1437 找到的項目
弱點

EJB Bad Practices: Use of AWT/Swing

Abstract
程式使用了 AWT/Swing,這違反了企業級 JavaBean 規格。
Explanation
企業級 JavaBeans 編程規範中說明每一個 bean 的提供者必須遵守一系列編程規範,來確保 bean 在 EJB 容器 [1] 中的可移植性和運作方式一致。

在此案例中,程式違背了以下 EJB 規範:

「企業級 bean 禁止使用 AWT 功能來嘗試將資訊輸出至顯示器,或者從鍵盤輸入資訊。」

制定此規範的理由如下所示:

「伺服器不允許應用程式中的程式與伺服器系統上的鍵盤/顯示器進行直接互動。」
References
[1] Jakarta Enterprise Beans 4.0 Eclipse Foundation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 575
desc.structural.java.ejb_bad_practices_use_of_awt_swing

EJB Bad Practices: Use of Class Loader

Abstract
程式使用類別載入器,因此違反了企業級 JavaBeans 規格。
Explanation
企業級 JavaBeans 編程規範中說明每一個 bean 的提供者必須遵守一系列編程規範,來確保 bean 在 EJB 容器 [1] 中的可移植性和運作方式一致。

在此案例中,程式違背了以下 EJB 規範:

「Enterprise Bean 禁止以下內容:嘗試建立類別載入器、設定內容類別載入器、設定安全管理員、建立新的安全管理員、停止 JVM 或者變更輸入、輸出與錯誤串流。」

制定此規範的理由如下所示:

「這些功能是為 Enterprise Bean 容器保留的。允許 Enterprise Bean 使用這些功能會造成一些安全上的問題,並且使得容器無法正確管理執行階段環境。」
References
[1] Jakarta Enterprise Beans 4.0 Eclipse Foundation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 578
desc.structural.java.ejb_bad_practices_use_of_classloader

EJB Bad Practices: Use of java.io

Abstract
程式使用 java.io 套件,因此違反了企業級 JavaBeans 規格。
Explanation
企業級 JavaBeans 編程規範中說明每一個 bean 的提供者必須遵守一系列編程規範,來確保 bean 在 EJB 容器 [1] 中的可移植性和運作方式一致。

在此案例中,程式違背了以下 EJB 規範:

「Enterprise Bean 在使用 Java I/O 套件嘗試存取檔案系統中的檔案與目錄時,應謹慎小心。」

制定此規範的理由如下所示:

「檔案系統 API 並不適合讓商用元件存取資料。檔案可能無法從所有執行個體存取,或者它們的內容在不同執行個體上可能不同,並且協調檔案的更新可能很困難。商用元件應使用資源管理員 API (例如 JDBC) 來儲存資料。」
References
[1] Jakarta Enterprise Beans 4.0 Eclipse Foundation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 576
desc.structural.java.ejb_bad_practices_use_of_java_io

EJB Bad Practices: Use of Sockets

Abstract
程式使用通訊端,因此違反了企業級 JavaBeans 規格。
Explanation
企業級 JavaBeans 編程規範中說明每一個 bean 的提供者必須遵守一系列編程規範,來確保 bean 在 EJB 容器 [1] 中的可移植性和運作方式一致。

在此案例中,程式違背了以下 EJB 規範:

「企業級的 bean 禁止嘗試監聽通訊端、接受通訊端上的連線或使用通訊端來做多點傳送。」

制定此規範的理由如下所示:

「Enterprise Bean 架構允許 Enterprise Bean 執行個體作為網路通訊端用戶端來運作,但是不允許它作為網路伺服器來運作。允許執行個體成為網路伺服器會與 Enterprise Bean 執行個體的基本功能 (為 Enterprise Beans 用戶端提供服務) 相抵觸。」
References
[1] Jakarta Enterprise Beans 4.0 Eclipse Foundation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 577
desc.structural.java.ejb_bad_practices_use_of_sockets

EJB Bad Practices: Use of Synchronization Primitives

Abstract
程式使用了多執行緒同步處理,因此違反了企業級 JavaBean 規格。
Explanation
企業級 JavaBeans 編程規範中說明每一個 bean 的提供者必須遵守一系列編程規範,來確保 bean 在 EJB 容器 [1] 中的可移植性和運作方式一致。

在此案例中,程式違背了以下 EJB 規範:

「Enterprise Bean 禁止使用執行緒同步處理來同步執行多個執行個體,除非它是具有由 Bean 管理並行性的獨立工作階段 Bean。」

制定此規範的理由如下所示:

「這個規則需要確保一致的執行期間語義,因為一些 Enterprise Bean 容器可能會使用單一 JVM 來執行所有 Enterprise Bean 執行個體,其他則可能會跨多個 JVM 來分配執行個體。」
References
[1] Jakarta Enterprise Beans 4.0 Eclipse Foundation
[2] THI01-J. Do not invoke ThreadGroup methods CERT
[3] Standards Mapping - Common Weakness Enumeration CWE ID 574
desc.structural.java.ejb_bad_practices_use_of_synchronization_primitives

