1
Zero Day (SW)
. 2011 Sony
SQL .
ICT ,
. ,
.
. , , SW ,
,
.
2
( "" )
, SW
.
2 SW
SW SW , SW
, SW
. SW SW (SDLC, SW Development
Lifecycle) , SW
(Secure Coding)'
.
,
Zero Day , , SW
. ,
75%(, SW).
,
.
,
.
(XSS) SQL
(, SW) , SW
. ,
, SW
.
SW ,
. , 8
.
: , 15(2009. 4.)
,
.
SW
. ,
(DB) ,
. , SW
() ,
.
SW
, 30
. ,
30. , 20
.
< SW >
5
1
10
10
1
15
20
10
30
30
20
[ : The Economic Impacts of Inadequate Infrastructure for Software Testing, 2002.5, NIST]
, ,
. ,
,
.
3 SW
CWE1), CWE/SANS Top252), OWASP Top103),
CERT4) ,
.
, , API
7 , .
CWE 7 Pernicious Kingdoms5)
SW .
:
.
XSS,
SQL , , .
API : API, API
. gets(), J2EE: System.exit().
gets(),
: (, , , , )
. , ,
.
: ,
.
(dead lock), , .
:
. ,
.
: , , SW
, ()
. .
:
.
, .
1) Common Weakness Enumeration, http://cwe.mitre.org
2) CWE/SANS TOP 25 Most Dangerous Software Errors, http://www.sans.org
3) Open Web Application Security Project, http://www.owasp.org
4) Computer Emergency Response Team, http://www.cert.org
5) Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors, IEEE Security and Privacy Magazine, Vol.3, No.6, 2005, pp.81-84.
1
.
,
.
XSS, SQL , HTTP
, , , , LDAP ,
, .
1. (XSS)
.
()
,
. (
, , ) ,
, .
.
.
.
(URI).
.
.
.
.
,
ReplaceAll().
.
- HTML
1:
2:
3:
4:
5:
<h1>XSS Sample</h1>
<%
String name = request.getParameter("name");
%>
<p>NAME:<%=name%></p>
- HTML
1:
<%
2:
3:
if ( name != null ) {
4:
name = name.replaceAll("<","&lt;");
5:
name = name.replaceAll(">","&gt;");
6:
name = name.replaceAll("&","&amp;");
7:
8:
name = name.replaceAll("",""");
} else { return; }
9:
%>
(name) <script>alert replaceAll()
(name).
2. SQL
.
DB
() DB,
SQL SQL
.
.
.
SQL ,
.
preparedStatement executeQuery(), execute(),
executeUpdate().
.
SQL SQL Query
. SQL .
- JAVA
1:
try {
2:
String
tableName
- JAVA
String
try {
2:
String
props.getProperty("jdbc.tableName");
3:
1:
props.getProperty("jdbc.name");
String
name
props.getProperty("jdbc.name");
4:
4:
props.getProperty("jdbc.tableName");
3:
name
tableName
* FROM
5:
stmt = con.prepareStatement(query);
5:
stmt = con.prepareStatement(query);
6:
stmt.setString(1, tableName);
6:
rs = stmt.executeQuery();
7:
stmt.setString(2, name);
7:
... ...
8:
rs = stmt.executeQuery();
8:
9:
... ...
9:
finally {
10:
11: finally {
}
tableName name PreparedStatement
SQL , name ,
.
- C
1:
2:
3:
4:
5:
- C
1:
2:
3:
4:
5:
- JAVA
try {
1:
- JAVA
1:
2:
3:
String fileName =
4:
5:
if( in != null ) {
6:
in.close();
7:
name = props.getProperty("name");
8:
9:
2:
3:
4:
props.load(in); }
}
return (List<Contact>)
FileInputStream
in
new
FileInputStream(fileName);
5:
} catch (IOException e) {
11:
13:
"contacts.txt";
10:
12:
Properties();
try {
7:
props.load(in);
9:
10:
11:
javax.jdo.Query q = pm.newQuery(query);
12:
13: }
pm.newQuery(query).execute();
(name) "name';
? (Parameterize
DELETE FROM MYTABLE; --" ,
Query),
.
(name)
(SELECT col1 FROM MYTABLE WHERE name
.
= 'name' ; DELETE FROM MYTABLE; --')
- JAVA
- JAVA
1:
try {
1:
props
new 3:
Properties();
4:
3:
FileInputStream
4:
in
5:
props.load(in);
6:
String id =
7:
Query query =
new 5:
props.getProperty("id");
OBJECT(i) 9:
+
id);
10:
return r_type;
10:
in
new
String id = props.getProperty("id");
if
(id
==
null
||
"".equals(id))
id
Query query =
em.createNativeQuery("SELECT
OBJECT(i)
9:
FileInputStream
"itemid";
8:
"conditions.txt";
props.load(in);
6:
7:
em.createNativeQuery("SELECT
Properties();
String fileName =
FileInputStream(fileName);
FileInputStream(fileName);
8:
2:
Properties
2:
try {
query.setParameter("id", id);
List<S9103>
items
query.getResultList();
12:
return r_type;
13:
(id) "foo';
.
- XML
1:
<!DOCTYPE
sqlMap
PUBLIC
- XML
1:
<?xml version="1.0"
2:
<!DOCTYPE
... ...
3:
4:
<delete id="delStudent"
Class="Student">
5:
DELETE STUDENTS
6:
7:
"http://www.ibatis.com/dtd/sql-map-2.dtd">
3:
parameter-
</delete>
PUBLIC
"http://www.ibatis.com/dtd/sql-map-2.dtd">
2:
encoding="UTF-8"?>
sqlMap
... ...
4:
5:
<delete
id="delStudent"
parameter-
Class="Student">
6:
7:
DELETE STUDENTS
WHERE NUM = #num# AND Name =
'#name#'
8:
</delete>
delStudent
$name$
. name "' OR 'x'='x'"
.
3. HTTP
.
HTTP HTTP
CR(Carriage Return)LF(Line Feed)HTTP
2.
XSS (cache poisoning) .
.
HTTP HTTP
HTTP .
.
HTTP (Set Cookie )CR,
LF.
.
- JAVA
- JAVA
1:
2:
response.setContentType("text/html");
3:
4:
Cookie
cookie
cookie.setMaxAge(1000);
6:
response.addCookie(cookie);
7:
RequestDispatcher
new
response.setContentType("text/html");
3:
String
frd
frd.forward(request, response);
4:
5:
"");
7:
cookie.setMaxAge(1000);
8:
cookie.setSecure(true);
9:
response.addCookie(cookie);
10:
RequestDispatcher
frd
request.getRequestDispatcher("cookie-
9:
author
filtered_author);
Test.jsp");
10:
2:
6:
request.getRequestDispatcher("cookie8:
request.getParameter("authorName");
Cookie("replidedAuthor", author);
5:
1:
Test.jsp");
frd.forward(request, response);
11:
12:
13:
.
4.
.
. ,
,
.
.
, User Memory(18Bytes)
.
.
.
.
.
(bounds checking).
strcpy().
.
(, )
.
- C
- C
1:
2:
1:
3:
/* buf. */
if (strlen(string) < sizeof(buf))
2:
char buf[24];
4:
3:
strcpy(buf, string);
5:
4:
6:
5:
7:
, strcpy()
.
.
8:
9:
(string) buf
. strncpy()
buf , buf
'\0'.
- C
- C
1:
#include <stdio.h>
1:
#include <stdio.h>
2:
#include <stdlib.h>
2:
#include <stdlib.h>
3:
#include <string.h>
3:
#include <string.h>
4:
#define BUFSIZE 10
4:
#define BUFSIZE 10
5:
5:
6:
6:
7:
7:
8:
8:
9:
9:
10:
strcpy(dest, argv[1]);
10:
11:
11:
12:
free(dest);
12:
free(dest);
13:
return 0;
13:
return 0;
}
14: }
(string) buf
, strcpy()
. strncpy()
.
buf, buf
'\0'.
.
14:
5.
.
,
. (.., / )
.
.
../../../rootFile.txt
"/usr/local/tmp/rootFile.txt
. "/usr/local/tmp/rootFile.txt
.
