All posts by rocco

CWE

CWE-176 – Improper Handling of Unicode Encoding

Read Time:50 Second

Description

The software does not properly handle when an input contains Unicode encoding.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-172

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2000-0884
    • Server allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain Unicode encoded characters.
  • CVE-2001-0709
    • Server allows a remote attacker to obtain source code of ASP files via a URL encoded with Unicode.
CWE

CWE-177 – Improper Handling of URL Encoding (Hex Encoding)

Read Time:1 Minute, 21 Second

Description

The software does not properly handle when all or part of an input has been URL encoded.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-172

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2000-0900
    • Hex-encoded path traversal variants – “%2e%2e”, “%2e%2e%2f”, “%5c%2e%2e”
  • CVE-2005-2256
    • Hex-encoded path traversal variants – “%2e%2e”, “%2e%2e%2f”, “%5c%2e%2e”
  • CVE-2004-2121
    • Hex-encoded path traversal variants – “%2e%2e”, “%2e%2e%2f”, “%5c%2e%2e”
  • CVE-2004-0072
    • “%5c” (encoded backslash) and “%2e” (encoded dot) sequences
CWE

CWE-178 – Improper Handling of Case Sensitivity

Read Time:2 Minute, 48 Second

Description

The software does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-706
CWE-706
CWE-433
CWE-289

 

Consequences

Access Control: Bypass Protection Mechanism

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2000-0499
    • Application server allows attackers to bypass execution of a jsp page and read the source code using an upper case JSP extension in the request.
  • CVE-2000-0497
    • The server is case sensitive, so filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype “text”.
  • CVE-2000-0498
    • The server is case sensitive, so filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype “text”.
  • CVE-2001-0766
    • A URL that contains some characters whose case is not matched by the server’s filters may bypass access restrictions because the case-insensitive file system will then handle the request after it bypasses the case sensitive filter.
  • CVE-2001-0795
    • Server allows remote attackers to obtain source code of CGI scripts via URLs that contain MS-DOS conventions such as (1) upper case letters or (2) 8.3 file names.
  • CVE-2001-1238
    • Task Manager does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3) smss.exe and (4) services.exe via the Process tab which could allow local users to install Trojan horses that cannot be stopped.
  • CVE-2003-0411
    • chain: Code was ported from a case-sensitive Unix platform to a case-insensitive Windows platform where filetype handlers treat .jsp and .JSP as different extensions. JSP source code may be read because .JSP defaults to the filetype “text”.
  • CVE-1999-0239
    • Directories may be listed because lower case web requests are not properly handled by the server.
  • CVE-2005-0269
    • File extension check in forum software only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters.
  • CVE-2004-1083
    • Web server restricts access to files in a case sensitive manner, but the filesystem accesses files in a case insensitive manner, which allows remote attackers to read privileged files using alternate capitalization.
  • CVE-2002-2119
    • Case insensitive passwords lead to search space reduction.
  • CVE-2004-2214
    • HTTP server allows bypass of access restrictions using URIs with mixed case.
  • CVE-2005-4509
    • Bypass malicious script detection by using tokens that aren’t case sensitive.
  • CVE-2002-1820
    • Mixed case problem allows “admin” to have “Admin” rights (alternate name property).
  • CVE-2007-3365
    • Chain: uppercase file extensions causes web server to return script source code instead of executing the script.
CWE

CWE-1385 – Missing Origin Validation in WebSockets

Read Time:2 Minute, 12 Second

Description

The software uses a WebSocket, but it does not properly verify that the source of data or communication is valid.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-346

 

Consequences

Confidentiality, Integrity, Availability, Non-Repudiation, Access Control: Varies by Context, Gain Privileges or Assume Identity, Bypass Protection Mechanism, Read Application Data, Modify Application Data, DoS: Crash, Exit, or Restart

The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could effectively perform any operations as the victim. If the victim is an administrator or privileged user, the consequences may include obtaining complete control over the web application – deleting or stealing data, uninstalling the product, or using it to launch other attacks against all of the product’s users. Because the attacker has the identity of the victim, the scope of the CSRF is limited only by the victim’s privileges.

