Using user input to control a resource identifier lets an attacker access or modify other, otherwise protected, system resources.
Resource injection occurs when both of the following conditions are met:
1. The attacker can specify the identifier used to access a system resource.
For example, the attacker may be able to specify the port number used to connect to a network resource.
2. By specifying a particular resource, the attacker gains a capability that would not otherwise be available.
For example, the program may allow the attacker to transmit sensitive information to a third-party server.
Note: Resource injection that involves resources stored in the filesystem is reported (by Fortify) under a separate category, path manipulation, since the resource is named by a path. See the path manipulation description for details of that vulnerability.
Example: The following code establishes a socket using a port number read from an HTTP request.
...
Begin MSWinsockLib.Winsock tcpServer
...
Dim Response As Response
Dim Request As Request
Dim Session As Session
Dim Application As Application
Dim Server As Server
Dim Port As Variant
Set Response = objContext("Response")
Set Request = objContext("Request")
Set Session = objContext("Session")
Set Application = objContext("Application")
Set Server = objContext("Server")
Set Port = Request.Form("port")      ' untrusted value taken straight from the HTTP form
...
tcpServer.LocalPort = Port           ' attacker-chosen port is bound without any validation
tcpServer.Accept
...
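As an added example (not Fortify's code and not a port of the VB snippet above), the same step in Python with the missing checks: the untrusted form value is parsed strictly, then compared against a server-side allow-list, and an indirect-reference variant lets the client name a service rather than a port. The port numbers and service keys are constructed values.

```python
# Ports this server is permitted to listen on. Constructed example values: the
# real allow-list belongs to the deployment configuration, never to the client.
ALLOWED_LISTEN_PORTS = frozenset({8080, 8443})

# Indirect references: the client names a service, the server maps it to a port,
# so no port number ever crosses the trust boundary. Hypothetical keys.
SERVICE_PORTS = {"web": 8080, "web-tls": 8443}


def parse_port(raw: str) -> int:
    """Strictly parse an untrusted form field into a TCP port number.

    Accepts only ASCII decimal digits (no sign, whitespace or padding) and
    rejects anything outside 1..65535. Port 0 ("let the OS pick") is refused
    because it would silently move the listener somewhere unexpected."""
    # str.isdigit() is True for non-ASCII digits such as Arabic-Indic ones,
    # and int() would happily convert them, so require ASCII explicitly.
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit():
        raise ValueError("port must be a decimal integer")
    if len(raw) > 5:  # cheap guard before int(): rejects "000008080"-style padding
        raise ValueError("port has too many digits")
    port = int(raw)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return port


def resolve_listen_port(raw: str) -> int:
    """Equivalent of Request.Form("port") -> LocalPort with the missing check:
    the parsed value must be on the server-side allow-list."""
    port = parse_port(raw)
    if port not in ALLOWED_LISTEN_PORTS:
        raise ValueError(f"port {port} is not an allowed listen port")
    return port


def resolve_service_port(service: str) -> int:
    """Indirect-reference variant: map a client-supplied service name to the
    port configured for it; unknown names are rejected rather than guessed."""
    try:
        return SERVICE_PORTS[service]
    except KeyError:
        raise ValueError("unknown service") from None
```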