界: Input Validation and Representation

輸入驗證和表示法問題是由中繼字元、替代編碼和數值表示法引起的。信任輸入會導致安全問題。問題包括：「Buffer Overflows」、「Cross-Site Scripting」攻擊、「SQL Injection」及其他許多問題。

2 找到的項目

弱點

Value Shadowing

C#/VB.NET/ASP.NET

Abstract

此程式以不明確的方式存取變數，這可會使程式易受到攻擊。

Explanation

HttpRequest 類別以陣列存取形式 (例如 Request["myParam"]) 提供對 QueryString、Form、Cookies 或 ServerVariables 集合中變數的程式化存取。存在多個名稱相同的變數時，.NET Framework 會傳回在集合中以下列順序搜尋時第一個出現的變數值：QueryString、Form、Cookies，然後 ServerVariables。因為 QueryString 依搜尋順序第一個出現，因此 QueryString 參數可以取代表單、Cookie 及伺服器變數的值。同樣地，表單值可以取代 Cookies 和 ServerVariables 集合中的變數，而 Cookies 集合的變數可取代 ServerVariables 的變數。
範例 1：想像一個金融應用程式暫時在 Cookie 中儲存使用者的電子郵件地址，並當要聯絡使用者時讀取此值。以下程式碼讀取 Cookie 值並將帳戶餘額傳送到指定的電子郵件地址。


...
    String toAddress = Request["email"];        //Expects cookie value
    Double balance = GetBalance(userID);
    SendAccountBalance(toAddress, balance);
...

假設在造訪 http://www.example.com/GetBalance.aspx 時執行 Example 1 中的程式碼。若攻擊者能夠使通過驗證的使用者按下要求 http://www.example.com/GetBalance.aspx?email=evil%40evil.com 的連結，則含有使用者帳戶餘額的電子郵件將會送往 evil@evil.com。

References

[1] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310

[2] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[3] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[9] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[10] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[11] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[12] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II

desc.semantic.dotnet.value_shadowing

Value Shadowing: Server Variable

C#/VB.NET/ASP.NET

Abstract

此程式以不明確的方式存取伺服器變數，這可會使程式易受到攻擊。

Explanation

HttpRequest 類別以陣列存取形式 (例如 Request["myParam"]) 提供對 QueryString、Form、Cookies 或 ServerVariables 集合中變數的程式化存取。存在多個名稱相同的變數時，.NET Framework 會傳回在集合中以下列順序搜尋時第一個出現的變數值：QueryString、Form、Cookies，然後 ServerVariables。因為 QueryString 依搜尋順序第一個出現，因此 QueryString 參數可以取代表單、Cookie 及伺服器變數的值。同樣地，表單值可以取代 Cookies 和 ServerVariables 集合中的變數，而 Cookies 集合的變數可取代 ServerVariables 的變數。
範例 1：以下程式碼檢查 HTTP Referer 表頭伺服器變數，以確認要求在提供內容前是否來自於 www.example.com。


    ...
    if (Request["HTTP_REFERER"].StartsWith("http://www.example.com"))
        ServeContent();
    else
        Response.Redirect("http://www.example.com/");
    ...

假設在造訪 http://www.example.com/ProtectedImages.aspx 時執行 Example 1 中的程式碼。若攻擊者對 URL 做一個直接的要求，則不會設定適當的 Referer 表頭，而要求將失敗。不過，若攻擊者以必要值提交偽造 HTTP_REFERER 參數 (如 http://www.example.com/ProtectedImages.aspx?HTTP_REFERER=http%3a%2f%2fwww.example.com)，則查詢將從 QueryString 傳回值，而不是 ServerVariables，同時檢查也將成功。

References

[1] Microsoft IIS Server Variables

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310

[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[10] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[11] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[12] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[13] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II

desc.semantic.dotnet.value_shadowing_server_variable