All posts by rocco

CWE-113 – Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’)

Read Time:2 Minute, 0 Second

Description

The software receives data from an upstream component, but does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-93
CWE-79
CWE-20

 

Consequences

Integrity, Access Control: Modify Application Data, Gain Privileges or Assume Identity

CR and LF characters in an HTTP header may give attackers control of the remaining headers and body of the response the application intends to send, as well as allowing them to create additional responses entirely under their control.

 

Potential Mitigations

Phase: Implementation

Description: 

Construct HTTP headers very carefully, avoiding the use of non-validated input data.

Phase: Implementation

Description: 

Phase: Implementation

Description: 

Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2004-2146
    • Application accepts CRLF in an object ID, allowing HTTP response splitting.
  • CVE-2004-1620
    • HTTP response splitting via CRLF in parameter related to URL.
  • CVE-2004-1656
    • HTTP response splitting via CRLF in parameter related to URL.
  • CVE-2005-2060
    • Bulletin board allows response splitting via CRLF in parameter.
  • CVE-2005-2065
    • Bulletin board allows response splitting via CRLF in parameter.
  • CVE-2005-1951
    • Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting.
  • CVE-2004-1687
    • Chain: HTTP response splitting via CRLF in parameter related to URL.

CWE-114 – Process Control

Read Time:1 Minute, 37 Second

Description

Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.

Process control vulnerabilities take two forms: 1. An attacker can change the command that the program executes: the attacker explicitly controls what the command is. 2. An attacker can change the environment in which the command executes: the attacker implicitly controls what the command means. Process control vulnerabilities of the first type occur when either data enters the application from an untrusted source and the data is used as part of a string representing a command that is executed by the application. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-73
CWE-20

 

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Libraries that are loaded should be well understood and come from a trusted source. The application can execute code contained in the native libraries, which often contain calls that are susceptible to other security problems, such as buffer overflows or command injection. All native libraries should be validated to determine if the application requires the use of the library. It is very difficult to determine what these native libraries actually do, and the potential for malicious code is high. In addition, the potential for an inadvertent mistake in these native libraries is also high, as many are written in C or C++ and may be susceptible to buffer overflow or race condition problems. To help prevent buffer overflow attacks, validate all input to native calls for content and length. If the native library does not come from a trusted source, review the source code of the library. The library should be built from the reviewed source before using it.

CVE References

CWE-115 – Misinterpretation of Input

Read Time:22 Second

Description

The software misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-436

 

Consequences

Integrity: Unexpected State

 

Potential Mitigations

CVE References

  • CVE-2005-2225
    • Product sees dangerous file extension in free text of a group discussion, disconnects all users.
  • CVE-2001-0003
    • Product does not correctly import and process security settings from another product.

CWE-116 – Improper Encoding or Escaping of Output

Read Time:2 Minute, 51 Second

Description

The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-707
CWE-74

 

Consequences

Integrity: Modify Application Data

The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.

Integrity, Confidentiality, Availability, Access Control: Execute Unauthorized Code or Commands

The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.

Confidentiality: Bypass Protection Mechanism

The communications between components can be modified in unexpected ways. Unexpected commands can be executed, bypassing other security mechanisms. Incoming data can be misinterpreted.

 

Potential Mitigations

Phase: Architecture and Design

Description: 

Phase: Architecture and Design

Description: 

Phase: Architecture and Design, Implementation

Description: 

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

Phase: Architecture and Design

Description: 

In some cases, input validation may be an important strategy when output encoding is not a complete solution. For example, you may be providing the same output that will be processed by multiple consumers that use different encodings or representations. In other cases, you may be required to allow user-supplied input to contain control information, such as limited HTML tags that support formatting in a wiki or bulletin board. When this type of requirement must be met, use an extremely strict allowlist to limit which control sequences can be used. Verify that the resulting syntactic structure is what you expect. Use your normal encoding methods for the remainder of the input.

Phase: Architecture and Design

Description: 

Use input validation as a defense-in-depth measure to reduce the likelihood of output encoding errors (see CWE-20).

Phase: Requirements

Description: 

Fully specify which encodings are required by components that will be communicating with each other.

