281 找到的項目
弱點

Insecure Transport: External Link

Abstract
檔案透過未加密的通道連結到第三方網站。
Explanation
請確保網頁上的超連結僅連結到安全位置,以防止瀏覽網站時發生任何使用者洩漏資訊。即使連結從不安全的通訊協定 (例如 HTTP) 重新導向到安全的通訊協定 (例如 HTTPS),透過未加密通道的初始連線也會讓攻擊者能夠執行 Man-in-the-Middle (MiTM) 攻擊。如此一來,攻擊者就能夠控制頁面,即產生的登陸頁面。

範例:請考慮以下超連結:

<a href="http://www.example.com/index.html"/>


如果攻擊者正在監聽使用者與伺服器之間的網路流量,就可以模擬或操縱 www.example.com 來載入自己的網頁。

第三方網站的連結最初可能不被認為對安全很重要,但是對使用者來說,任何洩漏都可能顯示為來自您網頁上的連結,因此會降低使用者對使用您平台的信任度。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 297
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [25] CWE ID 295
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[10] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[11] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[13] Standards Mapping - FIPS200 CM, SC
[14] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity
[17] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[18] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[19] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - OWASP API 2023 API10 Unsafe Consumption of APIs
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[26] Standards Mapping - OWASP Mobile 2023 M5 Insecure Communication
[27] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[28] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1, MASVS-PLATFORM-2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[40] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.content.html.insecure_transport_external_link

Solidity Misconfiguration: Floating Pragma

Abstract
合約使用浮動 pragma 且 Solidity 編譯器未鎖定至特定版本。
Explanation
開發人員可以指定在建立智慧合約時所使用的相容 Solidity 編譯器版本範圍。但不建議這樣做,因為合約通常僅在一個可用的版本中進行開發和測試。這會給使用已知安全弱點的過時版本編譯器進行編譯留下可乘之機。

範例 1:以下這行程式碼設定了 pragma,這樣智慧合約就不會在 0.4.5 之前的版本中編譯,也無法在 0.5.0 及更高版本的編譯器中發揮效用。


pragma solidity ^0.4.5;
References
[1] Enterprise Ethereum Alliance Source code, pragma, and compilers
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 664
[7] Standards Mapping - Smart Contract Weakness Classification SWC-103
desc.structural.solidity.swc103

System Information Leak

Abstract
顯示系統資料或除錯資訊有助於攻擊者瞭解系統並制訂攻擊計畫。
Explanation
當系統資料或除錯資訊透過輸出串流或記錄功能離開程式時,會發生資訊洩漏。
範例:下列程式碼會將 SAPFTP 版本資訊列印在螢幕上:


...
CALL FUNCTION 'FTP_VERSION'
  ...
  IMPORTING
    EXEPATH     = p
    VERSION     = v
    WORKING_DIR = dir
    RFCPATH     = rfcp
    RFCVERSION  = rfcv
  TABLES
    FTP_TRACE =                 FTP_TRACE.

WRITE: 'exepath: ', p, 'version: ', v, 'working_dir: ', dir, 'rfcpath: ', rfcp, 'rfcversion: ', rfcv.
...


根據選項螢幕的配置,可以將此資訊傾印到螢幕上,也可以直接傳送到印表機。在某些情況下,這個版本資訊正好可以告訴攻擊者這個系統容易受到哪種攻擊。透過相同的方式,錯誤訊息也可以告訴攻擊者系統容易受到哪種攻擊。例如,資料庫錯誤資訊即可揭露應用程式容易受到 SQL injection 攻擊。其他錯誤資訊還可揭露更多關於系統的間接線索。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.1 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3), 14.2.2 Dependency (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[18] Standards Mapping - OWASP Mobile 2023 M9 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.abap.system_information_leak
Abstract
顯示系統資料或除錯資訊有助於攻擊者瞭解系統並制訂攻擊計畫。
Explanation
當系統資料或除錯資訊透過輸出串流或記錄功能離開程式時,會發生資訊洩漏。
範例 1:以下程式碼建構資料庫連線字串,用以建立新的資料庫連線,並將其寫入主控台。


string cs="database=northwind;server=mySQLServer...";
SqlConnection conn=new SqlConnection(cs);
...
Console.Writeline(cs);


視系統配置而定,此資訊可以傾印到主控台、寫入到記錄檔,或是顯示給遠端使用者。例如,使用指令碼機制時,將輸出資訊從「標準錯誤」或「標準輸出」重新導向至檔案或另一個程式的過程是不太有意義的。此外,程式執行所在的系統可能會有遠端記錄機制,例如會將記錄傳送至遠端裝置的「syslog」伺服器。在開發期間,您沒有方法可得知從何處會結束顯示此資訊。

在某些情況下,錯誤訊息會為攻擊者提供系統容易受到哪些確切的攻擊類型影響。例如,資料庫錯誤訊息即可揭露應用程式容易受到 SQL injection 攻擊。其他錯誤訊息還可揭露更多關於系統的間接線索。在 Example 1 中,洩漏的資訊可能會暗示有關作業系統類型、系統上安裝的應用程式,以及管理員在配置程式時所花費的努力等資訊。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.1 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3), 14.2.2 Dependency (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[18] Standards Mapping - OWASP Mobile 2023 M9 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.dotnet.system_information_leak
Abstract
顯示系統資料或除錯資訊有助於攻擊者瞭解系統並制訂攻擊計畫。
Explanation
當系統資料或除錯資訊透過輸出串流或記錄功能離開程式時,會發生資訊洩漏。
範例 1:以下程式碼會將路徑環境變數列印到標準錯誤串流:


  char* path = getenv("PATH");
  ...
  fprintf(stderr, "cannot find exe on path %s\n", path);


根據系統配置,可以將資訊傾印到主控台,寫入記錄檔,或者顯示給遠端使用者。例如,使用指令碼機制時,將輸出資訊從「標準錯誤」或「標準輸出」重新導向至檔案或其他程式的過程是不太有意義的。此外,程式執行所在的系統可能會有遠端記錄機制,例如會將記錄傳送至遠端裝置的「syslog」伺服器。在開發期間,您沒有方法可得知從何處會結束顯示此資訊。

在某些情況下,這個錯誤資訊正好可以告訴攻擊者這個系統被入侵的可能性有多大。例如,資料庫錯誤訊息即可揭露應用程式容易受到 SQL injection 攻擊。其他錯誤訊息還可揭露更多關於系統的間接線索。在 Example 1 中,搜索路徑可能會暗示有關作業系統類型、系統上安裝的應用程式,以及管理員在配置程式時所花費的努力等資訊。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.1 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3), 14.2.2 Dependency (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[18] Standards Mapping - OWASP Mobile 2023 M9 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.cpp.system_information_leak
Abstract
顯示系統資料或除錯資訊有助於攻擊者瞭解系統並制訂攻擊計畫。
Explanation
當系統資料或除錯資訊透過輸出串流或記錄功能離開程式時,會發生資訊洩漏。

範例 1:以下程式碼會將異常寫入標準錯誤串流:


print(Platform.environment["HOME"]);


視系統配置而定,此資訊可以傾印到主控台、寫入到記錄檔,或是顯示給遠端使用者。例如,使用指令碼機制時,將輸出資訊從「標準錯誤」或「標準輸出」重新導向至檔案或其他程式的過程是不太有意義的。此外,程式執行所在的系統可能會有遠端記錄機制,例如會將記錄傳送至遠端裝置的「syslog」伺服器。在開發期間,無從確定此資訊最終可能會顯示在哪裡。

在某些情況下,錯誤訊息會為攻擊者提供系統容易受到哪些確切的攻擊類型影響。例如,資料庫錯誤訊息即可揭露應用程式容易受到 SQL injection 攻擊。其他錯誤訊息還可揭露更多關於系統的間接線索。在 Example 1 中,洩漏的資訊可能會暗示有關作業系統類型、系統上安裝的應用程式,以及管理員在配置程式時所花費的努力等資訊。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.1 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3), 14.2.2 Dependency (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[18] Standards Mapping - OWASP Mobile 2023 M9 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.dart.system_information_leak
Abstract
顯示系統資料或除錯資訊可讓攻擊者使用系統資訊制訂攻擊計畫。
Explanation
當程式透過輸出串流或記錄功能顯示系統資料或除錯資訊時,會發生資訊洩漏。

範例 1:以下程式碼會將路徑環境變數列印到標準錯誤串流:


  path := os.Getenv("PATH")
  ...
  log.Printf("Cannot find exe on path %s\n", path)


視系統配置而定,此資訊可以傾印到主控台、寫入到記錄檔,或是顯示給使用者。有時,攻擊者可以根據錯誤訊息確定應用程式容易受到的確切攻擊類型。例如,資料庫錯誤訊息即可揭露應用程式容易受到 SQL Injection 攻擊。其他錯誤訊息還可揭露更多關於系統的間接線索。在 Example 1 中,搜索路徑可能會暗示有關作業系統類型、系統上安裝的應用程式,以及管理員在配置程式時所花費的努力等資訊。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.1 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3), 14.2.2 Dependency (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[18] Standards Mapping - OWASP Mobile 2023 M9 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.golang.system_information_leak
Abstract
顯示系統資料或除錯資訊有助於攻擊者瞭解系統並制訂攻擊計畫。
Explanation
當系統資料或除錯資訊透過輸出串流或記錄功能離開程式時,會發生資訊洩漏。

範例 1:以下程式碼會將異常寫入標準錯誤串流:


try {
    ...
} catch (Exception e) {
    e.printStackTrace();
}


視系統配置而定,此資訊可以傾印到主控台、寫入到記錄檔,或是顯示給遠端使用者。例如,使用指令碼機制時,將輸出資訊從「標準錯誤」或「標準輸出」重新導向至檔案或其他程式的過程是不太有意義的。此外,程式執行所在的系統可能會有遠端記錄機制,例如會將記錄傳送至遠端裝置的「syslog」伺服器。在開發期間,您沒有方法可得知從何處會結束顯示此資訊。

在某些情況下,錯誤訊息會為攻擊者提供系統容易受到哪些確切的攻擊類型影響。例如,資料庫錯誤訊息即可揭露應用程式容易受到 SQL injection 攻擊。其他錯誤訊息還可揭露更多關於系統的間接線索。在 Example 1 中,洩漏的資訊可能會暗示有關作業系統類型、系統上安裝的應用程式,以及管理員在配置程式時所花費的努力等資訊。

在行動運算環境中,資訊洩漏也是令人擔心的事情。使用行動平台時,會從多種來源下載,並在相同裝置上一起執行應用程式。在金融應用程式旁執行惡意程式碼的可能性很高,因此應用程式作者需要留意向裝置上執行的其他應用程式傳送的訊息中應包括哪些資訊。

範例 2:以下程式碼會向註冊的所有 Android 接收者廣播所捕捉異常的堆疊追蹤。

...
try {
  ...
} catch (Exception e) {
    String exception = Log.getStackTraceString(e);
    Intent i = new Intent();
    i.setAction("SEND_EXCEPTION");
    i.putExtra("exception", exception);
    view.getContext().sendBroadcast(i);
}
...


以下是行動環境中特有的另一種狀況。現在,多數行動裝置執行近距離無線通訊 (NFC) 通訊協定,以使用無線電通訊在裝置之間快速共用資訊。裝置距離極為接近或彼此接觸時,才會實現此通訊。即使將 NFC 的通訊範圍限制在幾公分距離,也可能發生竊聽、資料修改及其他多種類型的攻擊,因為 NFC 本身並不能確保安全通訊。

範例 3:Android 平台提供對 NFC 的支援。以下程式碼建立進入範圍內其他裝置的訊息。

...
public static final String TAG = "NfcActivity";
private static final String DATA_SPLITTER = "__:DATA:__";
private static final String MIME_TYPE = "application/my.applications.mimetype";
...
TelephonyManager tm = (TelephonyManager)Context.getSystemService(Context.TELEPHONY_SERVICE);
String VERSION = tm.getDeviceSoftwareVersion();
...
NfcAdapter nfcAdapter = NfcAdapter.getDefaultAdapter(this);
if (nfcAdapter == null)
  return;

String text = TAG + DATA_SPLITTER + VERSION;
NdefRecord record = new NdefRecord(NdefRecord.TNF_MIME_MEDIA,
            MIME_TYPE.getBytes(), new byte[0], text.getBytes());
NdefRecord[] records = { record };
NdefMessage msg = new NdefMessage(records);
nfcAdapter.setNdefPushMessage(msg, this);
...


NFC 資料交換格式 (NDEF) 訊息包含輸入的資料、URI 或自訂應用程式裝載。若訊息包含應用程式的相關資訊 (例如其名稱、MIME 類型或裝置軟體版本),則可能會向竊聽者洩漏此資訊。
References
[1] Ernst Haselsteiner and Klemens Breitfuss Security in Near Field Communication (NFC): Strengths and Weaknesses
[2] ERR01-J. Do not allow exceptions to expose sensitive information CERT
[3] ENV02-J. Do not trust the values of environment variables CERT
[4] FUNDAMENTALS-4: Establish trust boundaries Oracle
[5] CONFIDENTIAL-1: Purge sensitive information from exceptions Oracle
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[10] Standards Mapping - CIS Kubernetes Benchmark partial
[11] Standards Mapping - Common Weakness Enumeration CWE ID 497
[12] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[13] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[14] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[16] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[19] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[20] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.1 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3), 14.2.2 Dependency (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[23] Standards Mapping - OWASP Mobile 2023 M9 Insecure Data Storage
[24] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.java.system_information_leak
Abstract
顯示系統資料或除錯資訊可讓攻擊者使用系統資訊制訂攻擊計畫。
Explanation
當系統資料或除錯資訊透過輸出串流或記錄功能離開程式時,會發生資訊洩漏。

範例 1:以下程式碼會將異常寫入 AngularJS 中的瀏覽器主控台:


$log.log(exception);


根據異常來源而定,這可能會將資訊傳送給在用戶端上引起問題的相同使用者,也可能會將資訊傳送給與伺服器端資訊相關的遠端使用者。

在某些情況下,錯誤資訊會清楚地告訴攻擊者系統容易受到哪種攻擊。例如,資料庫錯誤資訊即可揭露應用程式容易受到 SQL injection 攻擊。其他錯誤資訊還可揭露更多關於系統的間接線索。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.1 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3), 14.2.2 Dependency (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[18] Standards Mapping - OWASP Mobile 2023 M9 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.javascript.system_information_leak
Abstract
顯示系統資料或除錯資訊可讓攻擊者使用系統資訊制訂攻擊計畫。
Explanation
當系統資料或除錯資訊透過輸出串流或記錄功能離開程式時,會發生資訊洩漏。

範例 1:以下程式碼會將異常寫入標準輸出串流:


try {
    ...
} catch (e: Exception) {
    e.printStackTrace()
}


根據系統配置,可以將資訊傾印到主控台,寫入記錄檔,或者顯示給遠端使用者。例如,使用指令碼機制時,將輸出資訊從「標準錯誤」或「標準輸出」重新導向至檔案或其他程式的過程是不太有意義的。此外,程式執行所在的系統可能會有遠端記錄機制,例如會將記錄傳送至遠端裝置的「syslog」伺服器。在開發期間,您沒有方法可得知從何處會結束顯示此資訊。

在某些情況下,錯誤訊息會為攻擊者提供系統容易受到哪些確切的攻擊類型影響。例如,資料庫錯誤訊息即可揭露應用程式容易受到 SQL injection 攻擊。其他錯誤訊息還可揭露更多關於系統的間接線索。在 Example 1 中,洩漏的資訊可能會暗示有關作業系統類型、系統上安裝的應用程式,以及管理員在配置程式時所花費的努力等資訊。

在行動運算環境中,資訊洩漏也是令人擔心的事情。使用行動平台時,會從多種來源下載,並在相同裝置上一起執行應用程式。在金融應用程式旁執行惡意程式碼的可能性很高,因此開發人員需要留意向裝置上執行的其他應用程式傳送的訊息中應包括哪些資訊。

範例 2:以下程式碼會向註冊的所有 Android 接收者廣播所捕捉異常的堆疊追蹤。

...
try {
  ...
} catch (e: Exception) {
    val exception = Log.getStackTraceString(e)
    val intent = Intent()
    intent.action = "SEND_EXCEPTION"
    intent.putExtra("exception", exception)
    view.context.sendBroadcast(intent)
}
...


以下是行動環境中特有的另一種狀況。現在,多數行動裝置執行近距離無線通訊 (NFC) 通訊協定,以使用無線電通訊在裝置之間快速共用資訊。裝置距離極為接近或彼此接觸時,才會實現此通訊。即使將 NFC 的通訊範圍限制在幾公分距離,也可能發生竊聽、資料修改及其他多種類型的攻擊,因為 NFC 本身並不能確保安全通訊。

範例 3:Android 平台提供對 NFC 的支援。以下程式碼建立進入範圍內其他裝置的訊息。

...
companion object { 
    const val TAG = "NfcActivity"
    private const val DATA_SPLITTER = "__:DATA:__"
    private const val MIME_TYPE = "application/my.applications.mimetype"
}
...
val tm = Context.getSystemService(Context.TELEPHONY_SERVICE) as TelephonyManager
val VERSION = tm.getDeviceSoftwareVersion();
...
val nfcAdapter = NfcAdapter.getDefaultAdapter(this)

val text: String = "$TAG$DATA_SPLITTER$VERSION"
val record = NdefRecord(NdefRecord.TNF_MIME_MEDIA, MIME_TYPE.getBytes(), ByteArray(0), text.toByteArray())
val records = arrayOf(record)
val msg = NdefMessage(records)
nfcAdapter.setNdefPushMessage(msg, this)
...


NFC 資料交換格式 (NDEF) 訊息包含輸入的資料、URI 或自訂應用程式裝載。若訊息包含應用程式的相關資訊 (例如其名稱、MIME 類型或裝置軟體版本),則可能會向竊聽者洩漏此資訊。
References
[1] Ernst Haselsteiner and Klemens Breitfuss Security in Near Field Communication (NFC): Strengths and Weaknesses
[2] ERR01-J. Do not allow exceptions to expose sensitive information CERT
[3] ENV02-J. Do not trust the values of environment variables CERT
[4] FUNDAMENTALS-4: Establish trust boundaries Oracle
[5] CONFIDENTIAL-1: Purge sensitive information from exceptions Oracle
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[10] Standards Mapping - CIS Kubernetes Benchmark partial
[11] Standards Mapping - Common Weakness Enumeration CWE ID 497
[12] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[13] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[14] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[16] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[19] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[20] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.1 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3), 14.2.2 Dependency (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[23] Standards Mapping - OWASP Mobile 2023 M9 Insecure Data Storage
[24] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.kotlin.system_information_leak
Abstract
顯示系統資料或除錯資訊有助於攻擊者了解系統並制訂攻擊計畫。
Explanation
當系統資料或除錯資訊透過輸出串流或記錄功能離開程式時,會發生資訊洩漏。

範例:以下程式碼會將裝置識別碼列印到標準錯誤串流:


...
NSString* deviceID = [[UIDevice currentDevice] name];

[deviceID writeToFile:@"/dev/stderr" atomically:NO encoding:NSUTF8StringEncoding error:nil];
...


根據系統配置,可以將資訊傾印到主控台,寫入記錄檔,或者顯示給遠端使用者。例如,使用指令碼機制時,將輸出資訊從「標準錯誤」或「標準輸出」重新導向至檔案或另一個程式的過程是不太有意義的。此外,程式執行所在的系統可能會有遠端記錄機制,此機制會將記錄傳送至遠端裝置。在開發期間,您沒有方法可得知從何處會結束顯示此資訊。

在某些情況下,這個錯誤資訊正好可以告訴攻擊者這個系統被入侵的可能性有多大。例如,資料庫錯誤資訊即可揭露應用程式容易受到 SQL injection 攻擊。其他錯誤資訊還可揭露更多關於系統的間接線索。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.1 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3), 14.2.2 Dependency (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[18] Standards Mapping - OWASP Mobile 2023 M9 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.objc.system_information_leak
Abstract
顯示系統資料或除錯資訊有助於攻擊者瞭解系統並制訂攻擊計畫。
Explanation
當系統資料或除錯資訊透過輸出串流或記錄功能離開程式時,會發生資訊洩漏。

範例 1:以下程式碼會將異常寫入標準錯誤串流:


<?php
    ...
    echo "Server error! Printing the backtrace";
    debug_print_backtrace();
    ...
?>


根據系統配置,可以將資訊傾印到主控台,寫入記錄檔,或者顯示給遠端使用者。例如,使用指令碼機制時,將輸出資訊從「標準錯誤」或「標準輸出」重新導向至檔案或其他程式的過程是不太有意義的。此外,程式執行所在的系統可能會有遠端記錄機制,例如會將記錄傳送至遠端裝置的「syslog」伺服器。在開發期間,您沒有方法可得知從何處會結束顯示此資訊。

在某些情況下,錯誤訊息會為攻擊者提供系統容易受到哪些確切的攻擊類型影響。例如,資料庫錯誤訊息即可揭露應用程式容易受到 SQL injection 攻擊。其他錯誤訊息還可揭露更多關於系統的間接線索。在 Example 1 中,洩漏的資訊可能會暗示有關作業系統類型、系統上安裝的應用程式,以及管理員在配置程式時所花費的努力等資訊。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.1 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3), 14.2.2 Dependency (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[18] Standards Mapping - OWASP Mobile 2023 M9 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.php.system_information_leak
Abstract
顯示系統資料或除錯資訊可讓攻擊者使用系統資訊制訂攻擊計畫。
Explanation
當系統資料或除錯資訊透過輸出串流或記錄功能離開程式時,會發生資訊洩漏。

範例 1:以下程式碼會將異常寫入標準錯誤串流:


...
begin
  log = Logger.new(STDERR)
  ...
rescue Exception
    log.info("Exception: " + $!)
...
end


根據系統配置,可以將資訊傾印到主控台,寫入記錄檔,或者顯示給遠端使用者。例如,使用指令碼機制時,將輸出資訊從「標準錯誤」或「標準輸出」重新導向至檔案或其他程式的過程是不太有意義的。此外,程式執行所在的系統可能會有遠端記錄機制,例如會將記錄傳送至遠端裝置的「syslog」伺服器。在開發期間,您沒有方法可得知從何處會結束顯示此資訊。

在某些情況下,錯誤訊息會為攻擊者提供系統容易受到哪些確切的攻擊類型影響。例如,資料庫錯誤訊息即可揭露應用程式容易受到 SQL injection 攻擊。其他錯誤訊息還可揭露更多關於系統的間接線索。在 Example 1 中,洩漏的資訊可能會暗示有關作業系統類型、系統上安裝的應用程式,以及管理員在配置程式時所花費的努力等資訊。當然,Example 1 中的另一個問題是救援根 Exception 而非特定類型或錯誤/異常,表示它將捕捉到會潛在造成其他不重要負面影響的所有異常。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.1 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3), 14.2.2 Dependency (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[18] Standards Mapping - OWASP Mobile 2023 M9 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.ruby.system_information_leak
Abstract
顯示系統資料或除錯資訊有助於攻擊者了解系統並制訂攻擊計畫。
Explanation
當系統資料或除錯資訊透過輸出串流或記錄功能離開程式時,會發生資訊洩漏。

範例:以下程式碼會將裝置識別碼列印到標準錯誤串流:


...
public struct StderrOutputStream: OutputStreamType {
    public static let stream = StderrOutputStream()
    public func write(string: String) {fputs(string, stderr)}
}

public var errStream = StderrOutputStream.stream

let deviceID = UIDevice.currentDevice().name

println("Device ID: \(deviceID)", &errStream)
...


