界: Input Validation and Representation
輸入驗證和表示法問題是由中繼字元、替代編碼和數值表示法引起的。信任輸入會導致安全問題。問題包括:「Buffer Overflows」、「Cross-Site Scripting」攻擊、「SQL Injection」及其他許多問題。
Connection String Parameter Pollution
Abstract
將未經驗證的輸入連結成資料庫連線可能會允許攻擊者覆寫要求參數的值。攻擊者可能可以覆寫現有參數值,插入新的參數或者利用直接接觸得到的變數。
Explanation
Connection String Parameter Pollution (CSPP) 攻擊包含將連線字串參數插入到其他現有參數中。此弱點類似於也會發生參數干擾的 HTTP 環境中的弱點,也許更為人所熟知。不過,它也可以套用於其他位置,如資料庫連線字串。如果應用程式無法正確清除處理使用者輸入,則惡意的使用者可能透過盜取憑證,危及應用程式的邏輯,以執行攻擊,進而擷取整個資料庫。經由提交額外參數到應用程式,且如果這些參數的名稱與現有參數相同,資料庫連線可能以下列其中一種方式反應:
僅可使用第一個參數的資料
可使用最後一個參數的資料
可使用所有參數的資料,並將這些資料串連在一起
這可能取決於所用的驅動程式、資料庫類型,或者甚至是 API 的使用方式。
範例 1:以下程式碼使用來自 HTTP 要求的輸入連線到資料庫:
在此範例中,程式設計師並未考量攻擊者可能提供
"xxx; Integrated Security = true",則連線字串會變成:
"Data Source = myDataSource; Initial Catalog = db; User ID = myUsername; Password = xxx; Integrated Security = true; "
這會讓應用程式使用作業系統帳戶連線到資料庫,應用程式會在該帳戶下執行以避開標準驗證。這會意味著攻擊者可以連線至沒有有效密碼的資料庫,並直接針對資料庫進行查詢。
僅可使用第一個參數的資料
可使用最後一個參數的資料
可使用所有參數的資料,並將這些資料串連在一起
這可能取決於所用的驅動程式、資料庫類型,或者甚至是 API 的使用方式。
範例 1:以下程式碼使用來自 HTTP 要求的輸入連線到資料庫:
...
string password = Request.Form["db_pass"]; //gets POST parameter 'db_pass'
SqlConnection DBconn = new SqlConnection("Data Source = myDataSource; Initial Catalog = db; User ID = myUsername; Password = " + password + ";");
...
在此範例中,程式設計師並未考量攻擊者可能提供
db_pass 參數,例如"xxx; Integrated Security = true",則連線字串會變成:
"Data Source = myDataSource; Initial Catalog = db; User ID = myUsername; Password = xxx; Integrated Security = true; "
這會讓應用程式使用作業系統帳戶連線到資料庫,應用程式會在該帳戶下執行以避開標準驗證。這會意味著攻擊者可以連線至沒有有效密碼的資料庫,並直接針對資料庫進行查詢。
References
[1] Chema Alonso, Manuel Fernandez, Alejandro Martin and Antonio Guzmán Connection String Parameter Pollution Attacks
[2] Eric P. Maurice A New Threat To Web Applications: Connection String Parameter Pollution (CSPP)
[3] Standards Mapping - Common Weakness Enumeration CWE ID 235
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.1 Input Validation Requirements (L1 L2 L3), 8.1.3 General Data Protection (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[11] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[13] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[14] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[15] Standards Mapping - OWASP Top 10 2010 A1 Injection
[16] Standards Mapping - OWASP Top 10 2013 A1 Injection
[17] Standards Mapping - OWASP Top 10 2017 A1 Injection
[18] Standards Mapping - OWASP Top 10 2021 A03 Injection
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[30] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020
[31] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 807
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 807
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.dotnet.connection_string_parameter_pollution
Abstract
將未經驗證的輸入串聯成資料庫連線可能會允許攻擊者覆寫要求參數的值。攻擊者可能可以覆寫現有參數值、插入新的參數或者利用無法直接接觸的變數。
Explanation
Connection String Parameter Pollution (CSPP) 攻擊包括將連線字串參數插入到其他現有參數中。此弱點類似於也會發生參數干擾的 HTTP 環境中的弱點,後者可能更為人所熟知。不過,它也可以套用於其他位置,如資料庫連線字串。如果應用程式不能妥當清理使用者輸入,則惡意使用者可能透過盜取認證來危及應用程式的邏輯以執行攻擊,進而擷取整個資料庫。透過將名稱與現有參數相同的其他參數提交到應用程式,資料庫可能會以下列其中一種方式反應:
它可能只能使用第一個參數的資料
它可能使用最後一個參數的資料
它可能使用所有參數的資料,並將這些資料串聯在一起
這取決於所用的驅動程式、資料庫類型,甚至是 API 的使用方式。
範例 1:以下程式碼使用來自 HTTP 要求的輸入連線到資料庫:
在此範例中,程式設計師並未考量攻擊者可能提供
"xxx@/attackerdb?foo=",則連線字串變成:
"user:xxx@/attackerdb?foo=/dbname"
這將會使應用程式連線至攻擊者控制器資料庫,讓他控制傳回應用程式的資料。
它可能只能使用第一個參數的資料
它可能使用最後一個參數的資料
它可能使用所有參數的資料,並將這些資料串聯在一起
這取決於所用的驅動程式、資料庫類型,甚至是 API 的使用方式。
範例 1:以下程式碼使用來自 HTTP 要求的輸入連線到資料庫:
...