Phase: Implementation

Description: 

When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.

CVE References

  • CVE-2008-4636
    • OS command injection in backup software using shell metacharacters in a filename; correct behavior would require that this filename could not be changed.
  • CVE-2008-0769
    • Web application does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding.
  • CVE-2008-0005
    • Program does not set the charset when sending a page to a browser, allowing for XSS exploitation when a browser chooses an unexpected encoding.
  • CVE-2008-5573
    • SQL injection via password parameter; a strong password might contain “&”
  • CVE-2008-3773
    • Cross-site scripting in chat application via a message subject, which normally might contain “&” and other XSS-related characters.
  • CVE-2008-0757
    • Cross-site scripting in chat application via a message, which normally might be allowed to contain arbitrary content.

CWE-1164 – Irrelevant Code

Read Time:19 Second

Description

The program contains code that is not essential for execution,
i.e. makes no state changes and has no side effects that alter
data or control flow, such that removal of the code would have no impact
to functionality or correctness.

Modes of Introduction:

 

 

Related Weaknesses

CWE-710

 

Consequences

Other: Reduce Reliability

Other: Reduce Performance

 

Potential Mitigations

CVE References

CWE-117 – Improper Output Neutralization for Logs

Read Time:2 Minute, 11 Second

Description

The software does not neutralize or incorrectly neutralizes output that is written to logs.

Applications typically use log files to store a history of events or transactions for later review, statistics gathering, or debugging. Depending on the nature of the application, the task of reviewing log files may be performed manually on an as-needed basis or automated with a tool that automatically culls logs for important events or trending information.

Modes of Introduction:

– Implementation

 

Likelihood of Exploit: Medium

 

Related Weaknesses

CWE-116
CWE-20

 

Consequences

Integrity, Confidentiality, Availability, Non-Repudiation: Modify Application Data, Hide Activities, Execute Unauthorized Code or Commands

Interpretation of the log files may be hindered or misdirected if an attacker can supply data to the application that is subsequently logged verbatim. In the most benign case, an attacker may be able to insert false entries into the log file by providing the application with input that includes appropriate characters. Forged or otherwise corrupted log files can be used to cover an attacker’s tracks, possibly by skewing statistics, or even to implicate another party in the commission of a malicious act. If the log file is processed automatically, the attacker can render the file unusable by corrupting the format of the file or injecting unexpected characters. An attacker may inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility.

 

Potential Mitigations

Phase: Implementation

Description: 

Phase: Implementation

Description: 

Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.

Phase: Implementation

Description: 

Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

CVE References

  • CVE-2006-4624
    • Chain: inject fake log entries with fake timestamps using CRLF injection

CWE-1173 – Improper Use of Validation Framework

Read Time:54 Second

Description

The application does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library.

Many modern coding languages provide developers with input validation frameworks to make the task of input validation easier and less error-prone. These frameworks will automatically check all input against specified criteria and direct execution to error handlers when invalid input is received. The improper use (i.e., an incorrect implementation or missing altogether) of these frameworks is not directly exploitable, but can lead to an exploitable condition if proper input validation is not performed later in the application. Not using provided input validation frameworks can also hurt the maintainability of code as future developers may not recognize the downstream input validation being used in the place of the validation framework.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-20

 

Consequences

Integrity: Unexpected State

Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others.

 

Potential Mitigations

Phase: Implementation

Description: 

Properly use provided input validation frameworks.

CVE References

CWE-1174 – ASP.NET Misconfiguration: Improper Model Validation

Read Time:15 Second

Description

The ASP.NET application does not use, or incorrectly uses, the model validation framework.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-1173

 

Consequences

Integrity: Unexpected State

Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others.

 

Potential Mitigations

CVE References

CWE-1176 – Inefficient CPU Computation

Read Time:17 Second

Description

The program performs CPU computations using
algorithms that are not as efficient as they could be for the
needs of the developer, i.e., the computations can be
optimized further.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-405

 

Consequences

Availability: DoS: Resource Consumption (CPU)

Other: Reduce Performance

 

Potential Mitigations

CVE References