.
.
, replaceAll()
(",/,\).
.
. , .. .
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
- JAVA
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
if (file != null)
11:
file.delete();
12:
}
Null
13:
name../../../rootFile.txt
.
, (name)
(/, \\, &, . )replaceAll.
- C
1:
void f()
2:
3:
4:
char buf[30];
5:
6:
7:
unlink(buf);
8:
}
reportName
/home/www/tmp
, reportName ../../../etc/passwd
- C
1:
void f()
2:
3:
char buf[30];
4:
5:
6:
7:
.
.
,
.
.
- JAVA
- JAVA
1:
public
void
f(Properties
cfg)
throws
IOException {
2:
1:
public
void
f(Properties
cfg)
throws 3:
IOException {
FileInputStream
2:
4:
fis
FileInputStream fis;
String subject = cfg.getProperty("subject");
if (subject.equals("math"))
new 5:
FileInputStream(cfg.getProperty("subject"));
6:
3:
7:
4:
fis.read(arr);
8:
5:
System.out.println(arr);
9:
6:
10:
11:
12:
fis.read(arr);
7:
System.out.println(arr);
13:
14:
(fis)
,
,
.
.
- C
1:
void f()
2:
3:
4:
unlink(rName);
5:
}
reportName
.
- C
1:
void f()
2:
{
unlink("/home/www/tmp/report");
3:
4:
.
6.
.
.
(, )
.
.
.
.
.
.
.
.
.
- JAVA
- JAVA
1:
1:
2:
props.load(in);
3:
4:
int
props.load(in);
3:
5:
\"rmanDB.bat \"");
\"rmanDB.bat \"");
String vs = "";
if (versionSelection == 0)
7:
Runtime.getRuntime().exec(cmd
5:
Integer.parseInt(props.getProperty("version"));
2:
4:
versionSelection
" 8:
c:\\prog_cmd\\" + version);
9:
6:
10:
7:
11:
vs = version[0];
else if (versionSelection == 1)
vs = version[1];
else
vs = version[1];
12:
Runtime.getRuntime().exec(cmd
13:
"
c:\\prog_cmd\\" + vs);
14:
cmd.exe
rmanDB.bat ,
dir_type manDB.bat
,
, dir_type,
,
,
.
- C
1:
- C
1:
2:
fgets(arg,80,stdin);
3:
commandLength
strlen(cat)
command
4:
(char
*)
5:
6:
strncat(command,
9:
return 0;
,
.
7:
9:
system(command);
exit(1);
6:
argv[1], 8:
(commandLength - strlen(cat)) );
8:
if (strpbrk(arg,";\"'."))
{
mal- 5:
loc(commandLength);
7:
fgets(arg,80,stdin);
+ 3:
strlen(arg) + 1;
4:
2:
(char
*)
mal-
loc(commandLength);
10:
11:
strpbrk()
.
7. LDAP
.
LDAP .
, LDAP
, Authentication
.
.
LDAP*
.
.
LDAP , (white list)
(black list= + < > # ; \ ),
.
.
- JAVA
1:
2:
3:
FileInputStream
in
- JAVA
Properties props = new Properties();
2:
3:
new 4:
FileInputStream(fileName);
props.load(in);
4:
1:
5:
props.load(in);
6:
5:
7:
6:
8:
7:
NamingEnumeration
ctx.search("ou=NewHires",
answer
= 9:
filter,
new
String
filter
"(name
="
nam-
SearchControls());
10:
NamingEnumeration answer =
8:
printSearchEnumeration(answer);
11:
ctx.search("ou=NewHires",
9:
ctx.close();
filter,
new
SearchControls());
printSearchEnumeration(answer);
12:
ctx.close();
name "*"
13:
"(name=*)"
.
.
- C
- C
1:
int main()
1:
int main()
2:
2:
3:
3:
4:
int rc;
4:
int rc;
5:
5:
6:
LDAPMessage* result;
6:
7:
rc
ldap_search_ext_s(ld,
rc
ldap_search_ext_s(
ld,
FIND_DN,
NULL,
NULL,
LDAP_NO_LIMIT,
LDAP_NO_LIMIT, &result);
8:
LDAPMessage* result;
FIND_DN, 7:
return 0;
LDAP_NO_LIMIT,
return 0;
8:
}
9:
getenv() LDAP
9:
LDAP_NO_LIMIT,
&result);
}
.
'|'
.
8.
.
. , C
1
.
.
.
.
.
.
.
.
- C
- C
1:
int main()
1:
int main()
2:
2:
3:
int i;
3:
int i;
4:
int sum = 0;
4:
int sum = 0;
5:
int buf[10];
5:
int buf[10];
6:
6:
7:
7:
{
sum += i;
8:
sum += i;
8:
9:
9:
10:
sum = buf[i];
10:
sum = buf[i-1];
return 0;
11:
11:
12:
12:
return 0;
}
10 -1
.
.
9.
.
.
.
URI
.
.
,
(white list). ,
.
.
- JAVA
- JAVA
1:
1:
2:
2:
props.load(in);
3:
4:
5:
7:
if (port != 0)
8:
4:
9:
6:
6:
3:
else
5:
case 1:
port = 3001; break;
case 2:
10:
11:
default:
12:
port = 3000;
13:
14:
15:
16:
(service)
. , Service No
-2920 80
.
- C
- C
1:
int main()
2:
1:
int main()
3:
2:
4:
3:
5:
int sockfd = 0;
4:
6:
char buf[25];
5:
int sockfd = 0;
7:
if(strcmp(rPort,"") < 0)
6:
char buf[25]
8:
7:
9:
if
(connect(sockfd,(struct
sockaddr 10:
*)&buf,sizeof(serv_addr)) < 0) {
11:
12:
if
8:
exit(1);
9:
10:
return 0;
11:
12:
printf("bad input");
}
(connect(sockfd,(struct
sockaddr
*)&buf,sizeof(serv_addr)) < 0) {
exit(1);
13:
14:
15:
return 0;
}
16:
getenv("rPort").
.
.
2 API
API(Application Programming Interface)
, C, C++, JAVA, MFC
. API
API
.
API , J2EE: System.exit()
, Null , equals()hashCode() .
1.
.
,
. gets()
.
gets() ,
. , .
.
.
gets() .
.
- C
#include <stdio.h>
1:
#include <stdio.h>
2:
#include <stdlib.h>
2:
#include <stdlib.h>
3:
3:
4:
void f() {
4:
void f() {
5:
char buf[BUFSIZE];
5:
6:
gets(buf);
6:
7:
gets().
- C
1:
7:
char buf[BUFSIZE];
fgets(buf, BUFSIZE, stdin);
}
gets() fgets() .
2. J2EE: System.exit()
.
J2EE System.exit(). ,
Exception" ""
.
J2EE System.exit().
System.exit(), .
System.exit()JVM.
.
JVM .
.
J2EE System.exit().
.
- JAVA
1:
2:
void
- JAVA
1:
HttpServlet {
doPost(HttpServletRequest
3:
4:
FileHandler
5:
Logger
IOException {
handler
new
FileHandler("errors.log");
logger
Logger.getLogger("com.mycompany");
6:
logger.addHandler(handler);
7:
try {
8:
do_something(logger);
9:
10:
11:
12:
2:
void
HttpServlet {
doPost(HttpServletRequest
3:
4:
FileHandler
handler
IOException {
=
new
FileHandler("errors.log");
5:
Logger
logger
6:
logger.addHandler(handler);
7:
try {
Logger.getLogger("com.mycompany");
8:
do_something(logger);
9:
10:
logger.info("Caught:
12:
" + ase.toString());
// System.exit(1);
11:
13:
}
System.exit() System.exit()
.
3. Null
.
Java Object.equals(), Comparable.compareTo(), Comparator.compare()
null.
.
.
Null
Object.equals(), Comparable.compareTo(), Comparator.compare()
Null .
.
Object.equals(), Comparable.compareTo()Comparator.compare()
Null .
.
