界: Time and State

分散式運算與時間和狀態相關。也就是說,為了使多個元件進行通訊,必須共用狀態,並且這一切都需要時間。

大多數的程式設計師將他們的工作擬人化。他們想採用一種控制執行緒來執行整個程式,就像他們必須自己完成這項工作一樣。但是,現代的電腦可以非常快速地切換工作,並且在多核心多 CPU 或分散式系統中,兩個事件可能恰好同時發生。瑕疵急於填補程式設計師在程式執行模型與實際情況之間的差距。這些瑕疵與執行緒、處理序、時間和資訊之間的意外互動有關。這些互動透過共用狀態發生:信號、變數、檔案系統,以及基本上任何可以儲存資訊的項目。

18 找到的項目
弱點
Abstract
將不可序列化的物件當作 HttpSessionState 屬性儲存,會破壞應用程式的可靠性。
Explanation
根據預設,ASP.NET 伺服器會儲存 HttpSessionState 物件,以及在記憶體中它參照的屬性和任何物件。此模型會將作用中的階段作業狀態限制為,僅由單一機器的系統記憶體來提供。為了擴充這些限制的容量,要頻繁的配置伺服器以維持階段作業狀態資訊,如此不僅可擴充容量,還可在多台機器上進行複製以增進整體的效能。為了要維持其階段作業狀態,伺服器必須序列化 HttpSessionState 物件,此作業要求所有儲存在伺服器中的物件皆為可序列化的。

為了使階段作業能夠正確的進行序列化,所有應用程式儲存為階段作業屬性的物件必須聲明 [Serializable] 屬性。此外,如果物件要求自訂的序列化方法,它還必須執行 ISerializable 介面。

範例 1:以下的類別把自己新增至階段作業中,但因為它不可序列化,這個階段作業也就不能正確也序列化。


public class DataGlob {
String GlobName;
String GlobValue;

public void AddToSession(HttpSessionState session) {
session["glob"] = this;
}
}
References
[1] Session State Providers Microsoft Corporation
[2] Underpinnings of the Session State Implementation in ASP.NET Microsoft Corporation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 579
[4] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[5] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[6] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[7] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[8] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[9] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[10] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
desc.structural.dotnet.asp_dotnet_bad_practices_non_serializable_object_stored_in_session
Abstract
呼叫 sleep() 的同時還持續鎖定,會降低效能,而且可能造成鎖死。
Explanation
如果多個執行緒嘗試鎖定資源,呼叫 sleep() 的同時還持續鎖定會讓所有其他執行緒等待資源釋放,這會導致效能降低與鎖死。

範例 1:下列程式碼會呼叫 sleep() 並同時持續鎖定。

ReentrantLock rl = new ReentrantLock();
...
rl.lock();
Thread.sleep(500);
...
rl.unlock();
References
[1] LCK09-J. Do not perform operations that can block while holding a lock CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 557
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000336, CCI-000366, CCI-001094
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection
[6] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[8] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002950 CAT II
[29] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[30] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.java.code_correctness_call_to_sleep_in_lock
Abstract
Double-checked locking 是一種不正確且不能達到預期效果的方法。
Explanation
許多聰穎的人花了大量的時間精神,試圖找出如何使用 double-checked locking 來增進效能。但都沒有人成功。

範例 1:乍看之下,它似乎既能避免不必要的同步處理又能保障執行緒的安全。


if (fitz == null) {
synchronized (this) {
if (fitz == null) {
fitz = new Fitzer();
}
}
}
return fitz;


程式設計師希望保證只分配一個 Fitzer() 物件,但是又不希望每次呼叫此程式碼時都進行一次同步化。這就是所謂的 double-checked locking。

不幸的是,這並沒有用,且可分配多個 Fitzer() 物件。請參閱 Double-Checked Locking is Broken 聲明以取得更多詳細資訊 [1]。
References
[1] D. Bacon et al. The "Double-Checked Locking is Broken" Declaration
[2] LCK10-J. Use a correct form of the double-checked locking idiom CERT
[3] Standards Mapping - Common Weakness Enumeration CWE ID 609
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[9] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
desc.structural.java.code_correctness_double_checked_locking
Abstract
如果執行緒沒能在向其他執行緒發訊號後解除 mutex 鎖定,其他執行緒仍會維持鎖定,並在 mutex 繼續等待。
Explanation
在執行緒對其他在 mutex 等待的執行緒發出訊號後,它必須在另一個 pthread_mutex_unlock() 函數能開始執行之前,先呼叫此函數來解除 mutex 鎖定。如果發出訊號的執行緒沒能解除 mutex 鎖定,就不會回傳在第二個執行緒呼叫的 pthread_cond_wait(),而且也不會執行該執行緒。

範例 1:以下程式碼藉由呼叫 pthread_cond_signal(),對一個在 mutex 上等待的執行緒發出訊號,但卻無法解除另一個執行緒在等待的 mutex 鎖定。


...
pthread_mutex_lock(&count_mutex);

// Signal waiting thread
pthread_cond_signal(&count_threshold_cv);
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 373
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000336, CCI-000366, CCI-001094
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection
[6] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[8] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002950 CAT II
[29] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[30] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.structural.cpp.code_correctness_erroneous_synchronization
Abstract
建立和使用不安全的暫存檔案會使得應用程式和系統資料產生安全性弱點,容易受到攻擊。
Explanation
應用程式需要非常頻繁地呼叫暫存檔案,許多種不同的機制都是為了在 C 程式庫或 Windows(R) API 中建立暫存檔案而存在的。大多函數很容易受到多種形式的攻擊。
範例:以下程式碼會在對從網路收集的直接資料進行處理之前,使用暫存檔案進行儲存。


...
if (tmpnam_r(filename)){
FILE* tmp = fopen(filename,"wb+");
while((recv(sock,recvbuf,DATA_SIZE, 0) > 0)&&(amt!=0))
amt = fwrite(recvbuf,1,DATA_SIZE,tmp);
}
...


