CWE-90 – Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)

Description

The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
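As an added example (not part of the CWE entry), the following Python shows the weakness and its fix side by side: a search filter built by raw concatenation next to one whose assertion value is escaped as RFC 4515 requires. The function names, the filter shape and the sample input are assumptions made for this example.

```python
# Added example: RFC 4515 escaping of LDAP filter assertion values.
# Characters that RFC 4515 requires to be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it can only match literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(username: str) -> str:
    """Vulnerable form (CWE-90): raw concatenation, so '(', ')' and '*' in the
    input become part of the filter's structure instead of part of the value."""
    return f"(&(objectClass=person)(uid={username}))"


def build_user_filter(username: str) -> str:
    """Hardened form: the value is escaped before it is spliced into the filter."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def count_filter_components(ldap_filter: str) -> int:
    """Count '(' characters. In a correctly escaped filter every '(' was written
    by the code itself, so the count must not depend on the user input."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    sample = "a*b(c)d\\e"  # constructed input containing filter metacharacters
    for builder in (build_user_filter_unsafe, build_user_filter):
        flt = builder(sample)
        print(builder.__name__, count_filter_components(flt), flt)
```

With the constructed input the unescaped filter grows a fourth component (the input's own parentheses), while the escaped filter always has exactly the three components the code wrote. Escaping is the floor; validating the username against the expected syntax (for example, letters, digits and a few punctuation characters) before it reaches the filter removes the metacharacters altogether.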

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-943

Consequences

Confidentiality, Integrity, Availability: Execute Unauthorized Code or Commands, Read Application Data, Modify Application Data

An attacker could include input that changes the LDAP query which allows unintended commands or code to be executed, allows sensitive data to be read or modified or causes other unintended behavior.

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

CVE References

  • CVE-2005-2301
    • Server does not properly escape LDAP queries, which allows remote attackers to cause a DoS and possibly conduct an LDAP injection attack.

CWE-9 – J2EE Misconfiguration: Weak Access Permissions for EJB Methods

Description

If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the software system.

If the EJB deployment descriptor contains one or more method permissions that grant access to the special ANYONE role, it indicates that access control for the application has not been fully thought through or that the application is structured in such a way that reasonable access control restrictions are impossible.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-266

Consequences

Other: Other

Potential Mitigations

Phase: Architecture and Design, System Configuration

Effectiveness:

Description: 

Follow the principle of least privilege when assigning access rights to EJB methods. Permission to invoke EJB methods should not be granted to the ANYONE role.

CVE References

CWE-89 – Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Description

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-943
CWE-74

Consequences

Confidentiality: Read Application Data

Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL injection vulnerabilities.

Access Control: Bypass Protection Mechanism

If poorly constructed SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no prior knowledge of that user's password.

Access Control: Bypass Protection Mechanism

If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL injection vulnerability.

Integrity: Modify Application Data

Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL injection attack.

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Architecture and Design, Operation

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Phase: Implementation

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
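Added example (not from the CWE entry) in Python with the standard-library sqlite3 module: the concatenating query beside a parameterized one, plus the indirect-reference map described in the mitigation above. The table, its rows, the report map and the function names are constructed for this example.

```python
import sqlite3

# Constructed indirect-reference map: callers pass a small numeric key, never a path.
REPORT_FILES = {1: "quarterly.pdf", 2: "annual.pdf"}


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def find_role_unsafe(conn: sqlite3.Connection, name: str):
    """Vulnerable (CWE-89): the user-controlled name is spliced into the SQL text,
    so any quote character in it changes the statement instead of the value."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_role(conn: sqlite3.Connection, name: str):
    """Hardened: a bound parameter travels apart from the statement text, so quotes
    or keywords inside `name` stay data and can never alter the query's structure."""
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def unsafe_fails_on(conn: sqlite3.Connection, name: str) -> bool:
    """True when the concatenating query cannot even handle `name` as a literal."""
    try:
        find_role_unsafe(conn, name)
    except sqlite3.Error:
        return True
    return False


def resolve_report(raw_id: str) -> str:
    """The fixed-map mitigation: only keys of REPORT_FILES are accepted; every other
    input, numeric or not, is rejected before it could name a file."""
    if not raw_id.isdigit():
        raise ValueError("report id must be a non-negative integer")
    key = int(raw_id)
    if key not in REPORT_FILES:
        raise ValueError("unknown report id")
    return REPORT_FILES[key]


def report_id_is_valid(raw_id: str) -> bool:
    try:
        resolve_report(raw_id)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    conn = make_db()
    print(find_role(conn, "o'brien"), unsafe_fails_on(conn, "o'brien"))
    print(resolve_report("2"), report_id_is_valid("../etc"))
```

The legitimate name `o'brien` is enough to break the concatenating query: the same mechanism that makes it fail on an apostrophe is what lets crafted input rewrite the statement. The parameterized form returns the row, and the report lookup never sees a filename from the client at all.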

Phase: Implementation

Effectiveness:

Description: 

Phase: Operation

Effectiveness: Moderate

Description: 

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth.

An application firewall might not cover all possible input vectors. In addition, attack techniques might be available to bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives those inputs. Depending on functionality, an application firewall might inadvertently reject or modify legitimate requests. Finally, some manual effort may be required for customization.

Phase: Operation, Implementation

Effectiveness:

Description: 

When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

CVE References

  • CVE-2004-0366
    • chain: SQL injection in library intended for database authentication allows SQL injection and authentication bypass.
  • CVE-2008-2790
    • SQL injection through an ID that was supposed to be numeric.
  • CVE-2008-2223
    • SQL injection through an ID that was supposed to be numeric.
  • CVE-2003-0377
    • SQL injection in security product, using a crafted group name.
  • CVE-2017-11508
    • SQL injection in vulnerability management and reporting tool, using a crafted password.

CWE-88 – Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’)

Description

The software constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit:

Related Weaknesses

CWE-77
CWE-74

Consequences

Confidentiality, Integrity, Availability, Other: Execute Unauthorized Code or Commands, Alter Execution Logic, Read Application Data, Modify Application Data

An attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified or could cause other unintended behavior.

Potential Mitigations

Phase: Implementation

Effectiveness: High

Description: 

Where possible, avoid building a single string that contains the command and its arguments. Some languages or frameworks have functions that support specifying independent arguments, e.g. as an array, which is used to automatically perform the appropriate quoting or escaping while building the command. For example, in PHP, escapeshellarg() can be used to escape a single argument to system(), or exec() can be called with an array of arguments. In C, code can often be refactored from using system() – which accepts a single string – to using exec(), which requires separate function arguments for each parameter.
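Added example, not from the CWE entry, of the array-based approach in Python: subprocess receives argv as a list (no shell is involved), each user value is validated so that none can be parsed as an option, and the code's own options are separated from the operands with `--` for tools that honour it. The helper names and the use of the Python interpreter as the child program are assumptions made for this example.

```python
import json
import subprocess
import sys


def validate_operand(value: str) -> str:
    """Reject a user-supplied value that could be read as an option or truncate argv."""
    if "\x00" in value:
        raise ValueError("NUL byte in argument")
    if value.startswith("-"):
        raise ValueError("argument would be interpreted as an option")
    return value


def is_safe_operand(value: str) -> bool:
    try:
        validate_operand(value)
    except ValueError:
        return False
    return True


def build_argv(program: str, fixed_options: list, user_values: list,
               end_of_options: bool = True) -> list:
    """Assemble argv: the program, options chosen by the code, then user operands.
    Each user value is one argv element, so spaces and shell metacharacters in it
    are inert; '--' (when the tool supports it) ends option parsing as well."""
    operands = [validate_operand(v) for v in user_values]
    separator = ["--"] if end_of_options else []
    return [program, *fixed_options, *separator, *operands]


def echo_args(user_values: list) -> list:
    """Run a child that reports its argv, using the interpreter itself so the
    example works offline; Python's -c takes no '--', hence end_of_options=False."""
    argv = build_argv(
        sys.executable,
        ["-c", "import json, sys; print(json.dumps(sys.argv[1:]))"],
        user_values,
        end_of_options=False,
    )
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    print(build_argv("grep", ["-n"], ["pattern", "notes.txt"]))
    print(echo_args(["hello world", "a;b|c", "$(x)"]))
    print(is_safe_operand("-froot"))  # the CVE-1999-0113 shape is refused
```

The child process receives `hello world`, `a;b|c` and `$(x)` exactly as three arguments, because nothing between the list and execve interprets them. The leading-dash check is what stops the `-froot` pattern from the CVE list: even when `--` cannot be used, an operand that begins with `-` never reaches the command line.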

Phase: Architecture and Design

Effectiveness:

Description: 

Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, request headers as well as content, URL components, e-mail, files, databases, and any external systems that provide data to the application. Perform input validation at well-defined interfaces.

Phase: Implementation

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

Directly convert your input type into the expected data type, such as using a conversion function that translates a string into a number. After converting to the expected data type, ensure that the input’s values fall within the expected range of allowable values and that multi-field consistencies are maintained.

Phase: Implementation

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

When exchanging data between components, ensure that both components are using the same character encoding. Ensure that the proper encoding is applied at each interface. Explicitly set the encoding you are using whenever the protocol allows you to do so.

Phase: Implementation

Effectiveness:

Description: 

When your application combines data from multiple sources, perform the validation after the sources have been combined. The individual data elements may pass the validation step but violate the intended restrictions after they have been combined.

Phase: Testing

Effectiveness:

Description: 

Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.

Phase: Testing

Effectiveness:

Description: 

Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software’s operation may slow down, but it should not become unstable, crash, or generate incorrect results.

CVE References

  • CVE-1999-0113
    • Canonical Example – “-froot” argument is passed on to another program, where the “-f” causes execution as user “root”
  • CVE-2001-0150
    • Web browser executes Telnet sessions using command line arguments that are specified by the web site, which could allow remote attackers to execute arbitrary commands.
  • CVE-2001-0667
    • Web browser allows remote attackers to execute commands by spawning Telnet with a log file option on the command line and writing arbitrary code into an executable file which is later executed.
  • CVE-2002-0985
    • Argument injection vulnerability in the mail function for PHP may allow attackers to bypass safe mode restrictions and modify command line arguments to the MTA (e.g. sendmail) possibly executing commands.
  • CVE-2003-0907
    • Help and Support Center in Windows does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an “hcp://” URL.
  • CVE-2004-0121
    • Mail client does not sufficiently filter parameters of mailto: URLs when using them as arguments to mail executable, which allows remote attackers to execute arbitrary programs.
  • CVE-2004-0473
    • Web browser doesn’t filter “-” when invoking various commands, allowing command-line switches to be specified.
  • CVE-2004-0480
    • Mail client allows remote attackers to execute arbitrary code via a URI that uses a UNC network share pathname to provide an alternate configuration file.
  • CVE-2004-0489
    • SSH URI handler for web browser allows remote attackers to execute arbitrary code or conduct port forwarding via a command line option.
  • CVE-2004-0411
    • Web browser doesn’t filter “-” when invoking various commands, allowing command-line switches to be specified.
  • CVE-2005-4699
    • Argument injection vulnerability in TellMe 1.2 and earlier allows remote attackers to modify command line arguments for the Whois program and obtain sensitive information via "--" style options in the q_Host parameter.
  • CVE-2006-1865
    • Beagle before 0.2.5 can produce certain insecure command lines to launch external helper applications while indexing, which allows attackers to execute arbitrary commands. NOTE: it is not immediately clear whether this issue involves argument injection, shell metacharacters, or other issues.
  • CVE-2006-2056
    • Argument injection vulnerability in Internet Explorer 6 for Windows XP SP2 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API.
  • CVE-2006-2057
    • Argument injection vulnerability in Mozilla Firefox 1.0.6 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API.
  • CVE-2006-2058
    • Argument injection vulnerability in Avant Browser 10.1 Build 17 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment. NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API.
  • CVE-2006-2312
    • Argument injection vulnerability in the URI handler in Skype 2.0.*.104 and 2.5.*.0 through 2.5.*.78 for Windows allows remote authorized attackers to download arbitrary files via a URL that contains certain command-line switches.
  • CVE-2006-3015
    • Argument injection vulnerability in WinSCP 3.8.1 build 328 allows remote attackers to upload or download arbitrary files via encoded spaces and double-quote characters in a scp or sftp URI.
  • CVE-2006-4692
    • Argument injection vulnerability in the Windows Object Packager (packager.exe) in Microsoft Windows XP SP1 and SP2 and Server 2003 SP1 and earlier allows remote user-assisted attackers to execute arbitrary commands via a crafted file with a “/” (slash) character in the filename of the Command Line property, followed by a valid file extension, which causes the command before the slash to be executed, aka “Object Packager Dialogue Spoofing Vulnerability.”
  • CVE-2006-6597
    • Argument injection vulnerability in HyperAccess 8.4 allows user-assisted remote attackers to execute arbitrary vbscript and commands via the /r option in a telnet:// URI, which is configured to use hawin32.exe.
  • CVE-2007-0882
    • Argument injection vulnerability in the telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client “-f” sequences as valid requests for the login program to skip authentication, which allows remote attackers to log into certain accounts, as demonstrated by the bin account.
  • CVE-2001-1246
    • Language interpreter’s mail function accepts another argument that is concatenated to a string used in a dangerous popen() call. Since there is no neutralization of this argument, both OS Command Injection (CWE-78) and Argument Injection (CWE-88) are possible.
  • CVE-2019-13475
    • Argument injection allows execution of arbitrary commands by injecting a “-exec” option, which is executed by the command.
  • CVE-2016-10033
    • Argument injection in mail-processing function allows writing unexpected files and executing programs using technically valid email addresses that insert “-o” and “-X” switches.

CWE-87 – Improper Neutralization of Alternate XSS Syntax

Description

The software does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-79

Consequences

Confidentiality, Integrity, Availability: Read Application Data, Execute Unauthorized Code or Commands

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Resolve all input to absolute or canonical representations before processing.

Phase: Implementation

Effectiveness:

Description: 

Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.

Phase: Implementation

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

With Struts, write all data from form beans with the bean’s filter attribute set to true.

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

To help mitigate XSS attacks against the user’s session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user’s session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CVE References

CWE-863 – Incorrect Authorization

Description

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement ACLs in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users, where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: “No access”, “Read access”, “Change access”, and “Full control”. Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-285
CWE-284

Consequences

Confidentiality: Read Application Data, Read Files or Directories

An attacker could read sensitive data, either by reading the data directly from a data store that is not correctly restricted, or by accessing insufficiently-protected, privileged functionality to read the data.

Integrity: Modify Application Data, Modify Files or Directories

An attacker could modify sensitive data, either by writing the data directly to a data store that is not correctly restricted, or by accessing insufficiently-protected, privileged functionality to write the data.

Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism

An attacker could gain privileges by modifying or reading critical data directly, or by accessing privileged functionality.

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient’s doctor [REF-7].

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: System Configuration, Installation

Effectiveness:

Description: 

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a “default deny” policy when defining these ACLs.

CVE References

  • CVE-2019-15900
    • Chain: sscanf() call is used to check whether a username and group exist, but the return value of the sscanf() call is not checked (CWE-252), causing an uninitialized variable to be checked (CWE-457), returning success to allow authorization bypass for executing a privileged (CWE-863).
  • CVE-2009-2213
    • Gateway uses default “Allow” configuration for its authorization settings.
  • CVE-2009-0034
    • Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.
  • CVE-2008-6123
    • Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.
  • CVE-2008-7109
    • Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.
  • CVE-2008-3424
    • Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.
  • CVE-2008-4577
    • ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.
  • CVE-2006-6679
    • Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.
  • CVE-2005-2801
    • Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.
  • CVE-2001-1155
    • Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.

CWE-862 – Missing Authorization

Description

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

An access control list (ACL) represents who/what has permissions to a given object. Different operating systems implement ACLs in different ways. In UNIX, there are three types of permissions: read, write, and execute. Users are divided into three classes for file access: owner, group owner, and all other users, where each class has a separate set of rights. In Windows NT, there are four basic types of permissions for files: “No access”, “Read access”, “Change access”, and “Full control”. Windows NT extends the concept of three types of users in UNIX to include a list of users and groups along with their associated permissions. A user can create an object (file) and assign specified permissions to that object.

Modes of Introduction:

– Architecture and Design

Likelihood of Exploit: High

Related Weaknesses

CWE-285
CWE-284

Consequences

Confidentiality: Read Application Data, Read Files or Directories

An attacker could read sensitive data, either by reading the data directly from a data store that is not restricted, or by accessing insufficiently-protected, privileged functionality to read the data.

Integrity: Modify Application Data, Modify Files or Directories

An attacker could modify sensitive data, either by writing the data directly to a data store that is not restricted, or by accessing insufficiently-protected, privileged functionality to write the data.

Access Control: Gain Privileges or Assume Identity, Bypass Protection Mechanism

An attacker could gain privileges by modifying or reading critical data directly, or by accessing privileged functionality.

Potential Mitigations

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient’s doctor [REF-7].

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: Architecture and Design

Effectiveness:

Description: 

Phase: System Configuration, Installation

Effectiveness:

Description: 

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a “default deny” policy when defining these ACLs.
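Added example (not from the CWE-863 or CWE-862 entries) of the medical-records case used in the mitigation text above, in Python: the coarse role check that CWE-863 describes, the object-level check tied to the business rule (the patient or the treating doctor only, default deny), and an enforcement point that every read must pass through, which is what a CWE-862 system lacks. The dataclasses, sample users and sample record are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset


@dataclass(frozen=True)
class MedicalRecord:
    record_id: str
    patient_id: str
    doctor_id: str  # the treating doctor


class AccessDenied(PermissionError):
    pass


def can_read_record_role_only(user: User, record: MedicalRecord) -> bool:
    """Incorrect check (CWE-863): a generic role test lets any doctor read any
    patient's record, because it never looks at the record itself."""
    return "doctor" in user.roles or user.user_id == record.patient_id


def can_read_record(user: User, record: MedicalRecord) -> bool:
    """Business-logic check: the patient, or the doctor assigned to this record.
    Everything not listed here is denied."""
    if user.user_id == record.patient_id:
        return True
    if "doctor" in user.roles and user.user_id == record.doctor_id:
        return True
    return False  # default deny


def read_record(user: User, record: MedicalRecord) -> MedicalRecord:
    """Single enforcement point: a read that skips this call is the CWE-862 case."""
    if not can_read_record(user, record):
        raise AccessDenied(f"{user.user_id} may not read record {record.record_id}")
    return record


def visible_records(user: User, store: list) -> list:
    """Filter a record store through the same check so listings cannot leak
    records the user could not read individually."""
    return [r for r in store if can_read_record(user, r)]


# Constructed sample principals and records.
ALICE = User("alice", frozenset({"patient"}))
DR_BOB = User("dr_bob", frozenset({"doctor"}))
DR_CAROL = User("dr_carol", frozenset({"doctor"}))
RECORDS = [
    MedicalRecord("rec-1", patient_id="alice", doctor_id="dr_bob"),
    MedicalRecord("rec-2", patient_id="dave", doctor_id="dr_carol"),
]

if __name__ == "__main__":
    for who in (ALICE, DR_BOB, DR_CAROL):
        print(who.user_id, [r.record_id for r in visible_records(who, RECORDS)],
              "role-only would allow rec-1:", can_read_record_role_only(who, RECORDS[0]))
```

Dr. Carol holds the doctor role but is not assigned to rec-1; the role-only check lets her read it, the object-level check does not. Keeping the decision in one function that the listing and the single-record path both call is what makes "default deny" hold across the application rather than in one handler.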

CVE References

  • CVE-2009-3168
    • Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords.
  • CVE-2009-3597
    • Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request.
  • CVE-2009-2282
    • Terminal server does not check authorization for guest access.
  • CVE-2008-5027
    • System monitoring software allows users to bypass authorization by creating custom forms.
  • CVE-2009-3781
    • Content management system does not check access permissions for private files, allowing others to view those files.
  • CVE-2008-6548
    • Product does not check the ACL of a page accessed using an “include” directive, allowing attackers to read unauthorized files.
  • CVE-2009-2960
    • Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users.
  • CVE-2009-3230
    • Database server does not use appropriate privileges for certain sensitive operations.
  • CVE-2009-2213
    • Gateway uses default “Allow” configuration for its authorization settings.
  • CVE-2009-0034
    • Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.
  • CVE-2008-6123
    • Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.
  • CVE-2008-7109
    • Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.
  • CVE-2008-3424
    • Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.
  • CVE-2005-1036
    • Chain: Bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap.
  • CVE-2008-4577
    • ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.
  • CVE-2007-2925
    • Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries.
  • CVE-2006-6679
    • Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.
  • CVE-2005-3623
    • OS kernel does not check for a certain privilege before setting ACLs for files.
  • CVE-2005-2801
    • Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.
  • CVE-2001-1155
    • Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.
  • CVE-2020-17533
    • Chain: unchecked return value (CWE-252) of some functions for policy enforcement leads to authorization bypass (CWE-862).

CWE-86 – Improper Neutralization of Invalid Characters in Identifiers in Web Pages

Description

The software does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.

Some web browsers may remove these sequences, resulting in output that may have unintended control implications. For example, the software may attempt to remove a “javascript:” URI scheme, but a “java%00script:” URI may bypass this check and still be rendered as active javascript by some browsers, allowing XSS or other attacks.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-79
CWE-184
CWE-436

Consequences

Confidentiality, Integrity, Availability: Read Application Data, Execute Unauthorized Code or Commands

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

To help mitigate XSS attacks against the user’s session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user’s session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CVE References

  • CVE-2004-0595
    • XSS filter doesn’t filter null characters before looking for dangerous tags, which are ignored by web browsers. Multiple Interpretation Error (MIE) and validate-before-cleanse.

CWE-85 – Doubled Character XSS Manipulations

Description

The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-79
CWE-675

Consequences

Confidentiality, Integrity, Availability: Read Application Data, Execute Unauthorized Code or Commands

Potential Mitigations

Phase: Implementation

Effectiveness:

Description: 

Resolve all filtered input to absolute or canonical representations before processing.

Phase: Implementation

Effectiveness:

Description: 

Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.
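Added example (not from the CWE-85, CWE-86 or CWE-87 entries) in Python of "resolve to canonical form, then allowlist", which is the mitigation the three entries share: percent-decoding until the value stops changing, Unicode NFKC normalisation and removal of control characters such as the NUL in the `java%00script:` case from CWE-86, followed by a scheme allowlist. The naive "strip the token once" filter that doubled characters defeat (CWE-85) is shown beside it. The scheme allowlist, helper names and sample inputs are assumptions made for this example.

```python
import unicodedata
from urllib.parse import unquote

SAFE_SCHEMES = {"http", "https", "mailto"}  # constructed allowlist for this example


def canonicalize(value: str) -> str:
    """Bring the input to one canonical form before any check is applied:
    decode percent-encoding until stable, apply NFKC, drop control characters
    (Unicode category C*, which includes NUL and zero-width format characters)."""
    cur = value
    for _ in range(5):  # bounded so hostile input cannot keep the loop busy
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    cur = unicodedata.normalize("NFKC", cur)
    return "".join(ch for ch in cur if not unicodedata.category(ch).startswith("C"))


def naive_filter(value: str) -> str:
    """The pattern CWE-85 and CWE-86 describe: remove one dangerous token from the
    raw input and trust whatever is left. Doubling the token survives it."""
    return value.replace("javascript:", "", 1)


def safe_link_target(value: str) -> str:
    """Allowlist check on the canonical form: only an absolute URI whose scheme is
    approved is returned; everything else is rejected rather than cleaned."""
    canon = canonicalize(value)
    scheme, sep, _ = canon.partition(":")
    if not sep or scheme.lower() not in SAFE_SCHEMES:
        raise ValueError("URI scheme not allowed: %r" % scheme)
    return canon


def is_safe_link(value: str) -> bool:
    try:
        safe_link_target(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the CWE-86 NUL case, a double-encoded variant, a doubled token.
    for sample in ("java%00script:x", "java%2500script:x", "jjavascript:avascript:x",
                   "HTTPS://example.com/"):
        print(repr(sample), "->", repr(canonicalize(sample)),
              "naive:", repr(naive_filter(sample)), "allowed:", is_safe_link(sample))
```

The doubled input comes out of the naive filter as exactly the token it was meant to remove, and the NUL variant passes through it untouched because the raw bytes never matched; both are rejected by the allowlist because the decision is made on the canonical value. The allowlist here accepts only absolute URIs, so relative references would need their own rule, and output encoding at render time is still required regardless of what validation accepts.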

Phase: Implementation

Effectiveness:

Description: 

Phase: Implementation

Effectiveness:

Description: 

With Struts, write all data from form beans with the bean’s filter attribute set to true.

Phase: Implementation

Effectiveness: Defense in Depth

Description: 

To help mitigate XSS attacks against the user’s session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user’s session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CVE References

Description

The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

Modes of Introduction:

– Implementation

Likelihood of Exploit:

Related Weaknesses

CWE-704
CWE-119

Consequences

Availability, Integrity, Confidentiality: Read Memory, Modify Memory, Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart

When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution.

Potential Mitigations

CVE References

  • CVE-2010-4577
    • Type confusion in CSS sequence leads to out-of-bounds read.
  • CVE-2011-0611
    • Size inconsistency allows code execution, first discovered when it was actively exploited in-the-wild.
  • CVE-2010-0258
    • Improperly-parsed file containing records of different types leads to code execution when a memory location is interpreted as a different object than intended.