 

Potential Mitigations

Phase: Implementation

Description: 

Enable CORS-like access restrictions by verifying the ‘Origin’ header during the WebSocket handshake.

Phase: Implementation

Description: 

Use a randomized CSRF token to verify requests.

Phase: Implementation

Description: 

Use TLS to securely communicate using ‘wss’ (WebSocket Secure) instead of ‘ws’.

Phase: Architecture and Design, Implementation

Description: 

Require user authentication prior to the WebSocket connection being established. For example, the WS library in Node has a ‘verifyClient’ function.

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

Leverage rate limiting to prevent against DoS. Use of the leaky bucket algorithm can help with this.

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

Use a library that provides restriction of the payload size. For example, WS library for Node includes ‘maxPayloadoption’ that can be set.

Phase: Implementation

Description: 

Treat data/input as untrusted in both directions and apply the same data/input sanitization as XSS, SQLi, etc.

CVE References

  • CVE-2020-25095
    • web console for SIEM product does not check Origin header, allowing Cross Site WebSocket Hijacking (CSWH)
  • CVE-2018-6651
    • Chain: gaming client attempts to validate the Origin header, but only uses a substring, allowing Cross-Site WebSocket hijacking by forcing requests from an origin whose hostname is a substring of the valid origin.
  • CVE-2018-14730
    • WebSocket server does not check the origin of requests, allowing attackers to steal developer’s code using a ws://127.0.0.1:3123/ connection.
  • CVE-2018-14731
    • WebSocket server does not check the origin of requests, allowing attackers to steal developer’s code using a ws://127.0.0.1/ connection to a randomized port number.
  • CVE-2018-14732
    • WebSocket server does not check the origin of requests, allowing attackers to steal developer’s code using a ws://127.0.0.1:8080/ connection.
CWE

CWE-14 – Compiler Removal of Code to Clear Buffers

Read Time:42 Second

Description

Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka “dead store removal.”

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-733

 

Consequences

Confidentiality, Access Control: Read Memory, Bypass Protection Mechanism

This weakness will allow data that has not been cleared from memory to be read. If this data contains sensitive password information, then an attacker can read the password and use the information to bypass protection mechanisms.

 

Potential Mitigations

Phase: Implementation

Description: 

Store the sensitive data in a “volatile” memory location if available.

Phase: Build and Compilation

Description: 

If possible, configure your compiler so that it does not remove dead stores.

Phase: Architecture and Design

Description: 

Where possible, encrypt sensitive data that are used by a software system.

CVE References

CWE

CWE-140 – Improper Neutralization of Delimiters

Read Time:1 Minute, 7 Second

Description

The software does not neutralize or incorrectly neutralizes delimiters.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-138

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase: Implementation

Description: 

Developers should anticipate that delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

CWE

CWE-141 – Improper Neutralization of Parameter/Argument Delimiters

Read Time:1 Minute, 24 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.

As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-140

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that parameter/argument delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2003-0307
    • Attacker inserts field separator into input to specify admin privileges.
CWE

CWE-142 – Improper Neutralization of Value Delimiters

Read Time:1 Minute, 24 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component.

As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-140

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that value delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2000-0293
    • Multiple internal space, insufficient quoting – program does not use proper delimiter between values.
CWE

CWE-143 – Improper Neutralization of Record Delimiters

Read Time:1 Minute, 28 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component.

As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-140

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that record delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2004-1982
    • Carriage returns in subject field allow adding new records to data file.
  • CVE-2001-0527
    • Attacker inserts carriage returns and “|” field separator characters to add new user/privileges.
CWE

CWE-144 – Improper Neutralization of Line Delimiters

Read Time:1 Minute, 25 Second

Description

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream component.

As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-140
CWE-93

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

Phase:

Description: 

Developers should anticipate that line delimiters will be injected/removed/manipulated in the input vectors of their software system. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2002-0267
    • Linebreak in field of PHP script allows admin privileges when written to data file.