這程式碼並不容易被注意到,但卻容易受到很多不同的攻擊,因為它建立暫存檔案的方式並不安全。以下各節將詳述由此函數及其它內容所造成的安全弱點。大部分臭名昭著與暫存檔案建立有關的安全問題已在 Unix 作業系統上出現,但是 Windows 應用程式同樣存在著這樣的風險。此章節討論的主題為在 Unix 和 Windows 上建立暫存檔案。

不同系統間使用的方法和運作方式可能是不同的,但是各自造成的基本風險則相差不大。請參閱「建議事項」一節,以瞭解核心安全語言的相關資訊及安全建立暫存檔案的相關建議方法。

設計用來幫助建立暫存檔案的函數可依據其是否是提供檔案名稱或實際開啟新檔,而分成兩個部分。

群組 1 -「唯一的」檔案名稱:

第一組 C 程式庫和 WinAPI 函數是用來幫助建立暫存檔案,其透過產生唯一的檔案名稱來建立要被某程式打開的新暫存檔案。這部分包含了如 tmpnam()tempnam()mktemp() 這樣的 C 程式庫函數以及與其等價的以 _ (下劃線) 開頭的 C++ 文件和 Windows API 中的 GetTempFileName() 函數。這組函數在檔案名稱選擇方面很可能會有 Race Condition 的麻煩。雖然函數保證在選取檔案時,其檔案名稱是唯一的,但是沒有機制能防止其他處理或攻擊者在選取檔案後和應用程式試圖開啟檔案之前的這段時間內,建立一個相同檔案名稱。相比一個由其他程式呼叫相同函數所引發的合法衝突,攻擊者非常有可能建立一個惡意的衝突,因為由這些函數建立的檔案名稱沒有充分的隨機化來使猜測更加困難。

如果建立了特定名稱的檔案,那麼根據這個檔案的開啟方式,現有內容或存取權限都可能保持不變。如果現有檔案內容實質上是惡意的,攻擊者就可以在應用程式從暫存檔案讀取資料時向程式注入危險資料。如果攻擊者預先建立了一個能輕鬆獲取存取權限的檔案,那麼被應用程式儲存在暫存檔案裏的資料將被存取、修改或毀壞。在 Unix 系統上,如果攻擊者預先定義了一個檔案作為另一個重要檔案的連接,那麼更狡猾的攻擊也可能存在。那麼,如果應用程式從檔案截取資料或將資料寫入檔案,它將不知不覺地為攻擊者執行惡意操作。如果程式是以提升過的權限執行,那將是極其嚴重的威脅。

最後,最好的情況就是呼叫 open() 函數並使用 O_CREATO_EXCL 旗標,或者呼叫 CreateFile() 函數並使用 CREATE_NEW 屬性來開啟檔案。如此一來,如果檔案已經存在,那麼檔案建立就會失敗,也可以防範以上所描述的攻擊類型。然而,如果攻擊者可以準確預測一個檔案序列的檔案名稱,那麼應用程式將被強制禁止開啟所需的臨時儲存空間,進而引發 Denial of Service (DoS) 攻擊。如果使用由這些函數產生的一小部分亂數來選擇檔案名稱,那麼這種類型的攻擊將不難實現。

群組 2 -「唯一的」檔案:

C 程式庫函數的第二部分是藉由產生唯一的檔案名稱且開啟該檔案,來解決一些與暫存檔案有關的安全問題。這部分包含了像 tmpfile() 這樣的 C 函數和與之對應的以 _ (下劃線) 開頭的 C++ 函數,以及表現更為出色的 C 程式庫函數 mkstemp()

類似 tmpfile() 的函數構成唯一的檔案名稱,並藉由與傳遞 "wb+" 標記時 fopen() 使用的相同方法開啟檔案,就像讀/寫模式下的二位元檔一樣。如果檔案已存在,tmpfile() 將把檔案大小縮小為 0,藉此緩和前面提到的有關存在於唯一檔案名稱選擇與隨之打開選取檔案之間的 Race Condition 的安全問題。然而,這個運作方式顯然不能解決函數的安全性問題。首先,攻擊者可能使用可能由 tmpfile().開啟的檔案所保存的寬鬆存取權限來預先建立檔案。其次,在 Unix 系統上,如果攻擊者預先建立了一個檔案作為其他重要檔案的一個連接,應用程式可能會使用其被提升的權限去縮小該檔案,這樣就能按照攻擊的意願執行破壞。最後,如果 tmpfile() 建立了一個新檔案,那麼套用在此檔案上的存取權限在不同的作業系統間是不同的;如此一來,應用程式就極易受到攻擊,而攻擊者甚至不需要預先猜測到將被使用的檔案名稱也可進行攻擊。