Encoding Confusion: BiDi Control Characters

Abstract
原始程式碼中的雙向控制字元可導致 Trojan Source 攻擊。
Explanation
包含 Unicode 雙向覆寫控制字元的原始程式碼可能是內部威脅攻擊的徵兆。攻擊者可透過 C、C++、C#、Go、Java、JavaScript、Python 和 Rust 等程式設計語言的供應鏈來運用這種攻擊。Nicholas Boucher 和 Ross Anderson 已發佈數種變體攻擊,包括以下各項:Early Returns、Commenting-Out 和 Stretched Strings。
範例 1:以下程式碼顯示一個控制字元,其存在於 C 原始程式碼檔案中,會導致 Early Return 攻擊:

#include <stdio.h>

int main() {
	/* Nothing to see here; newline RLI /*/ return 0 ;
	printf("Do we get here?\n");
	return 0;
}

Example 1 中,從右到左隔離 (RLI) Unicode 雙向控制字元導致程式碼被視為以下內容:

#include <stdio.h>

int main() {
	/* Nothing to see here; newline; return 0 /*/
	printf("Do we get here?\n");
	return 0;
}

需要特別注意的是,開發人員在易受攻擊的編輯器/檢視器中執行程式碼檢閱時,不會明顯看到易受攻擊的編譯器將處理的內容。特別是修改程序流程的 early return 陳述式。
References
[1] Nicholas Boucher, and R. Anderson Trojan Source: Invisible Vulnerabilities
[2] Standards Mapping - Common Weakness Enumeration CWE ID 451
[3] Standards Mapping - OWASP Top 10 2017 A1 Injection
[4] Standards Mapping - OWASP Top 10 2021 A03 Injection
[5] Standards Mapping - Smart Contract Weakness Classification SWC-130
desc.regex.universal.encoding_confusion_bidi_control_characters

Experimental API

Abstract
這個應用程式使用的是實驗性程式庫。
Explanation
這個程式庫被視為實驗性,在您瞭解所從事為何之後才可將其用於生產環境。
desc.semantic.scala.experimental_api

Expression Language Injection: Spring

Abstract
評估未驗證的 SpEL 運算式可能會導致遠端程式碼執行。
Explanation
Spring 運算式語言 (簡稱 SpEL) 是一種功能強大的運算式語言,可在執行階段支援查詢和操作物件圖形。該語言語法與 Unified EL 類似,但可提供額外的功能,尤其是方法呼叫和基本字串範本功能。
允許評估未驗證的運算式,將會允許攻擊者執行任意程式碼。

範例 1:該應用程式使用由使用者所控制的未驗證的資料來建立與評估 SpEL 運算式:


String expression = request.getParameter("input");
SpelExpressionParser parser = new SpelExpressionParser();
SpelExpression expr = parser.parseRaw(expression);
範例 2:該應用程式可在執行雙重 SpEL 評估的 Spring 標籤中使用由使用者所控制的未驗證的資料。


    <spring:message text="" code="${param['message']}"></spring:message>
References
[1] Dan Amodio Remote Code with Expression Language Injection
[2] Expression Language Injection OWASP
[3] CVE-2011-2730 Red Hat
[4] Standards Mapping - Common Weakness Enumeration CWE ID 94, CWE ID 95, CWE ID 917
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [25] CWE ID 077
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [17] CWE ID 077, [25] CWE ID 094
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [16] CWE ID 077, [23] CWE ID 094
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094, [13] CWE ID 077
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[12] Standards Mapping - FIPS200 SI
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.4 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[18] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[19] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[21] Standards Mapping - OWASP Top 10 2010 A1 Injection
[22] Standards Mapping - OWASP Top 10 2013 A1 Injection
[23] Standards Mapping - OWASP Top 10 2017 A1 Injection
[24] Standards Mapping - OWASP Top 10 2021 A03 Injection
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[37] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[60] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.java.expression_language_injection_spring

External Content: Content Delivery Network

Abstract
如依賴 CDN 直接提供必要程式碼給使用者,可能會導致執行惡意程式碼。
Explanation
使用 CDN 來執行依賴應用程式的 JavaScript,透過從應用程式擁有的伺服器執行 JavaScript 可提供許多優點。對應用程式所有者來說,這些優勢包括增加效能並減少需要維護的程式碼。但是,應用程式假設 CDN 會傳遞安全的內容至瀏覽器中。如果攻擊者危及 CDN,則 CDN 將傳遞惡意程式碼至使用者的伺服器。應用程式無法控制使用者瀏覽器現在執行的程式碼,或者透過偵測將其視為惡意程式碼。