- JAVA
public class Test implements java.util.Comparator {
public int compare(Object o1, Object o2)
{
3:
int i1 = o1.hashCode();
4:
int i2 = o2.hashCode();
5:
int ret;
6:
if (i1 > i2)
{
ret = 1;
}
7:
else if (i1 == i2) {
ret = 0;
}
8:
else {
ret = -1;
}
9:
return ret;
10: }
1:
2:
null.
- JAVA
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
null .
4. equals()hashCode()
.
Java . "a.equals(b) ==
true" "a.hashCode() == b.hashCode()" . equals()
hashCode().
.
equals()equals()
hashCode().
.
equals()hashCode()hashCode()
equals().
.
1:
1:
2:
3:
4:
5:
6:
7:
8:
2:
3:
4:
5:
6:
7:
37).toHashCode();
8:
9:
}
Test equals() hashCode()
10:
Test equals() .
.
3
.
, , , , .
, ,
, , ,
.
1.
.
,
.
, ,
.
.
.
.
.
.
SW , "-"
.
.
- JAVA
1:
public
String id) {
2:
try {
3:
4:
System.err.println("...");
5:
6:
1:
try {
2:
3:
String id = props.getProperty("id");
4:
5:
6:
byte[] decrypted_pwd =
7:
cipher.doFinal(pwd.getBytes());
return conn;
7:
- JAVA
}
8:
conn = DriverManager.getConnection(url, id, pwd);
}
8:
9:
,
.
.
- C
- C
1:
1:
2:
SQLHENV henv;
2:
SQLHENV henv;
3:
SQLHDBC hdbc;
3:
SQLHDBC hdbc;
4:
SQLAllocHandle(SQL_HANDLE_ENV,
SQLAllocHandle(SQL_HANDLE_ENV,
4:
SQL_NULL_HANDLE, &henv);
SQL_NULL_HANDLE, &henv);
5:
SQLAllocHandle(SQL_HANDLE_DBC,
5:
henv, &hdbc);
SQLConnect(hdbc,
6:
henv, &hdbc);
6:
(SQLCHAR*)
server,
SQLAllocHandle(SQL_HANDLE_DBC,
SQLConnect(hdbc,
(SQLCHAR*)
server,
strlen(passwd) );
7:
return 0;
8:
SQLFreeHandle(SQL_HANDLE_DBC, hdbc);
8:
9:
SQLFreeHandle(SQL_HANDLE_ENV, henv);
10:
return 0;
}
,
11:
asdf".
.
2.
.
(, , )
.
.
,
CSRF .
CSRF Script .
CSRF Script.
CSRF.
.
GET POST .
,
URL
.
- HTML
-HTML
1:
2:
tion="customer.do">
tion="customer.do">
3:
3:
4:
4:
5:
</form>
5:
</form>
1:
6:
6:
GET form URL
GET form
CSRF
Post .
.
3.
.
.
(XSS) ID.
.
.
.
.
.
- JAVA
1:
2:
- JAVA
1:
void
noExpiration(HttpSession
session) {
3:
if (session.isNew()) {
3:
if (session.isNew()) {
4:
session.setMaxInactiveInterval(-1);
4:
session.setMaxInactiveInterval(12000);
5:
6:
5:
6:
7:
}
7:
}
-1,
.
- C
- C
1:
int
searchData2LDAP(LDAP
*ld,
char
1:
int
searchData2LDAP(LDAP
*ld,
char
*username) {
2:
3:
char filter[20];
4:
LDAPMessage *result;
5:
sizeof(filFIND_DN,
LDAP_SCOPE_BASE,
filter,
NULL,
LDAP_NO_LIMIT,
LDAP_NO_LIMIT, &result);
7:
return rc;
8:
4:
LDAPMessage *result
5:
7:
ldap_search_ext_s(ld,
NULL,
char filter[20];
!= LDAP_SUCCESS ) {
snprintf(filter,
rc
3:
6:
ter),"(name=%s)",username);
6:
2:
NULL,
0,
8:
9:
if ( strcmp(username,getLoginName()) != 0 ) {
printf(");
10:
return(FAIL);
11:
12:
13:
snprintf(filter,
sizeof(filter),
"(name=%s)",
username);
14:
rc
ldap_search_ext_s(ld,
LDAP_SCOPE_BASE,
NULL,
NULL,
filter,
FIND_DN,
NULL,
0,
LDAP_NO_LIMIT,
LDAP_NO_LIMIT, &result);
15:
return rc;
}
LDAP username user
16:
LDAP
.
.
4.
.
, .
.
.
(attack surface).
ACL(Access Control List).
. , JAAS Authorization Framework
OWASP ESAPI Access Control .
.
- JAVA
1:
- JAVA
2:
3:
4:
env.put(Context.INITIAL_CONTEXT_FAC 1:
TORY, CommonMySingleConst.INITCTX);
env.put(Context.PROVIDER_URL, 2:
env.put(Context.PROVIDER_URL, sServiceProvider);
sServiceProvider);
env.put(Context.SECURITY_AUTHENTICATIO
3:
env.put(Context.SECURITY_AUTHENTIC
5:
6:
N, "simple");
4:
env.put(Context.SECURITY_PRINCIPAL, sUid);
env.put(Context.SECURITY_PRINCIPAL, 5:
env.put(Context.SECURITY_CREDENTIALS,
sUid);
sPwd);
ATION, "none");
env.put(Context.SECURITY_CREDENTIALS
, sPwd);
name LDAP
,
. IDpassword
anonymous binding. .
.
- C
1:
#define
- C
FIND_DN
"uid=han,ou=staff,dc=example,dc=com"
2:
int
searchData2LDAP(LDAP
*ld,
char
*username) {
unsigned long rc;
4:
char filter[20];
5:
LDAPMessage *result;
snprintf(filter,
sizeof(filter),
"(name=%s)",
username);
7:
rc
ldap_search_ext_s(ld,
FIND_DN,
LDAP_SCOPE_BASE,
filter,
NULL,
LDAP_NO_LIMIT,
NULL,
NULL,
0,
LDAP_NO_LIMIT, &result);
8:
9:
return rc;
}
, LDAP
10:
2:
return(FAIL);
3:
3:
6:
1:
4:
5:
if ( strcmp(username,getLoginName()) != 0 ) {
printf(");
6:
return(FAIL);
7:
8:
9:
snprintf(filter,
sizeof(filter),
"(name=%s)",
username);
10:
rc
ldap_search_ext_s(ld,
LDAP_SCOPE_BASE,
NULL,
NULL,
filter,
FIND_DN,
NULL,
0,
LDAP_NO_LIMIT,
LDAP_NO_LIMIT, &result);
5.
.
(DES, MD5 ),
.
.
DES
.
.
,
.
DES, RC5, 3DES, AES, SEED
.
.
- JAVA
1:
2:
3:
4:
5:
6:
try {
Cipher c = Cipher.getInstance("DES");
c.init(Cipher.ENCRYPT_MODE, k);
rslt = c.update(msg);
}
catch (InvalidKeyException e) {
- JAVA
1:
try {
2:
Cipher c =
Cipher.getInstance("AES/CBC/PKCS5Padding");
3:
c.init(Cipher.ENCRYPT_MODE, k);
4:
rslt = c.update(msg);
6:
DES .
5:
catch (InvalidKeyException e) {
AES .
- C
1:
... ...
- C
1:
EVP_CIPHER_CTX ctx;
2:
EVP_CIPHER_CTX ctx;
3:
EVP_CIPHER_CTX_init(&ctx);
3:
EVP_CIPHER_CTX_init(&ctx);
4:
5:
... ...
DES .
... ...
2:
EVP_EncryptInit(&ctx,
EVP_aes_128_cbc(),
key, iv);
5:
... ...
AES .
6.
.
,
.
.
ClientServer
,
.
.
.
.
1:
2:
3:
4:
5:
6:
7:
8:
void foo() {
try {
Socket socket = new Socket("taranis", 4444);
PrintWriter out = new PrintWriter
(socket.getOutputStream(), true);
String password = getPassword();
out.write(password);
} catch (FileNotFoundException e) {
(Plain text)
.
.
