Function Microsoft
[3] Standards Mapping - Common Weakness Enumeration CWE ID 477
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.5
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[10] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II
[33] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[34] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.semantic.cpp.obsolete_inadequate_pointer_validation

Often Misused: Android Permission Check

Abstract
应谨慎使用 checkCallingOrSelfPermission() 或 checkCallingOrSelfUriPermission() 函数,因为它允许调用程序在没有所需权限或没有权限的情况下,通过使用应用程序的权限绕过权限检查。
Explanation
函数 checkCallingOrSelfPermission()checkCallingOrSelfUriPermission() 用来判定调用程序是否具备访问某个服务或给定 URI 所需的权限。但是,由于此类函数可允许缺乏相应权限的恶意应用程序利用您应用程序的权限进行访问,因而应慎重使用。

这意味着没有相应权限的恶意应用程序可以利用您应用程序的权限来避开它的权限检查,以获得对本应拒绝其访问的资源的访问。这可能导致所称的混淆代理人攻击。
References
[1] Designing for Security Android
[2] Context: Android Developers Android
[3] Standards Mapping - Common Weakness Enumeration CWE ID 732
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[9] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.5 Access Control Architectural Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.java.often_misused_android_permission_check