範例 1:藉由參照 Microsoft CDN,下列 ASPX 程式碼包含 Microsoft 的 jQuery 程式碼:


...
<script src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js" type="text/javascript"></script>
...
範例 2:下列 ASPX 程式碼可讓 ASP.NET 框架 Script 的要求自動重新導向至 Microsoft Ajax CDN:


...
<asp:ScriptManager
   ID="ScriptManager1"
   EnableCdn="true"
   Runat="Server" />
...
Example 2 中,ScriptManager 控制可配置其 ASPX 頁面,以便自動重新導向所有指令碼要求至適當的 CDN。
References
[1] Content Deliver Network and its Regulation The Journal of China Universities of Posts and Telecommunications
[2] Managed Content Security Delivery radware
[3] Standards Mapping - Common Weakness Enumeration CWE ID 94, CWE ID 98
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.9 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 12.3.6 File Execution Requirements (L2 L3), 14.2.4 Dependency (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[32] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 098
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.semantic.dotnet.external_content_content_delivery_network

File Based Cross-Zone Scripting

Abstract
載入可在應用程式內容中執行不可信賴之 Script 的檔案是很危險的。
Explanation
當滿足以下條件時,會發生 File Based Cross Zone Scripting:

1. 載入會讓 Script 在應用程式內執行的檔案。

2. 載入的 Script 是視為執行中應用程式的相同來源。

若這兩個條件均符合,即會導致一系列攻擊,特別是如果其他方根據資訊是否來自應用程式內部來判定是否可信賴。

範例 1:以下程式碼使用 Android WebView 以便在本地載入檔案:

...
myWebView.loadUrl("file:///android_asset/www/index.html");
...

Example 1 中,Android WebView 轉譯器會將所有透過 loadUrl() (具有開頭為「file://」的 URL) 載入的程式碼視為位於同一來源。

在從檔案載入時,攻擊者透過以下幾種典型方式來利用 File Based Cross-Zone Scripting 弱點:
- 本地檔案由其他攻擊者所控制,該攻擊者會將 Script 插入檔案。
這取決於檔案權限、檔案位置或檔案可能的儲存位置及載入位置的競賽條件 (會有一個用於執行修改的時間窗口)。

- 檔案可能會召喚外部資源。
當載入的檔案從外部資源擷取 Script 時,可能會發生此情況。

範例 2:以下程式碼會查看外部來源以確定應該執行的 JavaScript。

  <script src="http://www.example.com/js/fancyWidget.js"></script>

Example 2 中,使用不安全的通訊協定會讓惡意動作執行者修改產生的指令碼。或者,可能會執行其他攻擊以將機器重新路由到攻擊者的站台。

- 載入的檔案可能包含 Cross-site scripting 弱點。
如果載入的檔案可插入程式碼,則插入的程式碼可在應用程式內容中執行。沒有必要非要插入 JavaScript,只需插入 HTML 亦可允許塗改或 Denial of Service 攻擊。
References
[1] Erika Chin and David Wagner Bifocals: Analyzing WebView Vulnerabilities in Android Applications
[2] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [1] CWE ID 079
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-2
[17] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[18] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[19] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[20] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[21] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[36] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[37] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[60] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[61] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.semantic.java.file_based_cross_zone_scripting
Abstract
載入可在應用程式有權限的內容中執行不可信賴之 Script 的本機檔案是很危險的。
Explanation
滿足以下條件時,會發生 File Based Cross Zone Scripting:

1. 載入了會讓 Script 在應用程式內執行的檔案。


2. 載入的 Script 被視為具有與執行中應用程式 (file://) 相同的來源。

若這兩個條件均符合,則可能會導致一系列攻擊,特別是如果其他方根據資訊是否來自應用程式內部來判定是否可信賴。

範例 1:以下程式碼使用 UIWebView.loadRequest(_:) 方法載入本機檔案:

...
NSURL *url = [[NSBundle mainBundle] URLForResource: filename withExtension:extension]; 
[webView loadRequest:[[NSURLRequest alloc] initWithURL:url]];
...


Example 1 中,WebView 引擎會將所有透過 UIWebView.loadRequest(_:) (具有開頭為 file:// 的 URL) 載入的程式碼視為位於有權限的本機檔案來源。

在從檔案載入時,攻擊者透過以下幾種典型方式來利用 File-Based Cross-Zone Scripting 弱點:

- 本機檔案可能受攻擊者控制。例如,攻擊者可能會將檔案傳送給其受害者,然後受害者繼續在易受攻擊的應用程式 (例如:雲端儲存應用程式) 上儲存該檔案
- 本地檔案由其他攻擊者所控制,該攻擊者會將 Script 注入檔案。這取決於檔案權限、檔案位置或檔案可能的儲存位置及載入位置的競賽條件 (會有一個用於執行修改的時間窗口)。
- 檔案可能會召喚外部資源。當載入的檔案從外部資源擷取 Script 時,可能會發生此情況。
- 載入的檔案可能包含 Cross-site scripting 弱點。如果正在載入的檔案包含注入的程式碼,則此程式碼可能會在您的應用程式內容中執行。注入的程式碼不需要為 JavaScript 程式碼,因為注入的 HTML 亦可允許塗改或 Denial of Service 攻擊。