根據系統配置,可以將資訊傾印到主控台,寫入記錄檔,或者顯示給遠端使用者。例如,使用指令碼機制時,將輸出資訊從「標準錯誤」或「標準輸出」重新導向至檔案或另一個程式的過程是不太有意義的。此外,程式執行所在的系統可能會有遠端記錄機制,此機制會將記錄傳送至遠端裝置。在開發期間,您沒有方法可得知從何處會結束顯示此資訊。

在某些情況下,這個錯誤資訊正好可以告訴攻擊者這個系統被入侵的可能性有多大。例如,資料庫錯誤資訊即可揭露應用程式容易受到 SQL injection 攻擊。其他錯誤資訊還可揭露更多關於系統的間接線索。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.1 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3), 14.2.2 Dependency (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[18] Standards Mapping - OWASP Mobile 2023 M9 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.swift.system_information_leak

Cross-Site Scripting: Persistent

Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Persistent XSS (也可稱為 Stored XSS) 案例中,不可信賴的來源通常為資料庫或其他後端資料儲存區,而在 Reflected XSS 案例中,來源通常為網頁要求。


2. 未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的 ABAP 程式碼片段會根據所給予的識別碼在資料庫中查詢員工,並列印該員工姓名。


...
DATA: BEGIN OF itab_employees,
        eid   TYPE employees-itm,
        name  TYPE employees-name,
      END OF itab_employees,
      itab LIKE TABLE OF itab_employees.
...
itab_employees-eid = '...'.
APPEND itab_employees TO itab.

SELECT *
  FROM employees
  INTO CORRESPONDING FIELDS OF TABLE itab_employees
  FOR ALL ENTRIES IN itab
  WHERE eid = itab-eid.
ENDSELECT.
...
response->append_cdata( 'Employee Name: ').
response->append_cdata( itab_employees-name ).
...
name 值正常運作時,此程式碼也會正常運作,但如果該值不正常運作時,則會完全無法避免程式碼遭受攻擊。這個程式碼之所以較不危險,是因為 name 值是從資料庫中讀取的,且顯然是由應用程式管理這些值的內容。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

範例 2:以下的 ABAP 程式碼片段會從 HTTP 要求中讀取員工的識別碼 eid,並將識別碼顯示給使用者。


...
eid = request->get_form_field( 'eid' ).
...
response->append_cdata( 'Employee ID: ').
response->append_cdata( eid ).
...


Example 1 所述,如果 eid 只包含標準英數字元,這個程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 2 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] SAP OSS notes 1582870, 1582867 and related notes for ABAP XSS support
[2] SAP OSS Notes 822881, 1600317, 1640092, 1671470 and 1638779 for XSS support in BSPs
[3] Understanding Malicious Content Mitigation for Web Developers CERT
[4] HTML 4.01 Specification W3
[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[10] Standards Mapping - CIS Kubernetes Benchmark complete
[11] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[12] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[16] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[17] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[18] Standards Mapping - FIPS200 SI
[19] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[20] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[21] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[22] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[23] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[27] Standards Mapping - OWASP Top 10 2021 A03 Injection
[28] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[29] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[30] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[31] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[43] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[45] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[46] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[67] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[68] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.abap.cross_site_scripting_persistent
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Persistent XSS (也可稱為 Stored XSS) 案例中,不可信賴的來源通常為資料庫或其他後端資料儲存區,而在 Reflected XSS 案例中,來源通常為網頁要求。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下 ActionScript 程式碼片段會根據所給予的識別碼在資料庫中查詢員工,並列印該員工姓名。


  stmt.sqlConnection = conn;
  stmt.text = "select * from emp where id="+eid;
  stmt.execute();
  var rs:SQLResult = stmt.getResult();
  if (null != rs) {
    var name:String = String(rs.data[0]);
    var display:TextField = new TextField();
    display.htmlText = "Employee Name: " + name;
  }
name 值正常運作時,此程式碼也會正常運作,但如果該值不正常運作時,則會完全無法避免程式碼遭受攻擊。這個程式碼之所以較不危險,是因為 name 值是從資料庫中讀取的,且顯然是由應用程式管理這些值的內容。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

範例 2:以下 ActionScript 程式碼片段會從 HTTP 要求中讀取員工的識別碼 eid,並將識別碼顯示給使用者。


var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var eid:String = String(params["eid"]);
...
var display:TextField = new TextField();
display.htmlText = "Employee ID: " + eid;
...


Example 1 所述,如果 eid 只包含標準英數字元,這個程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 2 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.actionscript.cross_site_scripting_persistent
Abstract
將未經驗證的資料傳送到網頁瀏覽器可能會導致執行惡意程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。如果是 Persistent XSS,不可信賴的來源大多為資料庫查詢的結果,而如果是 Reflected XSS,來源大多為 Web 要求。

2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

惡意內容通常為 JavaScript 程式碼片段,但也可以是 HTML、Flash 或瀏覽器可執行的任何其他作用中內容。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下 Apex 程式碼片段會在資料庫中查詢具有指定 ID 的聯絡人名稱並傳回對應的員工姓名 (之後由 Visualforce 程式碼進行列印)。


...
variable = Database.query('SELECT Name FROM Contact WHERE id = ID');
...

<div onclick="this.innerHTML='Hello {!variable}'">Click me!</div>


name 的值進行明確界定時 (例如,僅英數字元),此程式碼會正常運作,但無法檢查惡意資料。即使該值讀取自資料庫,也應該對其進行適當驗證,因為資料庫的內容可能源自於使用者提供的資料。這樣一來,攻擊者可以在使用者的網頁瀏覽器中執行惡意指令,而無需與受害者進行互動 (類似於 Reflected XSS)。此類攻擊稱為 Stored XSS (或 Persistent XSS),可能非常難以偵測,因為資料是以間接方式提供給易受攻擊的函數,並且由於影響多個使用者的可能性,此類攻擊的影響會更強烈。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

範例 2:以下 Visualforce 程式碼片段會讀取 HTTP 要求參數 username,並向使用者顯示。


<script>
document.write('{!$CurrentPage.parameters.username}')
</script>


此範例中的程式碼旨在僅接收英數文字並加以顯示。但是,如果 username 包含中繼字元或來源程式碼,則會由網頁瀏覽器執行。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。有兩種途徑可執行 XSS 攻擊:

- 如 Example 1 所述,資料庫或其他資料儲存區會向應用程式提供將包含在動態內容中的危險資料。從攻擊者的角度來看,儲存惡意內容的最佳位置是可供所有使用者 (尤其是擁有較高權限的使用者) 存取的區域,這些使用者更有可能會處理敏感資訊或執行關鍵作業。

- 如 Example 2 所述,會從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者將危險內容傳遞至易受攻擊的 Web 應用程式,然後回傳給使用者並透過其瀏覽器執行時,會出現 Reflected XSS。傳遞惡意內容最常用的機制就是,將惡意內容當作參數包含在公開發佈的 URL 中,或者以電子郵件方式直接傳送給受害者。透過此方式修改的 URL 是許多釣魚架構的核心,其中攻擊者會誘騙受害者造訪該 URL。當網站回傳內容給使用者後便會加以執行,並且可執行多個動作,例如轉送隱私、敏感的資訊、在受害者電腦上執行未經授權的作業等。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Salesforce Developers Technical Library Secure Coding Guidelines - Cross Site Scripting
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.apex.cross_site_scripting_persistent
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Persistent XSS (也可稱為 Stored XSS) 案例中,不可信賴的來源通常為資料庫或其他後端資料儲存區,而在 Reflected XSS 案例中,來源通常為網頁要求。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的 ASP.NET 網頁表單使用指定的員工識別碼向資料庫查詢員工,並列印出與識別碼相對應的名字。

<script runat="server">
...
string query = "select * from emp where id=" + eid;
sda = new SqlDataAdapter(query, conn);
DataTable dt = new DataTable();
sda.Fill(dt);
string name = dt.Rows[0]["Name"];
...
EmployeeName.Text = name;
</script>


其中,EmployeeName 是定義如下的表單控制項:


<form runat="server">
   ...
   <asp:Label id="EmployeeName" runat="server">
   ...
</form>
範例 2:以下 ASP.NET 程式碼片段的功能與之前的 Example 1 相當,不過卻是以程式設計方式來實作所有的表單元素。

protected System.Web.UI.WebControls.Label EmployeeName;
...
string query = "select * from emp where id=" + eid;
sda = new SqlDataAdapter(query, conn);
DataTable dt = new DataTable();
sda.Fill(dt);
string name = dt.Rows[0]["Name"];
...
EmployeeName.Text = name;
name 值正常運作時,這些程式碼範例也會正常運作,但如果該值不正常運作時,則會完全無法避免程式碼遭受攻擊。這個程式碼之所以較不危險,是因為 name 值是從資料庫中讀取的,且顯然是由應用程式管理這些值的內容。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

範例 3:以下 ASP.NET 網頁表單會從 HTTP 要求讀取員工識別碼,然後顯示給使用者。

<script runat="server">
...
EmployeeID.Text = Login.Text;
...
</script>


其中,LoginEmployeeID 是定義如下的表單控制項:


<form runat="server">
   <asp:TextBox runat="server" id="Login"/>
   ...
   <asp:Label runat="server" id="EmployeeID"/>
</form>
範例 4:以下的 ASP.NET 程式碼片段會示範以程式設計方式來實作 Example 3

protected System.Web.UI.WebControls.TextBox Login;
protected System.Web.UI.WebControls.Label EmployeeID;
...
EmployeeID.Text = Login.Text;


Example 1Example 2 所述,如果 Login 只包含標準英數字元,這些範例就會正確運作。如果 Login 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL? 真正的危險是攻擊者會建立惡意的 URL,然後使用電子郵件或社交工程技倆來誘騙受害者按下連結。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 3Example 4 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。

有許多現代的 Web 架構提供執行使用者輸入驗證的機制 (包括 ASP.NET 要求驗證和 WCF)。為了突顯未驗證的輸入來源,Fortify 安全編碼檢查規則會降低 Fortify Static Code Analyzer 所報告之問題的攻擊可能性,並在使用框架驗證機制時提供支援證據的指標,以動態重新排列其優先順序。如果是 ASP.NET 要求驗證,我們也會針對何時明確停用驗證提供證據。我們將此功能稱為「內容相關性排名」。為了進一步協助 Fortify 使用者進行稽核程序,Fortify Software 安全研發團隊提供了資料驗證專案範本,該範本會依據套用到其輸入來源的驗證機制,按資料夾對問題進行分組。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Anti-Cross Site Scripting Library MSDN
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.dotnet.cross_site_scripting_persistent
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Persistent XSS (也可稱為 Stored XSS) 案例中,不可信賴的來源通常為資料庫或其他後端資料儲存區,而在 Reflected XSS 案例中,來源通常為網頁要求。

2. 在未對包含資料的動態內容進行驗證的情況下,便將其傳送至某個網路瀏覽器。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1: 以下的程式碼片段,根據所給予的識別碼在資料庫中查詢員工,並列印該員工姓名。


...
EXEC SQL
  SELECT NAME
  INTO :ENAME
  FROM EMPLOYEE
  WHERE ID = :EID
END-EXEC.

EXEC CICS
  WEB SEND
  FROM(ENAME)
  ...
END-EXEC.
...
ENAME 值正常運作時,此範例中的程式碼也會正常運作,但如果該值不正常運作時,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 ENAME 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 ENAME 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這種類型的攻擊,被稱作 Stored XSS,是特別狡詐的,因為間接的資料儲存方式使得該威脅難以辨別,而且提高了該攻擊會影響到多個使用者的可能性。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

範例 2: 以下的程式碼片段在 HTML 表單中讀取員工的識別碼 EID,並顯示給使用者。 


...
EXEC CICS
  WEB READ
  FORMFIELD(ID)
  VALUE(EID)
  ...
END-EXEC.

EXEC CICS
  WEB SEND
  FROM(EID)
  ...
END-EXEC.
...


Example 1 所述,如果 EID 只包含標準英數字元,這個程式碼會正確地執行。如果 EID 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。當攻擊者有以下情況時,Stored XSS 攻擊就會出現:

- 如 Example 2 所述,會直接從 HTML 表單中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.cobol.cross_site_scripting_persistent
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Persistent XSS (也可稱為 Stored XSS) 案例中,不可信賴的來源通常為資料庫或其他後端資料儲存區,而在 Reflected XSS 案例中,來源通常為網頁要求。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1: 以下的 CFML 程式碼片段,根據提供的員工識別碼來查詢資料庫,並列印出該員工的相應姓名。

 
<cfquery name="matchingEmployees" datasource="cfsnippets">
  SELECT name
  FROM Employees 
  WHERE eid = '#Form.eid#'
</cfquery>
<cfoutput>
Employee Name: #name#
</cfoutput>
name 值正常運作時,此範例中的程式碼也會正常運作,但如果該值不正常運作時,則會完全無法避免程式碼遭受攻擊。這個程式碼之所以較不危險,是因為 name 值是從資料庫中讀取的,且顯然是由應用程式管理這些值的內容。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

範例 2: 以下的 CFML 程式碼片段,會從網路表單中讀取員工識別碼 eid,並將其顯示給使用者。 


<cfoutput>
Employee ID: #Form.eid#
</cfoutput>


Example 1 所述,如果 Form.eid 只包含標準英數字元,這個程式碼會正確地執行。如果 Form.eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 2 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] ColdFusion Developer Center: Security Macromedia
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.cfml.cross_site_scripting_persistent
Abstract
傳送未經驗證的資料至網頁瀏覽器,會導致瀏覽器執行惡意程式碼。
Explanation
Cross-Site Scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。

2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。


範例 1:以下 Go 程式碼片段會從 HTTP 要求中讀取使用者名稱 user,並向使用者顯示。

func someHandler(w http.ResponseWriter, r *http.Request){
  r.parseForm()
  user := r.FormValue("user")
  ...
  fmt.Fprintln(w, "Username is: ", user)
}


如果 user 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 user 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下 Go 程式碼片段會查詢資料庫中具有指定 ID 的員工,然後列印相對應的員工姓名。

func someHandler(w http.ResponseWriter, r *http.Request){
  ...
  row := db.QueryRow("SELECT name FROM users WHERE id =" + userid)
  err := row.Scan(&name)
  ...
  fmt.Fprintln(w, "Username is: ", name)
}


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果沒有對所有儲存在資料庫中的資料進行適當的輸入驗證,那麼攻擊者即可在使用者的網頁瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其極其隱蔽,會因為間接的資料儲存方式而難以辨別該威脅,並會提高影響多個使用者的可能性。XSS 弱點會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所示,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由網頁瀏覽器執行時,就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所示,應用程式會將危險資料儲存在資料庫或其他可信任的資料存放區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者執行需要權限許可的操作,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料存放區中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.golang.cross_site_scripting_persistent
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Persistent XSS (也可稱為 Stored XSS) 案例中,不可信賴的來源通常為資料庫或其他後端資料儲存區,而在 Reflected XSS 案例中,來源通常為網頁要求。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下 JSP 程式碼片段會在資料庫中查詢具有指定識別碼的員工,並列印相應的員工姓名。


<%...
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("select * from emp where id="+eid);
if (rs != null) {
   rs.next();
   String name = rs.getString("name");
}
%>

Employee Name: <%= name %>
name 值正常運作時,此程式碼也會正常運作,但如果該值不正常運作時,則會完全無法避免程式碼遭受攻擊。這個程式碼之所以較不危險,是因為 name 值是從資料庫中讀取的,且顯然是由應用程式管理這些值的內容。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

範例 2:以下 JSP 程式碼片段會從 HTTP 要求中讀取員工識別碼 eid,並將其向使用者顯示。


<% String eid = request.getParameter("eid"); %>
...
Employee ID: <%= eid %>


Example 1 所述,如果 eid 只包含標準英數字元,這個程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

有人認為在行動環境中,典型的 Web 應用程式弱點 (例如跨網站指令碼) 不會產生影響,因為使用者為何會攻擊自己呢?但是請謹記,行動平台的本質是從多種來源下載,並在相同裝置上一起執行的應用程式。在金融應用程式旁執行惡意程式碼的可能性很高,這必然會擴大行動應用程式的受攻擊面,將程序之間的通訊包括在內。

範例 3:以下程式碼會在 Android 的 WebView 中啟用 JavaScript (預設狀況下停用 JavaScript),並根據從 Android 用意接收的值載入頁面。


...
        WebView webview = (WebView) findViewById(R.id.webview);
        webview.getSettings().setJavaScriptEnabled(true);
        String url = this.getIntent().getExtras().getString("url");
        webview.loadUrl(url);
...


url 的值以 javascript: 開頭,隨後的 JavaScript 程式碼將在網頁範圍中的 WebView 內執行。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 2 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 3 所述,應用程式以外的來源會在資料庫或是其他資料儲存區中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。

有許多現代的 Web 架構提供執行使用者輸入驗證的機制 (包括 Struts 和 Struts 2)。為了突顯未驗證的輸入來源,Fortify 安全編碼檢查規則會降低 Fortify Static Code Analyzer 所報告之問題的攻擊可能性,並在使用框架驗證機制時提供支援證據的指標,以動態重新排列其優先順序。我們將此功能稱為「內容相關性排名」。為了進一步協助 Fortify 使用者進行稽核程序,Fortify Software 安全研發團隊提供了資料驗證專案範本,該範本會依據套用到其輸入來源的驗證機制,按資料夾對問題進行分組。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Attacks on WebView in the Android System
[4] Erika Chin and David Wagner Bifocals: Analyzing WebView Vulnerabilities in Android Applications
[5] INJECT-3: XML and HTML generation requires care Oracle
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[11] Standards Mapping - CIS Kubernetes Benchmark complete
[12] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[13] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[16] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[17] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[18] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[19] Standards Mapping - FIPS200 SI
[20] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[21] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[22] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[23] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[24] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[27] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[28] Standards Mapping - OWASP Top 10 2021 A03 Injection
[29] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[30] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[31] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[32] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[40] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[43] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[44] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[45] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[46] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[47] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[67] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[68] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[69] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.java.cross_site_scripting_persistent
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Persistent XSS (也可稱為 Stored XSS) 案例中,不可信賴的來源通常為資料庫或其他後端資料儲存區,而在 Reflected XSS 案例中,來源通常為網頁要求。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下 Node.js 程式碼片段會根據所給予的識別碼在資料庫中查詢員工,並列印對應員工的姓名。


var http = require('http');
...

function listener(request, response){
  connection.query('SELECT * FROM emp WHERE eid="' + eid + '"', function(err, rows){
    if (!err && rows.length > 0){
      response.write('<p>Welcome, ' + rows[0].name + '!</p>');
    }
    ...
  });
  ...
}
...
http.createServer(listener).listen(8080);
name 值正常運作時,此程式碼也會正常運作,但如果該值不正常運作時,則會完全無法避免程式碼遭受攻擊。這個程式碼之所以較不危險,是因為 name 值是從資料庫中讀取的,且顯然是由應用程式管理這些值的內容。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

範例 2:以下 Node.js 程式碼片段會在 HTTP 要求中讀取員工識別碼 eid,並顯示給使用者。


var http = require('http');
var url = require('url');

...

function listener(request, response){
  var eid = url.parse(request.url, true)['query']['eid'];
  if (eid !== undefined){
    response.write('<p>Welcome, ' + eid + '!</p>');
  }
  ...
}
...
http.createServer(listener).listen(8080);


Example 1 所述,如果 eid 只包含標準英數字元,這個程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。
如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 2 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.javascript.cross_site_scripting_persistent
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-Site Scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Persistent XSS (也可稱為 Stored XSS) 案例中,不可信賴的來源通常為資料庫或其他後端資料儲存區,而在 Reflected XSS 案例中,來源通常為網頁要求。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的程式碼片段,會根據所給予的識別碼在資料庫中查詢員工,並在 servlet 回應中列印對應的員工姓名。


...
val stmt: Statement = conn.createStatement()
val rs: ResultSet = stmt.executeQuery("select * from emp where id=$eid")
rs.next()
val name: String = rs.getString("name")
...
val out: ServletOutputStream = response.getOutputStream()
out.print("Employee Name: $name")
...
out.close()
...
name 值正常運作時,此程式碼也會正常運作,但如果該值不正常運作時,則會完全無法避免程式碼遭受攻擊。這個程式碼之所以較不危險,是因為 name 值是從資料庫中讀取的,且顯然是由應用程式管理這些值的內容。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

範例 2:以下程式碼會從 HTTP servlet 要求讀取員工識別碼 eid,然後在 servlet 的回應中向使用者顯示其值。


val eid: String = request.getParameter("eid")
...
val out: ServletOutputStream = response.getOutputStream()
out.print("Employee ID: $eid")
...
out.close()
...


Example 1 所述,如果 eid 只包含標準英數字元,這個程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

有人認為在行動環境中,典型的 Web 應用程式弱點 (例如跨網站指令碼) 不會產生影響,因為使用者為何會攻擊自己呢?但是請謹記,行動平台的本質是從多種來源下載,並在相同裝置上一起執行的應用程式。在金融應用程式旁執行惡意程式碼的可能性很高,這必然會擴大行動應用程式的受攻擊面,將程序之間的通訊包括在內。

範例 3:以下程式碼會在 Android 的 WebView 中啟用 JavaScript (JavaScript 預設為停用),並根據從 Android 用意接收的值載入頁面。


...
        val webview = findViewById<View>(R.id.webview) as WebView
        webview.settings.javaScriptEnabled = true
        val url = this.intent.extras!!.getString("url")
        webview.loadUrl(url)
...


url 的值以 javascript: 開頭,隨後的 JavaScript 程式碼將在網頁範圍中的 WebView 內執行。

如同範例中所示,XSS 弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 2 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 3 所述,應用程式以外的來源會在資料庫或是其他資料儲存區中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。


有許多現代的 Web 架構提供執行使用者輸入驗證的機制 (包括 Struts 和 Spring MVC)。為了突顯未驗證的輸入來源,Fortify 安全編碼檢查規則會降低 Fortify Static Code Analyzer 所報告之問題的攻擊可能性,並在使用框架驗證機制時提供支援證據的指標,以動態重新排列其優先順序。我們將此功能稱為「內容相關性排名」。為了進一步協助 Fortify 使用者進行稽核程序,Fortify Software 安全研發團隊提供了資料驗證專案範本,該範本會依據套用到其輸入來源的驗證機制,按資料夾對問題進行分組。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Attacks on WebView in the Android System
[4] Erika Chin and David Wagner Bifocals: Analyzing WebView Vulnerabilities in Android Applications
[5] INJECT-3: XML and HTML generation requires care Oracle
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[11] Standards Mapping - CIS Kubernetes Benchmark complete
[12] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[13] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[16] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[17] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[18] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[19] Standards Mapping - FIPS200 SI
[20] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[21] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[22] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[23] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[24] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[27] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[28] Standards Mapping - OWASP Top 10 2021 A03 Injection
[29] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[30] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[31] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[32] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[40] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[43] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[44] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[45] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[46] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[47] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[67] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[68] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[69] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.kotlin.cross_site_scripting_persistent
Abstract
這個方法會傳送未經驗證的資料到網路瀏覽器會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1. 資料從一個不可信賴的來源進入網頁。在 Persistent XSS (也可稱為 Stored XSS) 案例中,不可信賴的來源通常為資料庫或其他後端資料儲存區,而在 Reflected XSS 案例中,來源通常為使用者元件、URL 架構處理常式或外部通知。


2. 在未對包含資料的動態內容進行驗證的情況下,便將其傳送至某個 UIWebView 元件。


傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

name 值正常運作時,此程式碼也會正常運作,但如果該值不正常運作時,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

範例 2:以下 Objective-C 程式碼片段會讀取自訂 URL 架構的文字部份,其會被傳送至應用程式 (myapp://input_to_the_application) 並呼叫之。然後 URL 中不可信賴的資料便會被用來在 UIWebView 元件中攻擊 HTML 輸出。


...
- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {

    UIWebView *webView;
    NSString *partAfterSlashSlash = [[url host] stringByReplacingPercentEscapesUsingEncoding:NSUTF8StringEncoding];
    webView = [[UIWebView alloc] initWithFrame:CGRectMake(0.0,0.0,360.0, 480.0)];
    [webView loadHTMLString:partAfterSlashSlash baseURL:nil]

...