最後,mkstemp() 函數是建立暫存檔案的安全方式。它將以一個使用者結合一組隨機生成的字元提供的檔案名稱範本的方式,來建立並開啟唯一的檔案。如果它不能建立此檔案,它將回傳 -1 表示失敗。在先進的系統上,是使用模式0600 來開啟檔案,這就意味著這個檔案將免受干擾,除非使用者改變其存取權限。然而,mkstemp() 仍然會受到使用能夠預先推測的檔案名稱的威脅,而且如果攻擊是藉由猜測或預先建立將要使用的檔案名稱的檔案導致 mkstemp() 函數失效的話,將使應用程式極易受到 Denial of Service 攻擊。
References
[1] B. Schneier Yarrow: A secure pseudorandom number generator
[2] CryptLib
[3] Crypto++
[4] BeeCrypt
[5] OpenSSL
[6] CryptoAPI: CryptGenRandom() Microsoft
[7] RtlGenRandom() Microsoft
[8] .NET System.Security.Cryptography: Random Number Generation Microsoft
[9] Standards Mapping - Common Weakness Enumeration CWE ID 377
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-4 Information in Shared Resources (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-4 Information in Shared System Resources
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1
[15] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002380 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002380 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002380 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002380 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002380 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002380 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002380 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002380 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002380 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002380 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002380 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002380 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002380 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002380 CAT II
desc.semantic.cpp.insecure_temporary_file
Abstract
建立和使用不安全的暫存檔案會使得應用程式和系統資料產生安全性弱點,容易受到攻擊。
Explanation
應用程式需要非常頻繁地使用暫存檔案,許多不同機制都是為了建立暫存檔案而存在的。大多函數很容易受到多種形式的攻擊。
範例:以下程式碼使用暫存檔案在它被處理之前用來儲存從網路上收集到的中間資料。


...
try:
tmp_filename = os.tempnam()
tmp_file = open(tmp_filename, 'w')
data = s.recv(4096)
while True:
more = s.recv(4096)
tmp_file.write(more)
if not more:
break
except socket.timeout:
errMsg = "Connection timed-out while connecting"
self.logger.exception(errMsg)
raise Exception
...


這程式碼並不容易被注意到,但卻容易受到很多不同的攻擊,因為它建立暫存檔案的方式並不安全。以下各節將詳述由此函數及其它內容所造成的安全弱點。大部分臭名昭著與暫存檔案建立有關的安全問題已在 Unix 作業系統上出現,但是 Windows 應用程式同樣存在著這樣的風險。

不同系統間使用的方法和運作方式可能是不同的,但是各自造成的基本風險則相差不大。請參閱「建議事項」一節,以瞭解核心安全語言的相關資訊及安全建立暫存檔案的相關建議方法。

設計用來幫助建立暫存檔案的函數可依據其是否是提供檔案名稱或實際開啟新檔,而分成兩個部分。

群組 1 -「唯一的」檔案名稱:

第一組函數是用來幫助建立暫存檔案,這組函數透過產生唯一的檔案名稱來建立稍後程式會開啟的新暫存檔案。這組函數在檔案名稱選擇方面很可能會有 Race Condition 的麻煩。雖然函數保證在選取檔案時,其檔案名稱是唯一的,但是沒有機制能防止其他處理或攻擊者在選取檔案後和應用程式試圖開啟檔案之前的這段時間內,建立一個相同檔案名稱。相比一個由其他程式呼叫相同函數所引發的合法衝突,攻擊者非常有可能建立一個惡意的衝突,因為由這些函數建立的檔案名稱沒有充分的隨機化來使猜測更加困難。

如果建立了特定名稱的檔案,那麼根據這個檔案的開啟方式,現有內容或存取權限都可能保持不變。如果現有檔案內容實質上是惡意的,攻擊者就可以在應用程式從暫存檔案讀取資料時向程式插入危險資料。如果攻擊者預先建立了一個能輕鬆獲取存取權限的檔案,那麼被應用程式儲存在暫存檔案裏的資料將被存取、修改或毀壞。在 Unix 系統上,如果攻擊者預先定義了一個檔案做為另一個重要檔案的連接,那麼更狡猾的攻擊也可能存在。那麼,如果應用程式從檔案截取資料或將資料寫入檔案,它將不知不覺地為攻擊者執行惡意操作。如果程式是以提升過的權限執行,那將是極其嚴重的威脅。

最後,最好的情況就是呼叫 open() 函數並使用 os.O_CREATos.O_EXCL 旗標來開啟檔案。如此一來,如果檔案已經存在,那麼檔案建立就會失敗,也可以防範以上所描述的攻擊類型。然而,如果攻擊者可以準確預測一個檔案序列的檔案名稱,那麼應用程式將被強制禁止開啟所需的臨時儲存空間,進而引發 Denial of Service (DoS) 攻擊。如果使用由這些函數產生的一小部分亂數來選擇檔案名稱,那麼這種類型的攻擊將不難實現。

群組 2 -「唯一的」檔案:

