界: Input Validation and Representation

輸入驗證和表示法問題是由中繼字元、替代編碼和數值表示法引起的。信任輸入會導致安全問題。問題包括：「Buffer Overflows」、「Cross-Site Scripting」攻擊、「SQL Injection」及其他許多問題。

Value Shadowing: Server Variable

C#/VB.NET/ASP.NET

Abstract

此程式以不明確的方式存取伺服器變數，這可會使程式易受到攻擊。

Explanation

HttpRequest 類別以陣列存取形式 (例如 Request["myParam"]) 提供對 QueryString、Form、Cookies 或 ServerVariables 集合中變數的程式化存取。存在多個名稱相同的變數時，.NET Framework 會傳回在集合中以下列順序搜尋時第一個出現的變數值：QueryString、Form、Cookies，然後 ServerVariables。因為 QueryString 依搜尋順序第一個出現，因此 QueryString 參數可以取代表單、Cookie 及伺服器變數的值。同樣地，表單值可以取代 Cookies 和 ServerVariables 集合中的變數，而 Cookies 集合的變數可取代 ServerVariables 的變數。
範例 1：以下程式碼檢查 HTTP Referer 表頭伺服器變數，以確認要求在提供內容前是否來自於 www.example.com。


    ...
    if (Request["HTTP_REFERER"].StartsWith("http://www.example.com"))
        ServeContent();
    else
        Response.Redirect("http://www.example.com/");
    ...

假設在造訪 http://www.example.com/ProtectedImages.aspx 時執行 Example 1 中的程式碼。若攻擊者對 URL 做一個直接的要求，則不會設定適當的 Referer 表頭，而要求將失敗。不過，若攻擊者以必要值提交偽造 HTTP_REFERER 參數 (如 http://www.example.com/ProtectedImages.aspx?HTTP_REFERER=http%3a%2f%2fwww.example.com)，則查詢將從 QueryString 傳回值，而不是 ServerVariables，同時檢查也將成功。

References

[1] Microsoft IIS Server Variables

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310

[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[14] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II

desc.semantic.dotnet.value_shadowing_server_variable