如同範例中所示,XSS 的弱點是由 HTTP 內容中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 2 所述,會直接從自訂 URL 架構讀取資料,並反映於 UIWebView 回應內容中。當攻擊者誘使使用者提供危險內容給易受攻擊的 iOS 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的自訂架構 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊應用程式的 URL。應用程式將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含工作階段資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] MWR Labs Continued Adventures with iOS UIWebViews
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.objc.cross_site_scripting_persistent
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Persistent XSS (也可稱為 Stored XSS) 案例中,不可信賴的來源通常為資料庫或其他後端資料儲存區,而在 Reflected XSS 案例中,來源通常為網頁要求。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的 PHP 程式碼片段,根據提供的員工識別碼來查詢資料庫,並列印出該員工的相應姓名。


<?php...
 $con = mysql_connect($server,$user,$password);
 ...
 $result = mysql_query("select * from emp where id="+eid);
 $row = mysql_fetch_array($result)
 echo 'Employee name: ', mysql_result($row,0,'name');
 ...
?>
name 值正常運作時,此程式碼也會正常運作,但如果該值不正常運作時,則會完全無法避免程式碼遭受攻擊。這個程式碼之所以較不危險,是因為 name 值是從資料庫中讀取的,且顯然是由應用程式管理這些值的內容。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

範例 2:以下 PHP 程式碼片段會從 HTTP 要求中讀取員工 ID eid,並將 ID 顯示給使用者。


<?php
	$eid = $_GET['eid'];
	...
?>
...
<?php
	echo "Employee ID: $eid";
?>


Example 1 所述,如果 eid 只包含標準英數字元,這個程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 2 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.php.cross_site_scripting_persistent
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Persistent XSS (也可稱為 Stored XSS) 案例中,不可信賴的來源通常為資料庫或其他後端資料儲存區,而在 Reflected XSS 案例中,來源通常為網頁要求。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下程式碼片段會在資料庫中查詢具有指定識別碼的員工,並列印相應的員工姓名。


...
SELECT ename INTO name FROM emp WHERE id = eid;
HTP.htmlOpen;
  HTP.headOpen;
    HTP.title ('Employee Information');
  HTP.headClose;
  HTP.bodyOpen;
    HTP.br;
    HTP.print('Employee Name: ' || name || '');
    HTP.br;
  HTP.bodyClose;
HTP.htmlClose;
...
name 值正常運作時,此程式碼也會正常運作,但如果該值不正常運作時,則會完全無法避免程式碼遭受攻擊。這個程式碼之所以較不危險,是因為 name 值是從資料庫中讀取的,且顯然是由應用程式管理這些值的內容。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

範例 2:以下程式碼片段會從 HTTP 要求中讀取員工識別碼 eid,並向使用者顯示。


...
-- Assume QUERY_STRING looks like EID=EmployeeID
eid := SUBSTR(OWA_UTIL.get_cgi_env('QUERY_STRING'), 5);
HTP.htmlOpen;
  HTP.headOpen;
    HTP.title ('Employee Information');
  HTP.headClose;
  HTP.bodyOpen;
    HTP.br;
    HTP.print('Employee ID: ' || eid || '');
    HTP.br;
  HTP.bodyClose;
HTP.htmlClose;
...


Example 1 所述,如果 eid 只包含標準英數字元,這個程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 2 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.sql.cross_site_scripting_persistent
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site Scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Persistent XSS (也可稱為 Stored XSS) 案例中,不可信賴的來源通常為資料庫或其他後端資料儲存區,而在 Reflected XSS 案例中,來源通常為網頁要求。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的 Python 程式碼片段在 HTTP 要求中讀取員工的識別碼 eid,並顯示給使用者。


	req = self.request()  # fetch the request object
        eid = req.field('eid',None) # tainted request message
	...
	self.writeln("Employee ID:" + eid)


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下的 Python 程式碼片段,根據所給予的識別碼在資料庫中查詢員工,並列印該員工姓名。


 ...
 cursor.execute("select * from emp where id="+eid)
 row = cursor.fetchone()
 self.writeln('Employee name: ' + row["emp"]')
 ...


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.python.cross_site_scripting_persistent
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Persistent XSS (也可稱為 Stored XSS) 案例中,不可信賴的來源通常為資料庫或其他後端資料儲存區,而在 Reflected XSS 案例中,來源通常為網頁要求。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。
範例 1:以下 Ruby 程式碼片段會查詢資料庫中具有指定識別碼的員工,然後列印相對應的員工姓名。


...
rs = conn.exec_params("select * from emp where id=?", eid)
...
Rack::Response.new.finish do |res|
  ...
  rs.each do |row|
    res.write("Employee name: #{escape(row['name'])}")
    ...
  end
end
...
name 值正常運作時,此程式碼也會正常運作,但如果該值不正常運作時,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

其他類型的 XSS 可能不是來自資料庫,而是來自其他可能的使用者輸入位置。傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 2:以下 Ruby 程式碼片段會從 HTTP 要求中讀取員工識別碼 eid,並顯示給使用者。


eid = req.params['eid'] #gets request parameter 'eid'
Rack::Response.new.finish do |res|
  ...
  res.write("Employee ID: #{eid}")
end


Example 1 所述,如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是所謂的 Reflected XSS,不過請注意,如果使用Example 2 中的的 Rack::Request#params(),會同時看到 GETPOST 參數,所以可能容易受到各種類型的攻擊,而不是只會使惡意程式碼附加到 URL 而已。
如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 2 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.ruby.cross_site_scripting_persistent
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Persistent XSS (也可稱為 Stored XSS) 案例中,不可信賴的來源通常為資料庫或其他後端資料儲存區,而在 Reflected XSS 案例中,來源通常為網頁要求。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例: 以下 Play 控制項程式碼片段會從資料庫查詢中讀取員工 ID、eid,並向使用者顯示。


  def getEmployee = Action { implicit request  =>

    val employee = getEmployeeFromDB()
    val eid = employee.id

    if (employee == Null) {
        val html = Html(s"Employee ID ${eid} not found")
        Ok(html) as HTML
    }
    ...
  }
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] INJECT-3: XML and HTML generation requires care Oracle
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.scala.cross_site_scripting_persistent
Abstract
這個方法會傳送未經驗證的資料到網路瀏覽器會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1. 資料從一個不可信賴的來源進入網頁。在 Persistent XSS (也可稱為 Stored XSS) 案例中,不可信賴的來源通常為資料庫或其他後端資料儲存區,而在 Reflected XSS 案例中,來源通常為使用者元件、URL 架構處理常式或外部通知。


2. 在未對包含資料的動態內容進行驗證的情況下,便將其傳送至某個 UIWebView 元件。


傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

name 值正常運作時,此程式碼也會正常運作,但如果該值不正常運作時,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

範例 2:以下程式碼會讀取 UITextField 的內容,並在 WKWebView 中將其顯示給使用者:


...
let webView : WKWebView
let inputTextField : UITextField
webView.loadHTMLString(inputTextField.text, baseURL:nil)
...


如果 inputTextField 中的文字只包含標準英數字元,這個範例中的程式碼便會正常運作而不會有問題。如果 inputTextField 中的文字包括中繼字元或原始程式碼,那麼網路瀏覽器就會像顯示 HTTP 回應那樣,可能會將輸入當成程式碼來執行。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的裝置上提供會導致惡意程式碼執行的輸入?真正的危險在於攻擊者可能使用電子郵件或社交工程病毒誘騙受害者執行此類動作。當這樣的誘騙成功,受害者就在不知情的情況下,透過易受攻擊的 Web 應用程式,將惡意內容帶回他們自己的裝置。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 3:以下 Swift 程式碼片段會讀取自訂 URL 架構的文字部分,其會被傳遞到應用程式 (myapp://input_to_the_application) 並呼叫之。然後 URL 中不可信賴的資料便會被用來在 UIWebView 元件中攻擊 HTML 輸出。


...
func application(app: UIApplication, openURL url: NSURL, options: [String : AnyObject]) -> Bool {
    ...
    let name = getQueryStringParameter(url.absoluteString, "name")
    let html = "Hi \(name)"
    let webView = UIWebView()
    webView.loadHTMLString(html, baseURL:nil)
    ...
}
func getQueryStringParameter(url: String?, param: String) -> String? {
    if let url = url, urlComponents = NSURLComponents(string: url), queryItems = (urlComponents.queryItems as? [NSURLQueryItem]) {
        return queryItems.filter({ (item) in item.name == param }).first?.value!
    }
    return nil
}
...


如同範例中所示,XSS 的弱點是由 HTTP 內容中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 2 所述,會直接從使用者可控制的 UI 元件讀取資料,並在 HTTP 回應中傳回資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 3 所述,目標應用程式以外的來源會使用目標應用程式的自訂 URL 架構提出 URL 要求,之後來自此 URL 要求的未驗證資料會被當作信賴的資料讀回到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] MWR Labs Continued Adventures with iOS UIWebViews
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.swift.cross_site_scripting_persistent
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Persistent XSS (也可稱為 Stored XSS) 案例中,不可信賴的來源通常為資料庫或其他後端資料儲存區,而在 Reflected XSS 案例中,來源通常為網頁要求。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的 ASP 程式碼片段會在資料庫中查詢具有指定識別碼的員工,並列印相應的員工姓名。


        ...
        eid = Request("eid")
        strSQL = "Select * from emp where id=" & eid
        objADORecordSet.Open strSQL, strConnect, adOpenDynamic, adLockOptimistic, adCmdText
        while not objRec.EOF
                Response.Write "Employee Name:" & objADORecordSet("name")
                objADORecordSet.MoveNext
        Wend
        ...
name 值正常運作時,此程式碼也會正常運作,但如果該值不正常運作時,則會完全無法避免程式碼遭受攻擊。這個程式碼之所以較不危險,是因為 name 值是從資料庫中讀取的,且顯然是由應用程式管理這些值的內容。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

範例 2:以下的 ASP 程式碼片段會從 HTTP 要求中讀取員工識別碼 eid,並向使用者顯示。


	...
	eid = Request("eid")
	Response.Write "Employee ID:" & eid & "<br/>"
	..


Example 1 所述,如果 eid 只包含標準英數字元,這個程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 2 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.vb.cross_site_scripting_persistent

Cross-Site Scripting: Reflected

Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的 ABAP 程式碼片段會從 HTTP 要求中讀取員工的識別碼 eid,並將識別碼顯示給使用者。


...
eid = request->get_form_field( 'eid' ).
...
response->append_cdata( 'Employee ID: ').
response->append_cdata( eid ).
...


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下的 ABAP 程式碼片段會根據所給予的識別碼在資料庫中查詢員工,並列印該員工姓名。


...
DATA: BEGIN OF itab_employees,
        eid   TYPE employees-itm,
        name  TYPE employees-name,
      END OF itab_employees,
      itab LIKE TABLE OF itab_employees.
...
itab_employees-eid = '...'.
APPEND itab_employees TO itab.

SELECT *
  FROM employees
  INTO CORRESPONDING FIELDS OF TABLE itab_employees
  FOR ALL ENTRIES IN itab
  WHERE eid = itab-eid.
ENDSELECT.
...
response->append_cdata( 'Employee Name: ').
response->append_cdata( itab_employees-name ).
...


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] SAP OSS notes 1582870, 1582867 and related notes for ABAP XSS support
[2] SAP OSS Notes 822881, 1600317, 1640092, 1671470 and 1638779 for XSS support in BSPs
[3] Understanding Malicious Content Mitigation for Web Developers CERT
[4] HTML 4.01 Specification W3
[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[10] Standards Mapping - CIS Kubernetes Benchmark complete
[11] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[12] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[16] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[17] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[18] Standards Mapping - FIPS200 SI
[19] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[20] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[21] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[22] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[23] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[27] Standards Mapping - OWASP Top 10 2021 A03 Injection
[28] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[29] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[30] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[31] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[43] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[45] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[46] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[67] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[68] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.abap.cross_site_scripting_reflected
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下 ActionScript 程式碼片段會從 HTTP 要求中讀取員工的識別碼 eid,並將識別碼顯示給使用者。


var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var eid:String = String(params["eid"]);
...
var display:TextField = new TextField();
display.htmlText = "Employee ID: " + eid;
...


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下 ActionScript 程式碼片段會根據所給予的識別碼在資料庫中查詢員工,並列印該員工姓名。


  stmt.sqlConnection = conn;
  stmt.text = "select * from emp where id="+eid;
  stmt.execute();
  var rs:SQLResult = stmt.getResult();
  if (null != rs) {
    var name:String = String(rs.data[0]);
    var display:TextField = new TextField();
    display.htmlText = "Employee Name: " + name;
  }


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.actionscript.cross_site_scripting_reflected
Abstract
將未經驗證的資料傳送到網頁瀏覽器可能會導致執行惡意程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1. 資料從一個不可信賴的來源進入 Web 應用程式。如果是 Reflected XSS,不可信賴的來源大多為 Web 要求;如果是 Persistent XSS (也可稱為 Stored XSS),來源大多為資料庫查詢結果。

2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

惡意內容通常為 JavaScript 程式碼片段,但也可以是 HTML、Flash 或瀏覽器可執行的任何其他作用中內容。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。


範例 1:以下 Visualforce 程式碼片段會讀取 HTTP 要求參數 username,並向使用者顯示。


<script>
document.write('{!$CurrentPage.parameters.username}')
</script>


此範例中的程式碼旨在僅接收英數文字並加以顯示。但是,如果 username 包含中繼字元或來源程式碼,則會由網頁瀏覽器執行。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下 Apex 程式碼片段會在資料庫中查詢具有指定 ID 的聯絡人名稱並傳回對應的員工姓名 (之後由 Visualforce 程式碼進行列印)。


...
variable = Database.query('SELECT Name FROM Contact WHERE id = ID');
...

<div onclick="this.innerHTML='Hello {!variable}'">Click me!</div>


Example 1 所述,對 name 的值進行明確界定時 (例如,僅英數字元),此程式碼會正常運作,但無法檢查惡意資料。即使該值讀取自資料庫,也應該對其進行適當驗證,因為資料庫的內容可能源自於使用者提供的資料。這樣一來,攻擊者可以在使用者的網頁瀏覽器中執行惡意指令,而無需與受害者進行互動 (類似於 Reflected XSS)。此類攻擊稱為 Stored XSS (或 Persistent XSS),可能非常難以偵測,因為資料是以間接方式提供給易受攻擊的函數,並且由於影響多個使用者的可能性,此類攻擊的影響會更強烈。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。有兩種途徑可執行 XSS 攻擊:

- 如 Example 1 所述,會從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者將危險內容傳遞至易受攻擊的 Web 應用程式,然後回傳給使用者並透過其瀏覽器執行時,會出現 Reflected XSS。傳遞惡意內容最常用的機制就是,將惡意內容當作參數包含在公開發佈的 URL 中,或者以電子郵件方式直接傳送給受害者。透過此方式修改的 URL 是許多釣魚架構的核心,其中攻擊者會誘騙受害者造訪該 URL。當網站回傳內容給使用者後便會加以執行,並且可執行多個動作,例如轉送隱私、敏感的資訊、在受害者電腦上執行未經授權的作業等。

- 如 Example 2 所述,資料庫或其他資料儲存區會向應用程式提供將包含在動態內容中的危險資料。從攻擊者的角度來看,儲存惡意內容的最佳位置是可供所有使用者 (尤其是擁有較高權限的使用者) 存取的區域,這些使用者更有可能會處理敏感資訊或執行關鍵作業。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Salesforce Developers Technical Library Secure Coding Guidelines - Cross Site Scripting
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.apex.cross_site_scripting_reflected
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下 ASP.NET 網頁表單會從 HTTP 要求讀取員工識別碼,然後顯示給使用者。

<script runat="server">
...
EmployeeID.Text = Login.Text;
...
</script>


其中,LoginEmployeeID 是定義如下的表單控制項:


<form runat="server">
   <asp:TextBox runat="server" id="Login"/>
   ...
   <asp:Label runat="server" id="EmployeeID"/>
</form>
範例 2:以下的 ASP.NET 程式碼片段會示範以程式設計方式來實作 Example 1

protected System.Web.UI.WebControls.TextBox Login;
protected System.Web.UI.WebControls.Label EmployeeID;
...
EmployeeID.Text = Login.Text;


如果 Login 只包含標準英數字元,則這些範例中的程式碼都會正確地運作。如果 Login 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL? 真正的危險是攻擊者會建立惡意的 URL,然後使用電子郵件或社交工程技倆來誘騙受害者按下連結。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 3:以下的 ASP.NET 網頁表單使用指定的員工識別碼向資料庫查詢員工,並列印出與識別碼相對應的名字。

<script runat="server">
...
string query = "select * from emp where id=" + eid;
sda = new SqlDataAdapter(query, conn);
DataTable dt = new DataTable();
sda.Fill(dt);
string name = dt.Rows[0]["Name"];
...
EmployeeName.Text = name;
</script>


其中,EmployeeName 是定義如下的表單控制項:


<form runat="server">
   ...
   <asp:Label id="EmployeeName" runat="server">
   ...
</form>
範例 4:以下 ASP.NET 程式碼片段的功能與之前的 Example 3 相當,不過卻是以程式設計方式來實作所有的表單元素。

protected System.Web.UI.WebControls.Label EmployeeName;
...
string query = "select * from emp where id=" + eid;
sda = new SqlDataAdapter(query, conn);
DataTable dt = new DataTable();
sda.Fill(dt);
string name = dt.Rows[0]["Name"];
...
EmployeeName.Text = name;


Example 1Example 2 所述,name 值正常運作時,這些程式碼範例便會正確執行,不然就會完全無法避免攻擊。此外,這些程式碼之所以較不危險,是因為 name 值是從資料庫中讀取的,其內容顯然都由應用程式管理。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1Example 2 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 3Example 4 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。

有許多現代的 Web 架構提供執行使用者輸入驗證的機制 (包括 ASP.NET 要求驗證和 WCF)。為了突顯未驗證的輸入來源,Fortify 安全編碼檢查規則會降低 Fortify Static Code Analyzer 所報告之問題的攻擊可能性,並在使用框架驗證機制時提供支援證據的指標,以動態重新排列其優先順序。如果是 ASP.NET 要求驗證,我們也會針對何時明確停用驗證提供證據。我們將此功能稱為「內容相關性排名」。為了進一步協助 Fortify 使用者進行稽核程序,Fortify Software 安全研發團隊提供了資料驗證專案範本,該範本會依據套用到其輸入來源的驗證機制,按資料夾對問題進行分組。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Anti-Cross Site Scripting Library MSDN
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.dotnet.cross_site_scripting_reflected
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。

2. 在未對包含資料的動態內容進行驗證的情況下,便將其傳送至某個網路瀏覽器。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1: 以下的程式碼片段在 HTML 表單中讀取員工的識別碼 EID,並顯示給使用者。 


...
EXEC CICS
  WEB READ
  FORMFIELD(ID)
  VALUE(EID)
  ...
END-EXEC.

EXEC CICS
  WEB SEND
  FROM(EID)
  ...
END-EXEC.
...


如果 EID 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 EID 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2: 以下的程式碼片段,根據所給予的識別碼在資料庫中查詢員工,並列印該員工姓名。


...
EXEC SQL
  SELECT NAME
  INTO :ENAME
  FROM EMPLOYEE
  WHERE ID = :EID
END-EXEC.

EXEC CICS
  WEB SEND
  FROM(ENAME)
  ...
END-EXEC.
...


Example 1 所述,ENAME 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 ENAME 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 ENAME 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這種類型的攻擊,被稱作 Stored XSS,是特別狡詐的,因為間接的資料儲存方式使得該威脅難以辨別,而且提高了該攻擊會影響到多個使用者的可能性。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTML 表單中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。當攻擊者有以下情況時,Stored XSS 攻擊就會出現:

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.cobol.cross_site_scripting_reflected
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1: 以下的 CFML 程式碼片段,會從網路表單中讀取員工識別碼 eid,並將其顯示給使用者。 


<cfoutput>
Employee ID: #Form.eid#
</cfoutput>


如果 Form.eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 Form.eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2: 以下的 CFML 程式碼片段,根據提供的員工識別碼來查詢資料庫,並列印出該員工的相應姓名。

 
<cfquery name="matchingEmployees" datasource="cfsnippets">
  SELECT name
  FROM Employees 
  WHERE eid = '#Form.eid#'
</cfquery>
<cfoutput>
Employee Name: #name#
</cfoutput>


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] ColdFusion Developer Center: Security Macromedia
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.cfml.cross_site_scripting_reflected
Abstract
傳送未經驗證的資料至網頁瀏覽器,會導致瀏覽器執行惡意程式碼。
Explanation
Cross-Site Scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。

2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。


範例 1:以下 Go 程式碼片段會從 HTTP 要求中讀取使用者名稱 user,並向使用者顯示。

func someHandler(w http.ResponseWriter, r *http.Request){
  r.parseForm()
  user := r.FormValue("user")
  ...
  fmt.Fprintln(w, "Username is: ", user)
}


如果 user 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 user 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下 Go 程式碼片段會查詢資料庫中具有指定 ID 的員工,然後列印相對應的員工姓名。

func someHandler(w http.ResponseWriter, r *http.Request){
  ...
  row := db.QueryRow("SELECT name FROM users WHERE id =" + userid)
  err := row.Scan(&name)
  ...
  fmt.Fprintln(w, "Username is: ", name)
}


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果沒有對所有儲存在資料庫中的資料進行適當的輸入驗證,那麼攻擊者即可在使用者的網頁瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其極其隱蔽,會因為間接的資料儲存方式而難以辨別該威脅,並會提高影響多個使用者的可能性。XSS 弱點會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所示,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由網頁瀏覽器執行時,就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所示,應用程式會將危險資料儲存在資料庫或其他可信任的資料存放區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者執行需要權限許可的操作,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料存放區中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.golang.cross_site_scripting_reflected
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下 JSP 程式碼片段會從 HTTP 要求中讀取員工識別碼 eid,並將其向使用者顯示。


<% String eid = request.getParameter("eid"); %>
...
Employee ID: <%= eid %>


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下 JSP 程式碼片段會在資料庫中查詢具有指定識別碼的員工,並列印相應的員工姓名。


<%...
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("select * from emp where id="+eid);
if (rs != null) {
   rs.next();
   String name = rs.getString("name");
}
%>

Employee Name: <%= name %>


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

有人認為在行動環境中,典型的 Web 應用程式弱點 (例如跨網站指令碼) 不會產生影響,因為使用者為何會攻擊自己呢?但是請謹記,行動平台的本質是從多種來源下載,並在相同裝置上一起執行的應用程式。在金融應用程式旁執行惡意程式碼的可能性很高,這必然會擴大行動應用程式的受攻擊面,將程序之間的通訊包括在內。

範例 3:以下程式碼會在 Android 的 WebView 中啟用 JavaScript (預設狀況下停用 JavaScript),並根據從 Android 用意接收的值載入頁面。


...
	WebView webview = (WebView) findViewById(R.id.webview);
  	webview.getSettings().setJavaScriptEnabled(true);
        String url = this.getIntent().getExtras().getString("url");
        webview.loadUrl(url);
...


url 的值以 javascript: 開頭,隨後的 JavaScript 程式碼將在網頁範圍中的 WebView 內執行。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 3 所述,應用程式以外的來源會在資料庫或是其他資料儲存區中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。

有許多現代的 Web 架構提供執行使用者輸入驗證的機制 (包括 Struts 和 Struts 2)。為了突顯未驗證的輸入來源,Fortify 安全編碼檢查規則會降低 Fortify Static Code Analyzer 所報告之問題的攻擊可能性,並在使用框架驗證機制時提供支援證據的指標,以動態重新排列其優先順序。我們將此功能稱為「內容相關性排名」。為了進一步協助 Fortify 使用者進行稽核程序,Fortify Software 安全研發團隊提供了資料驗證專案範本,該範本會依據套用到其輸入來源的驗證機制,按資料夾對問題進行分組。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Attacks on WebView in the Android System
[4] Erika Chin and David Wagner Bifocals: Analyzing WebView Vulnerabilities in Android Applications
[5] INJECT-3: XML and HTML generation requires care Oracle
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[11] Standards Mapping - CIS Kubernetes Benchmark complete
[12] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[13] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[16] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[17] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[18] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[19] Standards Mapping - FIPS200 SI
[20] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[21] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[22] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[23] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[24] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[27] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[28] Standards Mapping - OWASP Top 10 2021 A03 Injection
[29] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[30] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[31] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[32] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[40] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[43] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[44] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[45] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[46] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[47] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[67] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[68] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[69] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.java.cross_site_scripting_reflected
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下 Node.js 程式碼片段會在 HTTP 要求中讀取員工識別碼 eid,並顯示給使用者。


var http = require('http');
var url = require('url');

...

function listener(request, response){
  var eid = url.parse(request.url, true)['query']['eid'];
  if (eid !== undefined){
    response.write('<p>Welcome, ' + eid + '!</p>');
  }
  ...
}
...
http.createServer(listener).listen(8080);


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下 Node.js 程式碼片段會根據所給予的識別碼在資料庫中查詢員工,並列印對應員工的姓名。


var http = require('http');
...

function listener(request, response){
  connection.query('SELECT * FROM emp WHERE eid="' + eid + '"', function(err, rows){
    if (!err && rows.length > 0){
      response.write('<p>Welcome, ' + rows[0].name + '!</p>');
    }
    ...
  });
  ...
}
...
http.createServer(listener).listen(8080);


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.javascript.cross_site_scripting_reflected
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-Site Scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料存放區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下程式碼會從 HTTP servlet 要求讀取員工識別碼 eid,然後在 servlet 的回應中向使用者顯示其值。


val eid: String = request.getParameter("eid")
...
val out: ServletOutputStream = response.getOutputStream()
out.print("Employee ID: $eid")
...
out.close()
...