如果攻擊者控制的檔案是透過 file:// URL 從本機載入,則相同來源策略 (Same Origin Policy) 將允許此檔案中的 Script 存取相同來源的任何其他檔案,這會讓攻擊者存取包含敏感資訊的任何本機檔案。
References
[1] Same-origin policy for file: URIs Mozilla
[2] Old Habits Die Hard: Cross-Zone Scripting in Dropbox & Google Drive Mobile Apps IBM
[3] loadHTMLString(_:baseURL:) API documentation Apple
[4] loadRequest(_:) API documentation Apple
[5] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[10] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2024 [1] CWE ID 079
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[13] Standards Mapping - FIPS200 SI
[14] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[19] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-2
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[38] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[39] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[40] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[41] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[64] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.objc.file_based_cross_zone_scripting
Abstract
載入可在應用程式有權限的內容中執行不可信賴之 Script 的本機檔案是很危險的。
Explanation
滿足以下條件時,會發生 File Based Cross Zone Scripting:

1. 載入了會讓 Script 在應用程式內執行的檔案。


2. 載入的 Script 被視為具有與執行中應用程式 (file://) 相同的來源。

若這兩個條件均符合,則可能會導致一系列攻擊,特別是如果其他方根據資訊是否來自應用程式內部來判定是否可信賴。

範例 1:以下程式碼使用 UIWebView.loadRequest(_:) 方法載入本機檔案:

...
let url = Bundle.main.url(forResource: filename, withExtension: extension)
self.webView!.load(URLRequest(url:url!))
...


Example 1 中,WebView 引擎會將所有透過 UIWebView.loadRequest(_:) (具有開頭為 file:// 的 URL) 載入的程式碼視為位於有權限的本機檔案來源。

在從檔案載入時,攻擊者透過以下幾種典型方式來利用 File-Based Cross-Zone Scripting 弱點:

- 本機檔案可能受攻擊者控制。例如,攻擊者可能會將檔案傳送給其受害者,然後受害者繼續在易受攻擊的應用程式 (例如:雲端儲存應用程式) 上儲存該檔案
- 本地檔案由其他攻擊者所控制,該攻擊者會將 Script 注入檔案。這取決於檔案權限、檔案位置或檔案可能的儲存位置及載入位置的競賽條件 (會有一個用於執行修改的時間窗口)。
- 檔案可能會召喚外部資源。當載入的檔案從外部資源擷取 Script 時,可能會發生此情況。
- 載入的檔案可能包含 Cross-site scripting 弱點。如果正在載入的檔案包含注入的程式碼,則此程式碼可能會在您的應用程式內容中執行。注入的程式碼不需要為 JavaScript 程式碼,因為注入的 HTML 亦可允許塗改或 Denial of Service 攻擊。

如果攻擊者控制的檔案是透過 file:// URL 從本機載入,則相同來源策略 (Same Origin Policy) 將允許此檔案中的 Script 存取相同來源的任何其他檔案,這會讓攻擊者存取包含敏感資訊的任何本機檔案。
References
[1] Same-origin policy for file: URIs Mozilla
[2] Old Habits Die Hard: Cross-Zone Scripting in Dropbox & Google Drive Mobile Apps IBM
[3] loadHTMLString(_:baseURL:) API documentation Apple
[4] loadRequest(_:) API documentation Apple
[5] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[10] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2024 [1] CWE ID 079
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[13] Standards Mapping - FIPS200 SI
[14] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[19] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-2
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[38] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[39] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[40] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[41] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[64] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.swift.file_based_cross_zone_scripting

File Disclosure: Django

Abstract
以使用者輸入建構 FileResponse 實例讓攻擊者能夠下載受保護目錄內的應用程式二位元程式碼,或是檢視其中的任何檔案。
Explanation
以下狀況都會導致檔案洩漏:
1. 資料從一個不可信賴的來源進入程式。


2. 此資料將用於動態地建構路徑。

範例 1:以下程式碼採用不可信賴的資料,並使用該資料來開啟檔案,該檔案隨後會回傳給使用者。


from django.http import FileResponse
...
def file_disclosure(request):
    path = request.GET['returnURL']
    return FileResponse(open(path, 'rb'))
...


