界: Input Validation and Representation

輸入驗證和表示法問題是由中繼字元、替代編碼和數值表示法引起的。信任輸入會導致安全問題。問題包括：「Buffer Overflows」、「Cross-Site Scripting」攻擊、「SQL Injection」及其他許多問題。

Log Forging (debug)

Abstract

將未經驗證的使用者輸入寫入記錄檔會允許攻擊者偽造記錄項目，或將惡意內容插入到記錄檔中。

Explanation

Log Forging 弱點會在以下情況中出現：

1.資料從不受信任的來源進入應用程式。

2.將資料寫入應用程式或系統記錄檔。

一般來說，應用程式會使用記錄檔來儲存事件或交易的歷史記錄，以便之後進行檢閱、統計資料蒐集或除錯之用。根據應用程式的本質而定，檢閱記錄檔的工作可在需要時手動執行，或者自動執行，方法為使用工具自動選取重要事件或帶有某種傾向資訊的記錄檔。

如果攻擊者可以提供資料給會持續逐字記錄內容的應用程式，則可能會妨礙或是誤導記錄檔的解讀。在大多數理想的情況下，攻擊者可能會藉由向應用程式提供包含適當字元的輸入，而將錯誤的項目插入記錄檔。如果記錄檔是自動化處理的，那麼攻擊者就有可能藉由破壞檔案格式或插入預期外字元的方式，使檔案無法使用。更猛烈的惡意攻擊甚至可能導致記錄檔的統計資料產生偏差。藉由偽造或其他方式，毀損的記錄檔可用來掩護攻擊者的追蹤，或甚至授意第三方執行惡意行為 [1]。最糟糕的情況是，攻擊者可能會在記錄檔中插入程式碼或其他指令，並利用記錄檔處理公用程式的弱點進行破壞 [2]。

範例 1：以下 REST 端點嘗試從一個要求物件中讀取整數值。如果這個值無法解析成一個整數，那麼就會記錄此輸入並附帶一則錯誤訊息，說明發生哪些情況。


@HttpGet
global static void doGet() {
    RestRequest req = RestContext.request;
    String val = req.params.get('val');
    try {
        Integer i = Integer.valueOf(val);
        ...
    } catch (TypeException e) {
        System.Debug(LoggingLevel.INFO, 'Failed to parse val: '+val);
    }
}

如果使用者提交用於 val 的字串「twenty-one」，則會記錄以下項目：


Failed to parse val: twenty-one

不過，如果攻擊者傳遞了字串「twenty-one%0a%0aUser+logged+out%3dbadguy」，則會記錄以下項目：


Failed to parse val: twenty-one

User logged out=badguy

您可以清楚發現，攻擊者可使相同的機制來插入任意記錄檔項目。

References

[1] A. Muffet The night the log was forged.

[2] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley

[3] Standards Mapping - Common Weakness Enumeration CWE ID 117

[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[6] Standards Mapping - FIPS200 AU, SI

[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1

[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-24 Fail in Known State (P1), SI-10 Information Input Validation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-24 Fail in Known State, SI-10 Information Input Validation

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.1 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.1 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 7.3.1 Log Protection Requirements (L2 L3), 7.3.2 Log Protection Requirements (L2 L3)

[13] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs

[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1

[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[17] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[18] Standards Mapping - OWASP Top 10 2010 A1 Injection

[19] Standards Mapping - OWASP Top 10 2013 A1 Injection

[20] Standards Mapping - OWASP Top 10 2017 A1 Injection

[21] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 10.5.2

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2, Requirement 10.5.2

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1, Requirement 10.5.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1, Requirement 10.5.2

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1, Requirement 10.5.2

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1, Requirement 10.5.2

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1, Requirement 10.5.2

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 10.3.2

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 10.3.2

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 8.4 - Activity Tracking

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 8.4 - Activity Tracking, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 8.4 - Activity Tracking, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002320 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002320 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[56] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.dataflow.apex.log_forging__debug_

Abstract

將未經驗證的使用者輸入寫入記錄檔會允許攻擊者偽造記錄項目，或將惡意內容插入到記錄檔中。

Explanation

Log Forging 弱點會在以下情況中出現：

1. 資料從不可信賴的來源進入應用程式。

2. 將資料寫入應用程式或系統記錄檔。

一般來說，應用程式會使用記錄檔來儲存事件或交易的歷史記錄，以便之後進行檢閱、統計資料蒐集或除錯之用。根據應用程式的本質而定，檢閱記錄檔的工作可在需要時手動執行，或者自動執行，方法為使用工具自動選取重要事件或帶有某種傾向資訊的記錄檔。

如果攻擊者可以提供資料給會持續逐字記錄內容的應用程式，則可能會妨礙或是誤導記錄檔的解讀。在大多數理想的情況下，攻擊者可能會藉由向應用程式提供包含適當字元的輸入，而將錯誤的項目插入記錄檔。如果記錄檔是自動化處理的，那麼攻擊者就有可能藉由破壞檔案格式或插入預期外字元的方式，使檔案無法使用。更猛烈的惡意攻擊甚至可能導致記錄檔的統計資料產生偏差。藉由偽造或其他方式，毀損的記錄檔可用來掩護攻擊者的追蹤，或甚至授意第三方執行惡意行為 [1]。最糟糕的情況是，攻擊者可能會在記錄檔中插入程式碼或其他指令，並利用記錄檔處理公用程式的弱點進行破壞 [2]。

範例 1： 以下 Web 應用程式程式碼嘗試從一個要求物件中讀取整數值。如果這個值無法解析成一個整數，那麼就會記錄此輸入並附帶一條錯誤訊息，說明發生哪些情況。


  ...
          String val = request.Params["val"];
          try {
                  int value = Int.Parse(val);
          }
          catch (FormatException fe) {
                  log.Info("Failed to parse val = " + val);
          }
  ...