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
void foo() {
try {
Socket socket = new Socket("taranis", 4444);
PrintStream out = new PrintStream
(socket.getOutputStream(), true);
Cipher c = Cipher.getInstance
("AES/CBC/PKCS5Padding");
String password = getPassword();
encryptedStr= c.update(password.getBytes());
out.write(encryptedStr,0,encryptedStr.length);
} catch (FileNotFoundException e) {
128.
4
( ) ( )
.
,
, J2EE .
1. :
.
.
. ,
.
.
.
(: ),
.
(EX : thread safe ,
C(mutex)JAVAsynchronized
.
- JAVA
- JAVA
1:
2:
3:
4:
- C
- C
1:
1:
2:
2:
3:
char *file_name;
3:
if(!access(file,W_OK))
4:
int fd;
4:
5:
5:
f = fopen(file,"w+");
6:
operate(f);
fd
open(
file_name,
O_WRONLY
6:
7:
7:
8:
else {
8:
9:
fprintf(stderr,"Unable
to
open
file 9:
%s.\n",file);
10:
{
}
10:
11:
close(fd);
12:
,
. chmod fchmod
fd.
2.
.
. , (base case)
.
.
Func_A
.
.
.
.
- JAVA
- JAVA
.
- C
1:
int fac(n) {
2:
return n*fac(n-1);
3:
.
- C
1:
int fac(n) {
2:
if (n <= 0) return 1;
3:
}
4:
3. J2EE :
.
J2EE .
. , , , .
.
.
.
J2EE.
.
- JAVA
1:
2:
3:
4:
5:
System.err.println("do
}
6:
7:
8:
something");
};
new Thread(r).start();
}
J2EE
- JAVA
1:
2:
protected
void
doGet(HttpServletRequest
// New MyClass().main();
4:
Runtime.getRuntime().exec("java AsyncClass");
}
5:
6:
9:
, , ,
.
.
5
()
.
, .
1.
.
.
//9.
.
,
.
.
.
//9.
.
- JAVA
- JAVA
1:
1:
try {
2:
String id = request.getParameter("id");
3:
4:
} catch (SQLException e)
5:
try {
2:
String id = request.getParameter("id");
3:
4:
5:
return;
6:
if (!passwd.matches("") &&
passwd.indexOf("@!#")
> 4 &&
passwd.length() > 8)
7:
} catch (SQLException e)
}
8:
.
.
2.
.
, ,
.
.
,
MS-SQL.
.
.
.
.
.
- JAVA
- JAVA
1:
1:
2:
2:
3:
try{
3:
try{
4:
4:
5:
URLConnection cmx =
5:
URLConnection cmx =
6:
url.openConnection();
6:
url.openConnection();
7:
cmx.connect();
7:
cmx.connect();
8:
8:
9:
catch (Exception e)
9:
catch (Exception e)
10:
{ e.printStackTrace();
10:
{ System.out.println("");
11:
11:
}
12: }
.
.
12:
- C
1:
2:
3:
char* path=getenv("MYPATH");
4:
fprintf(stderr,path);
5:
return 0;
}
(MYPATH)
6:
.
- C
1:
2:
{
char* path=getenv("MYPATH");
3:
return 0;
4:
5:
.
6
, , , , ,
. ,
, ,
.
1.
.
(signed integer)(unsigned integer)
. ,
.
.
-1
.
.
, .
, .
.
- C
1:
2:
3:
unsigned int l = 0;
4:
if (s == NULL) {
5:
return -1;
}
6:
7:
l = strnlen(s, BUFSIZE-1);
8:
return l;
9:
- C
10:
11:
12:
char buf[BUFSIZE];
13:
unsigned int l = 0;
14:
l = len(argv[1]);
15:
16:
buf[l] = '\0';
17:
printf("last
character
%c\n",
buf[l-1]);
19:
2:
3:
unsigned int l = 0;
4:
if (s == NULL) {
5:
return 0;
6:
7:
l = strnlen(s, BUFSIZE-1);
8:
return l;
9:
return 0;
18:
1:
10:
11:
12:
char buf[BUFSIZE];
13:
unsigned int l = 0;
14:
l = len(argv[1]);
15:
if (l > 0) {
16:
17:
buf[l] = '\0';
18:
19:
return 0;
20:
21:
len()
NULL -1 unsigned
2.
.
(character).
41
.
.
.
(4Bytes)1111(1Bytes)3Bytes
.
.
,
.
.
- C
- C
1:
char char_type()
1:
int char_type()
2:
2:
3:
char bA;
3:
int bA;
4:
int iB;
4:
int iB;
5:
iB = 24;
5:
iB = 24;
6:
bA = iB;
6:
bA = iB;
7:
f(iB);
7:
8:
9:
return iB;
9:
}
10:
1 char int
10:
f(iB);
printf("int = %d char = %d\n", iB, bA);
return iB;
}
/charoverflow .
.
3.
.
, (open file descriptor), (heap memory), (socket) . ,
.
.
.
.
.
- JAVA
1:
2:
3:
4:
5:
6:
... ...
try {
Class.forName("com.mysql.jdbc.Driver");
conn = DriverManager.getConnection(url);
conn.close();
} catch (ClassNotFoundException e) {
- JAVA
1: ... ...
2:
try {
3:
Class.forName("com.mysql.jdbc.Driver");
4:
conn = DriverManager.getConnection(url);
5:
} catch (ClassNotFoundException e) {
6:
System.err.print("error");
7:
} catch (SQLException e) {
8:
System.err.print("error");
9:
} finally {
10:
conn.close();
JDBC finally
.
7
,
.
.
,
, .
1.
.
.
.
.
.
.
.
.
.
- JAVA
1:
2:
- JAVA
1:
3:
4:
System.err.printf("Print debug
5:
code");
J2EE
main() .
2:
3:
//
.
- C
1:
2:
println("Debug Info...");
3:
- C
1:
......
2:
//
.
2.
.
, .
.
.
Private .
Private.
(Static) (local)
(anonymous) .
.
- JAVA
1:
2:
3:
4:
5:
6:
- JAVA
1:
2:
3:
4:
5:
(static)
.
private .
3.
.
getMessage(), , DB
,
.
.
getMessage()
.
.
,
.
.
- JAVA
1:
2:
try {
2:
try {
3:
catch (IOException e) {
3:
catch (IOException e) {
4:
System.err.printf(e.getMessage());
4:
System.err.println("IOException Occured");
5:
6:
g();
- JAVA
1:
5:
6:
g();
getMessage()
.
.
JAVA
XSS
SQL
SQL JDO
SQL Persistence
SQL mybatis Data Map
LDAP
LDAP
HTTP
DOM
SQL Hibernate
URL
XPath
XQuery
API
J2EE
J2EE
DNS lookup
J2EE System.exit()
null
EJB
equals()
hashCode()
RSA
HTTPS
J2EE
notify()
serialPersistentFields
Thread.run()
Final
private
private
<1> JAVA
API
CWE-ID
(XSS)
CWE-80
SQL
CWE-89
SQL : JDO
CWE-89
SQL : Persistence
CWE-89
CWE-89
CWE-23
CWE-36
CWE-78
LDAP
CWE-90
LDAP
CWE-90
CWE-99
HTTP
CWE-113
CWE-15
: DOM
CWE-80
CWE-95
CWE-114
CWE-190
CWE-434
CWE-470
CWE-494
SQL :Hibernate
CWE-564
URL
CWE-601
XPath
CWE-643
XQuery
CWE-652
CWE-807
J2EE:
CWE-245
CWE-ID
J2EE:
CWE-246
DNS lookup
CWE-247
J2EE: System.exit()
CWE-382
null
CWE-398
EJB:
CWE-577
equals()hashCode()
CWE-581
CWE-259
CWE-285
CWE-352
CWE-613
:
CWE-226
CWE-255
CWE-256
CWE-260
CWE-261
CWE-306
:
CWE-310
CWE-311
CWE-319
CWE-321
: RSA
CWE-325
:
CWE-326
CWE-327
CWE-330
:
CWE-359
CWE-ID
CWE-521
:
CWE-539
CWE-605
HTTPS
CWE-614
CWE-615
CWE-732
:
CWE-362
:
CWE-362
:
CWE-367
J2EE :
CWE-383
CWE-386
CWE-609
CWE-674
CWE-521
CWE-209
CWE-390
CWE-754
: notify()
CWE-362
CWE-404
CWE-476
: serialPersistentFields
CWE-485
: Thread.run()
CWE-572
:
CWE-665
CWE-770
CWE-488
CWE-ID
CWE-489
CWE-492
Final
CWE-493
private -
CWE-495
private -
CWE-496
CWE-497
CWE-545
1 JAVA
1
.
