在運行時中解析用戶控制的指令,會讓攻擊者有機會執行惡意代碼。
許多現代編程語言都允許動態解析源代碼指令。這使得程序員可以執行基于用戶輸入的動態指令。當程序員錯誤地認為由用戶直接提供的指令僅會執行一些無害的操作時(如對當前的用戶對象進行簡單的計算或修改用戶的狀態),就會出現 code injection 漏洞:然而,若不經過適當的驗證,用戶指定的操作可能并不是程序員最初所期望的。
例:在這個經典的 code injection 實例中,應用程序可以實施一個基本的計算器,該計算器允許用戶指定執行命令。
...
ScriptEngineManager scriptEngineManager = new ScriptEngineManager();
ScriptEngine scriptEngine = scriptEngineManager.getEngineByExtension("js");
userOps = request.getParameter("operation");
Object result = scriptEngine.eval(userOps);
...
operation 參數的值為良性值,程序就可以正常運行。例如,當該值為 "8 + 7 * 2" 時,result 變量被賦予的值將為 22。然而,如果攻擊者指定的語言操作既有可能是有效的,又有可能是惡意的,那么,只有在對主進程具有完全權限的情況下才能執行這些操作。如果底層語言提供了訪問系統資源的途徑或允許執行系統命令,這種攻擊甚至會更加危險。例如,Javascript 允許調用 Java 對象;如果攻擊者計劃將 " java.System.RunTime.exec("shutdown -h now")" 的值指定為 operation,主機系統就會執行關機命令。
[1] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A1 Injection
[2] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input
[3] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A2 Injection Flaws
[4] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A3 Malicious File Execution
[5] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A6 Injection Flaws
[6] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I, APP3570 CAT I
[7] Standards Mapping - Security Technical Implementation Guide Version 3.4 - (STIG 3.4) APP3510 CAT I, APP3570 CAT I
[8] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 94
[9] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 95
[10] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 116
[11] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 116, Risky Resource Management - CWE ID 094
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1, Requirement 6.5.2
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1, Requirement 6.5.3
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.6
[18] Standards Mapping - FIPS200 - (FISMA) SI