函數的第二部分是藉由產生唯一的檔案名稱並開啟該檔案,來嘗試解決一些與暫存檔案有關的安全問題。這一部分包含諸如 tmpfile() 的函數。

類似 tmpfile() 的函數構成唯一的檔案名稱,並藉由與傳遞 "wb+" 標記時 open() 使用的相同方法開啟檔案,就像讀/寫模式下的二位元檔一樣。如果檔案已存在,tmpfile() 將把檔案大小縮小為 0,藉此緩和前面提到的有關存在於唯一檔案名稱選擇與隨之打開選取檔案之間的 Race Condition 的安全問題。然而,這個運作方式顯然不能解決函數的安全性問題。首先,攻擊者可能使用可能由 tmpfile().開啟的檔案所保存的寬鬆存取權限來預先建立檔案。其次,在 Unix 系統上,如果攻擊者預先建立了一個檔案作為其他重要檔案的一個連接,應用程式可能會使用其被提升的權限去縮小該檔案,這樣就能按照攻擊的意願執行破壞。最後,如果 tmpfile() 建立了一個新檔案,那麼套用在此檔案上的存取權限在不同的作業系統間是不同的;如此一來,應用程式就極易受到攻擊,而攻擊者甚至不需要預先猜測到將被使用的檔案名稱也可進行攻擊。
References
[1] B. Schneier Yarrow: A secure pseudorandom number generator
[2] Python Library Reference: os Python
[3] Python Library Reference: tempfile Python
[4] Symlink race WikiPedia
[5] Time of check to time of use WikiPedia
[6] Standards Mapping - Common Weakness Enumeration CWE ID 377
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-4 Information in Shared Resources (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-4 Information in Shared System Resources
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1
[12] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002380 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002380 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002380 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002380 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002380 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002380 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002380 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002380 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002380 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002380 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002380 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002380 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002380 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002380 CAT II
desc.semantic.python.insecure_temporary_file
Abstract
該方法設定永遠不會過期的階段作業。
Explanation
開啟階段作業時間愈久,攻擊者威脅使用者帳戶的機率就愈大。階段作業仍為作用中時,攻擊者可能會暴力破解使用者密碼、破解使用者的無線加密金鑰,或是從開啟的瀏覽器控制階段作業。如果足夠大量的階段作業正在執行,較長的階段作業逾時時間也會導致無法釋放記憶體,最後造成阻斷服務。

範例 1:以下範例中的程式碼為未活動時間間隔上限設定了負值,導致階段作業無限期地處於作用中狀態。

...
HttpSession sesssion = request.getSession(true);
sesssion.setMaxInactiveInterval(-1);
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 613
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000879, CCI-002361
[3] Standards Mapping - FIPS200 IA
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-12 Session Termination (P2), MA-4 Nonlocal Maintenance (P2)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-12 Session Termination
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.8.1 Single or Multi Factor One Time Verifier Requirements (L1 L2 L3), 2.8.6 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.3.1 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.2 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.4 Session Logout and Timeout Requirements (L2 L3), 3.6.1 Re-authentication from a Federation or Assertion (L3), 3.6.2 Re-authentication from a Federation or Assertion (L3)
[7] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling
[8] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[9] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[10] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[11] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[14] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 8.5.15
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 8.5.15
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 8.5.15
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10, Requirement 8.1.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10, Requirement 8.1.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10, Requirement 8.1.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10, Requirement 8.1.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 8.2.8
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.3 - Authentication and Access Control
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.3 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls, Control Objective C.2.3.2 - Web Software Access Controls
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3415 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3415 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3415 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3415 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3415 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3415 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3415 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Session Expiration (WASC-47)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Session Expiration
desc.structural.java.j2ee_bad_practices_insufficient_session_expiration
Abstract
Web 應用程式不應嘗試關閉自身的容器。
Explanation
讓 Web 應用程式嘗試關閉自身的容器是不對的。呼叫終結方法可能是殘餘除錯程式碼的一部分,或是從非 J2EE 應用程式所匯入程式碼的一部分。
References
[1] ERR09-J. Do not allow untrusted code to terminate the JVM CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 382
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[6] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[8] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[29] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[30] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.semantic.java.j2ee_badpractices_jvm_termination
Abstract
將不可序列化的物件當作 HttpSession 屬性儲存,會破壞應用程式的可靠性。
Explanation
為了提高應用程式的可靠性和性能,一個 J2EE 應用程式能利用多個 JVM。為使終端使用者把多個 JVM 看作單個應用程式,J2EE 容器可以在多個 JVM 之間複製 HttpSession 物件,所以當一個 JVM 不可用時,另一個 JVM 可以在不中斷應用程式流程的情況下接替它。

為了使階段作業複製能夠正常運作,應用程式在階段作業中儲存為屬性的值必須執行 Serializable 介面。

範例 1:下面的這個類別會把自己增加至階段作業中,但由於物件是不可序列化的,因此不能複製此階段作業。


public class DataGlob {
String globName;
String globValue;

public void addToSession(HttpSession session) {
session.setAttribute("glob", this);
}
}
References
[1] The Java Servlet Specification Sun Microsystems
[2] The java.io.Serializable Interface Oracle
[3] MSC08-J. Do not store non-serializable objects as attributes in an HTTP session CERT
[4] Standards Mapping - Common Weakness Enumeration CWE ID 579
[5] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[6] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[7] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[8] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[9] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[10] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[11] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
desc.structural.java.j2ee_bad_practices_non_serializable_object_stored_in_session
Abstract
在某些情況下,會禁止在 Web 應用程式中進行執行緒管理,且執行緒管理非常容易發生錯誤。
Explanation
在某些情況下,J2EE 標準會禁止在 Web 應用程式中進行執行緒管理,且執行緒管理非常容易發生錯誤。管理執行緒非常困難,並且可能會以無法預測的方式干擾應用程式容器的運作。即使容器沒有受到干擾,執行緒管理通常還是會發生錯誤,例如無法偵測並診斷鎖死 (deadlock)、Race Condition 及其他同步錯誤。
References
[1] Java 2 Platform Enterprise Edition Specification, v1.4 Sun Microsystems
[2] Standards Mapping - Common Weakness Enumeration CWE ID 383
[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
desc.semantic.java.j2ee_badpractices_threads
Abstract
設定的回撥可能造成競爭情形。
Explanation
Node.js 可讓開發人員將回撥指派給 IO 封鎖的事件。這能夠帶來更好的效能,因為回撥會異步執行,以便主應用程式不會遭到 IO 的封鎖。但是,當回撥以外的內容仰賴回撥內的程式碼才能首先執行時,這可能會反過來造成競爭情形。