,
.
1. (XSS)
(Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
.
,
.
.
, replaceAll()
.
.
- HTML
1:
<%@page
2:
<html>
3:
<head>
4:
<meta
5:
</head>
6:
<body>
contentType="text/html" pageEncoding="UTF-8"%>
http-equiv="Content-Type" content="text/html;
7:
<h1>XSS
8:
<%
9:
<!-- -->
10:
11:
%>
12:
13:
charset=UTF-8">
Sample</h1>
<p>NAME:<%=name%></p>
14:
</body>
15:
</html>
name ,
. name ,
- HTML
1:
<%@page
2:
<html>
3:
<head>
4:
<meta
5:
</head>
6:
<body>
contentType="text/html" pageEncoding="UTF-8"%>
http-equiv="Content-Type" content="text/html;
7:
<h1>XSS
8:
<%
9:
<!-- -->
10:
charset=UTF-8">
Sample</h1>
11:
12:
13:
if ( name != null ) {
14:
name = name.replaceAll("<","&lt;");
15:
name = name.replaceAll(">","&gt;");
16:
} else {
return;
17:
18:
19:
%>
20:
<!-- name-->
21:
<p>NAME:<%=name%></p>
22:
</body>
23:
</html>
.
[1] CWE-80 (XSS) - http://cwe.mitre.org/data/definitions/80.html
[2] OWASP Top 10 2010 - (OWASP 2010) A2 Cross-Site Scripting(XSS)
[3] SANS Top 25 2010 - Insecure Interaction Between Components, RANK 1 CWE-79 Improper
Neutralization of Input During Web Page Generation ('Cross-site Scripting')
.
preparedStatement executeQuery(), execute(), executeUpdate()
.
.
- JAVA
1:
2:
3:
4:
try {
5:
6:
// (tablename)(name).
7:
8:
9:
String query = "SELECT * FROM " + tableName + " WHERE Name =" + name;
10:
11:
// SQL.
12:
// SQL(name).
13:
stmt = con.prepareStatement(query);
14:
rs = stmt.executeQuery();
15:
16:
17:
while (rs.next()) {
18:
dos.writeBytes(printStr);
19:
20:
finally {
21:
tableNamenameSQL .
name"name' OR 'a'='a",
.
(SELECT * FROM userTable WHERE Name ='name' OR 'a'='a')
name ["name'; DELETE FROM userTable; --"]
.
(SELECT * FROM userTable WHERE Name ='name'; DELETE FROM userTable; --')
- JAVA
1:
2:
3:
4:
try {
5:
6:
7:
8:
9:
// PreparedStatement.
10:
11:
stmt = con.prepareStatement(query);
12:
// setXXX().
13:
stmt.setString(1, tableName);
14:
stmt.setString(2, name);
15:
16:
rs = stmt.executeQuery();
17:
ResultSetMetaData rsmd =
18:
int columnCount =
19:
String printStr =
20:
while (rs.next()) {
21:
dos.writeBytes(printStr);
"";
22:
23:
finally {
24:
rs.getMetaData();
rsmd.getColumnCount();
}
PreparedStatement ,
setXXX() , .
.
[1] CWE-89 SQL - http://cwe.mitre.org/data/definitions/89.html
[2] OWASP Top 10 2010 - (OWASP 2010) A1 - Injection
[3] SANS Top 25 2010 - Insecure Interaction Between Components, RANK 2 CWE-89 Improper
Neutralization of Special Elements used in an SQL Command ('SQL Injection')
.
JDO Query.execute(...)
(Parameterize Query).
.
- JAVA
1:
2:
3:
4:
PersistenceManager pm = getPersistenceManagerFactory().getPersistenceManager();
5:
6:
try {
7:
Properties();
8:
String fileName =
9:
FileInputStream in = new
10:
if( in != null ) {
11:
in.close();
12:
//
13:
14:
"contacts.txt";
FileInputStream(fileName);
props.load(in);
15:
16:
} catch (IOException e) {
17:
18:
// JDO .
19:
20:
21:
22:
- JAVA
1:
2:
3:
4:
getPersistenceManagerFactory().getPersistenceManager();
5:
6:
7:
8:
try {
9:
10:
11:
12:
props.load(in);
13:
// .
14:
name = props.getProperty("name");
15:
// .
16:
17:
} catch (IOException e) {
18:
19:
20:
javax.jdo.Query q = pm.newQuery(query);
21:
// Query API.
return (List<Contact>) q.execute(name);
22:
23:
24:
.
[1] CWE-89 SQL - http://cwe.mitre.org/data/definitions/89.html
[2] OWASP Top 10 2010 - (OWASP 2010) A1 Injection
[3] JDO API Documentation
[4] SANS Top 25 2010 - Insecure Interaction Between Components, RANK 2 CWE-89 Improper
Neutralization of Special Elements used in an SQL Command ('SQL Injection')
.
(Parameterize Query)
. , javax.persistence.Query.setParameter()
.
.
- JAVA
1:
2:
3:
4:
EntityManager em = getEntityManager();
5:
6:
try {
7:
Properties();
8:
9:
10:
props.load(in);
11:
12:
// .
13:
String id =
14:
// query.
15:
Query query =
props.getProperty("id");
16:
18:
return r_type;
19:
20:
21:
- JAVA
1:
2:
3:
implements ServletContextListener {
4:
EntityManager em = getEntityManager();
5:
6:
try {
7:
8:
String fileName =
9:
FileInputStream in = new
10:
props.load(in);
Properties();
"conditions.txt";
FileInputStream(fileName);
11:
12:
// .
13:
String id = props.getProperty("id");
14:
// .
15:
16:
// Query.
17:
Query query =
em.createNativeQuery("SELECT OBJECT(i) FROM Item i WHERE
18:
query.setParameter("id", id);
20:
21:
return r_type;
22:
23:
24:
(query),
. .
.
[1] CWE-89 SQL - http://cwe.mitre.org/data/definitions/89.html
[2] OWASP Top 10 2010 - (OWASP 2010) A1 Injection
[3] SANS Top 25 2010 - Insecure Interaction Between Components, RANK 2 CWE-89 Improper
Neutralization of Special Elements used in an SQL Command ('SQL Injection')
.
.
mybatis Data Map ($...$)
. #<># .
.
- XML
1:
<?xml version="1.0"
2:
<!DOCTYPE
sqlMap
encoding="UTF-8"?>
PUBLIC
"-//iBATIS.com//DTD
SQL
Map
2.0//EN"
"http://www.ibatis.com/dtd/sql-map-2.dtd">
3:
4:
5:
6:
7:
8:
<sqlMap
namespace="Student">
9:
10:
FROM STUDENTS
11:
ORDER BY NUM
12:
</select>
13:
<select id="nameStudent"
parameterClass="Integer" resultClass="Student">
14:
15:
FROM STUDENTS
16:
17:
</select>
18:
19:
<delete id="delStudent"
20:
21:
22:
23:
parameterClass="Student">
DELETE STUDENTS
WHERE NUM = #num# AND Name = '$name$'
</delete>
</sqlMap>
'x'='x'".
(DELETE STUDENTS WHERE NUM = #num# and Name = '' OR 'x'='x')
- XML
1:
<?xml version="1.0"
2:
<!DOCTYPE
sqlMap
encoding="UTF-8"?>
PUBLIC
"-//iBATIS.com//DTD
SQL
Map
2.0//EN"
"http://www.ibatis.com/dtd/sql-map-2.dtd">
3:
4:
5:
<sqlMap
namespace="Student">
<resultMap
id="StudentResult" class="Student">
6:
7:
8:
</resultMap>
9:
<select
id="listStudents" resultMap="StudentResult">
10:
11:
FROM STUDENTS
12:
ORDER BY NUM
13:
</select>
14:
15:
16:
FROM STUDENTS
WHERE NUM = #num#
17:
18:
</select>
19:
20:
21:
<delete id="delStudent"
parameterClass="Student">
22:
DELETE STUDENTS
23:
24:
25:
</delete>
</sqlMap>
.
