Dynamic Code Evaluation: Code Injection
Abstract:
The file ext-all-debug.js interprets unvalidated user input as source code on line 11304. Interpreting user-controlled instructions at run time gives an attacker the opportunity to execute malicious code.
Explanation:
Many modern programming languages allow dynamic interpretation of source code instructions. This lets programmers execute dynamic instructions based on user input. A code injection vulnerability arises when the programmer incorrectly assumes that instructions supplied directly by the user will perform only harmless operations, such as simple calculations on the current user object or modifications of the user's state: without proper validation, the operations the user specifies may not be what the programmer originally intended.
Example: In this classic code injection example, the application implements a basic calculator that lets the user specify the command to execute.
...
userOp = form.operation.value;   // untrusted: taken straight from the form field
calcResult = eval(userOp);       // the untrusted string is interpreted as JavaScript
...
If the value of the operation parameter is benign, the program runs normally. For example, when the value is "8 + 7 * 2", the calcResult variable is assigned the value 22. However, if an attacker specifies language operations that are both valid and malicious, those operations are executed with the full privileges of the parent process. The attack is even more dangerous if the underlying language provides access to system resources or allows system commands to be executed. For JavaScript, an attacker can also use this vulnerability to carry out cross-site scripting attacks.
Instance ID: 76CA8A4FC1DFDFEC36C23CECC2DB3FF9
Priority Metadata Values:
IMPACT: 5.0
LIKELIHOOD: 3.07
Legacy Priority Metadata Values:
SEVERITY: 4.0
CONFIDENCE: 4.8
Remediation Effort: 4.0
----------------------------------------------------------------------
Recommendations:
Dynamic interpretation of code should be avoided whenever possible. If the program's functionality requires code to be interpreted dynamically, the likelihood of this attack can be minimized by limiting the amount of code the program executes dynamically as much as possible, and by restricting such code to the subset of the underlying programming language that the specific application and context require.
If dynamic code must be executed, the application should never directly execute or interpret unvalidated user input. Use an indirect approach instead: create a list of legitimate operations and data objects that the user is allowed to specify, and permit the user only to select from that list. With this approach, user-supplied input is never executed directly.
References:
[1] Standards Mapping - Common Weakness Enumeration, CWE ID 95, CWE ID 494
[2] Standards Mapping - FIPS200, SI
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4, SI-10 Information Input Validation (P1)
[4] Standards Mapping - OWASP Mobile Top 10 Risks 2014, M7 Client Side Injection
[5] Standards Mapping - OWASP Top 10 2004, A6 Injection Flaws
[6] Standards Mapping - OWASP Top 10 2007, A2 Injection Flaws
[7] Standards Mapping - OWASP Top 10 2010, A1 Injection
[8] Standards Mapping - OWASP Top 10 2013, A1 Injection
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1, Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2, Requirement 6.3.1.1, Requirement 6.5.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0, Requirement 6.5.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0, Requirement 6.5.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1, Requirement 6.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2, Requirement 6.5.1
[15] Standards Mapping - SANS Top 25 2009, Insecure Interaction - CWE ID 116
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1, APP3510 CAT I, APP3570 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.10, APP3510 CAT I, APP3570 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4, APP3510 CAT I, APP3570 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5, APP3510 CAT I, APP3570 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6, APP3510 CAT I, APP3570 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7, APP3510 CAT I, APP3570 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9, APP3510 CAT I, APP3570 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 4.1, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[24] Standards Mapping - Web Application Security Consortium Version 2.00, Improper Input Handling (WASC-20)