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下的程式碼片段,會根據所給予的識別碼在資料庫中查詢員工,並在 servlet 的回應中列印對應的員工姓名。


val stmt: Statement = conn.createStatement()
val rs: ResultSet = stmt.executeQuery("select * from emp where id=$eid")
rs.next()
val name: String = rs.getString("name")
...
val out: ServletOutputStream = response.getOutputStream()
out.print("Employee Name: $name")
...
out.close()
...


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

有人認為在行動環境中,典型的 Web 應用程式弱點 (例如跨網站指令碼) 不會產生影響,因為使用者為何會攻擊自己呢?但是請謹記,行動平台的本質是從多種來源下載,並在相同裝置上一起執行的應用程式。在金融應用程式旁執行惡意程式碼的可能性很高,這必然會擴大行動應用程式的受攻擊面,將程序之間的通訊包括在內。

範例 3:以下程式碼會在 Android 的 WebView 中啟用 JavaScript (JavaScript 預設為停用),並根據從 Android 用意接收的值載入頁面。


...
        val webview = findViewById<View>(R.id.webview) as WebView
        webview.settings.javaScriptEnabled = true
        val url = this.intent.extras!!.getString("url")
        webview.loadUrl(url)
...


url 的值以 javascript: 開頭,隨後的 JavaScript 程式碼將在網頁範圍中的 WebView 內執行。

如同範例中所示,XSS 弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 3 所述,應用程式以外的來源會在資料庫或是其他資料儲存區中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。


有許多現代的 Web 架構提供執行使用者輸入驗證的機制 (包括 Struts 和 Spring MVC)。為了突顯未驗證的輸入來源,Fortify 安全編碼檢查規則會降低 Fortify Static Code Analyzer 所報告之問題的攻擊可能性,並在使用框架驗證機制時提供支援證據的指標,以動態重新排列其優先順序。我們將此功能稱為「內容相關性排名」。為了進一步協助 Fortify 使用者進行稽核程序,Fortify Software 安全研發團隊提供了資料驗證專案範本,該範本會依據套用到其輸入來源的驗證機制,按資料夾對問題進行分組。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Attacks on WebView in the Android System
[4] Erika Chin and David Wagner Bifocals: Analyzing WebView Vulnerabilities in Android Applications
[5] INJECT-3: XML and HTML generation requires care Oracle
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[11] Standards Mapping - CIS Kubernetes Benchmark complete
[12] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[13] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[16] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[17] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[18] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[19] Standards Mapping - FIPS200 SI
[20] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[21] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[22] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[23] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[24] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[27] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[28] Standards Mapping - OWASP Top 10 2021 A03 Injection
[29] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[30] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[31] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[32] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[40] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[43] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[44] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[45] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[46] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[47] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[67] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[68] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[69] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.kotlin.cross_site_scripting_reflected
Abstract
這個方法會傳送未經驗證的資料到網路瀏覽器會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1. 資料從一個不可信賴的來源進入網頁。在 Reflected XSS 案例中,不可信賴的來源通常為使用者元件、URL 架構處理常式或通知,而在 Persistent XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2. 在未對包含資料的動態內容進行驗證的情況下,便將其傳送至某個 UIWebView 元件。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。


範例 1:以下 Objective-C 程式碼片段會讀取自訂 URL 架構的文字部份,其會被傳送至應用程式 (myapp://input_to_the_application) 並呼叫之。然後 URL 中不可信賴的資料便會被用來在 UIWebView 元件中攻擊 HTML 輸出。


- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {

    UIWebView *webView;
    NSString *partAfterSlashSlash = [[url host] stringByReplacingPercentEscapesUsingEncoding:NSUTF8StringEncoding];
    webView = [[UIWebView alloc] initWithFrame:CGRectMake(0.0,0.0,360.0, 480.0)];
    [webView loadHTMLString:partAfterSlashSlash baseURL:nil]

...


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 內容中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從自訂 URL 架構讀取資料,並反映於 UIWebView 回應內容中。當攻擊者誘使使用者提供危險內容給易受攻擊的 iOS 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的自訂架構 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊應用程式的 URL。應用程式將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含工作階段資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] MWR Labs Continued Adventures with iOS UIWebViews
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.objc.cross_site_scripting_reflected
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下 PHP 程式碼片段會從 HTTP 要求中讀取員工 ID eid,並將 ID 顯示給使用者。


<?php
	$eid = $_GET['eid'];
	...
?>
...
<?php
	echo "Employee ID: $eid";
?>


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下的 PHP 程式碼片段,根據提供的員工識別碼來查詢資料庫,並列印出該員工的相應姓名。


<?php...
 $con = mysql_connect($server,$user,$password);
 ...
 $result = mysql_query("select * from emp where id="+eid);
 $row = mysql_fetch_array($result)
 echo 'Employee name: ', mysql_result($row,0,'name');
 ...
?>


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.php.cross_site_scripting_reflected
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下程式碼片段會從 HTTP 要求中讀取員工識別碼 eid,並向使用者顯示。


...
-- Assume QUERY_STRING looks like EID=EmployeeID
eid := SUBSTR(OWA_UTIL.get_cgi_env('QUERY_STRING'), 5);
HTP.htmlOpen;
  HTP.headOpen;
    HTP.title ('Employee Information');
  HTP.headClose;
  HTP.bodyOpen;
    HTP.br;
    HTP.print('Employee ID: ' || eid || '');
    HTP.br;
  HTP.bodyClose;
HTP.htmlClose;
...


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下程式碼片段會在資料庫中查詢具有指定識別碼的員工,並列印相應的員工姓名。


...
SELECT ename INTO name FROM emp WHERE id = eid;
HTP.htmlOpen;
  HTP.headOpen;
    HTP.title ('Employee Information');
  HTP.headClose;
  HTP.bodyOpen;
    HTP.br;
    HTP.print('Employee Name: ' || name || '');
    HTP.br;
  HTP.bodyClose;
HTP.htmlClose;
...


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.sql.cross_site_scripting_reflected
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site Scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的 Python 程式碼片段在 HTTP 要求中讀取員工的識別碼 eid,並顯示給使用者。


	req = self.request()  # fetch the request object
        eid = req.field('eid',None) # tainted request message
	...
	self.writeln("Employee ID:" + eid)


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下的 Python 程式碼片段,根據所給予的識別碼在資料庫中查詢員工,並列印該員工姓名。


 ...
 cursor.execute("select * from emp where id="+eid)
 row = cursor.fetchone()
 self.writeln('Employee name: ' + row["emp"]')
 ...


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.python.cross_site_scripting_reflected
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下 Ruby 程式碼片段會從 HTTP 要求中讀取員工識別碼 eid,並顯示給使用者。


eid = req.params['eid'] #gets request parameter 'eid'
Rack::Response.new.finish do |res|
  ...
  res.write("Employee ID: #{eid}")
end


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是所謂的 Reflected XSS,不過請注意,如果使用Example 1 中的的 Rack::Request#params(),會同時看到 GETPOST 參數,所以可能容易受到各種類型的攻擊,而不是只會使惡意程式碼附加到 URL 而已。

範例 2:以下 Ruby 程式碼片段會查詢資料庫中具有指定識別碼的員工,然後列印相對應的員工姓名。


...
rs = conn.exec_params("select * from emp where id=?", eid)
...
Rack::Response.new.finish do |res|
  ...
  rs.each do |row|
    res.write("Employee name: #{escape(row['name'])}")
    ...
  end
end
...


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.ruby.cross_site_scripting_reflected
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下 Play 控制項程式碼片段會從 HTTP 要求中讀取員工 ID eid,並向使用者顯示。


  def getEmployee = Action { implicit request  =>
    val eid = request.getQueryString("eid")

    val employee = getEmployee(eid)

    if (employee == Null) {
        val html = Html(s"Employee ID ${eid} not found")
        Ok(html) as HTML
    }
    ...
  }


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Attacks on WebView in the Android System
[4] Erika Chin and David Wagner Bifocals: Analyzing WebView Vulnerabilities in Android Applications
[5] INJECT-3: XML and HTML generation requires care Oracle
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[11] Standards Mapping - CIS Kubernetes Benchmark complete
[12] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[13] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[16] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[17] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[18] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[19] Standards Mapping - FIPS200 SI
[20] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[21] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[22] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[23] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[24] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[27] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[28] Standards Mapping - OWASP Top 10 2021 A03 Injection
[29] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[30] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[31] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[32] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[40] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[43] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[44] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[45] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[46] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[47] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[67] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[68] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[69] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.scala.cross_site_scripting_reflected
Abstract
這個方法會傳送未經驗證的資料到網路瀏覽器會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1. 資料從一個不可信賴的來源進入網頁。在 Reflected XSS 案例中,不可信賴的來源通常為使用者元件、URL 架構處理常式或通知,而在 Persistent XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2. 在未對包含資料的動態內容進行驗證的情況下,便將其傳送至 WKWebView 元件。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下程式碼會讀取 UITextField 的內容,並在 WKWebView 中將其顯示給使用者:


...
let webView : WKWebView
let inputTextField : UITextField
webView.loadHTMLString(inputTextField.text, baseURL:nil)
...


如果 inputTextField 中的文字只包含標準英數字元,這個範例中的程式碼便會正常運作而不會有問題。如果 inputTextField 中的文字包括中繼字元或原始程式碼,那麼網路瀏覽器就會像顯示 HTTP 回應那樣,可能會將輸入當成程式碼來執行。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的裝置上提供會導致惡意程式碼執行的輸入?真正的危險在於攻擊者可能使用電子郵件或社交工程病毒誘騙受害者執行此類動作。當這樣的誘騙成功,受害者就在不知情的情況下,透過易受攻擊的 Web 應用程式,將惡意內容帶回他們自己的裝置。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下 Swift 程式碼片段會讀取自訂 URL 架構的文字部分,其會被傳遞到應用程式 (myapp://input_to_the_application) 並呼叫之。然後 URL 中不可信賴的資料便會被用來在 UIWebView 元件中攻擊 HTML 輸出。


func application(app: UIApplication, openURL url: NSURL, options: [String : AnyObject]) -> Bool {
    ...
    let name = getQueryStringParameter(url.absoluteString, "name")
    let html = "Hi \(name)"
    let webView = UIWebView()
    webView.loadHTMLString(html, baseURL:nil)
    ...
}
func getQueryStringParameter(url: String?, param: String) -> String? {
    if let url = url, urlComponents = NSURLComponents(string: url), queryItems = (urlComponents.queryItems as? [NSURLQueryItem]) {
        return queryItems.filter({ (item) in item.name == param }).first?.value!
    }
    return nil
}


Example 2 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 內容中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從使用者可控制的 UI 元件讀取資料,並在 HTTP 回應中傳回資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,目標應用程式以外的來源會使用目標應用程式的自訂 URL 架構提出 URL 要求,之後來自此 URL 要求的未驗證資料會被當作信賴的資料讀回到應用程式,並會包含在動態內容中。

- 如 Example 3 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] MWR Labs Continued Adventures with iOS UIWebViews
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.swift.cross_site_scripting_reflected
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的 ASP 程式碼片段會從 HTTP 要求中讀取員工識別碼 eid,並向使用者顯示。


	...
	eid = Request("eid")
	Response.Write "Employee ID:" & eid & "<br/>"
	..


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下的 ASP 程式碼片段會在資料庫中查詢具有指定識別碼的員工,並列印相應的員工姓名。


	...
	eid = Request("eid")
	strSQL = "Select * from emp where id=" & eid
	objADORecordSet.Open strSQL, strConnect, adOpenDynamic, adLockOptimistic, adCmdText
	while not objRec.EOF
		Response.Write "Employee Name:" & objADORecordSet("name")
		objADORecordSet.MoveNext
	Wend
	...


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.vb.cross_site_scripting_reflected

Cross-Site Scripting: Poor Validation

Abstract
如果依賴 HTML、XML 和其他類型的編碼來驗證使用者輸入,可能會導致瀏覽器執行惡意程式碼。
Explanation
使用特定編碼函數模組 (例如 cl_http_utility=>escape_html) 可防止部分,但不是所有的 Cross-Site Scripting 攻擊。根據資料出現的內容,以 HTML 編碼的基本 <、>、& 和 ",以及以 XML 編碼的 <、>、&、" 和 ' 以外的字元,可能會有中繼意義。依賴類似編碼函數模組等同於使用安全性較差的拒絕清單來防止 Cross-Site Scripting 攻擊,並且可能會允許攻擊者插入隨後會在瀏覽器中執行的惡意程式碼。因為並非隨時都可以準確識別其中靜態顯示資料的內容,所以即使套用編碼,Fortify Secure Coding Rulepack 還是會報告 Cross-Site Scripting 發現,並將其顯示為 Cross-Site Scripting: Poor Validation 問題。

Cross-site scripting (XSS) 弱點會在以下情況中出現:

1. 資料從一個不可信賴的來源進入 Web 應用程式。如果是 Reflected XSS,不可信賴的來源大多為 Web 要求;如果是 Persistent XSS (也可稱為 Stored XSS),來源大多為資料庫查詢結果。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的 ABAP 程式碼片段在 HTTP 要求中讀取員工的識別碼 eid,使用 HTML 加以編碼並顯示給使用者。


...
eid = request->get_form_field( 'eid' ).
...
CALL METHOD cl_http_utility=>escape_html
  EXPORTING
    UNESCAPED = eid
    KEEP_NUM_CHAR_REF = '-'
  RECEIVING
    ESCAPED = e_eid.
...
response->append_cdata( 'Employee ID: ').
response->append_cdata( e_eid ).
...


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下的 ABAP 程式碼片段會在資料庫中查詢具有所指定識別碼的員工,並列印相應 HTML 編碼的員工姓名。


...
DATA: BEGIN OF itab_employees,
        eid   TYPE employees-itm,
        name  TYPE employees-name,
      END OF itab_employees,
      itab LIKE TABLE OF itab_employees.
...
itab_employees-eid = '...'.
APPEND itab_employees TO itab.

SELECT *
  FROM employees
  INTO CORRESPONDING FIELDS OF TABLE itab_employees
  FOR ALL ENTRIES IN itab
  WHERE eid = itab-eid.
ENDSELECT.
...
CALL METHOD cl_http_utility=>escape_html
  EXPORTING
    UNESCAPED = itab_employees-name
    KEEP_NUM_CHAR_REF = '-'
  RECEIVING
    ESCAPED = e_name.
...
response->append_cdata( 'Employee Name: ').
response->append_cdata( e_name ).
...


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] SAP OSS notes 1582870, 1582867 and related notes for ABAP XSS support
[2] SAP OSS Notes 822881, 1600317, 1640092, 1671470 and 1638779 for XSS support in BSPs
[3] Understanding Malicious Content Mitigation for Web Developers CERT
[4] HTML 4.01 Specification W3
[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[10] Standards Mapping - CIS Kubernetes Benchmark complete
[11] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[12] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[16] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[17] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[18] Standards Mapping - FIPS200 SI
[19] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[20] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[21] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[22] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[23] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[27] Standards Mapping - OWASP Top 10 2021 A03 Injection
[28] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[29] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[30] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[31] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[43] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.abap.cross_site_scripting_poor_validation
Abstract
如果依賴 HTML、XML 和其他類型的編碼來驗證使用者輸入,可能會導致瀏覽器執行惡意程式碼。
Explanation
使用特定編碼功能可防止部分,但不是所有的 Cross-Site Scripting 攻擊。根據資料出現的內容,以 HTML 編碼的基本 <、>、& 和 ",以及以 XML 編碼的 <、>、&、" 和 ' 以外的字元,可能會有中繼意義。依賴這類編碼功能等同於使用安全性較差的拒絕清單來防止 Cross-Site Scripting 攻擊,並且可能會允許攻擊者插入隨後會在瀏覽器中執行的惡意程式碼。因為並非隨時都可以準確識別其中靜態顯示資料的內容,所以即使套用編碼,Fortify Secure Coding Rulepack 還是會報告 Cross-Site Scripting 發現,並將其顯示為 Cross-Site Scripting: Poor Validation 問題。

Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的 ActionScript 程式碼片段在 HTTP 要求中讀取員工的識別碼 eid,使用 HTML 加以編碼並顯示給使用者。


var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var eid:String = String(params["eid"]);
...
var display:TextField = new TextField();
display.htmlText = "Employee ID: " + escape(eid);
...


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下的 ActionScript 程式碼片段會在資料庫中查詢具有所指定識別碼的員工,並列印相應 HTML 編碼的員工姓名。


  stmt.sqlConnection = conn;
  stmt.text = "select * from emp where id="+eid;
  stmt.execute();
  var rs:SQLResult = stmt.getResult();
  if (null != rs) {
    var name:String = String(rs.data[0]);
    var display:TextField = new TextField();
    display.htmlText = "Employee Name: " + escape(name);
  }


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[64] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.actionscript.cross_site_scripting_poor_validation
Abstract
將未經驗證的資料傳送到網頁瀏覽器可能會導致執行惡意程式碼。
Explanation
由於在使用者提供的資料與網頁瀏覽器解析器之間存在大量可能的互動,因此並非始終都能適當地評估套用的編碼是否足以防範 XSS 弱點。因此,即使套用編碼,並以 Cross-site scripting 來加以顯示,Fortify Static Code Analyzer 還是會報告 Cross-site scripting 發現:Poor Validation 問題。

Cross-site scripting (XSS) 弱點會在以下情況中出現:

1. 資料從一個不可信賴的來源進入 Web 應用程式。如果是 Reflected XSS,不可信賴的來源大多為 Web 要求;如果是 Persistent XSS (也可稱為 Stored XSS),來源大多為資料庫查詢結果。

2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

惡意內容通常為 JavaScript 程式碼片段,但也可以是 HTML、Flash 或瀏覽器可執行的任何其他作用中內容。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下 Apex 程式碼片段會在資料庫中查詢具有指定 ID 的聯絡人名稱並傳回對應的員工姓名 (之後由 Visualforce 程式碼進行列印)。


...
variable = Database.query('SELECT Name FROM Contact WHERE id = ID');
...

<div onclick="this.innerHTML='Hello {!HTMLENCODE(variable)}'">Click me!</div>


儘管使用 HTMLENCODE,此程式碼也不會適當驗證資料庫所提供的資料,並且容易遭到 XSS 攻擊。發生這種情況的原因是,variable 內容由不同機制 (HTML 和 Javascript 解析器) 剖析,因此必須進行兩次編碼。這樣一來,攻擊者可以在使用者的網頁瀏覽器中執行惡意指令,而無需與受害者進行互動 (類似於 Reflected XSS)。此類攻擊稱為 Stored XSS (或 Persistent XSS),可能非常難以偵測,因為資料是以間接方式提供給易受攻擊的函數,並且由於影響多個使用者的可能性,此類攻擊的影響會更強烈。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

範例 2:以下 Visualforce 程式碼片段會讀取 HTTP 要求參數 username,並向使用者顯示。


<script>
document.write('{!HTMLENCODE($CurrentPage.parameters.username)}')
</script>


此範例中的程式碼旨在僅接收英數文字並加以顯示。但是,如果 username 包含中繼字元或來源程式碼,則會由網頁瀏覽器執行。此外,在此範例中,使用 HTMLENCODE 不足以避免 XSS 攻擊,因為變數由 Javascript 解析器進行處理。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。有兩種途徑可執行 XSS 攻擊:

- 如 Example 1 所述,資料庫或其他資料儲存區會向應用程式提供將包含在動態內容中的危險資料。從攻擊者的角度來看,儲存惡意內容的最佳位置是可供所有使用者 (尤其是擁有較高權限的使用者) 存取的區域,這些使用者更有可能會處理敏感資訊或執行關鍵作業。

- 如 Example 2 所述,會從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者將危險內容傳遞至易受攻擊的 Web 應用程式,然後回傳給使用者並透過其瀏覽器執行時,會出現 Reflected XSS。傳遞惡意內容最常用的機制就是,將惡意內容當作參數包含在公開發佈的 URL 中,或者以電子郵件方式直接傳送給受害者。透過此方式修改的 URL 是許多釣魚架構的核心,其中攻擊者會誘騙受害者造訪該 URL。當網站回傳內容給使用者後便會加以執行,並且可執行多個動作,例如轉送隱私、敏感的資訊、在受害者電腦上執行未經授權的作業等。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Salesforce Developers Technical Library Secure Coding Guidelines - Cross Site Scripting
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[64] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[65] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.apex.cross_site_scripting_poor_validation
Abstract
如果依賴 HTML、XML 和其他類型的編碼來驗證使用者輸入,可能會導致瀏覽器執行惡意程式碼。
Explanation
使用特定編碼功能可防止部分,但不是所有的 Cross-Site Scripting 攻擊。根據資料出現的內容,以 HTML 編碼的基本 <、>、& 和 ",以及以 XML 編碼的 <、>、&、" 和 ' 以外的字元,可能會有中繼意義。依賴這類編碼功能等同於使用安全性較差的拒絕清單來防止 Cross-Site Scripting 攻擊,並且可能會允許攻擊者插入隨後會在瀏覽器中執行的惡意程式碼。因為並非隨時都可以準確識別其中靜態顯示資料的內容,所以即使套用編碼,Fortify Secure Coding Rulepack 還是會報告 Cross-Site Scripting 發現,並將其顯示為 Cross-Site Scripting: Poor Validation 問題。

Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的 ASP.NET 程式碼片段會從 HTTP 要求中讀取員工的識別碼,使用 HTML 加以編碼,並將識別碼顯示給使用者。

<script runat="server">
...
EmployeeID.Text = Server.HtmlEncode(Login.Text);
...
</script>


其中,LoginEmployeeID 是定義如下的表單控制項:


<form runat="server">
   <asp:TextBox runat="server" id="Login"/>
   ...
   <asp:Label runat="server" id="EmployeeID"/>
</form>
範例 2:以下的 ASP.NET 程式碼片段執行了與 Example 1 相同的功能,只不過是以程式設計方式進行。

protected System.Web.UI.WebControls.TextBox Login;
protected System.Web.UI.WebControls.Label EmployeeID;
...
EmployeeID.Text = Server.HtmlEncode(Login.Text);


如果 Login 只包含標準英數字元,則這些範例中的程式碼都會正確地執行。如果 Login 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL? 真正的危險是攻擊者會建立惡意的 URL,然後使用電子郵件或社交工程技倆來誘騙受害者按下連結。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 3:以下的 ASP.NET 程式碼片段使用員工的識別碼來查詢員工資料庫,並列印出與識別碼相對應的 HTML 編碼名字。

<script runat="server">
...
string query = "select * from emp where id=" + eid;
sda = new SqlDataAdapter(query, conn);
DataTable dt = new DataTable();
sda.Fill(dt);
string name = dt.Rows[0]["Name"];
...
EmployeeName.Text = Server.HtmlEncode(name);
</script>


其中,EmployeeName 是定義如下的表單控制項:


<form runat="server">
   ...
   <asp:Label id="EmployeeName" runat="server">
   ...
</form>
範例 4:同樣的,以下 ASP.NET 程式碼片段的功能與之前的 Example 3 相當,不過卻是以程式設計方式來實作所有的表單元素。

protected System.Web.UI.WebControls.Label EmployeeName;
...
string query = "select * from emp where id=" + eid;
sda = new SqlDataAdapter(query, conn);
DataTable dt = new DataTable();
sda.Fill(dt);
string name = dt.Rows[0]["Name"];
...
EmployeeName.Text = Server.HtmlEncode(name);