[1] CWE-89 SQL - http://cwe.mitre.org/data/definitions/89.html
[2] OWASP Top 10 2010 - (OWASP 2010) A1 Injection
[3] SANS Top 25 2010 - Insecure Interaction Between Components, RANK 2 CWE-89 Improper
Neutralization of Special Elements used in an SQL Command ('SQL Injection')
.
.
, replaceAll()
(",/,\).
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
file.delete();
}
8:
9:
10:
(name). name
../../../rootFile.txt
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
Null, (name)
(/, \\, &, . )replaceAll
.
.
[1] CWE-23 - http://cwe.mitre.org/data/definitions/23.html
[2] OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object Reference
[3] SANS Top 25 2010 - (SANS 2010) Risky Resource Management, Rank 7 CWE ID 22:
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
.
,
.
.
- JAVA
1:
2:
3:
4:
5:
fis.read(arr);
6:
System.out.println(arr);
7:
8:
(fis),
, .
- JAVA
1:
2:
3:
FileInputStream fis;
4:
5:
if (subject.equals("math"))
6:
7:
else if (subject.equals("physics"))
8:
9:
else if (subject.equals("chemistry"))
10:
11:
else
12:
13:
14:
15:
16:
fis.read(arr);
System.out.println(arr);
17:
18:
19:
.
.
[1] CWE-36 - http://cwe.mitre.org/data/definitions/36.html
[2] OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object Reference
[3] SANS Top 25 2010 - Risky Resource Management, Rank 7 CWE ID 22: Improper Limitation
of a Pathname to a Restricted Directory ('Path Traversal')
8.
(Improper Neutralization of Special Elements Used in an OS Command (OS Command Injection))
.
.
. ,
.
.
.
.
.
- JAVA
1:
2:
3:
4:
5:
6:
props.load(in);
7:
8:
9:
10:
11:
\"rmanDB.bat \"");
- JAVA
1:
2:
3:
4:
5:
FileInputStream in = new
6:
props.load(in);
7:
8:
9:
10:
String vs = "";
FileInputStream(fileName);
"1.01", "1.11", "1.4"};
\"rmanDB.bat \"");
11:
12:
// .
13:
if (versionSelection == 0)
14:
vs = version[0];
15:
else if (versionSelection == 1)
16:
vs = version[1];
17:
else if (versionSelection == 2)
18:
vs = version[2];
19:
else if (versionSelection == 3)
vs = version[3];
20:
else
21:
vs = version[3];
22:
Runtime.getRuntime().exec(cmd + "
23:
24:
25:
c:\\prog_cmd\\" + vs);
,
, .
.
[1] CWE-78 - http://cwe.mitre.org/data/definitions/78.html
[2] OWASP Top 10 2010 - (OWASP 2010) A1 Injection
[3] SANS, Frank Kim. "Top 25 Series - Rank 9 - OS Command Injection".
[4] SANS Top 25 2010 - Insecure Interaction Between Components, RANK 9 CWE-78: Improper
Neutralization of Special Elements used in an OS Command ('OS Command Injection')
.
LDAP , (white list)
(black list= + < > # ; \ ),
.
.
- JAVA
1:
2:
3:
4:
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
5:
env.put(Context.PROVIDER_URL,
6:
try {
"ldap://localhost:389/o=rootDir");
7:
javax.naming.directory.DirContext
8:
// .
9:
10:
11:
12:
props.load(in);
13:
// LDAP Searchname
14:
15:
16:
// LDAP searchname.
17:
NamingEnumeration answer =
18:
printSearchEnumeration(answer);
19:
ctx.close();
20:
21:
} catch (NamingException e) { }
(name).
name "*""(name=*)"
.
- JAVA
1:
2:
3:
4:
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
5:
env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=rootDir");
6:
try {
7:
8:
9:
10:
11:
12:
13:
props.load(in);
14:
15:
16:
17:
18:
// name* .
19:
20:
NamingEnumeration answer =
ctx.search("ou=NewHires", filter, new SearchControls());
21:
22:
printSearchEnumeration(answer);
23:
ctx.close();
24:
25:
} catch (NamingException e) {
.
.
[1] CWE-90 LDAP - http://cwe.mitre.org/data/definitions/90.html
[2] OWASP Top 10 2010 - (OWASP 2010) A1 - Injection
[3] SPI Dynamics. "Web Applications and LDAP Injection".
[4] SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 116 Improper Encoding
or Escaping of Output
.
, LDAP
.
.
- JAVA
1:
try {
2:
3:
4:
// .
5:
6:
// BasicAttribute.
7:
8:
// LDAP search.
9:
NamingEnumeration answer =
ctx.search("ou=NewHires", attr.getID(), new SearchControls());
10:
11:
printSearchEnumeration(answer);
12:
ctx.close();
} catch (NamingException e) {
13:
14:
15:
16:
17:
18:
while (value.hasMore()) {
19:
SearchResult
20:
System.out.println(">>>"
23:
21:
22:
sr = (SearchResult) value.next();
} catch (NamingException e) {
(name)base .
,
.
- JAVA
1:
try {
2:
3:
4:
// .
5:
6:
// .
7:
8:
9:
10:
// LDAP search .
11:
NamingEnumeration answer =
ctx.search("ou=NewHires", filter, new SearchControls());
12:
printSearchEnumeration(answer);
13:
ctx.close();
14:
} catch (NamingException e) {
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
} catch (NamingException e) {
, LDAP
.
.
[1] CWE-639 - http://cwe.mitre.org/data/definitions/639.html
CWE-90 LDAP - http://cwe.mitre.org/data/definitions/90.html
CWE-116 - http://cwe.mitre.org/data/definitions/116.html
[2] OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object Reference
[3] SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 116 Improper Encoding
or Escaping of Output
.
,
(white list). ,
.
.
- JAVA
1:
2:
3:
4:
ServerSocket serverSocket;
5:
6:
7:
8:
props.load(in);
9:
10:
// .
11:
12:
13:
14:
// .
15:
if (port != 0)
serverSocket = new ServerSocket(port + 3000);
16:
else
17:
18:
19:
20:
21:
(service) . ,
Service No -2920 80
.
- JAVA
1:
2:
3:
ServerSocket serverSocket;
4:
5:
6:
7:
8:
9:
10:
props.load(in);
11:
// .
12:
13:
14:
// .
if ("".equals(service)) service = "8080";
15:
16:
17:
18:
// .
19:
switch (port) {
case 1:
20:
21:
case 2:
22:
23:
case 3:
24:
25:
default:
26:
port = 3000;
27:
28:
// .
29:
30:
31:
32:
33:
.
, .
.
[1] CWE-99 - http://cwe.mitre.org/data/definitions/99.html
12. HTTP
(Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting'))
.
HTTP HTTP
.
HTTP (Set Cookie )CR,
LF.
.
- JAVA
1:
2:
3:
4:
response.setContentType("text/html");
5:
// .
6:
7:
8:
cookie.setMaxAge(1000);
9:
// cookie.setSecure(true); // HTTP()
// HTTPS
10:
...
11:
12:
// .
13:
response.addCookie(cookie);
14:
15:
16:
17:
. ,
"Wiley Hacker\r\nHTTP/1.1 200 OK\r\n"authorName,
.
.
(e.g. `HTTP/1.1 200 OK ... Set-Cookie: author=Wiley Hacker\r\nHTTP/1.1 200 OK ...` — the injected CR/LF terminates the legitimate header block, and everything after it becomes a second, attacker-controlled response that the client or an intermediate cache may accept as genuine.)
- JAVA
1:
2:
3:
response.setContentType("text/html");
4:
5:
6:
// .
7:
8:
9:
// \n \r
10:
.