範例 1:以下程式碼會對照用於驗證的資料庫來檢查使用者。

 
...
var authenticated = true;
...
database_connect.query('SELECT * FROM users WHERE name == ? AND password = ? LIMIT 1', userNameFromUser, passwordFromUser, function(err, results){
if (!err && results.length > 0){
authenticated = true;
}else{
authenticated = false;
}
});

if (authenticated){
//do something privileged stuff
authenticatedActions();
}else{
sendUnathenticatedMessage();
}


在此範例中,我們將會呼叫後端資料庫來確認使用者的登入憑證,且如果確認,我們會將變數設為 true,否則會設為 false。很遺憾,由於回撥遭到 IO 封鎖,因此將會異步執行, 並可能在對 if (authenticated) 進行檢查後執行,而由於預設值為 true,因此無論使用者是否確實得到驗證,回撥都將進入 if 陳述式。
References
[1] Kristopher Kowal Documentation for q
[2] Piotr Pelczar Asynchronous programming done right.
[3] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367
[4] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[5] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003178
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 11.1.6 Business Logic Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[20] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[21] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001995 CAT II
desc.structural.javascript.race_condition
Abstract
應用程式會從共用儲存區安裝應用程式,允許惡意應用程式取代要安裝的套件。
Explanation
應用程式會從共用儲存區安裝應用程式,任何具有外部儲存區讀取/寫入權限的應用程式都可以寫入該儲存區。 由於競爭情形,監控資料夾的惡意應用程式可針對替代 APK 檔案交換已下載的 APK 檔案,其中將使用安裝程序而非合法更新。

範例 1: 下列程式碼會從共用儲存區安裝應用程式:


Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setDataAndType(Uri.fromFile(new File(Environment.getExternalStorageDirectory() + "/download/" + "app.apk")), "application/vnd.android.package-archive");
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
startActivity(intent);
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367
[2] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003178
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 11.1.6 Business Logic Security Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-RESILIENCE-2
[11] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[20] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[21] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001995 CAT II
desc.dataflow.java.race_condition_app_download
Abstract
在檢查檔案屬性和使用檔案的期間內,能夠被用來發動擴大權限的攻擊。
Explanation
File access race condition (也稱為 time-of-check)、time-of-use (TOCTOU) race conditions,在以下情況中出現:

1. 程式檢查檔案特性時,根據名稱來參照檔案。

2.程式稍後會使用相同的檔案名稱執行檔案系統作業,並假設先前檢查的屬性並未變更。
範例 1:以下程式碼來自一個安裝了 setuid root 的程式。程式代表無權限使用者執行了特定的檔案操作,並使用存取檢查來確保它不使用其根權限執行目前使用者不應該執行的操作。程式使用 access() 系統呼叫來檢查在程式開啟檔案和執行必要操作之前,執行程式的使用者是否具有權限去存取這些指定的檔案。


if (!access(file,W_OK)) {
f = fopen(file,"w+");
operate(f);
...
}
else {
fprintf(stderr,"Unable to open file %s.\n",file);
}
access() 呼叫的運作方式在意料之中,而且,如果執行程式的使用者具有必要的權限來編輯檔案,那麼就會回傳 0,其他情況則會回傳-1。無論怎樣,因為 access()fopen() 都是對檔案名稱進行操作,而不是對檔案控制碼進行操作,所以當 file 變數傳送到 fopen() 的時候,就不能保證這個變數仍然能夠像傳送到 access() 的時候那樣參照磁碟上相同的檔案。如果攻擊者在 access() 呼叫之後,用指向不同檔案的一個象徵連結來取代 file,程式就會使用它的根權限對檔進行操作,即使這個檔案攻擊者在其他情況下是無法篡改的。藉由欺騙程式去執行其他情況下不被允許的操作,攻擊者就能取得權限的提高。

這種形式的弱點具有 root 權限,因而沒有受到程式的限制。如果應用程式有能力執行攻擊者在其他情況下不被允許的任何操作,那麼這個程式就是一個可能的攻擊目標。

導致這種攻擊的弱點的間隙是在這段時間內,檔案特性經過測試到檔案被使用為止。即使檔案的使用緊接在測試之後,現代的作業系統也無法確認在程式佔用 CPU 前所執行的程式碼數量。攻擊者有多種技術來延長機會時間的長度,以便更容易地發動攻擊。然而,即使機會時間很短,攻擊企圖也可能一而再地重複,直到成功。

範例 2:以下程式碼會建立檔案,然後變更該檔案的所有者。


fd = creat(FILE, 0644); /* Create file */
if (fd == -1)
return;
if (chown(FILE, UID, -1) < 0) { /* Change file owner */
...
}