Example 1Example 2 所述,name 值正常運作時,這些程式碼便會正確執行,不然就會完全無法避免攻擊。此外,這些程式碼範例之所以較不危險,是因為 name 值是從資料庫中讀取的,其內容顯然都由應用程式管理。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1Example 2 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 3Example 4 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。

有許多現代的 Web 架構提供執行使用者輸入驗證的機制 (包括 ASP.NET 要求驗證和 WCF)。為了突顯未驗證的輸入來源,Fortify 安全編碼檢查規則會降低 Fortify Static Code Analyzer 所報告之問題的攻擊可能性,並在使用框架驗證機制時提供支援證據的指標,以動態重新排列其優先順序。如果是 ASP.NET 要求驗證,我們也會針對何時明確停用驗證提供證據。我們將此功能稱為「內容相關性排名」。為了進一步協助 Fortify 使用者進行稽核程序,Fortify Software 安全研發團隊提供了資料驗證專案範本,該範本會依據套用到其輸入來源的驗證機制,按資料夾對問題進行分組。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Anti-Cross Site Scripting Library MSDN
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[64] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[65] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.dotnet.cross_site_scripting_poor_validation
Abstract
如果依賴 HTML、XML 和其他類型的編碼來驗證使用者輸入,可能會導致瀏覽器執行惡意程式碼。
Explanation
使用特定編碼功能可防止部分,但不是所有的 Cross-Site Scripting 攻擊。根據資料出現的內容,以 HTML 編碼的基本 <、>、& 和 ",以及以 XML 編碼的 <、>、&、" 和 ' 以外的字元,可能會有中繼意義。依賴這類編碼功能等同於使用安全性較差的拒絕清單來防止 Cross-Site Scripting 攻擊,並且可能會允許攻擊者插入隨後會在瀏覽器中執行的惡意程式碼。因為並非隨時都可以準確識別其中靜態顯示資料的內容,所以即使套用編碼,Fortify Secure Coding Rulepack 還是會報告 Cross-Site Scripting 發現,並將其顯示為 Cross-Site Scripting: Poor Validation 問題。

Cross-site scripting (XSS) 弱點會在以下情況中出現:

1. 資料從一個不可信賴的來源進入 Web 應用程式。如果是 Reflected XSS,不可信賴的來源大多為 Web 要求;如果是 Persistent XSS (也可稱為 Stored XSS),來源大多為資料庫查詢結果。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的程式碼片段會從 HTTP 要求中讀取 text 參數,使用 HTML 加以編碼,並將該參數顯示在 Script 標籤之間的警示方塊中。


	"<script>alert('<CFOUTPUT>HTMLCodeFormat(#Form.text#)</CFOUTPUT>')</script>";


如果 text 只包含標準英數字元,則這個範例中的程式碼會正確地執行。若 text 具有單引號、小括號及分號,則會結束 alert 文字方塊,並在此後執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料記憶體中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[64] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.cfml.cross_site_scripting_poor_validation
Abstract
如果依賴 HTML、XML 和其他類型的編碼來驗證使用者輸入,可能會導致瀏覽器執行惡意程式碼。
Explanation
使用特定編碼功能可防止部分,但不是所有的 Cross-Site Scripting 攻擊。根據資料出現的內容,以 HTML 編碼的基本 <、>、& 和 ",以及以 XML 編碼的 <、>、&、" 和 ' 以外的字元,可能會有中繼意義。依賴這類編碼功能等同於使用安全性較差的拒絕清單來防止 Cross-Site Scripting 攻擊,並且可能會允許攻擊者插入隨後會在瀏覽器中執行的惡意程式碼。因為並非隨時都可以準確識別其中靜態顯示資料的內容,所以即使套用編碼,Fortify Secure Coding Rulepack 還是會報告 Cross-Site Scripting 發現,並將其顯示為 Cross-Site Scripting: Poor Validation 問題。

Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。

2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。


範例 1:以下 Go 程式碼片段會從 HTTP 要求中讀取使用者名稱 user,並向使用者顯示。

func someHandler(w http.ResponseWriter, r *http.Request){
  r.parseForm()
  user := r.FormValue("user")
  ...
  fmt.Fprintln(w, "Username is: ", html.EscapeString(user))
}


如果 user 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 user 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下 Go 程式碼片段會查詢資料庫中具有指定 ID 的員工,然後列印相對應的員工姓名。

func someHandler(w http.ResponseWriter, r *http.Request){
  ...
  row := db.QueryRow("SELECT name FROM users WHERE id =" + userid)
  err := row.Scan(&name)
  ...
  fmt.Fprintln(w, "Username is: ", html.EscapeString(name))
}


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果沒有對所有儲存在資料庫中的資料進行適當的輸入驗證,那麼攻擊者即可在使用者的網頁瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其極其隱蔽,會因為間接的資料儲存方式而難以辨別該威脅,並會提高影響多個使用者的可能性。XSS 弱點會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所示,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由網頁瀏覽器執行時,就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所示,應用程式會將危險資料儲存在資料庫或其他可信任的資料存放區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者執行需要權限許可的操作,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料存放區中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[64] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.golang.cross_site_scripting_poor_validation
Abstract
如果依賴 HTML、XML 和其他類型的編碼來驗證使用者輸入,可能會導致瀏覽器執行惡意程式碼。
Explanation
使用特定編碼建構,例如具有 escapeXml="true" 屬性 (預設行為) 的 <c:out/> 標籤能夠防止部分,但非全部的 Cross-Site Scripting 攻擊。根據資料出現的內容,以 HTML 編碼的基本 <、>、& 和 ",以及以 XML 編碼的 <、>、&、" 和 ' 以外的字元,可能會有中繼意義。依賴這類編碼建構等同於使用安全性較差的拒絕清單來防止 Cross-Site Scripting 攻擊,並且可能會允許攻擊者插入隨後會在瀏覽器中執行的惡意程式碼。因為並非隨時都可以準確識別其中靜態顯示資料的內容,所以即使已套用編碼,Fortify Static Code Analyzer 還是會報告 Cross-site scripting 發現,並將其顯示為 Cross-Site Scripting: Poor Validation 問題。

Cross-site scripting (XSS) 弱點會在以下情況中出現:

1. 資料從一個不可信賴的來源進入 Web 應用程式。如果是 Reflected XSS,不可信賴的來源大多為 Web 要求;如果是 Persistent XSS (也可稱為 Stored XSS),來源大多為資料庫查詢結果。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下 JSP 程式碼片段會從 HTTP 要求中讀取員工識別碼 eid,並透過 <c:out/> 標籤將其向使用者顯示。


Employee ID: <c:out value="${param.eid}"/>


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下 JSP 程式碼片段會在資料庫中查詢具有指定識別碼的員工,並透過 <c:out/> 標籤列印相應的員工姓名。


<%...
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("select * from emp where id="+eid);
if (rs != null) {
   rs.next();
   String name = rs.getString("name");
}
%>

Employee Name: <c:out value="${name}"/>


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

有人認為在行動環境中,典型的 Web 應用程式弱點 (例如跨網站指令碼) 不會產生影響,因為使用者為何會攻擊自己呢?但是請謹記,行動平台的本質是從多種來源下載,並在相同裝置上一起執行的應用程式。在金融應用程式旁執行惡意程式碼的可能性很高,這必然會擴大行動應用程式的受攻擊面,將程序之間的通訊包括在內。

範例 3:以下程式碼會在 Android 的 WebView 中啟用 JavaScript (預設狀況下停用 JavaScript),並根據從 Android 用意接收的值載入頁面。


...
        WebView webview = (WebView) findViewById(R.id.webview);
        webview.getSettings().setJavaScriptEnabled(true);
        String url = this.getIntent().getExtras().getString("url");
        webview.loadUrl(URLEncoder.encode(url));
...


url 的值以 javascript: 開頭,隨後的 JavaScript 程式碼將在網頁範圍中的 WebView 內執行。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 3 所述,應用程式以外的來源會在資料庫或是其他資料儲存區中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。

有許多現代的 Web 架構提供執行使用者輸入驗證的機制 (包括 Struts 和 Struts 2)。為了突顯未驗證的輸入來源,Fortify 安全編碼檢查規則會降低 Fortify Static Code Analyzer 所報告之問題的攻擊可能性,並在使用框架驗證機制時提供支援證據的指標,以動態重新排列其優先順序。我們將此功能稱為「內容相關性排名」。為了進一步協助 Fortify 使用者進行稽核程序,Fortify Software 安全研發團隊提供了資料驗證專案範本,該範本會依據套用到其輸入來源的驗證機制,按資料夾對問題進行分組。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Attacks on WebView in the Android System
[4] Erika Chin and David Wagner Bifocals: Analyzing WebView Vulnerabilities in Android Applications
[5] INJECT-3: XML and HTML generation requires care Oracle
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[11] Standards Mapping - CIS Kubernetes Benchmark complete
[12] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[13] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[16] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[17] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[18] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[19] Standards Mapping - FIPS200 SI
[20] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[21] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[22] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[23] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[24] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[27] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[28] Standards Mapping - OWASP Top 10 2021 A03 Injection
[29] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[30] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[31] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[32] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[40] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[43] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[44] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.java.cross_site_scripting_poor_validation
Abstract
如果依賴 HTML、XML 和其他類型的編碼來驗證使用者輸入,可能會導致瀏覽器執行惡意程式碼。
Explanation
使用特定編碼功能可防止部分,但不是所有的 Cross-Site Scripting 攻擊。根據資料出現的內容,以 HTML 編碼的基本 <、>、& 和 ",以及以 XML 編碼的 <、>、&、" 和 ' 以外的字元,可能會有中繼意義。依賴這類編碼功能等同於使用安全性較差的拒絕清單來防止 Cross-Site Scripting 攻擊,並且可能會允許攻擊者插入隨後會在瀏覽器中執行的惡意程式碼。因為並非隨時都可以準確識別其中靜態顯示資料的內容,所以即使套用編碼,並以 Cross-Site Scripting 來加以顯示,Fortify Secure Coding Rulepacks 還是會報告 Cross-Site Scripting 發現:Poor Validation 問題。

Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在基於 DOM 的 XSS 案例中,會從 URL 參數或瀏覽器內的其他值來讀取資料,並以用戶端程式碼回寫到頁面中。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。在基於 DOM 的 XSS 案例中,一旦受害者的瀏覽器開始剖析 HTML 頁面,就會開始執行惡意內容,且成為建立 DOM (Document Object Model,文件物件模型) 的一部分。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例:以下 JavaScript 程式碼片段會從 HTTP 要求中讀取員工識別碼 eid,將識別碼去除,然後顯示給使用者。


<SCRIPT>
var pos=document.URL.indexOf("eid=")+4;
document.write(escape(document.URL.substring(pos,document.URL.length)));
</SCRIPT>



如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 直接從 HTTP 要求讀取資料,並直接回傳至 HTTP 回應。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料記憶體中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[64] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.javascript.cross_site_scripting_poor_validation
Abstract
如果依賴 HTML、XML 和其他類型的編碼來驗證使用者輸入,可能會導致瀏覽器執行惡意程式碼。
Explanation
使用特定編碼建構,例如具有 escapeXml="true" 屬性 (預設行為) 的 <c:out/> 標籤能夠防止部分,但非全部的 Cross-Site Scripting 攻擊。根據資料出現的內容,以 HTML 編碼的基本 <、>、& 和 ",以及以 XML 編碼的 <、>、&、" 和 ' 以外的字元,可能會有中繼意義。依賴這類編碼建構等同於使用安全性較差的拒絕清單來防止 Cross-Site Scripting 攻擊,並且可能會允許攻擊者插入隨後會在瀏覽器中執行的惡意程式碼。因為並非隨時都可以準確識別其中靜態顯示資料的內容,所以即使已套用編碼,Fortify Static Code Analyzer 還是會報告 Cross-site scripting 發現,並將其顯示為 Cross-Site Scripting: Poor Validation 問題。

Cross-Site Scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。如果是 Reflected XSS,不可信賴的來源大多為 Web 要求,而如果是 Persistent XSS (也可稱為 Stored XSS),來源大多為資料庫查詢結果。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。



如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。



Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

有人認為在行動環境中,典型的 Web 應用程式弱點 (例如跨網站指令碼) 不會產生影響,因為使用者為何會攻擊自己呢?但是請謹記,行動平台的本質是從多種來源下載,並在相同裝置上一起執行的應用程式。在金融應用程式旁執行惡意程式碼的可能性很高,這必然會擴大行動應用程式的受攻擊面,將程序之間的通訊包括在內。

範例 3:以下程式碼會在 Android 的 WebView 中啟用 JavaScript (JavaScript 預設為停用),並根據從 Android 用意接收的值載入頁面。


...
        val webview = findViewById<View>(R.id.webview) as WebView
        webview.settings.javaScriptEnabled = true
        val url = this.intent.extras!!.getString("url")
        webview.loadUrl(URLEncoder.encode(url))
...


url 的值以 javascript: 開頭,隨後的 JavaScript 程式碼將在網頁範圍中的 WebView 內執行。

如同範例中所示,XSS 弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 3 所述,應用程式以外的來源會在資料庫或是其他資料儲存區中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。


有許多現代的 Web 架構提供執行使用者輸入驗證的機制 (包括 Struts 和 Spring MVC)。為了突顯未驗證的輸入來源,Fortify 安全編碼檢查規則會降低 Fortify Static Code Analyzer 所報告之問題的攻擊可能性,並在使用框架驗證機制時提供支援證據的指標,以動態重新排列其優先順序。我們將此功能稱為「內容相關性排名」。為了進一步協助 Fortify 使用者進行稽核程序,Fortify Software 安全研發團隊提供了資料驗證專案範本,該範本會依據套用到其輸入來源的驗證機制,按資料夾對問題進行分組。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Attacks on WebView in the Android System
[4] Erika Chin and David Wagner Bifocals: Analyzing WebView Vulnerabilities in Android Applications
[5] INJECT-3: XML and HTML generation requires care Oracle
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[11] Standards Mapping - CIS Kubernetes Benchmark complete
[12] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[13] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[16] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[17] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[18] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[19] Standards Mapping - FIPS200 SI
[20] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[21] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[22] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[23] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[24] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[27] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[28] Standards Mapping - OWASP Top 10 2021 A03 Injection
[29] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[30] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[31] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[32] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[40] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[43] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[44] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.kotlin.cross_site_scripting_poor_validation
Abstract
這個方法使用的是 HTML、XML 和其他類型的編碼,但通常不足以防止惡意程式碼存取網頁瀏覽器。
Explanation
使用特定編碼建構 (例如 ESAPI 或 AntiXSS) 可防止部分,但不是所有 Cross-Site Scripting 攻擊。根據資料出現的內容,以 HTML 編碼的基本 <、>、&和",以及以 XML 編碼的 <、>、&、"和'以外的字元,可能會有中繼意義。依賴這類編碼建構等同於使用安全性較差的拒絕清單來防止 Cross-Site Scripting 攻擊,並且可能會允許攻擊者插入隨後會在瀏覽器中執行的惡意程式碼。因為並非隨時都可以準確識別其中靜態顯示資料的內容,所以即使已套用編碼,Fortify Static Code Analyzer 還是會報告 Cross-site scripting 發現,並將其顯示為 Cross-Site Scripting: Poor Validation 問題。

Cross-site scripting (XSS) 弱點會在以下情況中出現:

1. 資料從一個不可信賴的來源進入網頁。在 Reflected XSS 案例中,不可信賴的來源通常為使用者元件、URL 架構處理常式或通知,而在 Persistent XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.在未對包含資料的動態內容進行驗證的情況下,便將其傳送至某個 UIWebView 元件。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

以下範例突顯了可利用的 XSS 實例,其使用編碼 API 進行編碼:

範例 1:以下 Objective-C 程式碼片段會讀取自訂 URL 架構的文字部份,其會被傳送至應用程式 (myapp://input_to_the_application) 並呼叫之。然後 URL 中不可信賴的資料便會被用來在 UIWebView 元件中攻擊 HTML 輸出。


...
- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {
...
    UIWebView *webView;
    NSString *partAfterSlashSlash = [[url host] stringByReplacingPercentEscapesUsingEncoding:NSUTF8StringEncoding];
    NSString *htmlPage = [NSString stringWithFormat: @"%@/%@/%@", @"...<input type=text onclick=\"callFunction('",
                         [DefaultEncoder encodeForHTML:partAfterSlashSlash],
			 @"')\" />"];
    webView = [[UIWebView alloc] initWithFrame:CGRectMake(0.0,0.0,360.0, 480.0)];
    [webView loadHTMLString:htmlPage baseURL:nil];
...


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以較不危險,是因為 name 的值是從資料庫中讀取的,且為 HTML 編碼。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。攻擊者支援的攻擊可能會略過編碼字元或將輸入置於不受 HTML 編碼影響的環境中。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 內容中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從自訂 URL 架構讀取資料,並反映於 UIWebView 回應內容中。當攻擊者誘使使用者提供危險內容給易受攻擊的 iOS 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的自訂架構 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊應用程式的 URL。應用程式將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含工作階段資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] MWR Labs Continued Adventures with iOS UIWebViews
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[64] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[65] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.objc.cross_site_scripting_poor_validation
Abstract
如果依賴 HTML、XML 和其他類型的編碼來驗證使用者輸入,可能會導致瀏覽器執行惡意程式碼。
Explanation
使用特定編碼函數 (例如htmlspecialchars()htmlentities()) 可防止部分,但不是所有 Cross-Site Scripting 攻擊。根據資料出現的內容,以 HTML 編碼的基本 <、>、&和",以及以 XML 編碼的 <、>、&、"和' (僅限在設定ENT_QUOTES時) 以外的字元,可能會有中繼意義。依賴這類編碼功能等同於使用安全性較差的拒絕清單來防止 Cross-Site Scripting 攻擊,並且可能會允許攻擊者插入隨後會在瀏覽器中執行的惡意程式碼。因為並非隨時都可以準確識別其中靜態顯示資料的內容,所以即使套用編碼,並以 Cross-Site Scripting 來加以顯示,Fortify Secure Coding Rulepacks 還是會報告 Cross-Site Scripting 發現:Poor Validation 問題。

Cross-site scripting (XSS) 弱點會在以下情況中出現:

1. 資料從一個不可信賴的來源進入 Web 應用程式。如果是 Reflected XSS,不可信賴的來源大多為 Web 要求;如果是 Persistent XSS (也可稱為 Stored XSS),來源大多為資料庫查詢結果。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的程式碼片段會從 HTTP 要求中讀取 text 參數,使用 HTML 加以編碼並將該參數顯示在 Script 標籤之間的警示方塊中。


<?php
    $var=$_GET['text'];
    ...
    $var2=htmlspecialchars($var);
    echo "<script>alert('$var2')</script>";
?>


如果 text 只包含標準英數字元,則這個範例中的程式碼會正確地執行。若 text 具有單引號、小括號及分號,則會結束 alert 文字方塊,並在此後執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料記憶體中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[64] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.php.cross_site_scripting_poor_validation
Abstract
如果依賴 HTML、XML 和其他類型的編碼來驗證使用者輸入,可能會導致瀏覽器執行惡意程式碼。
Explanation
使用特定編碼功能可防止部分,但不是所有的 Cross-Site Scripting 攻擊。根據資料出現的內容,以 HTML 編碼的基本 <、>、& 和 ",以及以 XML 編碼的 <、>、&、" 和 ' 以外的字元,可能會有中繼意義。依賴這類編碼功能等同於使用安全性較差的拒絕清單來防止 Cross-Site Scripting 攻擊,並且可能會允許攻擊者插入隨後會在瀏覽器中執行的惡意程式碼。因為並非隨時都可以準確識別其中靜態顯示資料的內容,所以即使套用編碼,Fortify Secure Coding Rulepack 還是會報告 Cross-Site Scripting 發現,並將其顯示為 Cross-Site Scripting: Poor Validation 問題。

Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的程式碼片段在 HTTP 要求中讀取員工的識別碼 eid,使用 URL 加以編碼並顯示給使用者。


...
-- Assume QUERY_STRING looks like EID=EmployeeID
eid := SUBSTR(OWA_UTIL.get_cgi_env('QUERY_STRING'), 5);
HTP.htmlOpen;
  HTP.headOpen;
    HTP.title ('Employee Information');
  HTP.headClose;
  HTP.bodyOpen;
    HTP.br;
    HTP.print('Employee ID: ' || HTMLDB_UTIL.url_encode(eid) || '');
    HTP.br;
  HTP.bodyClose;
HTP.htmlClose;
...


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下的程式碼片段,根據所給予的識別碼在資料庫中查詢員工,並列印該 URL 編碼的員工姓名。


...
SELECT ename INTO name FROM emp WHERE id = eid;
HTP.htmlOpen;
  HTP.headOpen;
    HTP.title ('Employee Information');
  HTP.headClose;
  HTP.bodyOpen;
    HTP.br;
    HTP.print('Employee Name: ' || HTMLDB_UTIL.url_encode(name) || '');
    HTP.br;
  HTP.bodyClose;
HTP.htmlClose;
...


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[64] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.sql.cross_site_scripting_poor_validation
Abstract
如果依賴 HTML、XML 和其他類型的編碼來驗證使用者輸入,可能會導致瀏覽器執行惡意程式碼。
Explanation
使用特定編碼功能可防止部分,但不是所有的 Cross-Site Scripting 攻擊。根據資料出現的內容,以 HTML 編碼的基本 <、>、& 和 ",以及以 XML 編碼的 <、>、&、" 和 ' 以外的字元,可能會有中繼意義。依賴這類編碼功能等同於使用安全性較差的拒絕清單來防止 Cross-Site Scripting 攻擊,並且可能會允許攻擊者插入隨後會在瀏覽器中執行的惡意程式碼。因為並非隨時都可以準確識別其中靜態顯示資料的內容,所以即使套用編碼,Fortify Secure Coding Rulepack 還是會報告 Cross-Site Scripting 發現,並將其顯示為 Cross-Site Scripting: Poor Validation 問題。

Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下 Python 程式碼片段會從 HTTP 要求中讀取員工識別碼 eid、使用 HTML 加以編碼,並將識別碼顯示給使用者。


        req = self.request()  # fetch the request object
        eid = req.field('eid',None) # tainted request message
        ...
        self.writeln("Employee ID:" + escape(eid))


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下 Python 程式碼片段會在資料庫中查詢具有指定識別碼的員工,並列印相應 HTML 編碼的員工姓名。


 ...
 cursor.execute("select * from emp where id="+eid)
 row = cursor.fetchone()
 self.writeln('Employee name: ' + escape(row["emp"]))
 ...


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[64] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.python.cross_site_scripting_poor_validation
Abstract
如果依賴 HTML、XML 和其他類型的編碼來驗證使用者輸入,可能會導致瀏覽器執行惡意程式碼。
Explanation
使用特定編碼功能可防止部分,但不是所有的 Cross-Site Scripting 攻擊。根據資料出現的內容,以 HTML 編碼的基本 <、>、& 和 ",以及以 XML 編碼的 <、>、&、" 和 ' 以外的字元,可能會有中繼意義。依賴這類編碼功能等同於使用安全性較差的拒絕清單來防止 Cross-Site Scripting 攻擊,並且可能會允許攻擊者插入隨後會在瀏覽器中執行的惡意程式碼。因為並非隨時都可以準確識別其中靜態顯示資料的內容,所以即使套用編碼,Fortify Secure Coding Rulepack 還是會報告 Cross-Site Scripting 發現,並將其顯示為 Cross-Site Scripting: Poor Validation 問題。

Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的 Ruby 程式碼片段在 HTTP 要求中讀取員工的識別碼 eid,使用 HTML 加以編碼並顯示給使用者。


eid = req.params['eid'] #gets request parameter 'eid'
Rack::Response.new.finish do |res|
  ...
  res.write("Employee ID: #{eid}")
end


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是所謂的 Reflected XSS,不過請注意,如果使用Example 1 中的的 Rack::Request#params(),會同時看到 GETPOST 參數,所以可能容易受到各種類型的攻擊,而不是只會使惡意程式碼附加到 URL 而已。

範例 2:以下的 Ruby 程式碼片段會在資料庫中查詢具有所指定識別碼的員工,並列印相應 HTML 編碼的員工姓名。


...
rs = conn.exec_params("select * from emp where id=?", eid)
...
Rack::Response.new.finish do |res|
  ...
  rs.each do |row|
    res.write("Employee name: #{escape(row['name'])}")
    ...
  end
end
...