password := request.FormValue("db_pass")
db, err := sql.Open("mysql", "user:" + password + "@/dbname")
...
在此範例中,程式設計師並未考量攻擊者可能提供
db_pass 參數,例如:"xxx@/attackerdb?foo=",則連線字串變成:
"user:xxx@/attackerdb?foo=/dbname"
這將會使應用程式連線至攻擊者控制器資料庫,讓他控制傳回應用程式的資料。
References
[1] Chema Alonso, Manuel Fernandez, Alejandro Martin and Antonio Guzmán Connection String Parameter Pollution Attacks
[2] Standards Mapping - Common Weakness Enumeration CWE ID 235
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.1 Input Validation Requirements (L1 L2 L3), 8.1.3 General Data Protection (L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[13] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[14] Standards Mapping - OWASP Top 10 2010 A1 Injection
[15] Standards Mapping - OWASP Top 10 2013 A1 Injection
[16] Standards Mapping - OWASP Top 10 2017 A1 Injection
[17] Standards Mapping - OWASP Top 10 2021 A03 Injection
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[29] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 807
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 807
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.golang.connection_string_parameter_pollution
Abstract
將未經驗證的輸入串連成資料庫連線可能會允許攻擊者覆寫要求參數的值。 攻擊者可能可以覆寫現有參數值、插入新的參數或者利用直接接觸得到的變數。
Explanation
Connection String Parameter Pollution (CSPP) 攻擊包含將連線字串參數插入到其他現有參數中。 此弱點類似於也會發生參數干擾的 HTTP 環境中的弱點,也許更為人所熟知。 不過,它也可以套用於其他位置,如資料庫連線字串。 如果應用程式不能妥當清潔使用者輸入,則惡意使用者可能透過盜取認證來危及應用程式的邏輯,以執行攻擊,進而擷取整個資料庫。 經由提交額外參數到應用程式,且如果這些參數的名稱與現有參數相同,資料庫連線可能以下列其中一種方式反應:
僅可使用第一個參數的資料
可使用最後一個參數的資料
可使用所有參數的資料,並將這些資料串連在一起
這可能取決於所用的驅動程式、資料庫類型,甚至是 API 的使用方式。
範例 1: 以下程式碼使用來自 HTTP 要求的輸入連線到資料庫:
在此範例中,程式設計師並未考量攻擊者可能提供如下
「myPassword@aMongoDBInstance.com/?ssl=false&」,則連線字串會變成 (假設使用者名稱為「scott」):
「mongodb://scott:myPassword@aMongoDBInstance.com/?ssl=false&@aMongoDBInstance.com/?ssl=true」
這會使「@aMongoDBInstance.com/?ssl=true」被當成額外的無效引數來處理,進而在實際上忽略「ssl=true」,並在沒有加密的情況下連線至資料庫。
僅可使用第一個參數的資料
可使用最後一個參數的資料
可使用所有參數的資料,並將這些資料串連在一起
這可能取決於所用的驅動程式、資料庫類型,甚至是 API 的使用方式。
範例 1: 以下程式碼使用來自 HTTP 要求的輸入連線到資料庫:
username = req.field('username')
password = req.field('password')
...
client = MongoClient('mongodb://%s:%s@aMongoDBInstance.com/?ssl=true' % (username, password))
...