此程式碼假設對 chown() 呼叫所操作的檔案與對 creat() 的呼叫所建立的檔案相同,但實際上未必如此。由於 chown() 是針對檔案名稱 (而非檔案控制碼) 進行操作,因此攻擊者可能會使用並非由攻擊者所擁有的檔案連結來取代檔案。隨後,對 chown() 的呼叫會為攻擊者提供所連結檔案的擁有權。
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367
[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003178
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), CM-6 Configuration Settings (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, CM-6 Configuration Settings
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 11.1.6 Business Logic Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[20] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[21] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001995 CAT II
desc.controlflow.cpp.file_access_race_condition
Abstract
在檢查檔案屬性和使用檔案的期間內,能夠被用來發動擴大權限的攻擊。
Explanation
File access race condition (也稱為 time-of-check)、time-of-use (TOCTOU) race conditions,在以下情況中出現:

1.程式檢查檔案特性時,根據名稱來參照檔案。

2.程式稍後會使用相同的檔案名稱執行檔案系統作業,並假設先前檢查的屬性並未變更。
範例:以下程式呼叫 CBL_CHECK_FILE_EXIST 常式,以在建立檔案之前先檢查檔案是否存在,並執行必要的操作。


CALL "CBL_CHECK_FILE_EXIST" USING
filename
file-details
RETURNING status-code
END-CALL

IF status-code NOT = 0
MOVE 3 to access-mode
MOVE 0 to deny-mode
MOVE 0 to device

CALL "CBL_CREATE_FILE" USING
filename
access-mode
deny-mode
device
file-handle
RETURNING status-code
END-CALL
END-IF
CBL_CHECK_FILE_EXIST 呼叫的運作方式在意料之中,並傳回一個非零值,表示該檔案不存在。不過,因為 CBL_CHECK_FILE_EXISTCBL_CREATE_FILE 都是對檔案名稱進行操作,而不是對檔案控制碼進行操作,所以當 filename 變數傳遞到 CBL_CREATE_FILE 的時候,就不能保證這個變數仍然能夠像傳遞到 CBL_CHECK_FILE_EXIST 的時候那樣參照磁碟上相同的檔案。如果攻擊者在 CBL_CHECK_FILE_EXIST 呼叫後建立 filenameCBL_CREATE_FILE 的呼叫將會失敗,進而導致程式認為該檔案是空的,但實際上它包含由攻擊者控制的資料。

導致這種攻擊的弱點的間隙是在這段時間內,檔案特性經過測試到檔案被使用為止。即使檔案的使用緊接在測試之後,現代的作業系統也無法確認在程式佔用 CPU 前所執行的程式碼數量。攻擊者有多種技術來延長機會時間的長度,以便更容易地發動攻擊。然而,即使機會時間很短,攻擊企圖也可能一而再地重複,直到成功。

這種類型的弱點可能應用於具有 root 權限的程式,以代表無權限使用者執行特定檔案操作,並使用存取測試來確保它沒有使用其根權限來執行操作,這種權限對目前使用者來說在其他情況下是無法取得的。藉由欺騙程式去執行其他情況下不被允許的操作,攻擊者就可能取得提升的權限。
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367
[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003178
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), CM-6 Configuration Settings (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, CM-6 Configuration Settings
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 11.1.6 Business Logic Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[20] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[21] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001995 CAT II
desc.controlflow.cobol.file_access_race_condition
Abstract
java.text.Format 中的 parse()format() 方法有設計上的缺陷,可能導致使用者看見其他使用者的資料。
Explanation
java.text.Format 中的 parse()format() 方法有 race condition,可能導致使用者看見其他使用者的資料。

範例 1:以下程式碼顯示此設計上的缺陷。


public class Common {

private static SimpleDateFormat dateFormat;
...

public String format(Date date) {
return dateFormat.format(date);
}
...

final OtherClass dateFormatAccess=new OtherClass();
...

public void function_running_in_thread1(){
System.out.println("Time in thread 1 should be 12/31/69 4:00 PM, found: "+ dateFormatAccess.format(new Date(0)));
}

public void function_running_in_thread2(){
System.out.println("Time in thread 2 should be around 12/29/09 6:26 AM, found: "+ dateFormatAccess.format(new Date(System.currentTimeMillis())));
}
}


此程式碼在單一使用者的環境下可正常執行,但兩個執行緒同時執行程式碼時,便會產生下列輸出:

Time in thread 1 should be 12/31/69 4:00 PM, found: 12/31/69 4:00 PM
Time in thread 2 should be around 12/29/09 6:26 AM, found: 12/31/69 4:00 PM

在此案例中,因為執行 format() 時發生 race condition,第一個執行緒的日期會在第二個執行緒的輸出中顯示。
References
[1] Bug 4228335 : SimpleDateFormat is not threadsafe Sun Microsystems
[2] The Java Servlet Specification Sun Microsystems
[3] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 488
[4] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[5] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090, CCI-003178
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1), SC-4 Information in Shared Resources (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings, SC-4 Information in Shared System Resources
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3)
[11] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[12] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective B.3.3 - Terminal Software Attack Mitigation
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective B.3.3 - Terminal Software Attack Mitigation
[18] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[19] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
desc.structural.java.race_condition_format_flaw
Abstract
開發人員正在使用 Windows.Storage.ApplicationData 類別的 RoamingFolderRoamingSettings 屬性。
Explanation
RoamingFolderRoamingSettings 屬性會取得漫遊應用程式資料存放區中的容器,該容器可用於在兩部或多部裝置之間共用資料。透過寫入及讀取儲存在漫遊應用程式資料存放區中的物件,開發人員會增加遭受危害的風險。這包括透過漫遊應用程式資料存放區來共用這些物件的資料、應用程式和系統的保密性、完整性與可用性。

