
          CWE-838: Inappropriate Encoding for Output Context

          Structure: Simple

          Abstraction: Base

          Status: Incomplete

          Likelihood of Exploit: Unknown

          Description

          The software uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.

          Extended Description

          This weakness can cause the downstream component to use a decoding method that produces different data than what the software intended to send. When the wrong encoding is used - even if closely related - the downstream component could decode the data incorrectly. This can have security consequences when the provided boundaries between control and data are inadvertently broken, because the resulting data could introduce control characters or special elements that were not sent by the software. The resulting data could then be used to bypass protection mechanisms such as input validation, and enable injection attacks.

          While using output encoding is essential for ensuring that communications between components are accurate, the use of the wrong encoding - even if closely related - could cause the downstream component to misinterpret the output.

          For example, HTML entity encoding is used for elements in the HTML body of a web page. However, a programmer might use entity encoding when generating output that is used within an attribute of an HTML tag, which could contain functional JavaScript that is not affected by the HTML encoding.

          While web applications have received the most attention for this problem, this weakness could potentially apply to any type of software that uses a communications stream that could support multiple encodings.

          Related Weaknesses

          • ChildOf CWE-116 (View 1000, Ordinal: Primary)

          • ChildOf CWE-116 (View 1003, Ordinal: Primary)

          • ChildOf CWE-116 (View 699, Ordinal: Primary)

          Applicable Platforms

          Language: Language-Independent (Prevalence: Undetermined)

          Common Consequences

          Scope: Integrity, Confidentiality, Availability
          Impact: Modify Application Data; Execute Unauthorized Code or Commands
          Note: An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands.

          Potential Mitigations

          Implementation

          Strategy: Output Encoding

          Use context-aware encoding. That is, understand which encoding is being used by the downstream component, and ensure that this encoding is used. If an encoding can be specified, do so, instead of assuming that the default encoding is the same as the default being assumed by the downstream component.

          Architecture and Design

          Strategy: Output Encoding

          Where possible, use communications protocols or data formats that provide strict boundaries between control and data. If this is not feasible, ensure that the protocols or formats allow the communicating components to explicitly state which encoding/decoding method is being used. Some template frameworks provide built-in support.

          MIT-4.3 Architecture and Design

          Strategy: Libraries or Frameworks

          Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error. Note that some template mechanisms provide built-in support for the appropriate encoding.

          Example Code

          This code dynamically builds an HTML page using POST data:

          bad PHP

          $username = $_POST['username'];
          $picSource = $_POST['picsource'];
          $picAltText = $_POST['picalttext'];
          ...

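          // htmlentities() suits the HTML body context used here.
          echo "<title>Welcome, " . htmlentities($username) . "</title>";
          // The same encoder is reused inside single-quoted attribute values: the wrong context.
          echo "<img src='" . htmlentities($picSource) . "' alt='" . htmlentities($picAltText) . "' />";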
          ...

          The programmer attempts to avoid XSS exploits (CWE-79) by encoding the POST values so they will not be interpreted as valid HTML. However, the htmlentities() encoding is not appropriate when the data are used as HTML attributes, allowing more attributes to be injected.

          For example, an attacker can set picAltText to:

          attack

          "altTextHere' onload='alert(document.cookie)"

          This will result in the generated HTML image tag:

          result HTML

          <img src='pic.jpg' alt='altTextHere' onload='alert(document.cookie)' />

          The attacker can inject arbitrary JavaScript into the tag due to this incorrect encoding.
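The effect of the encoder's quote handling can be checked by parsing the generated tag, shown here as an added example that is not part of the CWE entry. The function names are hypothetical; `ENT_COMPAT` reproduces the pre-PHP 8.1 default of `htmlentities()`, which leaves single quotes unencoded, and the charset is stated explicitly as the Implementation mitigation advises.

```php
<?php
// Added example (not from the CWE entry). The alt value is the page's own attack string.

// Encodes " but not ' (ENT_COMPAT, the default flag set before PHP 8.1).
function encodeCompat(string $s): string
{
    return htmlentities($s, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// Attribute-safe: encodes both quote characters, with the charset stated explicitly.
function encodeAttr(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Builds the tag with single-quoted attributes, as in the page's example.
function imgTag(callable $enc, string $src, string $alt): string
{
    return "<img src='" . $enc($src) . "' alt='" . $enc($alt) . "' />";
}

// Parses the markup and returns the attribute names the parser actually sees on <img>.
function attributeNames(string $html): array
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    foreach ($doc->getElementsByTagName('img')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

$src = 'pic.jpg';
$alt = "altTextHere' onload='alert(document.cookie)";

// Compare the two encoders on the same input: the first lets the value close the
// attribute early, the second keeps it inside alt.
foreach (['encodeCompat', 'encodeAttr'] as $enc) {
    $tag = imgTag($enc, $src, $alt);
    echo $enc, ': ', $tag, PHP_EOL;
    echo '  attributes seen: ', implode(', ', attributeNames($tag)), PHP_EOL;
}
```

A check of this kind fits in a unit test for any template helper that writes attribute values: the parsed attribute list must stay the same regardless of the input.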

          Observed Examples

          Reference  Description  Link

          Taxonomy Mappings

          Mapped Taxonomy Name: The CERT Oracle Secure Coding Standard for Java (2011)
          Node ID: IDS13-J
          Mapped Node Name: Use compatible encodings on both sides of file or network IO

          Related Attack Patterns

          • CAPEC-468

          References