如果攻擊者所提供 URL 的要求參數符合敏感檔案位置,他們也會能夠檢視該檔案。例如,"http://www.yourcorp.com/webApp/logic?returnURL=settings.py" 可讓他們檢視應用程式的 "settings.py"。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 552
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.12.1 Secure File Upload Architectural Requirements (L2 L3), 12.5.1 File Download Requirements (L1 L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[12] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[13] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[28] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 073
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[44] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
desc.dataflow.python.file_disclosure_django

File Disclosure: J2EE

Abstract
以使用者輸入來建構伺服器端重新導向路徑,便可能讓攻擊者下載應用程式二位元程式碼 (包括應用程式類別或 jar 檔案),或是檢視受保護目錄內的任何檔案。
Explanation
以下狀況都可能導致檔案洩露:
1. 資料從一個不可信賴的來源進入程式。


2. 此資料將用於動態地建構路徑。

範例 1:以下程式碼採用不可信賴的資料,並使用該資料來建立在伺服器端轉送中使用的路徑。


...
String returnURL = request.getParameter("returnURL");
	RequestDispatcher rd = request.getRequestDispatcher(returnURL);
	rd.forward();
...
範例 2:以下程式碼採用不可信賴的資料,並使用該資料來建立在伺服器端轉送中使用的路徑。


...
	<% String returnURL = request.getParameter("returnURL"); %>
	<jsp:include page="<%=returnURL%>" />
	...



如果攻擊者所提供 URL 的要求參數符合敏感檔案位置,他們也會能夠檢視該檔案。例如,"http://www.yourcorp.com/webApp/logic?returnURL=WEB-INF/applicationContext.xml" 會讓他們能夠檢視應用程式的 applicationContext.xml。
攻擊者在擁有 applicationContext.xml 之後,便可找到並下載 applicationContext.xml 中所參照的配置檔案,甚至也可能下載類別或 jar 檔案。這讓攻擊者能夠取得應用程式的相關敏感資訊,並使其成為其他類型攻擊的目標。
References
[1] Ryan Berg and Dinis Cruz Two Security Vulnerabilities in the Spring Framework's MVC
[2] Standards Mapping - Common Weakness Enumeration CWE ID 552
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.12.1 Secure File Upload Architectural Requirements (L2 L3), 12.5.1 File Download Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 073
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
desc.dataflow.java.file_disclosure_j2ee

File Disclosure: Spring

Abstract
以使用者輸入來建構伺服器端重新導向路徑,便可能讓攻擊者下載應用程式二位元程式碼 (包括應用程式類別或 jar 檔案),或是檢視受保護目錄內的任何檔案。
Explanation
以下狀況都可能導致檔案洩露:
1. 資料從一個不可信賴的來源進入程式。


2. 此資料將用於動態地建構路徑。

範例 1:以下程式碼採用不可信賴的資料,並使用該資料來建立在伺服器端轉送中使用的路徑。


...
	String returnURL = request.getParameter("returnURL");
	return new ModelAndView(returnURL);
	...


如果攻擊者所提供 URL 的要求參數符合敏感檔案位置,他們也會能夠檢視該檔案。例如,"http://www.yourcorp.com/webApp/logic?returnURL=WEB-INF/applicationContext.xml" 會讓他們能夠檢視應用程式的 applicationContext.xml。
攻擊者在擁有 applicationContext.xml 之後,便可找到並下載 applicationContext.xml 中所參照的配置檔案,甚至也可能下載類別或 jar 檔案。這讓攻擊者能夠取得應用程式的相關敏感資訊,並使其成為其他類型攻擊的目標。
References
[1] Ryan Berg and Dinis Cruz Two Security Vulnerabilities in the Spring Framework's MVC
[2] Standards Mapping - Common Weakness Enumeration CWE ID 552
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.12.1 Secure File Upload Architectural Requirements (L2 L3), 12.5.1 File Download Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 073
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
desc.dataflow.java.file_disclosure_spring

File Disclosure: Spring Webflow

Abstract
以使用者輸入來建構伺服器端重新導向路徑,便可能讓攻擊者下載應用程式二進位程式碼 (包括應用程式類別或 jar 檔案),或是檢視受保護目錄內的任何檔案。
Explanation
在 Spring Webflow 中,會使用檢視解析程式來將檢視名稱翻譯為實際的轉譯技術。通常,檢視解析程式都會限制使用字首與字尾之檔案的類型及位置。不過,使用要求參數來指定檢視名稱卻能規避這項機制。
範例 1:下列 Spring Webflow 組態使用要求參數來指定檢視名稱。

<webflow:end-state id="finalStep" view="${requestParameters.url}"/>
<webflow:view-state id="showView" view="${requestParameters.test}">

預設的 Spring Webflow 檢視解析程式原本只允許解析 "/WEB-INF/views/" 中的 jsp 檔案。


<bean class="org.springframework.web.servlet.view.
               InternalResourceViewResolver">
    <property name="prefix" value="/WEB-INF/views/" />
    <property name="suffix" value=".jsp" />
</bean>