開發人員應先實作必要技術控制措施之後才能使用該功能。
References
[1] ApplicationData.RoamingFolder | roamingFolder property
[2] ApplicationData.RoamingSettings | roamingSettings property
[3] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367
[4] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[5] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003178
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 11.1.6 Business Logic Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[20] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[21] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001995 CAT II
desc.structural.dotnet.race_condition_roaming_data_access
Abstract
為多重訊號安裝相同的訊號處理常式,會在短期間內連續捉到不同訊號時造成 race condition。
Explanation
每當不可重入函數被安裝為訊號處理常式時,就會出現訊號處理常式的 Race Condition,表示它保留了一些內部狀態,或呼叫其他也同樣如此的函數。這種 Race Condition 在安裝相同函數去處理多重訊號時,會更有可能發生。

訊號處理的 Race Condition 很有可能會在以下情況中出現:

1. 程式安裝單一訊號處理常式來處理多個訊號。

2. 兩個被安裝處理常式的不同訊息在短時間內連續收到,導致訊號處理常式的 Race Condition。

範例:以下程式碼為兩個不同的訊號安裝了一個相同且不可重入的信號處理常式。如果攻擊者使訊號在正確時間內發送出去,訊號處理常式會承受 Double Free 弱點威脅。以相同值呼叫 free() 兩次,會導致 Buffer overflow。當程式使用相同引數呼叫 free() 兩次,就會毀損程式中的記憶體管理資料結構。這樣的毀損會使程式當機,或者在某些情況下,還會導致之後兩次的 malloc() 呼叫回傳相同的指標。如果 malloc() 兩次回傳值都相同,且程式之後讓攻擊者控制整個已經寫入雙倍分配記憶體的資料,此程式就變得容易受到 Buffer overflow 攻擊。


void sh(int dummy) {
...
free(global2);
free(global1);
...
}

int main(int argc,char* argv[]) {
...
signal(SIGHUP,sh);
signal(SIGTERM,sh);
...
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 364
[2] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003178
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 21.5
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 18-7-1
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3)
[11] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[20] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[21] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001995 CAT II
desc.structural.cpp.race_condition_signal_handling
Abstract
Servlet 成員欄位可能會允許某一使用者看見其他使用者的資料。
Explanation
許多 Servlet 開發人員並不了解 Servlet 都是單一個體。Servlet 只能有一個實例,而且當不同執行緒同時處理多個要求時,都會使用及重複使用該單一實例來處理這些要求。

這種誤解的結果為:由於開發人員使用 Servlet 成員欄位,所以使用者可能會看到其他使用者的資料。換句話說,將使用者資料儲存在 Servlet 成員欄位中會造成資料存取的 race condition。

範例 1:下面的 Servlet 將要求參數的值儲存在成員欄位中,並且接著會將該參數值回傳到回應輸出串流。


public class GuestBook extends HttpServlet {

String name;

protected void doPost (HttpServletRequest req, HttpServletResponse res) {
name = req.getParameter("name");
...
out.println(name + ", thanks for visiting!");
}
}


當這段程式碼在單一使用者環境中正常地運作時,如果兩個使用者幾乎同時存取此 Servlet,可能會導致這兩個要求處理器的執行緒以下列方式插入:

執行緒 1: 將「Dick」指派至 name
執行緒 2: 將「Jane」指派至 name
執行緒 1: 列印「Jane, thanks for visiting!
執行緒 2: 列印「Jane, thanks for visiting!

因此會向第一個使用者顯示第二個使用者的名稱。
References
[1] The Java Servlet Specification Sun Microsystems
[2] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 488
[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090, CCI-003178
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1), SC-4 Information in Shared Resources (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings, SC-4 Information in Shared System Resources
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3)
[10] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[11] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[22] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[23] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[45] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[46] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.java.singleton_member_field_race_condition
Abstract
靜態欄位中儲存的資料庫連線會在執行緒間共享。
Explanation
一個交易資源物件 (例如:資料庫連線) 一次只能與一個交易相關聯。由於這個原因,多個執行緒不應共用一個連線,並且不應該儲存在靜態欄位中。請參閱 J2EE Specification 的第 4.2.3 節以取得更多詳細資訊。

範例 1:

public class ConnectionManager {

private static Connection conn = initDbConn();
...
}
References
[1] Java 2 Platform Enterprise Edition Specification, v1.4 Sun Microsystems
[2] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 567
[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090, CCI-003178
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1), SC-4 Information in Shared Resources (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings, SC-4 Information in Shared System Resources
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3)
[10] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[19] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[20] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001995 CAT II, APSC-DV-002380 CAT II
desc.structural.java.race.dbconn
Abstract
在未使任何現有階段作業識別碼無效的情況下驗證使用者,會讓攻擊者有機會竊取通過驗證的階段作業
Explanation
Session Fixation 弱點會在以下情況中出現:

1.Web 應用程式驗證一個使用者時,事先沒有使現有階段作業失效,而繼續使用已經與使用者相關聯的階段作業。
2.攻擊者可奪取使用者的階段作業識別碼,所以,在使用者驗證之後,攻擊者就可以存取驗證的階段作業。

在一般情況下,攻擊者會利用 Session Fixation 弱點,在 Web 應用程式中建立一個新的階段作業,並記錄關聯的階段作業識別碼。接著,攻擊者會讓受害者使用該階段作業識別碼驗證伺服器,這樣一來,會讓攻擊者透過作用中的階段作業取得存取使用者帳戶的權限。