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[64] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.ruby.cross_site_scripting_poor_validation
Abstract
如果依賴 HTML、XML 和其他類型的編碼來驗證使用者輸入,可能會導致瀏覽器執行惡意程式碼。
Explanation
使用特定編碼建構可防止部分,但不是所有的 Cross-Site Scripting 攻擊。根據資料出現的內容,以 HTML 編碼的基本 <、>、& 和 ",以及以 XML 編碼的 <、>、&、" 和 ' 以外的字元,可能會有中繼意義。依賴這類編碼建構等同於使用安全性較差的拒絕清單來防止 Cross-Site Scripting 攻擊,並且可能會允許攻擊者插入隨後會在瀏覽器中執行的惡意程式碼。因為並非隨時都可以準確識別其中靜態顯示資料的內容,所以即使已套用編碼,Fortify Static Code Analyzer 還是會報告 Cross-site scripting 發現,並將其顯示為 Cross-Site Scripting: Poor Validation 問題。

Cross-site scripting (XSS) 弱點會在以下情況中出現:

1. 資料從一個不可信賴的來源進入 Web 應用程式。如果是 Reflected XSS,不可信賴的來源大多為 Web 要求;如果是 Persistent XSS (也可稱為 Stored XSS),來源大多為資料庫查詢結果。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例: 以下 Play 控制項程式碼片段會從 HTTP 要求讀取員工 ID eid,並向使用者顯示。


  def getEmployee = Action { implicit request  =>
    var eid = request.getQueryString("eid")

    eid = StringEscapeUtils.escapeHtml(eid);    // insufficient validation

    val employee = getEmployee(eid)

    if (employee == Null) {
        val html = Html(s"Employee ID ${eid} not found")
        Ok(html) as HTML
    }
    ...
  }


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] INJECT-3: XML and HTML generation requires care Oracle
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[64] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[65] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.scala.cross_site_scripting_poor_validation
Abstract
這個方法使用的是 HTML、XML 和其他類型的編碼,但通常不足以防止惡意程式碼存取網頁瀏覽器。
Explanation
使用特定編碼建構 (例如 ESAPI 或 AntiXSS) 可防止部分,但不是所有 Cross-Site Scripting 攻擊。根據資料出現的內容,以 HTML 編碼的基本 <、>、&和",以及以 XML 編碼的 <、>、&、"和'以外的字元,可能會有中繼意義。依賴這類編碼建構等同於使用安全性較差的拒絕清單來防止 Cross-Site Scripting 攻擊,並且可能會允許攻擊者插入隨後會在瀏覽器中執行的惡意程式碼。因為並非隨時都可以準確識別其中靜態顯示資料的內容,所以即使已套用編碼,Fortify Static Code Analyzer 還是會報告 Cross-site scripting 發現,並將其顯示為 Cross-Site Scripting: Poor Validation 問題。

Cross-site scripting (XSS) 弱點會在以下情況中出現:

1. 資料從一個不可信賴的來源進入網頁。在 Reflected XSS 案例中,不可信賴的來源通常為使用者元件、URL 架構處理常式或通知,而在 Persistent XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2. 在未對包含資料的動態內容進行驗證的情況下,便將其傳送至某個 UIWebView 元件。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

以下範例突顯了可利用的 XSS 實例,其使用編碼 API 進行編碼:

範例 1:以下 Swift 程式碼片段會讀取自訂 URL 架構的文字部分,其會被傳遞到應用程式 (myapp://input_to_the_application) 並呼叫之。然後 URL 中不可信賴的資料便會被用來在 UIWebView 元件中攻擊 HTML 輸出。


...
func application(app: UIApplication, openURL url: NSURL, options: [String : AnyObject]) -> Bool {
    ...
    let name = getQueryStringParameter(url.absoluteString, "name")
    let html = "Hi \(name)"
    let webView = UIWebView()
    webView.loadHTMLString(html, baseURL:nil)
    ...
}
func getQueryStringParameter(url: String?, param: String) -> String? {
    if let url = url, urlComponents = NSURLComponents(string: url), queryItems = (urlComponents.queryItems as? [NSURLQueryItem]) {
        return queryItems.filter({ (item) in item.name == param }).first?.value!
    }
    return nil
}
...


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以較不危險,是因為 name 的值是從資料庫中讀取的,且為 HTML 編碼。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。攻擊者支援的攻擊可能會略過編碼字元或將輸入置於不受 HTML 編碼影響的環境中。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

範例 3:以下程式碼會讀取 UITextField 的內容,並在 WKWebView 中將其顯示給使用者:


...
let webView : WKWebView
let inputTextField : UITextField
webView.loadHTMLString(inputTextField.text, baseURL:nil)
...


如果 inputTextField 中的文字只包含標準英數字元,這個範例中的程式碼便會正常運作而不會有問題。如果 inputTextField 中的文字包括中繼字元或原始程式碼,那麼網路瀏覽器就會像顯示 HTTP 回應那樣,可能會將輸入當成程式碼來執行。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的裝置上提供會導致惡意程式碼執行的輸入?真正的危險在於攻擊者可能使用電子郵件或社交工程病毒誘騙受害者執行此類動作。當這樣的誘騙成功,受害者就在不知情的情況下,透過易受攻擊的 Web 應用程式,將惡意內容帶回他們自己的裝置。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

如同範例中所示,XSS 的弱點是由 HTTP 內容中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從自訂 URL 架構讀取資料,並反映於 UIWebView 回應內容中。當攻擊者誘使使用者提供危險內容給易受攻擊的 iOS 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的自訂架構 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊應用程式的 URL。應用程式將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含工作階段資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 3 所述,目標應用程式以外的來源會使用目標應用程式的自訂 URL 架構提出 URL 要求,之後來自此 URL 要求的未驗證資料會被當作信賴的資料讀回到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] MWR Labs Continued Adventures with iOS UIWebViews
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[64] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[65] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.swift.cross_site_scripting_poor_validation
Abstract
如果依賴 HTML、XML 和其他類型的編碼來驗證使用者輸入,可能會導致瀏覽器執行惡意程式碼。
Explanation
使用特定編碼功能可防止部分,但不是所有的 Cross-Site Scripting 攻擊。根據資料出現的內容,以 HTML 編碼的基本 <、>、& 和 ",以及以 XML 編碼的 <、>、&、" 和 ' 以外的字元,可能會有中繼意義。依賴這類編碼功能等同於使用安全性較差的拒絕清單來防止 Cross-Site Scripting 攻擊,並且可能會允許攻擊者插入隨後會在瀏覽器中執行的惡意程式碼。因為並非隨時都可以準確識別其中靜態顯示資料的內容,所以即使套用編碼,Fortify Secure Coding Rulepack 還是會報告 Cross-Site Scripting 發現,並將其顯示為 Cross-Site Scripting: Poor Validation 問題。

Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的 ASP 程式碼片段在 HTTP 要求中讀取員工的識別碼 eid,使用 HTML 加以編碼並顯示給使用者。


        ...
        eid = Request("eid")
        Response.Write "Employee ID:" & Server.HTMLEncode(eid) & "<br/>"
        ..


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下的 ASP 程式碼片段會在資料庫中查詢具有所指定識別碼的員工,並列印相應 HTML 編碼的員工姓名。


        ...
        eid = Request("eid")
        strSQL = "Select * from emp where id=" & eid
        objADORecordSet.Open strSQL, strConnect, adOpenDynamic, adLockOptimistic, adCmdText
        while not objRec.EOF
                Response.Write "Employee Name:" & Server.HTMLEncode(objADORecordSet("name"))
                objADORecordSet.MoveNext
        Wend
        ...


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[64] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.vb.cross_site_scripting_poor_validation

Key Management: Unencrypted Private Key

Abstract
不應以純文字形式儲存密碼加密或簽署私密金鑰。
Explanation
用於加密或簽署的私密金鑰應視作敏感資料,在儲存之前應使用強式複雜密碼進行加密。這可防止在發生失竊或洩漏時兩種攻擊者以及權限不足的使用者未經授權存取資料。

範例 1:以下程式碼使用未加密的 PEM 格式匯出 RSA 私密金鑰:


from Crypto.PublicKey import RSA

key = RSA.generate(2048)
f = open('mykey.pem','w')
f.write(key.exportKey(format='PEM'))
f.close()
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - CIS Kubernetes Benchmark partial
[7] Standards Mapping - Common Weakness Enumeration CWE ID 311
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[20] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.5.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001820 CAT I, APSC-DV-002010 CAT II, APSC-DV-003100 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.python.key_management_unencrypted_private_key
Abstract
不應以純文字形式儲存密碼加密或簽署私密金鑰。
Explanation
用於加密或簽署的私密金鑰應視作敏感資料,在儲存之前應使用強式複雜密碼進行加密。這可防止在發生失竊或洩漏時兩種攻擊者以及權限不足的使用者未經授權存取資料。

範例 1:以下程式碼使用未加密的 PEM 格式匯出 RSA 私密金鑰:


require 'openssl'

key = OpenSSL::PKey::RSA.new 2048
File.open('mykey.pem', 'w') do |file|
  file.write(key.to_pem)
end
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - CIS Kubernetes Benchmark partial
[7] Standards Mapping - Common Weakness Enumeration CWE ID 311
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-12 Cryptographic Key Establishment and Management (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-12 Cryptographic Key Establishment and Management
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[20] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.5.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3350 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3350 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001820 CAT I, APSC-DV-002010 CAT II, APSC-DV-003100 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.ruby.key_management_unencrypted_private_key

Cross-Site Scripting: Content Sniffing

Abstract
傳送未經驗證的資料至網路瀏覽器,可能會導致特定瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

要讓瀏覽器將回應呈現為 HTML,或可能執行指令碼的其他文件,需指定text/htmlMIME 類型。因此,只有回應使用此 MIME 類型或任何其他也會強制瀏覽器以 HTML 呈現回應或可能會執行指令碼 (例如 SVG 影像 (image/svg+xml)、XML 文件 (application/xml 等)) 的類型時,XSS 才會運作。

大多數新式瀏覽器在提供具有 MIME 類型 (例如 application/octet-stream) 的回應時,不會呈現 HTML 或執行指令碼。但 Internet Explorer 等部分瀏覽器會執行名為 Content Sniffing 的作業。Content Sniffing 會忽略提供的 MIME 類型,並嘗試依據回應的內容推論正確的 MIME 類型。
但要特別注意的是,text/html的 MIME 類型只是可能導致 XSS 弱點的一種 MIME 類型。可以執行諸如 SVG 影像 (image/svg+xml)、XML 文件 (application/xml) 等指令碼的其他文件,也可能導致 XSS 弱點,無論瀏覽器是否執行 Content Sniffing。

因此,<html><body><script>alert(1)</script></body></html> 之類的回應可以呈現為 HTML,即使其 content-type 標頭已設為 application/octet-stream, multipart-mixed 等。

範例 1:以下 JAX-RS 方法會在 application/octet-stream 回應中反映使用者資料。


@RestController
public class SomeResource {
    @RequestMapping(value = "/test", produces = {MediaType.APPLICATION_OCTET_STREAM_VALUE})
    public String response5(@RequestParam(value="name") String name){
        return name;
	}
}


如果攻擊者傳送一個要求並將 name參數設為 <html><body><script>alert(1)</script></body></html>,則伺服器會產生以下回應:


HTTP/1.1 200 OK
Content-Length: 51
Content-Type: application/octet-stream
Connection: Closed

<html><body><script>alert(1)</script></body></html>


即使回應清楚指出應該將其視為 JSON 文件,但舊瀏覽器仍可能嘗試將其呈現為 HTML 文件,這會使其易受 Cross-Site Scripting 攻擊。
References
[1] X-Content-Type-Options Mozilla
[2] MIME Type Detection in Windows Internet Explorer Microsoft
[3] Understanding Malicious Content Mitigation for Web Developers CERT
[4] HTML 4.01 Specification W3
[5] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Attacks on WebView in the Android System
[6] Erika Chin and David Wagner Bifocals: Analyzing WebView Vulnerabilities in Android Applications
[7] INJECT-3: XML and HTML generation requires care Oracle
[8] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[10] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[11] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[12] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[13] Standards Mapping - CIS Kubernetes Benchmark complete
[14] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[15] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[16] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[17] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[18] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[19] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[20] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[21] Standards Mapping - FIPS200 SI
[22] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[23] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[24] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[25] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[26] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[27] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[28] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[29] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[30] Standards Mapping - OWASP Top 10 2021 A03 Injection
[31] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[32] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[33] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[34] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[40] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[41] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[42] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[43] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[44] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[45] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[46] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[47] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[67] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[68] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[69] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.java.cross_site_scripting_content_sniffing
Abstract
傳送未經驗證的資料至網路瀏覽器,可能會導致特定瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

要讓瀏覽器將回應呈現為 HTML,或可能執行指令碼的其他文件,需指定 text/html MIME 類型。因此,只有回應使用此 MIME 類型或任何其他也會強制瀏覽器以 HTML 呈現回應或可能會執行指令碼 (例如 SVG 影像 (image/svg+xml)、XML 文件 (application/xml 等)) 的類型時,XSS 才會運作。

在使用 MIME 類型 (例如 application/json) 提供回應給大多數現代瀏覽器時,這些瀏覽器並不會呈現 HTML,也不會執行指令碼。但 Internet Explorer 等部分瀏覽器會執行名為 Content Sniffing 的作業。Content Sniffing 會忽略提供的 MIME 類型,並嘗試依據回應的內容推論正確的 MIME 類型。但要特別注意的是,text/html 的 MIME 類型只是可能導致 XSS 弱點的一種 MIME 類型。
可以執行諸如 SVG 影像 (image/svg+xml)、XML 文件 (application/xml) 等指令碼的其他文件,也可能導致 XSS 弱點,無論瀏覽器是否執行 Content Sniffing。

因此,<html><body><script>alert(1)</script></body></html> 之類的回應可以呈現為 HTML,即使其 content-type 標頭已設為 application/json

範例 1:下列 AWS Lambda 函數會在 application/json 回應中反映使用者資料。


def mylambda_handler(event, context):
    name = event['name']
    response = {
        "statusCode": 200,
        "body": "{'name': name}",
        "headers": {
            'Content-Type': 'application/json',
        }
    }
    return response


如果攻擊者傳送一個要求並將 name 參數設為 <html><body><script>alert(1)</script></body></html>,則伺服器會產生以下回應:


HTTP/1.1 200 OK
Content-Length: 88
Content-Type: application/json
Connection: Closed

{'name': '<html><body><script>alert(1)</script></body></html>'}


即使回應清楚指出應該將其視為 JSON 文件,但舊瀏覽器仍可能嘗試將其呈現為 HTML 文件,這會使其易受 Cross-Site Scripting 攻擊。
References
[1] X-Content-Type-Options Mozilla
[2] MIME Type Detection in Windows Internet Explorer Microsoft
[3] Understanding Malicious Content Mitigation for Web Developers CERT
[4] HTML 4.01 Specification W3
[5] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Attacks on WebView in the Android System
[6] Erika Chin and David Wagner Bifocals: Analyzing WebView Vulnerabilities in Android Applications
[7] INJECT-3: XML and HTML generation requires care Oracle
[8] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[10] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[11] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[12] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[13] Standards Mapping - CIS Kubernetes Benchmark complete
[14] Standards Mapping - Common Weakness Enumeration CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692
[15] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[16] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[17] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[18] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[19] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[20] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[21] Standards Mapping - FIPS200 SI
[22] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[23] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[24] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[25] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[26] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[27] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[28] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[29] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[30] Standards Mapping - OWASP Top 10 2021 A03 Injection
[31] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[32] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[33] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[34] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[40] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[41] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[42] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[43] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[44] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[45] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[46] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[47] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[67] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[68] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[69] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.python.cross_site_scripting_content_sniffing

Cross-Site Scripting: DOM

Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在基於 DOM 的 XSS 案例中,會從 URL 參數或瀏覽器內的其他值來讀取資料,並以用戶端程式碼回寫到頁面中。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。在基於 DOM 的 XSS 案例中,一旦受害者的瀏覽器開始剖析 HTML 頁面,就會開始執行惡意內容,且成為建立 DOM (Document Object Model,文件物件模型) 的一部分。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例:以下 JavaScript 程式碼片段會從 HTTP 要求中讀取員工 ID eid,並將 ID 顯示給使用者。


String queryString = Window.Location.getQueryString();
int pos = queryString.indexOf("eid=")+4;
HTML output = new HTML();
output.setHTML(queryString.substring(pos, queryString.length()));


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。


如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 直接從 HTTP 要求讀取資料,並直接回傳至 HTTP 回應。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料記憶體中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] INJECT-3: XML and HTML generation requires care Oracle
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.java.cross_site_scripting_dom
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在基於 DOM 的 XSS 案例中,會從 URL 參數或瀏覽器內的其他值來讀取資料,並以用戶端程式碼回寫到頁面中。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。在基於 DOM 的 XSS 案例中,一旦受害者的瀏覽器開始剖析 HTML 頁面,就會開始執行惡意內容,且成為建立 DOM (Document Object Model,文件物件模型) 的一部分。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的 JavaScript 程式碼片段會從 URL 讀取員工識別碼 eid 並顯示給使用者。


<SCRIPT>
var pos=document.URL.indexOf("eid=")+4;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT>

範例 2:請考慮使用 HTML 表單:


  <div id="myDiv">
    Employee ID: <input type="text" id="eid"><br>
    ...
    <button>Show results</button>
  </div>
  <div id="resultsDiv">
    ...
  </div>


以下的 jQuery 程式碼片段會從表單讀取員工識別碼,並顯示給使用者。


  $(document).ready(function(){
    $("#myDiv").on("click", "button", function(){
      var eid = $("#eid").val();
      $("resultsDiv").append(eid);
      ...
    });
  });


如果文字輸入中的員工識別碼 (識別碼為 eid) 只包含標準英數字元,這些程式碼便會正確地運作。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

範例 3:以下程式碼顯示了 React 應用程式內基於 DOM 的 XSS 範例:


let element = JSON.parse(getUntrustedInput());
ReactDOM.render(<App>
    {element}
</App>);


Example 3 中,如果攻擊者可以控制從 getUntrustedInput() 擷取的整個 JSON 物件,則可能會讓 React 將 element 解譯為元件,因此可以傳遞具有 dangerouslySetInnerHTML 及其自己的控制值的物件 (典型的 Cross-Site Scripting 攻擊)。

一開始,這些似乎不會輕易受到攻擊。畢竟,誰會提供包含在自己電腦上執行的惡意程式碼的輸入?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 直接從 HTTP 要求讀取資料,並直接回傳至 HTTP 回應。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料記憶體中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] XSS via a spoofed React element Daniel LeCheminant
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.javascript.cross_site_scripting_dom

Cross-Site Scripting: Inter-Component Communication (Cloud)

Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入存放在雲端的 Web 應用程式。如果是 Inter-Component Communication Cloud XSS,不可信賴的來源是指透過雲端主機提供的通訊通道,從雲端應用程式的其他元件接收的資料。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下 ASP.NET 網頁表單會在 Azure Table Service 中查詢員工並列印名稱。

<script runat="server">
...
var retrieveOperation = TableOperation.Retrieve<EmployeeInfo>(partitionKey, rowKey);
var retrievedResult = employeeTable.Execute(retrieveOperation);
var employeeInfo = retrievedResult.Result as EmployeeInfo;
string name = employeeInfo.Name
...
EmployeeName.Text = name;
</script>


其中,EmployeeName 是定義如下的表單控制項:


<form runat="server">
   ...
   <asp:Label id="EmployeeName" runat="server">
   ...
</form>
範例 2:以下 ASP.NET 程式碼片段的功能與之前的 Example 1 相當,不過卻是以程式設計方式來實作所有的表單元素。

protected System.Web.UI.WebControls.Label EmployeeName;
...
var retrieveOperation = TableOperation.Retrieve<EmployeeInfo>(partitionKey, rowKey);
var retrievedResult = employeeTable.Execute(retrieveOperation);
var employeeInfo = retrievedResult.Result as EmployeeInfo;
string name = employeeInfo.Name
...
EmployeeName.Text = name;
Name 值正常運作時,這些程式碼範例也會正常運作,但如果該值不正常運作時,則會完全無法避免程式碼遭受攻擊。這個程式碼之所以較不危險,是因為 Name 值是從雲端提供的儲存服務中讀取的,且顯然是由分散式應用程式管理這些值的內容。但是,如果 Name 的值是從使用者提供的資料中產生,那麼雲端提供的儲存服務可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這種類型的攻擊,被稱作 Inter-Component Communication Cloud XSS,是特別狡詐的,因為間接的資料儲存方式使得該威脅難以辨別,而且提高了該攻擊會影響到多個使用者的可能性。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

範例 3:以下 ASP.NET 網頁表單會從 HTTP 要求讀取員工識別碼,然後顯示給使用者。

<script runat="server">
...
EmployeeID.Text = Login.Text;
...
</script>


其中,LoginEmployeeID 是定義如下的表單控制項:


<form runat="server">
   <asp:TextBox runat="server" id="Login"/>
   ...
   <asp:Label runat="server" id="EmployeeID"/>
</form>
範例 4:以下的 ASP.NET 程式碼片段會示範以程式設計方式來實作 Example 3

protected System.Web.UI.WebControls.TextBox Login;
protected System.Web.UI.WebControls.Label EmployeeID;
...
EmployeeID.Text = Login.Text;


Example 1Example 2 所述,如果 Login 只包含標準英數字元,這些範例就會正確運作。如果 Login 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL? 真正的危險是攻擊者會建立惡意的 URL,然後使用電子郵件或社交工程技倆來誘騙受害者按下連結。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Inter-Component Communication Cloud XSS 攻擊會在以下情況出現:攻擊者把危險內容注入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 如 Example 3Example 4 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 應用程式以外的來源會在資料庫或是其他資料記憶體中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。

有許多現代的 Web 架構提供執行使用者輸入驗證的機制 (包括 ASP.NET 要求驗證和 WCF)。為了突顯未驗證的輸入來源,Fortify 安全編碼檢查規則會降低 Fortify Static Code Analyzer 所報告之問題的攻擊可能性,並在使用框架驗證機制時提供支援證據的指標,以動態重新排列其優先順序。如果是 ASP.NET 要求驗證,我們也會針對何時明確停用驗證提供證據。我們將此功能稱為「內容相關性排名」。為了進一步協助 Fortify 使用者進行稽核程序,Fortify Software 安全研發團隊提供了資料驗證專案範本,該範本會依據套用到其輸入來源的驗證機制,按資料夾對問題進行分組。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Anti-Cross Site Scripting Library MSDN
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.dotnet.cross_site_scripting_inter_component_communication__cloud_
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-Site Scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入存放在雲端的 Web 應用程式。如果是 Inter-Component Communication Cloud XSS,不可信賴的來源是指透過雲端供應商提供之通訊通道,從雲端應用程式的其他元件接收的資料。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

範例 1:以下的 Python 程式碼片段在 HTTP 要求中讀取員工識別碼 eid,並顯示給使用者。


	req = self.request()  # fetch the request object
        eid = req.field('eid',None) # tainted request message
	...
	self.writeln("Employee ID:" + eid)


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下 Python 程式碼片段會查詢資料庫中具有指定識別碼的員工,然後列印相對應的員工姓名。


 ...
 cursor.execute("select * from emp where id="+eid)
 row = cursor.fetchone()
 self.writeln('Employee name: ' + row["emp"]')
 ...


