界: Input Validation and Representation

輸入驗證和表示法問題是由中繼字元、替代編碼和數值表示法引起的。信任輸入會導致安全問題。問題包括：「Buffer Overflows」、「Cross-Site Scripting」攻擊、「SQL Injection」及其他許多問題。

1 找到的項目

弱點

Reflected File Download

Java/JSP

Abstract

應用程式可讓攻擊者製作 URL，以強制下載看似來自受信賴網域的任意內容。

Explanation

反映型檔案下載 (Reflected File Download, RFD) 是一種可讓攻擊者製作網路釣魚 URL 或頁面的弱點，在使用者造訪該 URL 或頁面時便會啟動檔案下載，檔案中包含看似來自受信賴網域的任意內容。因為使用者信任指定的網域，所以他/她可能會開啟所下載的檔案，從而可能導致執行惡意程式碼。

攻擊者若要成功執行 RFD 攻擊，必須滿足下列要求：
- 目標應用程式反映使用者輸入而不進行適當的驗證或編碼。這用於插入承載。
- 目標應用程式允許寬鬆的 URL。攻擊者可能藉此控制所下載檔案的名稱和副檔名。
- 目標應用程式的 Content-Disposition 表頭設定錯誤，從而讓攻擊者可控制 HTTP 回應中的 Content-Type 和/或 Content-Disposition 表頭，或者目標應用程式所包含的 Content-Type 預設並非在瀏覽器中轉譯。

例如，如果應用程式使用 Spring Web MVC ContentNegotiationManager 來動態產生不同的回應格式，則滿足使 RFD 攻擊成為可能所需的條件。

ContentNegotiationManager 設定為根據要求路徑副檔名來決定回應格式，並使用 Java Activation Framework (JAF) 尋找更為符合用戶端所要求之格式的 Content-Type。它還允許用戶端透過在要求的 Accept 表頭中傳送的媒體類型來指定回應內容類型。

範例 1：在以下範例中，應用程式設定為允許路徑副檔名策略和 Java Activation Framework 來決定回應的內容類型：


<bean id="contentNegotiationManager" class="org.springframework.web.accept.ContentNegotiationManagerFactoryBean">
  <property name="favorPathExtension" value="true" />
  <property name="useJaf" value="true" />
</bean>

範例 2：在以下範例中，應用程式設定為允許要求的 Accept 表頭來決定回應的內容類型：


<bean id="contentNegotiationManager" class="org.springframework.web.accept.ContentNegotiationManagerFactoryBean">
  <property name="ignoreAcceptHeader" value="false" />
</bean>

請注意，Spring 4.2.1 中的 ContentNegotiationManagerFactoryBean 屬性預設值如下：

- useJaf：true
- favorPathExtension：true
- ignoreAcceptHeader：falseExample 1 中所顯示的配置可讓攻擊者製作惡意 URL，如：

http://server/some/resource/endpoint/foo.bat?input=payload

以便 ContentNegotiationManager 使用 Java Activation Framework (如果在類別路徑中找到 activation.jar) 嘗試解析指定副檔名的媒體類型，並相應設定回應的 ContentType 表頭。此範例中的副檔名為「.bat」，從而產生 application/x-msdownload 的 Content-Type 表頭 (儘管確切的 Content-Type 可能依據伺服器 OS 和 JAF 組態而有所不同)。因此，一旦受害者造訪此惡意 URL，他/她的機器便會自動開始下載包含攻擊者控制內容的「.bat」檔案。如果隨後執行此檔案，受害者機器便會執行攻擊者承載所指定的任意指令。

References

[1] Oren Hafif Reflected File Download - A New Web Attack Vector

[2] Alvaro Munoz Reflected File Download in Spring MVC

[3] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 233

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079

[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079

[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[10] Standards Mapping - FIPS200 SI

[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[14] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization

[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 8.1.3 General Data Protection (L2 L3)

[16] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[19] Standards Mapping - OWASP Top 10 2010 A1 Injection

[20] Standards Mapping - OWASP Top 10 2013 A1 Injection

[21] Standards Mapping - OWASP Top 10 2017 A1 Injection

[22] Standards Mapping - OWASP Top 10 2021 A03 Injection

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.6

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079

[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079

[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.config.java.reflected_file_download