有些架構 (例如 Spring Security) 在建立新的階段作業時,會自動使現有階段作業無效。若不採取此行為,應用程式會容易遭受此類攻擊。

範例 1:以下範例顯示受 Spring Security 保護之應用程式的片段,其中 Session Fixation 保護已停用。


<http auto-config="true">
...
<session-management session-fixation-protection="none"/>
</http>


即使是易受攻擊的應用程式,此處說明的特定攻擊是否會成功取決於數個受攻擊者青睞的因素:存取未受監視的公用終端機、讓已受攻擊的網路連線保持繼續運作的能力、被吸引登入公用終端機上易受攻擊應用程式的受害者。在大多數情況下,只要肯花時間,前面兩個因素是可以克服的。只要網站有趣,不難找到使用公用終端機、也有興趣登入到易受攻擊的應用程式的受害者。網站越不受歡迎,那麼使用這個公用終端機的人就會越少,這樣一來,前述攻擊成功的可能性也越低。

攻擊者攻擊 Session Fixation 弱點所面臨的最大挑戰是:誘導受害者使用攻擊者已知的階段作業識別碼來驗證易受攻擊的應用程式。在 Example 1 中,攻擊者使用直接明顯的方法並不高明,對於攻擊知名度較低的網站並不適用。但是,千萬不要過於大意,攻擊者有許多手段來突破上述攻擊的限制。攻擊者最常採用的技術包括:利用目標網站中的 Cross-Site Scripting 或 HTTP Response Splitting 弱點 [1]。透過誘使受害者向一個易受攻擊的應用程式提交惡意要求,讓應用程式將 JavaScript 或者其他程式碼反映到受害者的瀏覽器,這樣一來,攻擊者就可以建立 Cookie,使受害者重新使用受攻擊者控制的階段作業識別碼。

要特別注意的是,通常 Cookie 會與某個已知 URL 相關聯的上層網域繫結在一起。如果多個應用程式位於同一個上層網域 (例如 bank.example.comrecipes.example.com),其中一個應用程式存在弱點,那麼攻擊者便可以透過此弱點設定一個 Cookie,並在其中包含已修改的階段作業識別碼,且該階段作業識別碼可以在 example.com [2] 網域上的所有應用程式中交互使用。

其他攻擊方向還包括 DNS Poisoning 和其他以網路為基礎的攻擊,攻擊者會透過重新指向對有效網站的要求,誘使攻擊者存取惡意網站。一般來說,以網路為基礎的攻擊包括:實際出現在受害者的網路上,或是控制網路上已受攻擊的機器。雖然透過遠端方式發動攻擊比較困難,但是這類攻擊不容忽視。安全性較差的階段作業管理機制 (例如在 Apache Tomcat 中的預設實作),可以將通常儲存在 Cookie 中的階段作業識別碼也指定給 URL。這可讓攻擊者只要透過電子郵件發送惡意 URL,就可以誘使受害者使用修改過的階段作業識別碼。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 384
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001664, CCI-001941, CCI-001942
[3] Standards Mapping - FIPS200 IA
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-10 Concurrent Session Control (P3), IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-10 Concurrent Session Control, IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity
[7] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.2.1 Session Binding Requirements (L1 L2 L3), 3.2.3 Session Binding Requirements (L1 L2 L3), 3.3.1 Session Logout and Timeout Requirements (L1 L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling
[10] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[11] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[15] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[16] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3405 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3405 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3405 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3405 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3405 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3405 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3405 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000010 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Session Fixation (WASC-37)
[50] Standards Mapping - Web Application Security Consortium 24 + 2 Session Fixation
desc.config.java.session_fixation
Abstract
在未使任何現有階段作業識別碼失效的情況下驗證使用者,會讓攻擊者有機會竊取通過驗證的階段作業。
Explanation
Session Fixation 弱點會在以下情況中出現:

1.Web 應用程式驗證一個使用者時,事先沒有使現有階段作業失效,而繼續使用已經與使用者相關聯的階段作業。

2.攻擊者能夠奪取使用者的階段作業識別碼,所以在使用者驗證後,攻擊者就可以存取驗證的階段作業。

在一般情況下,攻擊者會利用 Session Fixation 弱點,在 Web 應用程式中建立一個新的階段作業,並記錄關聯的階段作業識別碼。接著,攻擊者會讓受害者使用該階段作業識別碼驗證伺服器,這樣一來,會讓攻擊者透過作用中的階段作業取得存取使用者帳戶的權限。

範例 1:以下程式碼停用階段作業 Cookie 的 use_strict_mode 屬性。

ini_set("session.use_strict_mode", "0");
References
[1] D. Whalen The Unofficial Cookie FAQ
[2] The PHP Group PHP Use Strict Mode Documentation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 384
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001664, CCI-001941, CCI-001942
[5] Standards Mapping - FIPS200 IA
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-10 Concurrent Session Control (P3), IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-10 Concurrent Session Control, IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity
[9] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.2.1 Session Binding Requirements (L1 L2 L3), 3.2.3 Session Binding Requirements (L1 L2 L3), 3.3.1 Session Logout and Timeout Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[15] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[16] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[18] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3405 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3405 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3405 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3405 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3405 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3405 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3405 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000010 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Session Fixation (WASC-37)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Session Fixation
desc.structural.php.session_fixation