界: API Abuse
API 就像是呼叫者與被呼叫者之間簽訂的規定。最常見的 API 濫用形式是由呼叫者這一當事方未能遵守此規定所造成的。例如,如果程式在呼叫 chroot() 後無法呼叫 chdir(),即違反規範如何以安全方式變更使用中根目錄的規定。程式庫濫用的另一個好例子是期待被呼叫者向呼叫者傳回值得信賴的 DNS 資訊。在這種情況下,呼叫者是透過對其行為做出某些假設 (傳回值可用於驗證目的) 來濫用被呼叫者 API。另一方也可能違反呼叫者與被呼叫者間的規定。例如,如果編碼器衍生出子類別 SecureRandom 並傳回一個非隨機值,則違反了規定。
Often Misused: File Upload
Abstract
允許使用者上傳檔案可能會使攻擊者在伺服器執行已插入的危險內容或惡意程式碼。
Explanation
不論撰寫程式所使用的語言為何,毀壞性最大的攻擊通常都包含了遠端程式碼的執行,攻擊者可藉此在程式的上下文環境中成功的執行惡意程式碼。若攻擊者能夠上傳檔案至一個可從網路存取的目錄,並將這些檔案傳遞至程式碼解譯器 (例如 JSP/ASPX/PHP),則他們可能會造成這些檔案內包含的惡意程式碼在伺服器上執行。
下列程式碼收到上傳檔案並將其指派給
範例 1:
即使程式將上傳的檔案儲存於無法從 Web 存取的目錄下,攻擊者仍然可能透過向伺服器環境引入惡意內容中來發動其他攻擊。若程式容易有 Path Manipulation、Command Injection 或 Dangerous File Inclusion 的弱點,則攻擊者可能會上傳含有惡意內容的檔案並利用另一項弱點,使程式讀取或執行該檔。
下列程式碼收到上傳檔案並將其指派給
posted 物件。FileUpload 屬於 System.Web.UI.HtmlControls.HtmlInputFile 類型。範例 1:
HttpPostedFile posted = FileUpload.PostedFile;
即使程式將上傳的檔案儲存於無法從 Web 存取的目錄下,攻擊者仍然可能透過向伺服器環境引入惡意內容中來發動其他攻擊。若程式容易有 Path Manipulation、Command Injection 或 Dangerous File Inclusion 的弱點,則攻擊者可能會上傳含有惡意內容的檔案並利用另一項弱點,使程式讀取或執行該檔。
References
[1] Alla Bezroutchko Secure file upload in PHP web applications
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[35] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.semantic.dotnet.often_misused_file_upload
Abstract
允許使用者上傳檔案可能會使攻擊者在伺服器執行已插入的危險內容或惡意程式碼。
Explanation
不論撰寫程式所使用的語言為何,毀壞性最大的攻擊通常都包含了遠端程式碼的執行,攻擊者可藉此在程式的上下文環境中成功的執行惡意程式碼。若攻擊者能夠上傳檔案至一個可從網路存取的目錄,並將這些檔案傳遞至程式碼解譯器 (例如 JSP/ASPX/PHP),則他們可能會造成這些檔案內包含的惡意程式碼在伺服器上執行。
範例 1:以下的 Spring MVC 控制項類別具有可用來處理上傳檔案的參數。
即使程式將上傳的檔案儲存於無法從 Web 存取的目錄下,攻擊者仍然可能透過向伺服器環境引入惡意內容中來發動其他攻擊。若程式容易有 Path Manipulation、Command Injection 或 Dangerous File Inclusion 的弱點,則攻擊者可能會上傳含有惡意內容的檔案並利用另一項弱點,使程式讀取或執行該檔。
範例 1:以下的 Spring MVC 控制項類別具有可用來處理上傳檔案的參數。
@Controller
public class MyFormController {
...
@RequestMapping("/test")
public String uploadFile (org.springframework.web.multipart.MultipartFile file) {
...
} ...
}
即使程式將上傳的檔案儲存於無法從 Web 存取的目錄下,攻擊者仍然可能透過向伺服器環境引入惡意內容中來發動其他攻擊。若程式容易有 Path Manipulation、Command Injection 或 Dangerous File Inclusion 的弱點,則攻擊者可能會上傳含有惡意內容的檔案並利用另一項弱點,使程式讀取或執行該檔。
References
[1] Alla Bezroutchko Secure file upload in PHP web applications
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[35] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.java.often_misused_file_upload_spring
Abstract
允許使用者上傳檔案可能會使攻擊者在伺服器執行已插入的危險內容或惡意程式碼。
Explanation
不論撰寫程式所使用的語言為何,毀壞性最大的攻擊通常都包含了遠端程式碼的執行,攻擊者可藉此在程式的上下文環境中成功的執行惡意程式碼。如果允許攻擊者上傳檔案到可由 Web 存取的目錄上,並將這些檔案傳送至 PHP 解譯器,他們便能使這些檔案中包含的惡意程式碼在伺服器中執行。
範例 1:以下程式碼會處理上傳的檔案,並將其移至 Web 根目錄下的目錄中。攻擊者可能上傳惡意的 PHP 來源檔到此程式中,且稍後從伺服器要求這些檔案,這樣會使 PHP 解譯器執行這些檔案。
即使程式將上傳的檔案儲存於無法從 Web 存取的目錄下,攻擊者仍然可能透過向伺服器環境引入惡意內容中來發動其他攻擊。如果程式容易出現 path manipulation、command injection 或 remote include 弱點,則攻擊者可能會上傳包含惡意內容的檔案,並利用另一個弱點使程式讀取或執行該檔案。
範例 1:以下程式碼會處理上傳的檔案,並將其移至 Web 根目錄下的目錄中。攻擊者可能上傳惡意的 PHP 來源檔到此程式中,且稍後從伺服器要求這些檔案,這樣會使 PHP 解譯器執行這些檔案。
<?php
$udir = 'upload/'; // Relative path under Web root
$ufile = $udir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $ufile)) {
echo "Valid upload received\n";
} else {
echo "Invalid upload rejected\n";
} ?>