在此範例中,程式設計師並未考量攻擊者可能提供如下
password 參數:「myPassword@aMongoDBInstance.com/?ssl=false&」,則連線字串會變成 (假設使用者名稱為「scott」):
「mongodb://scott:myPassword@aMongoDBInstance.com/?ssl=false&@aMongoDBInstance.com/?ssl=true」
這會使「@aMongoDBInstance.com/?ssl=true」被當成額外的無效引數來處理,進而在實際上忽略「ssl=true」,並在沒有加密的情況下連線至資料庫。
References
[1] Chema Alonso, Manuel Fernandez, Alejandro Martin and Antonio Guzmán Connection String Parameter Pollution Attacks
[2] Standards Mapping - Common Weakness Enumeration CWE ID 235
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.1 Input Validation Requirements (L1 L2 L3), 8.1.3 General Data Protection (L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[13] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[14] Standards Mapping - OWASP Top 10 2010 A1 Injection
[15] Standards Mapping - OWASP Top 10 2013 A1 Injection
[16] Standards Mapping - OWASP Top 10 2017 A1 Injection
[17] Standards Mapping - OWASP Top 10 2021 A03 Injection
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[29] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 807
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 807
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.python.connection_string_parameter_pollution
Abstract
將未經驗證的輸入連結成資料庫連線可能會允許攻擊者覆寫要求參數的值。攻擊者可能可以覆寫現有參數值,插入新的參數或者利用直接接觸得到的變數。
Explanation
Connection String Parameter Pollution (CSPP) 攻擊包含將連線字串參數插入到其他現有參數中。此弱點類似於也會發生參數干擾的 HTTP 環境中的弱點,也許更為人所熟知。不過,它也可以套用於其他位置,如資料庫連線字串。如果應用程式無法正確清除處理使用者輸入,則惡意的使用者可能透過盜取憑證,危及應用程式的邏輯,以執行攻擊,進而擷取整個資料庫。經由提交額外參數到應用程式,且如果這些參數的名稱與現有參數相同,資料庫連線可能以下列其中一種方式反應:
僅可使用第一個參數的資料
可使用最後一個參數的資料
可使用所有參數的資料,並將這些資料串連在一起
這可能取決於所用的驅動程式、資料庫類型,或者甚至是 API 的使用方式。
範例 1:以下程式碼使用來自 HTTP 要求的輸入連線到資料庫:
在此範例中,程式設計師並未考量攻擊者可能提供
「myevilsite.com%20port%3D4444%20sslmode%3Ddisable」,則連線字串會變成 (假設使用者名稱為「scott」且密碼為「5up3RS3kR3t」):
「dbname=app_development user=scott password=5up3RS3kR3t host=myevilsite.com port=4444 sslmode=disable」
這將會對「myevilsite.com」執行查詢,然後於連接埠 4444 連線到此網站,以停用 SSL。這可能意味著,攻擊者可以盜取使用者「scott」的憑證,然後使用此憑證在其機器和真實資料庫之間執行 man-in-the-middle 攻擊,或者只是登入真實資料庫,直接對資料庫執行查詢。
僅可使用第一個參數的資料
可使用最後一個參數的資料
可使用所有參數的資料,並將這些資料串連在一起
這可能取決於所用的驅動程式、資料庫類型,或者甚至是 API 的使用方式。
範例 1:以下程式碼使用來自 HTTP 要求的輸入連線到資料庫:
hostname = req.params['host'] #gets POST parameter 'host'
...
conn = PG::Connection.new("connect_timeout=20 dbname=app_development user=#{user} password=#{password} host=#{hostname}")
...
在此範例中,程式設計師並未考量攻擊者可能提供
host 參數,例如「myevilsite.com%20port%3D4444%20sslmode%3Ddisable」,則連線字串會變成 (假設使用者名稱為「scott」且密碼為「5up3RS3kR3t」):
「dbname=app_development user=scott password=5up3RS3kR3t host=myevilsite.com port=4444 sslmode=disable」
這將會對「myevilsite.com」執行查詢,然後於連接埠 4444 連線到此網站,以停用 SSL。這可能意味著,攻擊者可以盜取使用者「scott」的憑證,然後使用此憑證在其機器和真實資料庫之間執行 man-in-the-middle 攻擊,或者只是登入真實資料庫,直接對資料庫執行查詢。
References
[1] Chema Alonso, Manuel Fernandez, Alejandro Martin and Antonio Guzmán Connection String Parameter Pollution Attacks
[2] Eric P. Maurice A New Threat To Web Applications: Connection String Parameter Pollution (CSPP)
[3] Standards Mapping - Common Weakness Enumeration CWE ID 235
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.1 Input Validation Requirements (L1 L2 L3), 8.1.3 General Data Protection (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[11] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[13] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[14] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[15] Standards Mapping - OWASP Top 10 2010 A1 Injection
[16] Standards Mapping - OWASP Top 10 2013 A1 Injection
[17] Standards Mapping - OWASP Top 10 2017 A1 Injection
[18] Standards Mapping - OWASP Top 10 2021 A03 Injection
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[30] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020
[31] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 807
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 807
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.ruby.connection_string_parameter_pollution