攻擊者卻可使用下列 URL 來檢視 applicationContext.xml 檔案:"http://www.yourcorp.com/webApp/logic?url=../applicationContext.xml;x="
InternalResourceViewResolver 會採用其所設定的字首,然後串連檢視屬性中傳送的值,並於最後加上字尾。
產生的相對 URL (即 "/WEB-INF/views/../applicationContext.xml;x=.jsp") 將傳遞至伺服器端的要求發送器。分號可讓攻擊者將 ".jsp" 字尾轉換為路徑參數。這種攻擊可以用於揭露 Web 應用程式根目錄下的任何檔案。
References
[1] Ryan Berg and Dinis Cruz Two Security Vulnerabilities in the Spring Framework's MVC
[2] Seth Ladd Expert Spring MVC and Web Flow
[3] Standards Mapping - Common Weakness Enumeration CWE ID 552
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[9] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.12.1 Secure File Upload Architectural Requirements (L2 L3), 12.5.1 File Download Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 073
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
desc.configuration.java.file_disclosure_spring_webflow

File Disclosure: Struts

Abstract
以使用者輸入來建構伺服器端重新導向路徑,便可能讓攻擊者下載應用程式二位元程式碼 (包括應用程式類別或 jar 檔案),或是檢視受保護目錄內的任何檔案。
Explanation
以下狀況都可能導致檔案洩露:
1. 資料從一個不可信賴的來源進入程式。


2. 此資料將用於動態地建構路徑。

範例 1:以下程式碼採用不可信賴的資料,並使用該資料來建立在伺服器端轉送中使用的路徑。


...
	String returnURL = request.getParameter("returnURL");
	return new ActionForward(returnURL);
	...


如果攻擊者所提供 URL 的要求參數符合敏感檔案位置,他們也會能夠檢視該檔案。例如,"http://www.yourcorp.com/webApp/logic?returnURL=WEB-INF/applicationContext.xml" 會讓他們能夠檢視應用程式的 applicationContext.xml。
攻擊者在擁有 applicationContext.xml 之後,便可找到並下載 applicationContext.xml 中所參照的配置檔案,甚至也可能下載類別或 jar 檔案。這會讓攻擊者能夠取得應用程式的相關敏感資訊,並使其成為其他類型攻擊的目標。
References
[1] Ryan Berg and Dinis Cruz Two Security Vulnerabilities in the Spring Framework's MVC
[2] Standards Mapping - Common Weakness Enumeration CWE ID 552
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.12.1 Secure File Upload Architectural Requirements (L2 L3), 12.5.1 File Download Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 073
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)
desc.dataflow.java.file_disclosure_struts

File Permission Manipulation

Abstract
允許使用者輸入直接修改檔案權限,可能會使攻擊者能夠存取原本應受保護的系統資源。
Explanation
當遇到下列狀況時會發生檔案權限操作錯誤:

1.攻擊者可指定在檔案系統上修改權限的操作中所使用的路徑。

2.攻擊者可指定檔案系統上的作業所指派的權限。

範例 1:下列程式碼使用來自系統環境變數的輸入設定檔案權限。如果攻擊者能夠修改系統環境變數,就能使用程式取得程式所操縱檔案的存取權。如果程式也存在 Path Manipulation 弱點,則攻擊者可能會使用這個弱點存取系統上的任意檔案。


    permissions := strconv.Atoi(os.Getenv("filePermissions"));
    fMode := os.FileMode(permissions)
    os.chmod(filePath, fMode);
    ...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 264, CWE ID 732
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 7.3.3 Log Protection Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[15] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[28] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732
[29] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732
[30] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.golang.file_permission_manipulation
Abstract
允許使用者輸入直接修改檔案權限,可能使攻擊者能夠存取其他受保護的系統資源。
Explanation
當遇到下列狀況時會發生檔案權限操作錯誤:

1.攻擊者能夠指定在檔案系統上修改權限的作業中所使用的路徑。

2.攻擊者能夠指定檔案系統上的作業所指派的權限。

範例 1:以下程式碼使用來自系統屬性的輸入,設定預設權限遮罩。如果攻擊者能夠修改系統屬性,就能使用程式取得程式所操縱檔案的存取權。如果程式也存在 Path Manipulation 弱點,則攻擊者可能會使用這個弱點存取系統上的任意檔案。


  String permissionMask = System.getProperty("defaultFileMask");
  Path filePath = userFile.toPath();
  ...
  Set<PosixFilePermission> perms = PosixFilePermissions.fromString(permissionMask);
  Files.setPosixFilePermissions(filePath, perms);
...
References
[1] FIO01-J. Create files with appropriate access permissions CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 264, CWE ID 732
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[7] Standards Mapping - FIPS200 AC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[11] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 7.3.3 Log Protection Requirements (L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.java.file_permission_manipulation
Abstract
允許使用者輸入直接修改檔案權限,可能使攻擊者能夠存取其他受保護的系統資源。
Explanation
當遇到下列狀況時會發生檔案權限操作錯誤:

1.攻擊者能夠指定在檔案系統上修改權限的作業中所使用的路徑。

2.攻擊者能夠指定檔案系統上的作業所指派的權限。

範例 1:以下程式碼旨在當使用者透過 FTP 上傳網頁時,設定適當的檔案權限。程式使用來自 HTTP 要求的輸入,以將檔案標示為外部使用者可檢視的狀態。


	$rName = $_GET['publicReport'];
	chmod("/home/". authenticateUser . "/public_html/" . rName,"0755");
...


