<noframes id="vfxvr">

    <track id="vfxvr"></track>

      <span id="vfxvr"></span>

          CWE-99 對資源描述符的控制不恰當(資源注入)

          Improper Control of Resource Identifiers ('Resource Injection')

          結構: Simple

          Abstraction: Base

          狀態: Draft

          被利用可能性: High

          基本描述

          The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

          擴展描述

          A resource injection issue occurs when the following two conditions are met:

          This may enable an attacker to access or modify otherwise protected system resources.

          相關缺陷

          • cwe_Nature: ChildOf cwe_CWE_ID: 74 cwe_View_ID: 1000 cwe_Ordinal: Primary

          • cwe_Nature: ChildOf cwe_CWE_ID: 74 cwe_View_ID: 699 cwe_Ordinal: Primary

          • cwe_Nature: PeerOf cwe_CWE_ID: 706 cwe_View_ID: 1000

          • cwe_Nature: CanAlsoBe cwe_CWE_ID: 73 cwe_View_ID: 1000

          適用平臺

          Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

          常見的影響

          范圍 影響 注釋
          ['Confidentiality', 'Integrity'] ['Read Application Data', 'Modify Application Data', 'Read Files or Directories', 'Modify Files or Directories'] An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information.

          可能的緩解方案

          MIT-5 Implementation

          策略: Input Validation

          Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

          示例代碼

          The following Java code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files.

          bad Java

          String rName = request.getParameter("reportName");
          File rFile = new File("/usr/local/apfr/reports/" + rName);
          ...
          rFile.delete();

          The following code uses input from the command line to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can create soft links to the file, they can use the program to read the first part of any file on the system.

          bad C++

          ifstream ifs(argv[0]);
          string s;
          ifs >> s;
          cout << s;

          The kind of resource the data affects indicates the kind of content that may be dangerous. For example, data containing special characters like period, slash, and backslash, are risky when used in methods that interact with the file system. (Resource injection, when it is related to file system resources, sometimes goes by the name "path manipulation.") Similarly, data that contains URLs and URIs is risky for functions that create remote connections.

          Notes

          Relationship Resource injection that involves resources stored on the filesystem goes by the name path manipulation (CWE-73). Maintenance The relationship between CWE-99 and CWE-610 needs further investigation and clarification. They might be duplicates. CWE-99 "Resource Injection," as originally defined in Seven Pernicious Kingdoms taxonomy, emphasizes the "identifier used to access a system resource" such as a file name or port number, yet it explicitly states that the "resource injection" term does not apply to "path manipulation," which effectively identifies the path at which a resource can be found and could be considered to be one aspect of a resource identifier. Also, CWE-610 effectively covers any type of resource, whether that resource is at the system layer, the application layer, or the code layer. Other

          分類映射

          映射的分類名 ImNode ID Fit Mapped Node Name
          7 Pernicious Kingdoms Resource Injection
          Software Fault Patterns SFP24 Tainted input to command
          OMG ASCSM ASCSM-CWE-99

          相關攻擊模式

          • CAPEC-10
          • CAPEC-240
          • CAPEC-75

          引用

          欧美日韩国产亚洲,天天射影院,大芭蕉天天视频在线观看,欧美肥老太牲交大片,奇米色888,黄三级高清在线播放,国产卡一卡二卡三卡四,亚洲第一黄色视频 日韩中文字幕中文有码,日本A级作爱片一,奇米第四,三级片短片视频免费在线观看,奇米网狠狠网,影音先锋色AV男人资源网,日本丰满熟妇hd 日本日韩中文字幕无区码,涩 色 爱 性,天天射影视,中文字幕制服丝袜第57页,777米奇影院奇米网狠狠,尤物TV国产精品看片在线,欧洲女同牲恋牲交视频 久久AV天堂日日综合,亚洲性爱影院色yeye,日韩亚洲欧美Av精品,十八禁全身裸露全彩漫画,奇米网影视,人人爽人人澡人人人妻,动漫AV专区,天天色综合影院 日韩精品中文字幕,特级无码毛片免费视频,人妻少妇不卡无码视频,制服丝袜有码中文字幕在线,深爱激动情网婷婷,影音先锋全部色先锋,香港三级日本三级韩级人妇 日韩欧美亚洲综合久久在线视频,2021XX性影院,玖玖资源站最稳定网址,日韩亚洲制服丝袜中文字幕,国产超碰人人模人人爽人人喊,先锋色熟女丝袜资源 很黄特别刺激又免费的视频,2021一本久道在线线观看,色中娱乐黄色大片,日本高清不卡在线观看播放,97国产自在现线免费视频,国产在线精品亚洲第一区 免费中文字幕精品一区二区 视频,狠狠爱俺也色,天天好逼网,日韩制服丝袜,国产女人大象蕉视频在线观看,国产 精品 自在 线免费,午夜时刻在线观看