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料存放區中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Anti-Cross Site Scripting Library MSDN
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.python.cross_site_scripting_inter_component_communication__cloud_

Access Control: MQ

Abstract
讓使用者輸入控制 MQ 物件描述的欄位可能會造成攻擊者存取或修改受保護的 MQ 資源。
Explanation
開啟 MQ 物件時,如果攻擊者提供數值給應用程式以判斷要執行哪一類型的授權檢查方式,攻擊者試圖開啟無法存取的物件就可能會通過所有 Access Control 檢查。

範例: 以下 COBOL 程式碼片段會從終端機讀取數值,並使用這些數值控制 MQ 物件描述的 MQOD-ALTERNATEUSERIDMQOD-ALTERNATESECURITYID 欄位。


...
10 MQOD.
**    Alternate user identifier
   15 MQOD-ALTERNATEUSERID     PIC X(12).
**    Alternate security identifier
   15 MQOD-ALTERNATESECURITYID PIC X(40).
   ...
...
ACCEPT MQOD-ALTERNATEUSERID.
ACCEPT MQOD-ALTERNATESECURITYID.
CALL 'MQOPEN' USING HCONN, MQOD, OPTS, HOBJ, COMPOCODE REASON.
...


在此範例中,攻擊者可提供數值讓數值通過開啟中 MQ 物件上的 Access Control 檢查。

總之,請勿讓使用者所提供的資料或其他不可信賴的資料控制敏感的值。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 639
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[9] Standards Mapping - FIPS200 AC
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[21] Standards Mapping - OWASP Mobile 2023 M3 Insecure Authentication/Authorization
[22] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.cobol.access_control_mq

Formula Injection

Abstract
攻擊者可能會控制寫入試算表的資料,讓他們能夠將目標鎖定為開啟特定試算表處理器上的檔案的使用者。
Explanation
常見的試算表處理器 (例如 Apache OpenOffice Calc 和 Microsoft Office Excel) 支援功能強大的公式運算,這可能允許攻擊者控制試算表以便在基礎系統上執行任意指令或洩露試算表上的敏感資訊。

例如,攻擊者可能會注入下列裝載做為 CSV 欄位的一部分:=cmd|'/C calc.exe'!Z0。如果開啟試算表 (在此範例中為開啟 Windows 小算盤) 的使用者信任文件來源,則會接受由試算表處理器顯示的所有安全性提示並讓裝載執行於其系統之上。

範例:以下範例顯示使用未經處理的使用者控制的資料產生 CSV 回應的 ASP.NET 控制項:


        public void Service()
        {
             string name = HttpContext.Request["name"];

             string data = GenerateCSVFor(name);
             HttpContext.Response.Clear();
             HttpContext.Response.Buffer = true;
             HttpContext.Response.AddHeader("content-disposition", "attachment;filename=file.csv");
             HttpContext.Response.Charset = "";
             HttpContext.Response.ContentType = "application/csv";
             HttpContext.Response.Output.Write(tainted);
             HttpContext.Response.Flush();
             HttpContext.Response.End();
        }
References
[1] Formula Injection Pentest Magazine
[2] Comma Separated Vulnerabilities Context
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[7] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 1236
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[12] Standards Mapping - FIPS200 SI
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[23] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.dotnet.formula_injection
Abstract
攻擊者可能會控制寫入試算表的資料,讓他們能夠將目標鎖定為開啟特定試算表處理器上的檔案的使用者。
Explanation
常見的試算表處理器 (例如 Apache OpenOffice Calc 和 Microsoft Office Excel) 支援功能強大的公式運算,這可能允許攻擊者控制試算表以便在基礎系統上執行任意指令或洩露試算表上的敏感資訊。

例如,攻擊者可能會注入下列裝載做為 CSV 欄位的一部分:=cmd|'/C calc.exe'!Z0。如果開啟試算表 (在此範例中為開啟 Windows 小算盤) 的使用者信任文件來源,則會接受由試算表處理器顯示的所有安全性提示並讓裝載執行於其系統之上。

範例:以下範例使用用未經處理的使用者控制的資料寫入 csv 檔案:


    func someHandler(w http.ResponseWriter, r *http.Request){
        r.parseForm()
        foo := r.FormValue("foo")
        ...
        w := csv.NewWriter(file)
        w.Write(foo)
    }
References
[1] Formula Injection Pentest Magazine
[2] Comma Separated Vulnerabilities Context
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[7] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 1236
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[12] Standards Mapping - FIPS200 SI
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[23] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.golang.formula_injection
Abstract
攻擊者可能會控制寫入試算表的資料,讓他們能夠將目標鎖定為開啟特定試算表處理器上的檔案的使用者。
Explanation
常見的試算表處理器 (例如 Apache OpenOffice Calc 和 Microsoft Office Excel) 支援功能強大的公式運算,這可能允許攻擊者控制試算表以便在基礎系統上執行任意指令或洩露試算表上的敏感資訊。

例如,攻擊者可能會注入下列裝載做為 CSV 欄位的一部分:=cmd|'/C calc.exe'!Z0。如果開啟試算表 (在此範例中為開啟 Windows 小算盤) 的使用者信任文件來源,則會接受由試算表處理器顯示的所有安全性提示並讓裝載執行於其系統之上。

範例:以下範例顯示使用未經處理的使用者控制的資料產生 CSV 回應的 Spring 控制項:


    @RequestMapping(value = "/api/service.csv")
    public ResponseEntity<String> service(@RequestParam("name") String name) {

        HttpHeaders responseHeaders = new HttpHeaders();
        responseHeaders.add("Content-Type", "application/csv; charset=utf-8");
        responseHeaders.add("Content-Disposition", "attachment;filename=file.csv");

        String data = generateCSVFor(name);

        return new ResponseEntity<>(data, responseHeaders, HttpStatus.OK);
    }
References
[1] Formula Injection Pentest Magazine
[2] Comma Separated Vulnerabilities Context
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[7] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 1236
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[12] Standards Mapping - FIPS200 SI
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[23] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.java.formula_injection
Abstract
攻擊者可能會控制寫入試算表的資料,讓他們能夠將目標鎖定為開啟特定試算表處理器上的檔案的使用者。
Explanation
常見的試算表處理器 (例如 Apache OpenOffice Calc 和 Microsoft Office Excel) 支援功能強大的公式運算,這可能允許攻擊者控制試算表以便在基礎系統上執行任意指令或洩漏試算表上的敏感資訊。

例如,攻擊者可能會注入下列裝載做為 CSV 欄位的一部分:=cmd|'/C calc.exe'!Z0。如果開啟試算表 (在此範例中為開啟 Windows 小算盤) 的使用者信任文件來源,則會接受由試算表處理器顯示的所有安全性提示並讓裝載執行於其系統之上。

範例:以下範例顯示使用未經處理的使用者控制的資料產生 CSV 回應的 Spring 控制項:


    @RequestMapping(value = "/api/service.csv")
    fun service(@RequestParam("name") name: String): ResponseEntity<String> {
        val responseHeaders = HttpHeaders()
        responseHeaders.add("Content-Type", "application/csv; charset=utf-8")
        responseHeaders.add("Content-Disposition", "attachment;filename=file.csv")
        val data: String = generateCSVFor(name)
        return ResponseEntity(data, responseHeaders, HttpStatus.OK)
    }
References
[1] Formula Injection Pentest Magazine
[2] Comma Separated Vulnerabilities Context
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[7] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 1236
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[12] Standards Mapping - FIPS200 SI
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[23] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.kotlin.formula_injection

Unreleased Resource

Abstract
程式可能會無法釋出系統資源。
Explanation
程式可能會無法釋出系統資源。

資源洩漏至少有兩種常見原因:

- 錯誤條件以及其他異常情況。

- 不確定程式的哪一部份負責釋放資源。

大部分的 Unreleased Resource 問題都會導致一般軟體可靠性問題,但是如果攻擊者蓄意觸發資源洩漏的話,攻擊者就可能會藉由耗盡資源集區的方式來發動 Denial of Service 攻擊。

範例 1:以下方法從來不會關閉它所開啟的檔案控制碼。在 StreamReaderFinalize() 方法最終會呼叫 Close(),但不確定何時會呼叫 Finalize() 方法。事實上,不確定是否會呼叫 Finalize()。在忙碌的環境中,這可能會導致 VM 用盡它所有能使用的檔案控制碼。


private void processFile(string fName) {
	StreamWriter sw = new StreamWriter(fName);
	string line;
	while ((line = sr.ReadLine()) != null)
		processLine(line);
}
範例 2:在正常情況下,以下程式碼會執行資料庫查詢,處理資料庫傳回的結果並關閉分配的 SqlConnection 物件。但是,如果在執行 SQL 或處理結果時發生異常,SqlConnection 物件將不會關閉。如果這種情況時常發生的話,那麼資料庫將會用盡可用指標,並且無法再執行任何 SQL 查詢。


        ...
	SqlConnection conn = new SqlConnection(connString);
	SqlCommand cmd = new SqlCommand(queryString);
	cmd.Connection = conn;
	conn.Open();
	SqlDataReader rdr = cmd.ExecuteReader();
	HarvestResults(rdr);
	conn.Connection.Close();
	...
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 772
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 22.1
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[21] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002310 CAT I, APSC-DV-002400 CAT II
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[44] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.dotnet.unreleased_resource
Abstract
程式可能會無法釋出系統資源。
Explanation
程式可能會無法釋出系統資源。

資源洩漏至少有兩種常見原因:

- 錯誤條件以及其他異常情況。

- 不確定程式的哪一部份負責釋放資源。

大部分的 Unreleased Resource 問題都會導致一般軟體可靠性問題,但是如果攻擊者蓄意觸發資源洩漏的話,攻擊者就可能會藉由耗盡資源集區的方式來發動 Denial of Service。

範例:如果產生錯誤的話,以下函數不會關閉其開啟的檔案控制碼。如果處理是長時間存在的,就會耗盡檔案的處理。


int decodeFile(char* fName)
{
    char buf[BUF_SZ];
    FILE* f = fopen(fName, "r");

    if (!f) {
        printf("cannot open %s\n", fName);
        return DECODE_FAIL;
    } else {
        while (fgets(buf, BUF_SZ, f)) {
            if (!checkChecksum(buf)) {
              return DECODE_FAIL;
            } else {
              decodeBlock(buf);
            }
        }
    }
    fclose(f);
    return DECODE_SUCCESS;
}
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 772
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 22.1
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[21] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002310 CAT I, APSC-DV-002400 CAT II
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[44] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.unreleased_resource
Abstract
程式可能會無法釋出系統資源。
Explanation
程式可能會無法釋出系統資源。

資源洩漏至少有兩種常見原因:

- 錯誤條件以及其他異常情況。

- 不確定程式的哪一部分負責釋放資源。

大部分的 Unreleased Resource 問題都會導致一般軟體可靠性問題,如果攻擊者蓄意觸發資源洩漏的話,就可能會藉由耗盡資源集區的方式來發動 Denial of Service 攻擊。

範例:如果發生錯誤,以下程式將無法關閉其開啟的檔案控制代碼。如果此處理程序長時間存留,則處理程序可能會耗盡檔案控制代碼。


  CALL "CBL_CREATE_FILE"
      USING filename
            access-mode
            deny-mode
            device
            file-handle
  END-CALL

  IF return-code NOT = 0
      DISPLAY "Error!"
      GOBACK
  ELSE
      PERFORM write-data
      IF ws-status-code NOT = 0
          DISPLAY "Error!"
          GOBACK
      ELSE
           DISPLAY "Success!"
      END-IF
  END-IF

  CALL "CBL_CLOSE_FILE"
      USING file-handle
  END-CALL

  GOBACK
  .
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 772
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 22.1
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[21] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002310 CAT I, APSC-DV-002400 CAT II
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[44] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cobol.unreleased_resource
Abstract
程式可能會無法釋出系統資源。
Explanation

資源洩漏至少有兩種常見原因:

- 錯誤條件以及其他異常情況。

- 不確定程式的哪一部份負責釋放資源。

大部分的 Unreleased Resource 問題都會導致一般軟體可靠性問題。但是如果攻擊者蓄意觸發資源洩漏的話,攻擊者就可能會藉由耗盡資源集區的方式來發動 Denial of Service 攻擊。

範例 1:下列方法絕對不會關閉它所開啟的通訊端。New() 函數會建立與系統記錄常駐程式的新連線。它是 log.syslog 套件的一部分。每次寫入傳回的寫入器時,都會傳送一則含有指定優先順序 (系統記錄工具和嚴重性的組合) 和字首標籤的記錄訊息。因此,在繁忙的環境中,這可能會導致系統用盡其所有的通訊端。


func TestNew() {

	s, err := New(syslog.LOG_INFO|syslog.LOG_USER, "the_tag")
	if err != nil {
		if err.Error() == "Unix syslog delivery error" {
			fmt.Println("skipping: syslogd not running")
		}
		fmt.Println("New() failed: %s", err)
	}
}
範例 2:在此範例中,net/smtp 套件的 Dial() 方法將傳回一個新用戶端,這個新用戶端會連線到位於 localhost 的 SMTP 伺服器。連線資源會被分配,但永遠不會透過呼叫 Close() 函數來釋放。


	func testDial() {
	   client, _ := smtp.Dial("127.0.0.1")
	   client.Hello("")
	}
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 772
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 22.1
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[21] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002310 CAT I, APSC-DV-002400 CAT II
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[44] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.golang.unreleased_resource
Abstract
程式可能會無法釋出系統資源。
Explanation
程式可能會無法釋出系統資源。

資源洩漏至少有兩種常見原因:

- 錯誤條件以及其他異常情況。

- 不確定程式的哪一部份負責釋放資源。

大部分的 Unreleased Resource 問題都會導致一般軟體可靠性問題,但是如果攻擊者蓄意觸發資源洩漏的話,攻擊者就可能會藉由耗盡資源集區的方式來發動 Denial of Service。

範例:以下函數不會關閉它所開啟的檔案控制碼。如果執行的時間很長,它可能會耗盡所有的檔案控制碼。


BEGIN
...
  F1 := UTL_FILE.FOPEN('user_dir','u12345.tmp','R',256);
  UTL_FILE.GET_LINE(F1,V1,32767);
...
END;
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 772
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 22.1
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[21] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002310 CAT I, APSC-DV-002400 CAT II
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[44] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.sql.unreleased_resource

Intent Manipulation: Mutable Pending Intent

Abstract
偵測到 PendingIntent 的旗標值設為 FLAG_MUTABLE。建立的 Pending Intent 具有 FLAG_MUTABLE 旗標值時,很容易受到下游設定的未指定 Intent 欄位的影響,這可能會修改 Intent 的能力並使系統容易受到攻擊。
Explanation
若允許在建立 PendingIntent 後修改其底層 Intent,可能會使系統容易受到攻擊。這主要取決於底層 Intent 的整體能力。在大多數情況下,最佳方式是將 PendingIntent 旗標設為 FLAG_IMMUTABLE 來防止潛在問題。

範例 1:以下包括建立一個使用 FLAG_MUTABLE 旗標值建立 PendingIntent


...
val intent_flag_mut = Intent(Intent.ACTION_GTALK_SERVICE_DISCONNECTED, Uri.EMPTY, this, DownloadService::class.java)
val flag_mut = PendingIntent.FLAG_MUTABLE

val pi_flagmutable = PendingIntent.getService(
    this,
    0,
    intent_flag_mut,
    flag_mut
)
...
References
[1] Remediation for Implicit PendingIntent Vulnerability
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark partial
[9] Standards Mapping - Common Weakness Enumeration CWE ID 99
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[14] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[45] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.java.intent_manipulation_mutable_pending_intent

PHP Misconfiguration: register_globals Enabled

Abstract
若配置 PHP 為所有的 Environment、GET、POST、cookie 和 Server 變數進行註冊,會導致非預期的運作方式,開啟攻擊者可進入的大門。
Explanation
如果啟用 register_globals 選項,會造成 PHP 對所有的 EGPCS (Environment、GET、POST、Cookie 和 Server) 變數進行全域註冊,使得任何使用者在任何 PHP 程式中都可存取這些變數。如果程式設計師在撰寫程式時啟用此選項,或多或少都會導致察覺不到它們所依賴的原始值,這會導致在正常的環境中產生非預期的運作方式,使程式容易遭受惡意環境中的攻擊者攻擊。由於知道 register_globals 所隱含的安全問題,在 PHP 4.2.0 中該選項的預設為關閉,且在 PHP 6 中捨棄且移除該選項。

範例 1:以下程式碼易受 Cross-site scripting 的攻擊。程式設計師假設 $username 的值來自伺服器控制的階段作業,但是攻擊者可能會為 $username 提供惡意值來取代要求參數。如果啟用 register_globals,此程式碼會在其所產生的動態 HTML 內容中包含由攻擊者傳遞的惡意值。


<?php
if (isset($username)) {
    echo "Hello <b>$username</b>";
} else {
    echo "Hello <b>Guest</b><br />";
    echo "Would you like to login?";

}
?>
References
[1] M. Achour et al. PHP Manual
[2] Artur Maj Securing PHP
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[8] Standards Mapping - CIS Kubernetes Benchmark partial
[9] Standards Mapping - Common Weakness Enumeration CWE ID 473
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[15] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[16] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.php.php_misconfiguration_register_globals

Race Condition: File System Access

Abstract
在檢查檔案屬性和使用檔案的期間內,能夠被用來發動擴大權限的攻擊。
Explanation
File access race condition (也稱為 time-of-check)、time-of-use (TOCTOU) race conditions,在以下情況中出現:

1. 程式檢查檔案特性時,根據名稱來參照檔案。

2.程式稍後會使用相同的檔案名稱執行檔案系統作業,並假設先前檢查的屬性並未變更。
範例 1:以下程式碼來自一個安裝了 setuid root 的程式。程式代表無權限使用者執行了特定的檔案操作,並使用存取檢查來確保它不使用其根權限執行目前使用者不應該執行的操作。程式使用 access() 系統呼叫來檢查在程式開啟檔案和執行必要操作之前,執行程式的使用者是否具有權限去存取這些指定的檔案。


  if (!access(file,W_OK)) {
    f = fopen(file,"w+");
    operate(f);
    ...
  }
  else {
    fprintf(stderr,"Unable to open file %s.\n",file);
  }
access() 呼叫的運作方式在意料之中,而且,如果執行程式的使用者具有必要的權限來編輯檔案,那麼就會回傳 0,其他情況則會回傳-1。無論怎樣,因為 access()fopen() 都是對檔案名稱進行操作,而不是對檔案控制碼進行操作,所以當 file 變數傳送到 fopen() 的時候,就不能保證這個變數仍然能夠像傳送到 access() 的時候那樣參照磁碟上相同的檔案。如果攻擊者在 access() 呼叫之後,用指向不同檔案的一個象徵連結來取代 file,程式就會使用它的根權限對檔進行操作,即使這個檔案攻擊者在其他情況下是無法篡改的。藉由欺騙程式去執行其他情況下不被允許的操作,攻擊者就能取得權限的提高。

這種形式的弱點具有 root 權限,因而沒有受到程式的限制。如果應用程式有能力執行攻擊者在其他情況下不被允許的任何操作,那麼這個程式就是一個可能的攻擊目標。

導致這種攻擊的弱點的間隙是在這段時間內,檔案特性經過測試到檔案被使用為止。即使檔案的使用緊接在測試之後,現代的作業系統也無法確認在程式佔用 CPU 前所執行的程式碼數量。攻擊者有多種技術來延長機會時間的長度,以便更容易地發動攻擊。然而,即使機會時間很短,攻擊企圖也可能一而再地重複,直到成功。

範例 2:以下程式碼會建立檔案,然後變更該檔案的所有者。


    fd = creat(FILE, 0644);  /* Create file */
    if (fd == -1)
        return;
    if (chown(FILE, UID, -1) < 0) {  /* Change file owner */
      ...
    }


此程式碼假設對 chown() 呼叫所操作的檔案與對 creat() 的呼叫所建立的檔案相同,但實際上未必如此。由於 chown() 是針對檔案名稱 (而非檔案控制碼) 進行操作,因此攻擊者可能會使用並非由攻擊者所擁有的檔案連結來取代檔案。隨後,對 chown() 的呼叫會為攻擊者提供所連結檔案的擁有權。
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[10] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-003178
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 11.1.6 Business Logic Security Requirements (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[24] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[25] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001995 CAT II
desc.controlflow.cpp.file_access_race_condition
Abstract
在檢查檔案屬性和使用檔案的期間內,能夠被用來發動擴大權限的攻擊。
Explanation
File access race condition (也稱為 time-of-check)、time-of-use (TOCTOU) race conditions,在以下情況中出現:

1.程式檢查檔案特性時,根據名稱來參照檔案。

2.程式稍後會使用相同的檔案名稱執行檔案系統作業,並假設先前檢查的屬性並未變更。
範例:以下程式呼叫 CBL_CHECK_FILE_EXIST 常式,以在建立檔案之前先檢查檔案是否存在,並執行必要的操作。


  CALL "CBL_CHECK_FILE_EXIST" USING
      filename
      file-details
      RETURNING status-code
  END-CALL

  IF status-code NOT = 0
      MOVE 3 to access-mode
      MOVE 0 to deny-mode
      MOVE 0 to device

      CALL "CBL_CREATE_FILE" USING
          filename
          access-mode
          deny-mode
          device
          file-handle
          RETURNING status-code
      END-CALL
  END-IF
CBL_CHECK_FILE_EXIST 呼叫的運作方式在意料之中,並傳回一個非零值,表示該檔案不存在。不過,因為 CBL_CHECK_FILE_EXISTCBL_CREATE_FILE 都是對檔案名稱進行操作,而不是對檔案控制碼進行操作,所以當 filename 變數傳遞到 CBL_CREATE_FILE 的時候,就不能保證這個變數仍然能夠像傳遞到 CBL_CHECK_FILE_EXIST 的時候那樣參照磁碟上相同的檔案。如果攻擊者在 CBL_CHECK_FILE_EXIST 呼叫後建立 filenameCBL_CREATE_FILE 的呼叫將會失敗,進而導致程式認為該檔案是空的,但實際上它包含由攻擊者控制的資料。

導致這種攻擊的弱點的間隙是在這段時間內,檔案特性經過測試到檔案被使用為止。即使檔案的使用緊接在測試之後,現代的作業系統也無法確認在程式佔用 CPU 前所執行的程式碼數量。攻擊者有多種技術來延長機會時間的長度,以便更容易地發動攻擊。然而,即使機會時間很短,攻擊企圖也可能一而再地重複,直到成功。

這種類型的弱點可能應用於具有 root 權限的程式,以代表無權限使用者執行特定檔案操作,並使用存取測試來確保它沒有使用其根權限來執行操作,這種權限對目前使用者來說在其他情況下是無法取得的。藉由欺騙程式去執行其他情況下不被允許的操作,攻擊者就可能取得提升的權限。
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[10] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-003178
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 11.1.6 Business Logic Security Requirements (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.3 - Terminal Software Attack Mitigation
[24] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362
[25] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001995 CAT II
desc.controlflow.cobol.file_access_race_condition

Cross-Site Scripting: Inter-Component Communication

Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 或行動應用程式。在 Inter-Component Communication XSS 案例中,不可信賴的來源為同一系統上其他元件所接收的資料。在行動環境中,這些是指在同一裝置上執行的應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

有人認為在行動環境中,典型的 Web 應用程式弱點 (例如跨網站指令碼) 不會產生影響,因為使用者為何會攻擊自己呢?但是請謹記,行動平台的本質是從多種來源下載,並在相同裝置上一起執行的應用程式。在金融應用程式旁執行惡意程式碼的可能性很高,這必然會擴大行動應用程式的受攻擊面,將程序之間的通訊包括在內。

範例 1:以下 ASP.NET 程式碼片段會從 HTTP 要求中讀取員工 ID eid,並向使用者顯示。


String eid = Request["eid"];
...
EmployeeID.Text = eid;


其中,EmployeeID 是定義如下的伺服器端 ASP.NET 控制項:


<form runat="server">
   ...
   <asp:Label id="EmployeeID" runat="server"/>
   ...
</form>


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下 ASP.NET 程式碼片段會在資料庫中查詢具有指定 ID 的員工,並列印相應的員工姓名。


...
string name = "";
using (SqlConnection conn = new SqlConnection(_ConnectionString))
{
string eid = Request["eid"];
SqlCommand cmd = new SqlCommand("SELECT * FROM emp WHERE id = @id", conn);
cmd.Parameters.AddWithValue("@id", eid);
conn.Open();
SqlDataReader objReader = cmd.ExecuteReader();

while (objReader.Read())
  {
    name = objReader["name"];
  }
  objReader.Close();
}
...