然而,如果攻擊者提供一個惡意的值給 publicReport,如「../../localuser/public_html/.htpasswd」,應用程式會指定攻擊者可讀取那個檔案。

範例 2:以下程式碼使用組態設定檔案的輸入設定預設權限遮罩。如果攻擊者能修改組態設定檔案,就能使用程式取得程式所操縱檔案的存取權。如果程式也存在 Path Manipulation 弱點,則攻擊者可能會使用這個弱點存取系統上的任意檔案。


...
$mask = $CONFIG_TXT['perms'];
chmod($filename,$mask);
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 264, CWE ID 732
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[7] Standards Mapping - FIPS200 AC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[11] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 7.3.3 Log Protection Requirements (L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.php.file_permission_manipulation
Abstract
允許使用者輸入直接修改檔案權限,可能使攻擊者能夠存取其他受保護的系統資源。
Explanation
當遇到下列狀況時會發生檔案權限操作錯誤:

1. 攻擊者能夠指定在檔案系統上修改權限的作業中所使用的路徑。

2. 攻擊者能夠指定檔案系統上的作業所指派的權限。

範例 1: 下列程式碼使用來自系統環境變數的輸入設定檔案權限。 如果攻擊者能夠修改系統環境變數,就能使用程式取得程式所操縱檔案的存取權。 如果程式也存在 Path Manipulation 弱點,則攻擊者可能會使用這個弱點存取系統上的任意檔案。


    permissions = os.getenv("filePermissions");
    os.chmod(filePath, permissions);
    ...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 264, CWE ID 732
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 7.3.3 Log Protection Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[15] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[28] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732
[29] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732
[30] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.python.file_permission_manipulation
Abstract
允許使用者輸入直接修改檔案權限,可能使攻擊者能夠存取其他受保護的系統資源。
Explanation
當遇到下列狀況時會發生檔案權限操作錯誤:

1. 攻擊者能夠指定在檔案系統上修改權限的作業中所使用的路徑。

2. 攻擊者能夠指定檔案系統上的作業所指派的權限。

範例 1:以下程式碼旨在當使用者透過 FTP 上傳網頁時,設定適當的檔案權限。程式使用來自 HTTP 要求的輸入,以將檔案標示為外部使用者可檢視的狀態。


...
  rName = req['publicReport']
  File.chmod("/home/#{authenticatedUser}/public_html/#{rName}", "0755")
...


然而,如果攻擊者提供一個惡意的值給 publicReport,如「../../localuser/public_html/.htpasswd」,應用程式會指定攻擊者可讀取那個檔案。

範例 2:以下程式碼使用組態設定檔案的輸入設定預設權限遮罩。如果攻擊者可以更改組態設定檔案,就可能使用程式取得程式所操縱檔案的存取權。如果程式也存在 Path Manipulation 弱點,則攻擊者可能會使用這個弱點存取系統上的任意檔案。


...
mask = config_params['perms']
File.chmod(filename, mask)
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 264, CWE ID 732
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[7] Standards Mapping - FIPS200 AC
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[11] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 7.3.3 Log Protection Requirements (L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.ruby.file_permission_manipulation

Flash Misconfiguration: Overly Permissive Cross-Domain Policy

Abstract
程式會定義過度許可的跨網域策略。
Explanation
依預設,Flash 應用程式需遵守相同來源策略 (Same Origin Policy),它可以確保只有在兩個 SWF 應用程式都來自相同網域時,才可以存取彼此的資料。Adobe Flash 允許開發人員在程式上或透過 crossdomain.xml 組態設定檔案的適當設定來修改策略。但是,變更設定時應特別小心,因為過度允許的跨網域策略會允許惡意應用程式以不適當的方式與受害者應用程式通訊,導致欺騙、資料遭竊取、傳遞和其他攻擊。

範例 1:以下內容是使用萬用字元在程式上指定允許應用程式與哪些網域通訊的範例。


   flash.system.Security.allowDomain("*");