11:
12:
13:
cookie.setMaxAge(1000);
14:
cookie.setSecure(true);
"");
15:
16:
// .
17:
response.addCookie(cookie);
18:
19:
20:
21:
Reject a null value, and strip or reject CR (`\r`) and LF (`\n`) with replaceAll() before the value is placed in any HTTP header (cookie, Location, custom header). Removing only these two characters is the minimum; validating the value against a whitelist of permitted characters is stricter and preferable.
.
[1] CWE-113 HTTP - http://cwe.mitre.org/data/definitions/113.html
[2] OWASP Top 10 2004 A1 Unvalidated Input
[3] OWASP Top 10 2007 A2 Injection Flaws
[4] Web Application Security Consortium 24 + 2 HTTP Response Splitting
13.
(External Control of System or Configuration Setting)
.
(:
).
.
Connection.setCatalog() .
, .
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
props.load(in);
11:
// catalog
12:
13:
14:
// catalogDB Connection, DB
15:
con.setCatalog(catalog);
con.close();
16:
17:
System.err.println("SQLException Occured");
18:
} catch (NamingException e) {
19:
System.err.println("NamingException Occured");
20:
} catch (FileNotFoundException e) {
21:
System.err.println("FileNotFoundException Occured");
22:
} catch (IOException e) {
23:
System.err.println("IOException Occured");
24:
25:
26:
27:
(catalog)JDBC.
.
- JAVA
1:
2:
3:
4:
// caltalog c1c2
5:
6:
7:
8:
9:
10:
11:
String catalog;
12:
13:
14:
15:
16:
17:
18:
else
catalog = props.getProperty("catalog");
19:
} else
20:
catalog = "c1";
21:
22:
23:
// (catalog).
24:
if ("c1".equals(catalog))
con.setCatalog("c1");
25:
else
26:
con.setCatalog("c2");
27:
con.close();
28:
29:
System.err.println("SQLException Occured");
30:
} catch (NamingException e) {
31:
System.err.println("NamingException Occured");
32:
} catch (FileNotFoundException e) {
33:
System.err.println("FileNotFoundException Occured");
34:
} catch (IOException e) {
35:
System.err.println("IOException Occured");
36:
37:
38:
, .
.
[1] CWE-15 - http://cwe.mitre.org/data/definitions/15.html
.
JSPdocument.write() JSPDOM
.
.
- HTML
1:
2:
<%
3:
// .
4:
5:
%>
6:
<SCRIPT language="javascript">
7:
// .
8:
document.write("name:" + <%=name%> );
- HTML
1:
2:
<%
3:
// .
4:
5:
// .
6:
if ( name != null ) {
name = name.replaceAll("<","<");
7:
name = name.replaceAll(">",">");
8:
9:
} else {
return;
10:
%>
11:
<SCRIPT language="javascript">
12:
// .
13:
document.write("name:" + <%=name%> );
(name)<">"HTML
"<">".
.
[1] CWE-79 - http://cwe.mitre.org/data/definitions/79.html
CWE-80 (XSS) - http://cwe.mitre.org/data/definitions/80.html
[2] OWASP Top 10 2010 - (OWASP 2010) A2 Cross Site Scripting (XSS)
[3] SANS Top 25 2010 - (SANS 2010) Insecure Interaction - CWE ID 079 Improper
Neutralization of Input During Web Page Generation ('Cross-site Scripting')
15.
(Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'))
.
. ,
.
.
eval() JavaScript
.
.
- HTML
1:
<%@page import="org.owasp.esapi.*"%>
2:
3:
<html>
4:
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
5:
6:
7:
</head>
<body>
8:
<h1>Eval </h1>
9:
<%
String evalParam = request.getparameter("eval");
10:
11:
12:
%>
13:
<script>
14:
15:
eval(<%=evalParam%>);
</script>
16:
</body>
17:
</html>
- HTML
1:
<%@page import="org.owasp.esapi.*"%>
2:
3:
<html>
4:
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
5:
6:
7:
</head>
<body>
8:
<h1>Eval </h1>
9:
<%
10:
// .
11:
12:
// .
13:
if ( evalParam != null ) {
14:
evalParam = evalParam.replaceAll("<","<");
15:
evalParam = evalParam.replaceAll(">",">");
16:
evalParam = evalParam.replaceAll("&","&");
17:
evalParam = evalParam.replaceAll("(","(");
18:
evalParam = evalParam.replaceAll(")",")");
19:
evalParam = evalParam.replaceAll("\"",""");
evalParam = evalParam.replaceAll("\'","'");
20:
21:
22:
23:
%>
24:
<script>
eval(<%=evalParam%>);
25:
18:
</script>
19:
</body>
20:
</html>
Note: replacing characters with HTML entities, as the example above does, does not make this safe — line 24 still passes attacker-controlled text to `eval()`, and entity encoding is an HTML-context defence, not a JavaScript one. The reliable fix is to never evaluate untrusted input: parse it as data (e.g. JSON) or dispatch on a fixed whitelist of allowed values instead of calling `eval()`.
[1] CWE-95 - http://cwe.mitre.org/data/definitions/95.html
[2] OWASP Top Ten 2007 Category A3 - Malicious File Execution
[3] SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 116 Improper Encoding
or Escaping of Output
.
.
.
- JAVA
1:
2:
3:
Runtime.getRuntime().loadLibrary("libraryName");
4:
5:
6:
.
- JAVA
1:
2:
3:
Runtime.getRuntime().loadLibrary("/usr/lib/libraryName");
4:
5:
6:
Note: `Runtime.loadLibrary()` takes a library *name* that is resolved against the library search path, not a file path, so the "safe" example as written will not find `/usr/lib/libraryName`. To load from a fixed absolute location use `System.load()` / `Runtime.load()` with the full path. In either case the directory holding the library must not be writable by untrusted users, or the library can still be replaced.
[1] CWE-114 - http://cwe.mitre.org/data/definitions/114.html
.
.
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
(args[0], args[1])
(size). (size)
.
- JAVA
1:
2:
3:
4:
5:
// .
6:
7:
8:
.
.
[1] CWE-190 - http://cwe.mitre.org/data/definitions/190.html
.
,
.
,
.
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
// MultipartFilefile
8:
9:
10:
11:
12:
13:
14:
15:
,
.
- JAVA
1:
2:
3:
4:
5:
6:
if ( file == null )
return ;
7:
8:
9:
// .
10:
11:
12:
13:
// MultipartFilefile
14:
15:
16:
// .
17:
if ( fileName != null ) {
if ( fileName.endsWith(".doc") || fileName.endsWith(".hwp")
18:
|| fileName.endsWith(".pdf") || fileName.endsWith(".xls") ) {
19:
/* file */
20:
21:
else
22:
23:
24:
// .
25:
26:
27:
28:
29:
Checking the extension with `endsWith()` against a whitelist, as above, is only a first control: the file name comes from the client and says nothing about the actual content. Additionally store uploads outside the web root under a server-generated name, limit the size, and verify the content itself rather than trusting the client-supplied name or content type.
[1] CWE-434 - http://cwe.mitre.org/data/definitions/434.html
[2] OWASP Top Ten 2007 A3, Malicious File Execution
[3] SANS Top 25 2010 - (SANS 2010) Insecure Interaction - CWE ID 434 Unrestricted Upload
of File with Dangerous Type
19.
(Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'))
.
(loading),
.
.
,
(white list) .
.
- JAVA
1:
2:
3:
4:
....
5:
6:
props.load(in);
7:
8:
9:
10:
11:
Worker w;
12:
13:
// type.
14:
try {
15:
16:
w = (Worker) workClass.newInstance();
w.doAction();
17:
} catch (ClassNotFoundException e) {
18:
19:
20:
21:
22:
23:
24:
25:
(type).
.
- JAVA
1:
2:
3:
4:
....
5:
6:
props.load(in);
7:
8:
9:
10:
11:
Worker w;
12:
13:
// .
14:
15:
if (type.equals("Slow")) {
w = new SlowWorker();
16:
w.doAction();
17:
18:
} else if (type.equals("Hard")) {
19:
w = new HardWorker();
w.doAction();
20:
} else {
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
.