EmployeeName.Text = name;


其中,EmployeeName 是定義如下的伺服器端 ASP.NET 控制項:


<form runat="server">
   ...
   <asp:Label id="EmployeeName" runat="server"/>
   ...
</form>


Example 2 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

有許多現代的 Web 架構提供執行使用者輸入驗證的機制 (包括 Struts 和 Struts 2)。為了突顯未驗證的輸入來源,Fortify 安全編碼檢查規則會降低 Fortify Static Code Analyzer 所報告之問題的攻擊可能性,並在使用框架驗證機制時提供支援證據的指標,以動態重新排列其優先順序。我們將此功能稱為「內容相關性排名」。為了進一步協助 Fortify 使用者進行稽核程序,Fortify Software 安全研發團隊提供了資料驗證專案範本,該範本會依據套用到其輸入來源的驗證機制,按資料夾對問題進行分組。
References
[1] Anti-Cross Site Scripting Library MSDN
[2] Understanding Malicious Content Mitigation for Web Developers CERT
[3] HTML 4.01 Specification W3
[4] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Attacks on WebView in the Android System
[5] Erika Chin and David Wagner Bifocals: Analyzing WebView Vulnerabilities in Android Applications
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[11] Standards Mapping - CIS Kubernetes Benchmark complete
[12] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[13] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[16] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[17] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[18] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[19] Standards Mapping - FIPS200 SI
[20] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[21] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[22] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[23] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[24] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[27] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[28] Standards Mapping - OWASP Top 10 2021 A03 Injection
[29] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[30] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[31] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[32] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[33] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[40] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[41] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[43] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[44] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[45] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[46] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[47] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[48] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[67] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[68] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[69] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[70] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.dotnet.cross_site_scripting_inter_component_communication
Abstract
傳送未經驗證的資料至網頁瀏覽器,會導致瀏覽器執行惡意程式碼。
Explanation
Cross-Site Scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Inter-Component Communication XSS 案例中,不可信賴的來源為同一系統上其他元件所接收的資料。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料存放區。

2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。


範例 1:以下 Go 程式碼片段會從 HTTP 要求中讀取使用者名稱 user,並向使用者顯示。

func someHandler(w http.ResponseWriter, r *http.Request){
  r.parseForm()
  user := r.FormValue("user")
  ...
  fmt.Fprintln(w, "Username is: ", user)
}


如果 user 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 user 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 2:以下 Go 程式碼片段會查詢資料庫中具有指定 ID 的員工,然後列印相對應的員工姓名。

func someHandler(w http.ResponseWriter, r *http.Request){
  ...
  row := db.QueryRow("SELECT name FROM users WHERE id =" + userid)
  err := row.Scan(&name)
  ...
  fmt.Fprintln(w, "Username is: ", name)
}


Example 1 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果沒有對所有儲存在資料庫中的資料進行適當的輸入驗證,那麼攻擊者即可在使用者的網頁瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其極其隱蔽,會因為間接的資料儲存方式而難以辨別該威脅,並會提高影響多個使用者的可能性。XSS 弱點會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所示,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由網頁瀏覽器執行時,就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 2 所示,應用程式會將危險資料儲存在資料庫或其他可信任的資料存放區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者執行需要權限許可的操作,或者取得存取使用者專屬敏感資料的權限。

- 應用程式以外的來源會在資料庫或是其他資料存放區中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[16] Standards Mapping - FIPS200 SI
[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[43] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[45] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.golang.cross_site_scripting_inter_component_communication
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 或行動應用程式。在 Inter-Component Communication XSS 案例中,不可信賴的來源為同一系統上其他元件所接收的資料。在行動環境中,這些是指在同一裝置上執行的應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

有人認為在行動環境中,典型的 Web 應用程式弱點 (例如跨網站指令碼) 不會產生影響,因為使用者為何會攻擊自己呢?但是請謹記,行動平台的本質是從多種來源下載,並在相同裝置上一起執行的應用程式。在金融應用程式旁執行惡意程式碼的可能性很高,這必然會擴大行動應用程式的受攻擊面,將程序之間的通訊包括在內。

範例 1:以下程式碼會在 Android 的 WebView 中啟用 JavaScript (預設狀況下停用 JavaScript),並根據從 Android 用意接收的值載入頁面。


...
        WebView webview = (WebView) findViewById(R.id.webview);
        webview.getSettings().setJavaScriptEnabled(true);
        String url = this.getIntent().getExtras().getString("url");
        webview.loadUrl(url);
...


url 的值以 javascript: 開頭,隨後的 JavaScript 程式碼將在網頁範圍中的 WebView 內執行。

範例 2:以下 JSP 程式碼片段會從 HTTP 要求中讀取員工識別碼 eid,並將其向使用者顯示。


<% String eid = request.getParameter("eid"); %>
...
Employee ID: <%= eid %>


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 3:以下 JSP 程式碼片段會在資料庫中查詢具有指定識別碼的員工,並列印相應的員工姓名。


<%...
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("select * from emp where id="+eid);
if (rs != null) {
   rs.next();
   String name = rs.getString("name");
}
%>

Employee Name: <%= name %>


Example 2 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,應用程式以外的來源會在資料庫或是其他資料儲存區中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。

- 如 Example 2 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 3 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。

有許多現代的 Web 架構提供執行使用者輸入驗證的機制 (包括 Struts 和 Struts 2)。為了突顯未驗證的輸入來源,Fortify 安全編碼檢查規則會降低 Fortify Static Code Analyzer 所報告之問題的攻擊可能性,並在使用框架驗證機制時提供支援證據的指標,以動態重新排列其優先順序。我們將此功能稱為「內容相關性排名」。為了進一步協助 Fortify 使用者進行稽核程序,Fortify Software 安全研發團隊提供了資料驗證專案範本,該範本會依據套用到其輸入來源的驗證機制,按資料夾對問題進行分組。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Attacks on WebView in the Android System
[4] Erika Chin and David Wagner Bifocals: Analyzing WebView Vulnerabilities in Android Applications
[5] INJECT-3: XML and HTML generation requires care Oracle
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[11] Standards Mapping - CIS Kubernetes Benchmark complete
[12] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[13] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[16] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[17] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[18] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[19] Standards Mapping - FIPS200 SI
[20] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[21] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[22] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[23] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[24] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[27] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[28] Standards Mapping - OWASP Top 10 2021 A03 Injection
[29] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[30] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[31] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[32] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[33] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[40] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[41] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[43] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[44] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[45] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[46] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[47] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[48] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[67] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[68] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[69] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[70] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.java.cross_site_scripting_inter_component_communication
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-Site Scripting (XSS) 弱點會在以下情況中出現:

1.資料從一個不可信賴的來源進入 Web 應用程式。在 Inter-Component Communication XSS 案例中,不可信賴的來源為同一系統上其他元件所接收的資料。在行動環境中,這些是指在同一裝置上執行的應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料存放區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

有人認為在行動環境中,典型的 Web 應用程式弱點 (例如跨網站指令碼) 不會產生影響,因為使用者為何會攻擊自己呢?但是請謹記,行動平台的本質是從多種來源下載,並在相同裝置上一起執行的應用程式。在金融應用程式旁執行惡意程式碼的可能性很高,這必然會擴大行動應用程式的受攻擊面,將程序之間的通訊包括在內。

範例 1:以下程式碼會在 Android 的 WebView 中啟用 JavaScript (JavaScript 預設為停用),並根據從 Android 用意接收的值載入頁面。


...
        val webview = findViewById<View>(R.id.webview) as WebView
        webview.settings.javaScriptEnabled = true
        val url = this.intent.extras!!.getString("url")
        webview.loadUrl(url)
...


url 的值以 javascript: 開頭,隨後的 JavaScript 程式碼將在網頁範圍中的 WebView 內執行。

範例 2:以下程式碼會從 HTTP servlet 要求讀取員工識別碼 eid,然後在 servlet 的回應中向使用者顯示其值。


val eid: String = request.getParameter("eid")
...
val out: ServletOutputStream = response.getOutputStream()
out.print("Employee ID: $eid")
...
out.close()
...


如果 eid 只包含標準英數字元,則這個範例中的程式碼會正確地執行。如果 eid 中有包含中繼字元或來源程式碼中的值,那麼網路瀏覽器就會像顯示 HTTP 回應那樣執行程式碼。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的電腦中輸入會執行惡意程式碼的 URL?其實,真正的危險在於攻擊者會建立惡意的 URL,接著使用電子郵件或社交工程病毒誘騙受害者透過連結前往該 URL。當受害者按下該連結時,他們即不知不覺地透過易受攻擊的 Web 應用程式,將惡意內容資訊帶回他們自己的電腦。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 3:以下的程式碼片段,會根據所給予的識別碼在資料庫中查詢員工,並在 servlet 的回應中列印對應的員工姓名。


val stmt: Statement = conn.createStatement()
val rs: ResultSet = stmt.executeQuery("select * from emp where id=$eid")
rs.next()
val name: String = rs.getString("name")
...
val out: ServletOutputStream = response.getOutputStream()
out.print("Employee Name: $name")
...
out.close()
...


Example 2 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,應用程式以外的來源會在資料庫或是其他資料儲存區中儲存危險資料,且之後這些危險資料會被當作信賴的資料回讀到應用程式,並會包含在動態內容中。

- 如 Example 2 所述,會直接從 HTTP 要求中讀取資料,並在 HTTP 回應中回傳資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 3 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。


有許多現代的 Web 架構提供執行使用者輸入驗證的機制 (包括 Struts 和 Spring MVC)。為了突顯未驗證的輸入來源,Fortify 安全編碼檢查規則會降低 Fortify Static Code Analyzer 所報告之問題的攻擊可能性,並在使用框架驗證機制時提供支援證據的指標,以動態重新排列其優先順序。我們將此功能稱為「內容相關性排名」。為了進一步協助 Fortify 使用者進行稽核程序,Fortify Software 安全研發團隊提供了資料驗證專案範本,該範本會依據套用到其輸入來源的驗證機制,按資料夾對問題進行分組。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Attacks on WebView in the Android System
[4] Erika Chin and David Wagner Bifocals: Analyzing WebView Vulnerabilities in Android Applications
[5] INJECT-3: XML and HTML generation requires care Oracle
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[8] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[9] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[10] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[11] Standards Mapping - CIS Kubernetes Benchmark complete
[12] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[13] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[16] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[17] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[18] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[19] Standards Mapping - FIPS200 SI
[20] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[21] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[22] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[23] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[24] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[27] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[28] Standards Mapping - OWASP Top 10 2021 A03 Injection
[29] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[30] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[31] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[32] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[33] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[40] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[41] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[43] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[44] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[45] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[46] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[47] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[48] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[67] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[68] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[69] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[70] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.kotlin.cross_site_scripting_inter_component_communication
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1. 資料從一個不可信賴的來源進入 Web 或行動應用程式。在 Inter-Component Communication XSS 案例中,不可信賴的來源為同一系統上其他元件所接收的資料。在行動環境中,這些是指在同一裝置上執行的應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

有人認為在行動環境中,典型的 Web 應用程式弱點 (例如跨網站指令碼) 不會產生影響,因為使用者為何會攻擊自己呢?但是請謹記,行動平台的本質是從多種來源下載,並在相同裝置上一起執行的應用程式。在金融應用程式旁執行惡意程式碼的可能性很高,這必然會擴大行動應用程式的受攻擊面,將程序之間的通訊包括在內。

範例 1:以下程式碼可讓應用程式在含有資料的 WKWebView 中,從使用應用程式自訂 URL 架構的 URL 要求載入 html 頁面:

AppDelegate.m:

...
@property (strong, nonatomic) NSString *webContentFromURL;
...
- (BOOL)application:(UIApplication *)application openURL:(NSURL *)url sourceApplication:(NSString *)sourceApplication annotation:(id)annotation {
  ...
  [self setWebContentFromURL:[url host]];
  ...
...


ViewController.m

...
@property (strong, nonatomic) WKWebView *webView;
...
AppDelegate *appDelegate = (AppDelegate *)[[UIApplication sharedApplication] delegate];
...
[_webView loadHTMLString:appDelegate.webContentFromURL] baseURL:nil];
...


由於傳遞到 loadHTMLString: 的字串是使用者可控制的,並且 WKWebView 內依預設已啟用 JavaScript,因此使用者可透過使用應用程式自訂 URL 架構的要求,將任意內容 (包括可執行檔指令碼) 寫入 WKWebView。

範例 2:以下程式碼會讀取 UITextField 的內容,並在 WKWebView 中將其顯示給使用者:


...
@property (strong, nonatomic) WKWebView *webView;
@property (strong, nonatomic) UITextField *inputTextField;
...
[_webView loadHTMLString:_inputTextField.text baseURL:nil];
...


如果 inputTextField 中的文字只包含標準英數字元,這個範例中的程式碼便會正常運作而不會有問題。如果 inputTextField 中的文字包括中繼字元或原始程式碼,那麼網路瀏覽器就會像顯示 HTTP 回應那樣,可能會將輸入當成程式碼來執行。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的裝置上提供會導致惡意程式碼執行的輸入?真正的危險在於攻擊者可能使用電子郵件或社交工程病毒誘騙受害者執行此類動作。當這樣的誘騙成功,受害者就在不知情的情況下,透過易受攻擊的 Web 應用程式,將惡意內容帶回他們自己的裝置。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 3:以下程式碼片段會查詢資料庫中具有指定識別碼的員工,然後將值輸出於 WKWebView 的顯示內容中。


...
@property (strong, nonatomic) WKWebView *webView;
...
NSFetchRequest *fetchRequest = [[NSFetchRequest alloc] init];
NSEntityDescription *entity = [NSEntityDescription entityForName:@"Employee" inManagedObjectContext:context];
[fetchRequest setEntity:entity];

NSArray *fetchedObjects = [context executeFetchRequest:fetchRequest error:&error];
for (NSManagedObject *info in fetchedObjects) {
  NSString msg = @"Hello, " + [info valueForKey:@"name"];
  [_webView loadHTMLString:msg baseURL:nil]
  ...
}
...


Example 2 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,目標應用程式以外的來源會使用目標應用程式的自訂 URL 架構提出 URL 要求,之後來自此 URL 要求的未驗證資料會被當作信賴的資料讀回到應用程式,並會包含在動態內容中。

- 如 Example 2 所述,會直接從使用者可控制的 UI 元件讀取資料,並在 HTTP 回應中傳回資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 3 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] MWR Labs Continued Adventures with iOS UIWebViews
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[43] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[45] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[46] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[67] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[68] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.objc.cross_site_scripting_inter_component_communication
Abstract
傳送未經驗證的資料至網路瀏覽器,會導致瀏覽器執行惡意的程式碼。
Explanation
Cross-site scripting (XSS) 弱點會在以下情況中出現:

1. 資料從一個不可信賴的來源進入 Web 或行動應用程式。在 Inter-Component Communication XSS 案例中,不可信賴的來源為同一系統上其他元件所接收的資料。在行動環境中,這些是指在同一裝置上執行的應用程式。在 Reflected XSS 案例中,不可信賴的來源通常為網頁要求,而在 Persisted XSS (也可稱為 Stored XSS) 案例中,來源通常為資料庫或其他後端資料儲存區。


2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現,但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡,但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容,或者利用易受攻擊的網站,在使用者的機器上執行其他惡意操作。

有人認為在行動環境中,典型的 Web 應用程式弱點 (例如跨網站指令碼) 不會產生影響,因為使用者為何會攻擊自己呢?但是請謹記,行動平台的本質是從多種來源下載,並在相同裝置上一起執行的應用程式。在金融應用程式旁執行惡意程式碼的可能性很高,這必然會擴大行動應用程式的受攻擊面,將程序之間的通訊包括在內。

範例 1:以下程式碼可讓應用程式在含有資料的 WKWebView 中,從使用應用程式自訂 URL 架構的 URL 要求載入 html 頁面:


...
func application(app: UIApplication, openURL url: NSURL, options: [String : AnyObject]) -> Bool {
    ...
    let name = getQueryStringParameter(url.absoluteString, "name")
    let html = "Hi \(name)"
    let webView = WKWebView()
    webView.loadHTMLString(html, baseURL:nil)
    ...
}
func getQueryStringParameter(url: String?, param: String) -> String? {
    if let url = url, urlComponents = NSURLComponents(string: url), queryItems = (urlComponents.queryItems as? [NSURLQueryItem]) {
        return queryItems.filter({ (item) in item.name == param }).first?.value!
    }
    return nil
}
...


由於傳遞到 loadHTMLString: 的字串是使用者可控制的,並且 WKWebView 內依預設已啟用 JavaScript,因此使用者可透過使用應用程式自訂 URL 架構的要求,將任意內容 (包括可執行檔指令碼) 寫入 WKWebView。

範例 2:以下程式碼會讀取 UITextField 的內容,並在 WKWebView 中將其顯示給使用者:


...
let webView : WKWebView
let inputTextField : UITextField
webView.loadHTMLString(inputTextField.text, baseURL:nil)
...


如果 inputTextField 中的文字只包含標準英數字元,這個範例中的程式碼便會正常運作而不會有問題。如果 inputTextField 中的文字包括中繼字元或原始程式碼,那麼網路瀏覽器就會像顯示 HTTP 回應那樣,可能會將輸入當成程式碼來執行。

一開始,這似乎不會輕易受到攻擊。畢竟,誰會在自己的裝置上提供會導致惡意程式碼執行的輸入?真正的危險在於攻擊者可能使用電子郵件或社交工程病毒誘騙受害者執行此類動作。當這樣的誘騙成功,受害者就在不知情的情況下,透過易受攻擊的 Web 應用程式,將惡意內容帶回他們自己的裝置。這個利用易受攻擊的 Web 應用程式進行攻擊的機制就是通常所知的 Reflected XSS。

範例 3:以下程式碼片段會查詢資料庫中具有指定識別碼的員工,然後將值輸出於 WKWebView 的顯示內容中。


let fetchRequest = NSFetchRequest()
let entity = NSEntityDescription.entityForName("Employee", inManagedObjectContext: managedContext)
fetchRequest.entity = entity
do {
    let results = try managedContext.executeFetchRequest(fetchRequest)
    let result : NSManagedObject = results.first!
    let name : String = result.valueForKey("name")
    let msg : String = "Hello, \(name)"
    let webView : UIWebView = UIWebView()
    webView.loadHTMLString(msg, baseURL:nil)
} catch let error as NSError {
    print("Error \(error)")
}


Example 2 所述,name 的值正常運作時,此程式碼也會正常運作,但如果該值不正常運作,則會完全無法避免程式碼遭受攻擊。此外,這個程式碼之所以看似不那麼危險,是因為 name 的值是從資料庫中讀取的,而顯然這些內容是由應用程式管理的。但是,如果 name 的值是從使用者提供的資料中產生,那麼資料庫可能會成為提供惡意內容的管道。如果未對資料庫中儲存的所有資料進行適當的輸入驗證,那麼攻擊者可能在使用者的網路瀏覽器中執行惡意指令。這類型的攻擊稱為 Persistent XSS (或 Stored XSS),其性質特別狡詐,因為間接的資料儲存方式而難以辨別該威脅,且該攻擊影響多個使用者的可能性可能提高。XSS 盜取會從存取提供造訪者訪客留名簿 (guestbook) 的網站開始。攻擊者會在他們的訪客留名簿項目中加入 JavaScript,所有後來前往訪客留名簿頁面的造訪者都可能會執行這些惡意程式碼。

如同範例中所示,XSS 的弱點是由 HTTP 回應中包含未經驗證資料的程式碼所引起的。XSS 攻擊有三種途徑可攻擊受害者:

- 如 Example 1 所述,目標應用程式以外的來源會使用目標應用程式的自訂 URL 架構提出 URL 要求,之後來自此 URL 要求的未驗證資料會被當作信賴的資料讀回到應用程式,並會包含在動態內容中。

- 如 Example 2 所述,會直接從使用者可控制的 UI 元件讀取資料,並在 HTTP 回應中傳回資料。當攻擊者誘使使用者提供危險內容給易受攻擊的 Web 應用程式,接著這些危險內容就會回傳給使用者並由在網路瀏覽器中執行,這時就會出現 Reflected XSS 攻擊行為。傳遞惡意內容最常用的機制就是,將惡意內容當作參數隱藏在公開發表的 URL 中,或者以電子郵件方式直接傳送給受害者。以這種方法建立的 URL 會構成許多網路釣魚 (phishing) 架構的核心,攻擊者可以藉此誘使受害者去造訪一個指向到易受攻擊網站的 URL。網站將攻擊者的內容回傳給使用者之後,就會執行這些內容,並接著從使用者的電腦將可能包含階段作業資訊的 Cookie 之類的私人資訊傳給攻擊者,或者執行其他惡意活動。

- 如 Example 3 所述,應用程式會將危險資料儲存到資料庫或其他可信任的資料儲存區中。這些危險資料隨後會被回讀到應用程式,並包含在動態內容中。Persistent XSS 攻擊會在以下情況出現:攻擊者把危險內容插入到之後會讀取的資料儲存區中,並包含在動態內容中。從攻擊者的角度來看,插入惡意內容的最佳位置莫過於一個會對很多使用者或特別感興趣的使用者顯示的區域。感興趣的使用者通常會在應用程式中擁有較高的權限,或者會與敏感資料進行互動,且這些資料對攻擊者而言很有利用價值。如果其中一個使用者執行了惡意內容,攻擊者可能會代替使用者去執行需要權限許可的作業,或者取得存取使用者專屬敏感資料的權限。
References
[1] Understanding Malicious Content Mitigation for Web Developers CERT
[2] HTML 4.01 Specification W3
[3] MWR Labs Continued Adventures with iOS UIWebViews
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[11] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[12] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[13] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[14] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[15] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[17] Standards Mapping - FIPS200 SI
[18] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[21] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[22] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[23] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[24] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)
[25] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)
[26] Standards Mapping - OWASP Top 10 2021 A03 Injection
[27] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[28] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[29] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation
[30] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[31] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[43] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[44] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[45] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[46] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[67] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[68] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.swift.cross_site_scripting_inter_component_communication

Dangerous Function: xp_cmdshell

Abstract
無法安全地使用 xp_cmdshell 函數。不應使用該函數。
Explanation
某些函數無論使用方法為何,都有危險性。xp_cmdshell 函數會啟動 Windows 指令 shell,以執行提供的指令字串。該指令會在預設系統或提供的代理伺服器環境中執行。但是,沒有方法可以將使用者限制為預先指定的權限操作組合,任何權限授予都會開放使用者執行任何指令字串。
References
[1] xp_cmdshell
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - Common Weakness Enumeration CWE ID 242
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
[19] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[20] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.semantic.sql.dangerous_function_xp_cmdshell

GCP Terraform Misconfiguration: Permissive Firewall

Abstract
Terraform 組態定義了一個 VPC 防火牆規則,該規則允許傳入連線到安全性敏感的連接埠。
Explanation
未能封鎖不需要的網路流量,將會擴大雲端服務的受攻擊面。開放與公眾互動的服務會受到惡意實體幾乎連續的掃描和探測。
References
[1] HashiCorp google_compute_firewall
[2] Google Cloud VPC firewall rules overview
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 749
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege
[14] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_permissive_firewall

Possible Variable Overwrite

Abstract
這將會覆寫變數,但也等於是為攻擊者製造機會。
Explanation
函數若可覆寫已初始化的變數,則會讓攻擊者得以影響依賴已覆寫變數的程式碼執行。
可以覆寫變數。

範例 1:若攻擊者在以下 ColdFusion 程式碼區段中為 varName 提供惡意值,則呼叫 SetVariable() 時可能會覆寫包括 #first# 在內的任意變數。在此案例中,若包含 JavaScript 的惡意值覆寫 #first#,此程式會容易受到 Cross-Site Scripting 攻擊。 


<cfset first = "User">
<cfscript>
SetVariable(url.varName, url.varValue);
</cfscript>
<cfoutput>
#first#
</cfoutput>
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - CIS Kubernetes Benchmark partial
[7] Standards Mapping - Common Weakness Enumeration CWE ID 473
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[18] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II
desc.dataflow.cfml.possible_variable_overwrite