即使程式將上傳的檔案儲存於無法從 Web 存取的目錄下,攻擊者仍然可能透過向伺服器環境引入惡意內容中來發動其他攻擊。如果程式容易出現 path manipulation、command injection 或 remote include 弱點,則攻擊者可能會上傳包含惡意內容的檔案,並利用另一個弱點使程式讀取或執行該檔案。
References
[1] M. Achour et al. PHP Manual
[2] Alla Bezroutchko Secure file upload in PHP web applications
[3] Standards Mapping - Common Weakness Enumeration CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.semantic.php.often_misused_file_upload
Abstract
允許使用者上傳檔案可能會使攻擊者在伺服器執行已插入的危險內容或惡意程式碼。
Explanation
不論撰寫程式所使用的語言為何,毀壞性最大的攻擊通常都包含了遠端程式碼的執行,攻擊者可藉此在程式的上下文環境中成功的執行惡意程式碼。如果允許攻擊者上傳檔案到可從 Web 存取的目錄,並導致這些檔案傳送至 Python 解譯器,他們便能使這些檔案中包含的惡意程式碼在伺服器上執行。
範例 1:以下程式碼會處理上傳的檔案,並將其移至 Web 根目錄下的目錄中。攻擊者可能將惡意檔案上傳到此程式,然後從伺服器要求這些檔案。
即使程式將上傳的檔案儲存於無法從 Web 存取的目錄下,攻擊者仍然可能透過向伺服器環境引入惡意內容中來發動其他攻擊。若程式容易有 Path Manipulation、Command Injection 或 Dangerous File Inclusion 的弱點,則攻擊者可能會上傳含有惡意內容的檔案並利用另一項弱點,使程式讀取或執行該檔。
範例 1:以下程式碼會處理上傳的檔案,並將其移至 Web 根目錄下的目錄中。攻擊者可能將惡意檔案上傳到此程式,然後從伺服器要求這些檔案。
from django.core.files.storage import default_storage
from django.core.files.base import File
...
def handle_upload(request):
files = request.FILES
for f in files.values():
path = default_storage.save('upload/', File(f))
...
即使程式將上傳的檔案儲存於無法從 Web 存取的目錄下,攻擊者仍然可能透過向伺服器環境引入惡意內容中來發動其他攻擊。若程式容易有 Path Manipulation、Command Injection 或 Dangerous File Inclusion 的弱點,則攻擊者可能會上傳含有惡意內容的檔案並利用另一項弱點,使程式讀取或執行該檔。
References
[1] Django Foundation File Uploads
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[35] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.python.often_misused_file_upload
Abstract
允許使用者上傳檔案可能會使攻擊者在伺服器執行已插入的危險內容或惡意程式碼。
Explanation
不論撰寫程式所使用的語言為何,毀壞性最大的攻擊通常都包含了遠端程式碼的執行,攻擊者可藉此在程式的上下文環境中成功的執行惡意程式碼。若攻擊者可以上傳檔案至公開執行的目錄,則他們能在伺服器上執行包含在檔案中的惡意程式碼。
即使程式將上傳的檔案儲存於無法公開存取的目錄下,攻擊者仍可透過各種方式將惡意內容導入伺服器環境中以發動攻擊。如果程式容易出現 path manipulation、command injection 或 remote include 弱點,則攻擊者可能會上傳包含惡意內容的檔案,並利用另一個弱點使程式讀取或執行該檔案。
即使程式將上傳的檔案儲存於無法公開存取的目錄下,攻擊者仍可透過各種方式將惡意內容導入伺服器環境中以發動攻擊。如果程式容易出現 path manipulation、command injection 或 remote include 弱點,則攻擊者可能會上傳包含惡意內容的檔案,並利用另一個弱點使程式讀取或執行該檔案。
References
[1] Alla Bezroutchko Secure file upload in PHP web applications
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[35] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.ruby.often_misused_file_upload
Abstract
允許使用者上傳檔案可能會使攻擊者在伺服器執行已插入的危險內容或惡意程式碼。
Explanation
不論撰寫程式所使用的語言為何,毀壞性最大的攻擊通常都包含了遠端程式碼的執行,攻擊者可藉此在程式的上下文環境中成功的執行惡意程式碼。若攻擊者能夠上傳檔案至一個可從網路存取的目錄,並將這些檔案傳遞至程式碼解譯器 (例如 JSP/ASPX/PHP),則他們可能會造成這些檔案內包含的惡意程式碼在伺服器上執行。
即使程式將上傳的檔案儲存於無法從 Web 存取的目錄下,攻擊者仍然可能透過向伺服器環境引入惡意內容中來發動其他攻擊。若程式容易有 Path Manipulation、Command Injection 或 Dangerous File Inclusion 的弱點,則攻擊者可能會上傳含有惡意內容的檔案並利用另一項弱點,使程式讀取或執行該檔。
範例 1:
即使程式將上傳的檔案儲存於無法從 Web 存取的目錄下,攻擊者仍然可能透過向伺服器環境引入惡意內容中來發動其他攻擊。若程式容易有 Path Manipulation、Command Injection 或 Dangerous File Inclusion 的弱點,則攻擊者可能會上傳含有惡意內容的檔案並利用另一項弱點,使程式讀取或執行該檔。
file 類型的 <input> 標籤表示程式接受檔案上傳。範例 1:
<input type="file">
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 434
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[33] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[34] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.content.html.often_misused_file_upload