Weakness
Abstract
The application allows an attacker to craft a URL that forces the download of arbitrary content that appears to originate from a trusted domain.
Explanation
Reflected File Download (RFD) is a vulnerability that lets an attacker craft a phishing URL or page which, when a user visits it, triggers a file download whose contents are attacker-chosen but appear to come from a trusted domain. Because the user trusts that domain, he or she is likely to open the downloaded file, which can lead to execution of malicious code.

For an RFD attack to succeed, the following conditions must hold:
- The target application reflects user input without proper validation or encoding. This is used to inject the payload.
- The target application accepts permissive URLs. This lets the attacker control the name and extension of the downloaded file.
- The target application's Content-Disposition header is misconfigured, so that the attacker can control the Content-Type and/or Content-Disposition headers of the HTTP response, or the application serves a Content-Type that browsers do not render inline by default.

For example, if the application uses the Spring Web MVC ContentNegotiationManager to produce different response formats dynamically, the conditions required for an RFD attack are met.

The ContentNegotiationManager is configured to determine the response format from the extension of the request path, and uses the Java Activation Framework (JAF) to look up a Content-Type that best matches the format the client asked for. It also lets the client specify the response content type through the media types sent in the request's Accept header.

Example 1: In the following example, the application is configured to let the path-extension strategy and the Java Activation Framework determine the content type of the response:

    <bean id="contentNegotiationManager" class="org.springframework.web.accept.ContentNegotiationManagerFactoryBean">
        <property name="favorPathExtension" value="true" />
        <property name="useJaf" value="true" />
    </bean>
Example 2: In the following example, the application is configured to let the request's Accept header determine the content type of the response:

    <bean id="contentNegotiationManager" class="org.springframework.web.accept.ContentNegotiationManagerFactoryBean">
        <property name="ignoreAcceptHeader" value="false" />
    </bean>


Note that in Spring 4.2.1 the ContentNegotiationManagerFactoryBean properties default to the following values:

- useJaf: true
- favorPathExtension: true
- ignoreAcceptHeader: false

The configuration shown in Example 1 lets an attacker craft a malicious URL such as:

http://server/some/resource/endpoint/foo.bat?input=payload

so that the ContentNegotiationManager uses the Java Activation Framework (if activation.jar is found on the classpath) to try to resolve a media type for the given extension and sets the response's Content-Type header accordingly. In this example the extension is ".bat", which yields an application/x-msdownload Content-Type header (although the exact Content-Type may vary with the server OS and the JAF configuration). As a result, once a victim visits the malicious URL, his or her machine automatically starts downloading a ".bat" file that contains attacker-controlled content. If that file is subsequently executed, the victim's machine runs whatever commands the attacker's payload specifies.
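As an added example (not from the original page and not Spring's own documentation), the following bean definition removes the two conditions that the URL above relies on: it turns off path-extension negotiation and the JAF lookup, leaving only Accept-header negotiation, which a victim's browser sends on its own and which a crafted link cannot influence. The property names are those used in Examples 1 and 2 above (Spring 4.x); they are the assumed target version.

```xml
<!-- Hardened content negotiation: added example, assumes Spring 4.x property names -->
<bean id="contentNegotiationManager"
      class="org.springframework.web.accept.ContentNegotiationManagerFactoryBean">
    <!-- The request path extension (".bat" in the URL above) no longer selects the format -->
    <property name="favorPathExtension" value="false" />
    <!-- Unknown extensions are never resolved through the Java Activation Framework -->
    <property name="useJaf" value="false" />
    <!-- ignoreAcceptHeader keeps its default (false): the Accept header remains the only strategy -->
</bean>
```

With this configuration the response Content-Type is chosen from the Accept header and the handler's declared producible types rather than from a user-controlled file name, which is the check to look for when reviewing a ContentNegotiationManager definition.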
References
[1] Oren Hafif Reflected File Download - A New Web Attack Vector
[2] Alvaro Munoz Reflected File Download in Spring MVC
[3] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 233
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 8.1.3 General Data Protection (L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.config.java.reflected_file_download
Abstract
The behaviour of a function is undefined unless its control parameter is set to a specific value.
Explanation
The Linux Standard Base Specification 2.0.1 for libc places certain constraints on the arguments of some internal functions [1]. If a function's parameters do not satisfy these constraints, the function's behaviour is not defined.

In the following File System function, the value 1 must be passed as the first parameter (the version number):

    __xmknod

In the following wide-character string functions, the value 2 must be passed as the third parameter (the group argument):

    __wcstod_internal
    __wcstof_internal
    __wcstol_internal
    __wcstold_internal
    __wcstoul_internal

In the following File System functions, the value 3 must be passed as the first parameter (the version number):

    __xstat
    __lxstat
    __fxstat
    __xstat64
    __lxstat64
    __fxstat64

References
[1] The Linux Standard Base Specification 2.0.1, Interfaces Definitions for libc.
[2] Standards Mapping - Common Weakness Enumeration CWE ID 475
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
desc.semantic.cpp.undefined_behavior
Abstract
The application uses an assignment that dereferences a system FILE object.
Explanation
Depending on the particular C compiler in use, the address of a system FILE object may be significant for using that FILE object as a stream. Using a copy of a FILE object that is not tied to the original address can lead to undefined behaviour, which may in turn allow system information leakage, a system crash, or a malicious actor being able to read or edit files of their own choosing.

Example 1: The following code shows a system FILE object that is dereferenced and copied by value.

    #include <stdio.h>

    FILE *sysfile = fopen("test.file", "w+");
    FILE insecureFile = *sysfile;   /* copies the FILE object by value: undefined behaviour */


Because sysfile is dereferenced when insecureFile is assigned, any use of insecureFile may lead to a variety of problems.
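As an added example (not from the original page), the following C++ code shows the defensive counterpart of Example 1: the stream is only ever addressed through the FILE pointer the C library returned, wrapped in a non-copyable RAII handle so that a by-value copy such as "FILE insecureFile = *sysfile;" becomes a compile error rather than undefined behaviour. The class name StreamHandle, the function roundtrip_through_pointer and the sample text are all assumptions made for this example.

```cpp
#include <cstdio>
#include <cstring>

// Added example (not from the original page): a non-copyable RAII wrapper
// around FILE*. Copying the wrapper is a compile-time error, so the
// "FILE insecureFile = *sysfile;" mistake cannot be written against it.
class StreamHandle {
public:
    explicit StreamHandle(FILE *f) : f_(f) {}
    ~StreamHandle() { if (f_) std::fclose(f_); }
    StreamHandle(const StreamHandle &) = delete;             // no by-value copies
    StreamHandle &operator=(const StreamHandle &) = delete;
    StreamHandle(StreamHandle &&other) noexcept : f_(other.f_) { other.f_ = nullptr; }
    FILE *get() const { return f_; }                          // always the original address
    explicit operator bool() const { return f_ != nullptr; }
private:
    FILE *f_;
};

// Constructed sample payload for the round trip below (24 bytes).
static const char kSample[] = "constructed sample line\n";

// Writes kSample to a temporary stream and reads it back through the same
// FILE pointer. Returns the number of bytes read back, or -1 on failure.
int roundtrip_through_pointer() {
    StreamHandle stream(std::tmpfile());     // FILE* stays owned by the C library
    if (!stream) return -1;

    // Undefined behaviour, shown only as a comment:
    //   FILE copy = *stream.get();   // the copy has no identity of its own
    //   std::fputs(kSample, &copy);

    if (std::fputs(kSample, stream.get()) == EOF) return -1;
    std::rewind(stream.get());

    char buf[64] = {0};
    std::size_t n = std::fread(buf, 1, sizeof buf - 1, stream.get());
    return (std::strcmp(buf, kSample) == 0) ? static_cast<int>(n) : -1;
}   // StreamHandle closes the stream exactly once here

int main() {
    std::printf("bytes read back: %d\n", roundtrip_through_pointer());
    return 0;
}
```

The deleted copy constructor is the whole point: the C library owns the FILE object, and code should pass around the pointer (or a move-only handle to it), never the object.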
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 706
[2] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 22.5
desc.structural.cpp.undefined_behavior_file_pointer_dereference
Abstract
The application performs file operations on a closed file pointer.
Explanation
Performing file operations on a system FILE object after its associated stream has been closed results in undefined behaviour. Depending on the particular C compiler in use, the file operation may crash the system, and may even cause the same or a different file to be modified or read.

Example 1: The following code shows an attempt to read from a system FILE object after the corresponding stream has been closed.

    #include <stdio.h>

    FILE *sysfile = fopen("test.file", "r+");
    int res = fclose(sysfile);
    if (res == 0) {
        printf("%c", getc(sysfile));   /* stream already closed: undefined behaviour */
    }


Because the getc() function runs after the file stream behind sysfile has been closed, getc() has undefined behaviour and may crash the system or cause the same or a different file to be modified or read.
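As an added example (not from the original page), the following C++ code reworks Example 1 so that a read after close is detected rather than executed: the stream is closed through a helper that also clears the caller's pointer, and every read is gated on a null check. The helper names close_and_clear and checked_getc, the sentinel kStreamClosed and the one-byte sample content are assumptions made for this example.

```cpp
#include <cstdio>

// Added example (not from the original page): close through a helper that
// clears the caller's pointer, and gate every read on a null check.

// Closes *fp and sets it to nullptr. Returns fclose's result, or -1 when
// there was nothing to close (a second call is therefore harmless).
int close_and_clear(FILE **fp) {
    if (fp == nullptr || *fp == nullptr) return -1;
    int rc = std::fclose(*fp);
    *fp = nullptr;
    return rc;
}

// Constructed sentinel returned for a stream that was already closed and cleared.
const int kStreamClosed = -2;

// Returns the next byte (0..255), EOF at end of stream, or kStreamClosed.
int checked_getc(FILE *fp) {
    if (fp == nullptr) return kStreamClosed;
    return std::getc(fp);
}

// Mirrors the page's Example 1 with the close routed through close_and_clear().
// Returns 0 when the read after close is rejected instead of being executed.
int demo_read_after_close() {
    FILE *sysfile = std::tmpfile();
    if (sysfile == nullptr) return -1;
    std::fputc('A', sysfile);              // constructed content
    std::rewind(sysfile);

    int before = checked_getc(sysfile);    // 'A'
    if (close_and_clear(&sysfile) != 0) return -1;
    int after = checked_getc(sysfile);     // kStreamClosed, not undefined behaviour

    return (before == 'A' && after == kStreamClosed) ? 0 : 1;
}

int main() {
    std::printf("demo result: %d\n", demo_read_after_close());
    return 0;
}
```

Clearing the pointer at the point of close is what turns a silent use-after-close into a checkable condition; the same idiom also makes an accidental double fclose() a no-op.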
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 910
[2] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 22.6
desc.controlflow.cpp.undefined_behavior_file_pointer_use_after_close
Abstract
Explicitly deleting a managed pointer causes the program to crash or malfunction.
Explanation
Deleting a managed pointer causes the program to crash, or causes errors later when the pointer-managing code assumes the pointer is still valid. The following example illustrates this error.

    #include <memory>

    std::auto_ptr<foo> p(new foo);
    foo* rawFoo = p.get();
    delete rawFoo;   // p still owns the object and will delete it again


The only exception to this rule is when the managed-pointer class supports a "detach" operation, which gives the programmer control over the memory management of a particular pointer. If the program detaches the pointer from the managing class before calling delete, the managing class will not use the pointer again.
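As an added example (not from the original page), the following C++ code shows the "detach" exception just described next to the safe default of letting the manager delete. It uses std::unique_ptr (C++11) in place of the page's std::auto_ptr; release() is the detach operation, and auto_ptr offers the same release() call. The struct foo with its live-instance counter and the function names detach_then_delete and let_manager_delete are assumptions made for this example.

```cpp
#include <memory>
#include <cstdio>

// Added example (not from the original page): std::unique_ptr replaces the
// page's std::auto_ptr; release() is the "detach" operation the text refers to.
struct foo {
    static int live;          // instances currently alive (constructed minus destroyed)
    foo()  { ++live; }
    ~foo() { --live; }
};
int foo::live = 0;

// Detach before deleting: after release() the manager owns nothing, so the
// single manual delete is the only one. Returns foo::live after the scope (0).
int detach_then_delete() {
    {
        std::unique_ptr<foo> p(new foo);
        foo *rawFoo = p.release();   // p no longer tracks the object
        delete rawFoo;               // exactly one delete
    }                                // p's destructor does nothing
    return foo::live;
}

// Alternative: never delete by hand; get() hands out a non-owning view only.
int let_manager_delete() {
    {
        std::unique_ptr<foo> p(new foo);
        foo *rawFoo = p.get();       // borrowed pointer, p still owns it
        (void)rawFoo;
        // delete rawFoo;            // WRONG: p would delete it a second time
    }                                // p deletes the object here, once
    return foo::live;
}

int main() {
    std::printf("%d %d\n", detach_then_delete(), let_manager_delete());
    return 0;
}
```

The live counter is the check: after either function the count is back to zero, whereas the page's pattern (get() followed by delete) destroys the object twice, which the counter would show as a negative value before the double free crashes the program.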
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[5] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[7] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[28] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[29] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.redundant_delete