Unsafe Reflection

ABSTRACT

攻擊者會創建一個意想不到且貫穿于整個應用程序的控制流路徑，從而逃避潛在的安全檢查。

EXPLANATION

若攻擊者可以為應用程序提供確定實例化哪個類或調用哪個方法的參數值，那么就有可能創建一個貫穿于整個應用程序的控制流路徑，而該路徑并非是應用程序開發者最初設計的。這種攻擊途徑可能使攻擊者避開 authentication 或 access control 檢測，或使應用程序以一種意想不到的方式運行。即使狡猾的攻擊者只能控制傳送給指定函數或構造函數的參數，也有可能會成功地發起攻擊。


示例：各種程序使用 CallByName 的一個共同原因是，為了實施各自的命令發送器。以下示例顯示了一個沒有使用 CallByName 函數的命令發送器：

...
Dim ctl As String
Dim ao As new Worker
ctl = Request.Form("ctl")
If String.Compare(ctl,"Add") = 0 Then
	ao.DoAddCommand Request
Else If String.Compare(ctl,"Modify") = 0 Then
	ao.DoModifyCommand Request
Else
	App.EventLog "No Action Found", 4
End If
...

...
Dim ctl As String
Dim ao As Worker
ctl = Request.Form("ctl")
CallByName ao, ctl, vbMethod, Request
...

...
Dim ctl As String
Dim ao As Worker
ctl = Request.Form("ctl")
If ao.checkAccessControl(ctl,Request) = True Then
	CallByName ao, "Do" & ctl & "Command", vbMethod, Request
End If
...

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input

[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A4 Insecure Direct Object Reference

[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object References

[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I, APP3570 CAT I

[5] Standards Mapping - Security Technical Implementation Guide Version 3.4 - (STIG 3.4) APP3510 CAT I, APP3570 CAT I

[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 470

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1, Requirement 6.5.4

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.1

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8

[10] Standards Mapping - FIPS200 - (FISMA) SI