5 找到的項目

弱點

Server-Side Request Forgery

Abstract

應用程式利用使用者控制的資料啟動與第三方系統的網路連線以製作資源 URI。

Explanation

當攻擊者可以影響應用程式伺服器建立的網路連線時，就會發生 Server-Side Request Forgery。網路連線來自應用程式伺服器的內部　IP，因而攻擊者可以使用此連線略過網路控制措施，並掃描或攻擊原本未暴露的內部資源。

範例 1：在以下範例中，攻擊者可以控制伺服器連線的 URL。


...
PageReference ref = ApexPages.currentPage();
Map<String,String> params = ref.getParameters();
HttpRequest req = new HttpRequest();
req.setEndpoint(params.get('url'));
HTTPResponse res = new Http().send(req);

攻擊者能否劫持網路連線取決於其可以控制的 URI 特定部分，以及用於建立連線的程式庫。例如，控制 URI 配置可讓攻擊者使用不同於 http 或 https 的通訊協定，例如：

- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://

攻擊者可以利用這一劫持的網路連線執行下列類型的攻擊：

- 內部網路資源的連接埠掃描。
- 規避防火牆。
- 攻擊應用程式伺服器或內部網路上所執行之易受攻擊的程式。
- 使用插入攻擊或 CSRF 攻擊內部/外部 Web 應用程式。
- 執行 DNS cache poisoning 攻擊。

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 918

[2] Standards Mapping - Common Weakness Enumeration Top 25 2021 [24] CWE ID 918

[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [21] CWE ID 918

[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [19] CWE ID 918

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[6] Standards Mapping - FIPS200 SI

[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[10] Standards Mapping - OWASP API 2023 API7 Server Side Request Forgery

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.6 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.6.1 SSRF Protection Requirements (L1 L2 L3), 13.1.1 Generic Web Service Security Verification Requirements (L1 L2 L3)

[12] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[14] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[19] Standards Mapping - OWASP Top 10 2021 A10 Server-Side Request Forgery

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation

[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)

desc.dataflow.apex.server_side_request_forgery

Abstract

應用程式利用使用者控制的資料啟動與第三方系統的網路連線以製作資源 URI。

Explanation

當攻擊者可以影響應用程式伺服器建立的網路連線時，就會發生 Server-Side Request Forgery。網路連線來自應用程式伺服器的內部　IP，因而攻擊者可以使用此連線略過網路控制措施，並掃描或攻擊原本未暴露的內部資源。

範例：在以下範例中，攻擊者可以控制伺服器連線的 URL。


string url = Request.Form["url"];
HttpClient client = new HttpClient();
HttpResponseMessage response = await client.GetAsync(url);

攻擊者能否劫持網路連線取決於其可以控制的 URI 特定部分，以及用於建立連線的程式庫。例如，控制 URI 結構描述可讓攻擊者使用不同於 http 或 https 的通訊協定，例如：

- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://

攻擊者可以利用這一劫持的網路連線執行下列攻擊：

- 企業內部網資源的連接埠掃描。
- 規避防火牆。
- 攻擊應用程式伺服器或內部網路上所執行之易受攻擊的程式。
- 使用插入式攻擊或 CSRF 攻擊內部/外部 Web 應用程式。
- 使用 file:// 架構存取本地檔案。
- 在 Windows 系統上，file:// 架構及 UNC 路徑可允許攻擊者掃描並存取內部共用內容。
- 執行 DNS cache poisoning 攻擊。

References

[1] Alexander Polyakov SSRF vs. Business critical applications BlackHat 2012

[2] SSRF bible. Cheatsheet ONSec Labs

[3] Standards Mapping - Common Weakness Enumeration CWE ID 918

[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [24] CWE ID 918

[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [21] CWE ID 918

[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [19] CWE ID 918

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[8] Standards Mapping - FIPS200 SI

[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[12] Standards Mapping - OWASP API 2023 API7 Server Side Request Forgery

[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.6 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.6.1 SSRF Protection Requirements (L1 L2 L3), 13.1.1 Generic Web Service Security Verification Requirements (L1 L2 L3)

[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[21] Standards Mapping - OWASP Top 10 2021 A10 Server-Side Request Forgery

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation

[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[54] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)

desc.dataflow.dotnet.server_side_request_forgery

Abstract

應用程式利用使用者控制的資料啟動與第三方系統的網路連線以製作資源 URI。

Explanation


char *url = maliciousInput(); 
CURL *curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_URL, url);
CURLcode res = curl_easy_perform(curl);

攻擊者能否劫持網路連線取決於其可以控制的 URI 特定部分，以及用於建立連線的程式庫。例如，控制 URI 配置可讓攻擊者使用不同於 http 或 https 的通訊協定，例如：

- up://
- ldap://
- jar://
- gopher://
- mailto://
- ssh2://
- telnet://
- expect://

攻擊者可以利用這一劫持的網路連線執行下列攻擊：

- 內部網路資源的連接埠掃描。
- 規避防火牆。
- 攻擊應用程式伺服器或內部網路上所執行之易受攻擊的程式。
- 使用插入攻擊或 CSRF 攻擊內部/外部 Web 應用程式。
- 使用 file:// 結構描述存取本機檔案。
- 在 Windows 系統上，使用 file:// 結構描述及 UNC 路徑會使攻擊者能夠掃描並存取內部共用內容。
- 執行 DNS cache poisoning 攻擊。