界: Input Validation and Representation
輸入驗證和表示法問題是由中繼字元、替代編碼和數值表示法引起的。信任輸入會導致安全問題。問題包括:「Buffer Overflows」、「Cross-Site Scripting」攻擊、「SQL Injection」及其他許多問題。
Cross-Site Scripting: Content Sniffing
Abstract
傳送未經驗證的資料至網路瀏覽器,可能會導致特定瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:
1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。
2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。
傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。
要讓瀏覽器將回應呈現為 HTML,或可能執行指令碼的其他文件,需指定
大多數新式瀏覽器在提供具有 MIME 類型 (例如
但要特別注意的是,
因此,
範例 1:以下 JAX-RS 方法會在
如果攻擊者傳送一個要求並將
即使回應清楚指出應該將其視為 JSON 文件,但舊瀏覽器仍可能嘗試將其呈現為 HTML 文件,這會使其易受 Cross-Site Scripting 攻擊。
1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。
2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。
傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。
要讓瀏覽器將回應呈現為 HTML,或可能執行指令碼的其他文件,需指定
text/html
MIME 類型。因此,只有回應使用此 MIME 類型或任何其他也會強制瀏覽器以 HTML 呈現回應或可能會執行指令碼 (例如 SVG 影像 (image/svg+xml
)、XML 文件 (application/xml
等)) 的類型時,XSS 才會運作。 大多數新式瀏覽器在提供具有 MIME 類型 (例如
application/octet-stream
) 的回應時,不會呈現 HTML 或執行指令碼。但 Internet Explorer 等部分瀏覽器會執行名為 Content Sniffing
的作業。Content Sniffing 會忽略提供的 MIME 類型,並嘗試依據回應的內容推論正確的 MIME 類型。但要特別注意的是,
text/html
的 MIME 類型只是可能導致 XSS 弱點的一種 MIME 類型。可以執行諸如 SVG 影像 (image/svg+xml
)、XML 文件 (application/xml
) 等指令碼的其他文件,也可能導致 XSS 弱點,無論瀏覽器是否執行 Content Sniffing。 因此,
<html><body><script>alert(1)</script></body></html>
之類的回應可以呈現為 HTML,即使其 content-type
標頭已設為 application/octet-stream
, multipart-mixed
等。範例 1:以下 JAX-RS 方法會在
application/octet-stream
回應中反映使用者資料。
@RestController
public class SomeResource {
@RequestMapping(value = "/test", produces = {MediaType.APPLICATION_OCTET_STREAM_VALUE})
public String response5(@RequestParam(value="name") String name){
return name;
}
}
如果攻擊者傳送一個要求並將
name
參數設為 <html><body><script>alert(1)</script></body></html>
,則伺服器會產生以下回應:
HTTP/1.1 200 OK
Content-Length: 51
Content-Type: application/octet-stream
Connection: Closed
<html><body><script>alert(1)</script></body></html>
即使回應清楚指出應該將其視為 JSON 文件,但舊瀏覽器仍可能嘗試將其呈現為 HTML 文件,這會使其易受 Cross-Site Scripting 攻擊。
References
[1] X-Content-Type-Options Mozilla
[2] MIME Type Detection in Windows Internet Explorer Microsoft
[3] Understanding Malicious Content Mitigation for Web Developers CERT
[4] HTML 4.01 Specification W3
[5] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Attacks on WebView in the Android System
[6] Erika Chin and David Wagner Bifocals: Analyzing WebView Vulnerabilities in Android Applications
[7] INJECT-3: XML and HTML generation requires care Oracle
[8] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[15] Standards Mapping - FIPS200 SI
[16] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[23] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[27] Standards Mapping - OWASP Top 10 2021 A03 Injection
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[39] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[40] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.java.cross_site_scripting_content_sniffing
Abstract
傳送未經驗證的資料至網路瀏覽器,可能會導致特定瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:
1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。
2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。
傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。
要讓瀏覽器將回應呈現為 HTML,或可能執行指令碼的其他文件,需指定
在使用 MIME 類型 (例如
可以執行諸如 SVG 影像 (
因此,
範例 1:下列 AWS Lambda 函數會在
如果攻擊者傳送一個要求並將
即使回應清楚指出應該將其視為 JSON 文件,但舊瀏覽器仍可能嘗試將其呈現為 HTML 文件,這會使其易受 Cross-Site Scripting 攻擊。
1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。
2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。
傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。
要讓瀏覽器將回應呈現為 HTML,或可能執行指令碼的其他文件,需指定
text/html
MIME 類型。因此,只有回應使用此 MIME 類型或任何其他也會強制瀏覽器以 HTML 呈現回應或可能會執行指令碼 (例如 SVG 影像 (image/svg+xml
)、XML 文件 (application/xml
等)) 的類型時,XSS 才會運作。 在使用 MIME 類型 (例如
application/json
) 提供回應給大多數現代瀏覽器時,這些瀏覽器並不會呈現 HTML,也不會執行指令碼。但 Internet Explorer 等部分瀏覽器會執行名為 Content Sniffing
的作業。Content Sniffing 會忽略提供的 MIME 類型,並嘗試依據回應的內容推論正確的 MIME 類型。但要特別注意的是,text/html
的 MIME 類型只是可能導致 XSS 弱點的一種 MIME 類型。可以執行諸如 SVG 影像 (
image/svg+xml
)、XML 文件 (application/xml
) 等指令碼的其他文件,也可能導致 XSS 弱點,無論瀏覽器是否執行 Content Sniffing。 因此,
<html><body><script>alert(1)</script></body></html>
之類的回應可以呈現為 HTML,即使其 content-type
標頭已設為 application/json
。範例 1:下列 AWS Lambda 函數會在
application/json
回應中反映使用者資料。
def mylambda_handler(event, context):
name = event['name']
response = {
"statusCode": 200,
"body": "{'name': name}",
"headers": {
'Content-Type': 'application/json',
}
}
return response
如果攻擊者傳送一個要求並將
name
參數設為 <html><body><script>alert(1)</script></body></html>
,則伺服器會產生以下回應:
HTTP/1.1 200 OK
Content-Length: 88
Content-Type: application/json
Connection: Closed
{'name': '<html><body><script>alert(1)</script></body></html>'}
即使回應清楚指出應該將其視為 JSON 文件,但舊瀏覽器仍可能嘗試將其呈現為 HTML 文件,這會使其易受 Cross-Site Scripting 攻擊。
References
[1] X-Content-Type-Options Mozilla
[2] MIME Type Detection in Windows Internet Explorer Microsoft
[3] Understanding Malicious Content Mitigation for Web Developers CERT
[4] HTML 4.01 Specification W3
[5] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Attacks on WebView in the Android System
[6] Erika Chin and David Wagner Bifocals: Analyzing WebView Vulnerabilities in Android Applications
[7] INJECT-3: XML and HTML generation requires care Oracle
[8] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[15] Standards Mapping - FIPS200 SI
[16] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[23] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[27] Standards Mapping - OWASP Top 10 2021 A03 Injection
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[39] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[40] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.python.cross_site_scripting_content_sniffing