如果使用者提交用於 val 的字串「twenty-one」，則會記錄以下項目：


  INFO: Failed to parse val=twenty-one

不過，如果攻擊者提交字串「twenty-one%0a%0aINFO:+User+logged+out%3dbadguy」，則會記錄以下項目：


  INFO: Failed to parse val=twenty-one

  INFO: User logged out=badguy

您可以清楚地發現，攻擊者可能使用相同的機制來插入任何記錄檔項目。

有人認為在行動環境中，典型的 Web 應用程式弱點 (例如 Log Forging) 不會產生影響，因為使用者為何會攻擊自己呢？但是請謹記，行動平台的本質是從多種來源下載，並在相同裝置上一起執行的應用程式。在金融應用程式旁執行惡意程式碼的可能性很高，這必然會擴大行動應用程式的受攻擊面，將程序之間的通訊包括在內。

範例 2：以下程式碼改寫 Example 1 以適用於 Android 平台。


  ...
          String val = this.Intent.Extras.GetString("val");
          try {
                  int value = Int.Parse(val);
          }
          catch (FormatException fe) {
                  Log.E(TAG, "Failed to parse val = " + val);
          }
  ...

References

[1] A. Muffet The night the log was forged.

[2] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley

[3] IDS03-J. Do not log unsanitized user input CERT

[4] Standards Mapping - Common Weakness Enumeration CWE ID 117

[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020

[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[7] Standards Mapping - FIPS200 AU, SI

[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1

[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-24 Fail in Known State (P1), SI-10 Information Input Validation (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-24 Fail in Known State, SI-10 Information Input Validation

[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.1 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.1 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 7.3.1 Log Protection Requirements (L2 L3), 7.3.2 Log Protection Requirements (L2 L3)

[14] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs

[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1

[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[19] Standards Mapping - OWASP Top 10 2010 A1 Injection

[20] Standards Mapping - OWASP Top 10 2013 A1 Injection

[21] Standards Mapping - OWASP Top 10 2017 A1 Injection

[22] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 10.5.2

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2, Requirement 10.5.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1, Requirement 10.5.2

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1, Requirement 10.5.2

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1, Requirement 10.5.2

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1, Requirement 10.5.2

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1, Requirement 10.5.2

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 10.3.2

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 10.3.2

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 8.4 - Activity Tracking

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 8.4 - Activity Tracking, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 8.4 - Activity Tracking, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3690.2 CAT II, APP3690.4 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002320 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002320 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.dataflow.dotnet.log_forging__debug_

Abstract

將未經驗證的使用者輸入寫入記錄檔會允許攻擊者偽造記錄項目，或將惡意內容插入到記錄檔中。

Explanation

Log Forging 弱點會在以下情況中出現：

1.資料從不可信賴的來源進入應用程式。

2.將資料寫入應用程式或系統記錄檔。

一般來說，應用程式會使用記錄檔來儲存事件或交易的歷史記錄，以便之後進行檢閱、統計資料蒐集或除錯之用。根據應用程式的本質而定，檢閱記錄檔的工作可在需要時手動執行，或者自動執行，方法為使用工具自動選取重要事件或帶有某種傾向資訊的記錄檔。

如果攻擊者可以提供資料給會持續逐字記錄內容的應用程式，則可能會妨礙或是誤導記錄檔的解讀。在大多數理想的情況下，攻擊者可能會藉由向應用程式提供包含適當字元的輸入，而將錯誤的項目插入記錄檔。如果記錄檔是自動化處理的，那麼攻擊者就可以藉由破壞檔案格式或插入預期外字元的方式，來使檔案無法使用。更猛烈的惡意攻擊甚至可能導致記錄檔的統計資料產生偏差。藉由偽造或其他方式，攻擊者可能使用毀損的記錄檔來掩護其追蹤，或甚至授意第三方執行惡意行為 [1]。最糟糕的情況是，攻擊者可能會在記錄檔中插入程式碼或其他指令，並利用記錄檔處理公用程式的弱點進行破壞 [2]。

範例 1：以下 Web 應用程式程式碼嘗試從一個要求物件中讀取整數值。如果這個值無法解析成一個整數，那麼就會記錄此輸入並附帶一則錯誤訊息，說明發生哪些情況。


...
    var idValue string

    idValue = req.URL.Query().Get("id")
    num, err := strconv.Atoi(idValue)

    if err != nil {
        sysLog.Debug("Failed to parse value: " + idValue)
    }
...

如果使用者提交用於 val 的字串「twenty-one」，則會記錄以下項目：


INFO: Failed to parse val=twenty-one

不過，如果攻擊者提交字串「twenty-one%0a%0aINFO:+User+logged+out%3dbadguy」，則會記錄以下項目：


INFO: Failed to parse val=twenty-one

INFO: User logged out=badguy

您可以清楚發現，攻擊者可使相同的機制來插入任何記錄檔項目。