使用 * 做為給 allowDomain() 的引數,表示應用程式的資料可以讓其他來自任何網域的 SWF 應用程式存取。
References
[1] Peleus Uhley Creating more secure SWF web applications
[2] Matt Wood and Prajakta Jagdale Auditing Adobe Flash through Static Analysis
[3] Standards Mapping - Common Weakness Enumeration CWE ID 942
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.4.6 HTTP Security Headers Requirements (L1 L2 L3), 14.5.3 Validate HTTP Request Header Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.semantic.actionscript.flash_misconfiguration_overly_permissive_cross_domain_policy

Flash Misconfiguration: Overly Permissive Custom Headers Policy

Abstract
程式定義過度允許的自訂表頭原則。
Explanation
依預設,Flash 應用程式需遵守相同來源策略 (Same Origin Policy),它可以確保只有在兩個 SWF 應用程式都來自相同網域時,才可以存取彼此的資料。Adobe Flash 允許開發人員在程式上或透過 crossdomain.xml 組態設定檔案的適當設定來修改策略。從 Flash Player 9,0,124,0 開始,Adobe 也引進了定義 Flash Player 可以在網域間傳送哪些自訂表頭的功能。但是,定義這些設定時應特別小心,因為將過度允許的自訂表頭策略和過度允許的跨網域策略一起套用時,會允許惡意應用程式將其選擇的表頭傳送到目標應用程式,可能會導致多種攻擊,或在不知道如何處理所接收之表頭的應用程式執行中造成錯誤。

範例 1:以下配置顯示了使用萬用字元指定 Flash Player 可以在網域間傳送哪些標頭。


  <cross-domain-policy>
    <allow-http-request-headers-from domain="*" headers="*"/>
  </cross-domain-policy>


使用 * 做為 headers 屬性的值,表示任何表頭都會在網域間傳送。
References
[1] Peleus Uhley Creating more secure SWF web applications
[2] Matt Wood and Prajakta Jagdale Auditing Adobe Flash through Static Analysis
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[7] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[8] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[21] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[36] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.actionscript.flash_misconfiguration_overly_permissive_custom_headers_policy

Flash Misconfiguration: Policy Restrictions Bypass

Abstract
程式使用未經驗證的使用者輸入來略過預期的跨網域策略限制。
Explanation
依預設,Flash 應用程式需遵守相同來源策略 (Same Origin Policy),它可以確保只有在兩個 SWF 應用程式都來自相同網域時,才可以存取彼此的資料。Adobe Flash 允許開發人員在程式上或透過 crossdomain.xml 組態設定檔案的適當設定來修改策略。但是,決定誰可以影響設定時應特別小心,因為過度允許的跨網域策略會允許惡意應用程式以不適當的方式與受害者應用程式通訊,導致欺騙、資料遭竊取、傳遞和其他攻擊。Policy restrictions bypass 弱點會在以下情況中出現:

1. 資料從不可信賴的來源進入應用程式。

2. 資料用來載入或修改跨網域策略設定。
範例 1:以下程式碼對載入的 SWF 檔案使用其中一個參數的值,做為載入跨網域策略檔案的來源 URL。


   ...
   var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
   var url:String = String(params["url"]);
   flash.system.Security.loadPolicyFile(url);
   ...
範例 2:以下程式碼對載入的 SWF 檔案使用其中一個參數的值,以定義可信任網域的清單。


   ...
   var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
   var domain:String = String(params["domain"]);
   flash.system.Security.allowDomain(domain);
   ...
References
[1] Peleus Uhley Creating more secure SWF web applications
[2] Matt Wood and Prajakta Jagdale Auditing Adobe Flash through Static Analysis
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[7] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[8] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[9] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[20] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[35] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.actionscript.flash_misconfiguration_policy_restrictions_bypass

Flash Misconfiguration: Unauthorized Data Access

Abstract
程式允許 HTTP 和 HTTPS SWF 應用程式進行通訊。
Explanation
從 Flash Player 7 開始,透過 HTTP 載入的 SWF 應用程式不允許存取預設透過 HTTPS 載入的 SWF 應用程式。Adobe Flash 允許開發人員在程式上或透過 crossdomain.xml 組態設定檔案的適當設定來修改此限制。但是,定義這些設定時應特別小心,因為 HTTP 載入的 SWF 應用程式容易遭到 man-in-the-middle 攻擊,因此不應該受信賴。

範例 1:以下程式碼會呼叫 allowInsecureDomain(),它會關閉以下限制:防止 HTTP 載入的 SWF 應用程式存取 HTTPS 載入之 SWF 應用程式的資料。


   flash.system.Security.allowInsecureDomain("*");
References
[1] Peleus Uhley Creating more secure SWF web applications
[2] Matt Wood and Prajakta Jagdale Auditing Adobe Flash through Static Analysis
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[7] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[8] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4, Requirement 6.5.8
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4, Requirement 6.5.8
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4, Requirement 6.5.8
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4, Requirement 6.5.8
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.4.1 - Web Software Communications
[21] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 862
[22] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[37] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.semantic.actionscript.flash_misconfiguration_unauthorized_data_access