[1] CWE-470 - http://cwe.mitre.org/data/definitions/470.html
20.
(Download of Code Without Integrity Check)
.
,
.
.
SW
.
.
- JAVA
1:
2:
3:
URLClassLoader, .
, .
- JAVA
1:
// private keyMyClass.
2:
3:
4:
loadFile = encrypt(loadFile,privateKey);
5:
// jarFile.
6:
FileManager.createFile(loadFile,jarFileName);
7:
....
8:
// public key.
9:
10:
URLConnection conn=classURLs.openConnection();
11:
InputStream is = conn.getInputStream();
12:
// jarFile.
13:
14:
while ( is.read(buf) != -1 ) {
...
15:
16:
17:
18:
loadFile = decrypt(loadFile,publicKey);
19:
// .
20:
FileManager.createFile(loadFile,jarFile);
21:
22:
The example labels the operations `encrypt`/`decrypt` with a private and public key, but what is actually required is an integrity check: sign the JAR with the publisher's private key and verify the signature with the corresponding public key *before* loading it (for example with `java.security.Signature`, or by using signed JARs and `jarsigner`). "Encrypting" with a private key is not a standard integrity mechanism, and the public key used for verification must be pinned in the application rather than fetched from the same untrusted location as the code.
[1] CWE-494 - http://cwe.mitre.org/data/definitions/494.html
[2] SANS Top 25 Most Dangerous Software Errors, http://www.sans.org/top25-software-errors/
[3] Richard Stanway (r1CH). "Dynamic File Uploads, Security and You
[4] Johannes Ullrich. "8 Basic Rules to Implement Secure File Uploads". 2009-12-28
.
.
.
.
- JAVA
1:
2:
3:
4:
try {
5:
6:
7:
8:
props.load(in);
9:
10:
//
11:
12:
// SQL qeuery.
13:
14:
15:
16:
} catch (IOException e) {
(idValue).
, "n' or '1'='1" ,
.
("from Address a where a.name='n' or '1'='1'")
- JAVA
1:
2:
3:
4:
try {
5:
6:
7:
8:
9:
props.load(in);
10:
11:
// .
12:
13:
// .
14:
15:
// SQL query .
16:
17:
query.setParameter("idVal", idValue);
18:
query.list();
19:
20:
} catch (IOException e) {
(idValue)setParameter
.
.
[1] CWE-564 SQL : Hibernate - http://cwe.mitre.org/data/definitions/564.html
[2] SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 116 Improper Encoding
or Escaping of Output
.
URL.
.
- JAVA
1:
2:
3:
4:
5:
if (query.contains("url")) {
6:
7:
response.sendRedirect(url);
8:
9:
().
(<a href="http://bank.example.com/redirect?url=http://attacker.example.net">Click here to
log in</a>)
- JAVA
1:
2:
3:
4:
5:
6:
// URL .
7:
8:
9:
10:
11:
12:
if (query.contains("url")) {
String url = request.getParameter("url");
13:
// url. http://URL
14:
redirect.
15:
16:
17:
// URL .
18:
"");
response.sendRedirect(url);
19:
20:
21:
22:
Validate the redirect target against a whitelist of allowed hosts or paths (or accept only application-relative paths); a check that merely inspects the scheme or prefix of the URL can be bypassed, and the `sendRedirect(url)` call must be reached only with a value that passed that validation.
[1] CWE-601 URL - http://cwe.mitre.org/data/definitions/601.html
[2] OWASP Top Ten 2010 Category A10 - Unvalidated Redirects and Forwards
[3] SANS 2010 Top 25 - Insecure Interaction Between Components
23. XPath
(Failure to Sanitize Data within XPath Expressions (XPath injection))
.
XPath
,
.
.
XQuery
.
.
- JAVA
1:
2:
//
3:
4:
5:
6:
7:
8:
9:
// xpath
10:
11:
12:
13:
14:
15:
16:
if (value.indexOf(">") < 0) {
System.out.println(value);
17:
18:
19:
- JAVA
dologin.xp
1:
2:
3:
XQueryXPath Injection
1:
//
2:
3:
4:
5:
// XQuery
6:
7:
8:
vars.put("loginID", name);
9:
vars.put("password", passwd);
10:
11:
12:
13:
XQuery
.
.
[1] CWE-643 XPath - http://cwe.mitre.org/data/definitions/643.html
[2] OWASP Top 10 2010 A1 Injection Flaws
[3] Web Application Security Consortium. "XPath Injection".
http://www.webappsec.org/projects/threat/classes/xpath_injection.shtml
24. XQuery
(Failure to Sanitize Data within XQuery Expressions (XQuery injection))
.
XQueryXML
,
.
.
prepareExpression() (Parameterized
Query), .
.
- JAVA
1:
2:
//
3:
4:
5:
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
6:
env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=rootDir");
7:
8:
javax.xml.xquery.XQDataSource xqds =
(javax.xml.xquery.XQDataSource) ctx.lookup("xqj/personnel");
9:
10:
11:
12:
13:
// Xquery
14:
15:
16:
while (result.next()) {
17:
18:
if (str.indexOf('>') < 0) {
System.out.println(str);
19:
20:
21:
The user-supplied value (name) is concatenated straight into the XQuery string given to executeQuery. An input such as `something' or ''='` turns the predicate into a tautology, so every user element matches:
(doc('users.xml')/userlist/user[uname='something' or ''=''])
- JAVA
1:
2:
//
3:
4:
5:
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
6:
env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=rootDir");
7:
8:
javax.xml.xquery.XQDataSource xqds =
(javax.xml.xquery.XQDataSource) ctx.lookup("xqj/personnel");
9:
10:
11:
12:
String es = "doc('users.xml')/userlist/user[uname='$xpathname']";
13:
// Xquery
14:
15:
16:
17:
while (result.next()) {
18:
19:
if (str.indexOf('>') < 0) {
System.out.println(str);
20:
21:
22:
Bind the user-supplied value as an external variable with the XQJ `bindXXX` methods (e.g. `bindString`) instead of concatenating it into the XQuery text. Note that the variable must appear unquoted in the expression — `user[uname=$xpathname]` — because `'$xpathname'` inside quotes (as on line 12 of the example) is just a string literal, and the bound value would never be used.
.
[1] CWE-652 XQuery - http://cwe.mitre.org/data/definitions/652.html
[2] OWASP Top 10 2010 A1 Injection Flaws
25.
(Reliance on Untrusted Inputs in a Security Decision)
.
.
.
.
.
,
.
.
.
- JSP
1:
<%
2:
3:
4:
5:
6:
7:
8:
9:
10:
response.addCookie(userCookie);
11:
response.addCookie(authCookie);
12:
%>
authenticated.
,
WAS(Web Application Server) .
- JSP
1:
<%
2:
3:
4:
5:
6:
7:
// .
8:
9:
ses.putValue("user",username);
10:
ses.putValue("authenticated","1");
11:
%>
.
.
[1] CWE-807 - http://cwe.mitre.org/data/definitions/807.html
CWE-247 DNS Lookup- http://cwe.mitre.org/data/definitions/247.html
CWE-302 -- http://cwe.mitre.org/data/definitions/302.html
CWE-784 - http://cwe.mitre.org
/data/definitions/784.html
[2] CWE/SANS Top 25 Most Dangerous Software Errors
2 API
API(Application Programming Interface)
,
. API API
.
1. J2EE:
(J2EE Bad Practices: Direct Management of Connections)
.
J2EE
J2EE .
.
J2EE .
.
- JAVA
1:
javax.servlet.http.HttpServlet {
2:
3:
4:
try {
5:
// j2ee .
6:
conn =
7:
8:
} catch (SQLException e) {
9:
System.err.println("...");
} finally {
10:
11:
12:
(connection).
- JAVA
1:
javax.servlet.http.HttpServlet {
2:
"jdbc:ocl:orcl";
3:
4:
5:
try {
6:
7:
// .
8:
9:
10:
} catch (SQLException e) {
11:
12:
} finally {
13:
if ( conn != null )
14:
conn.close();
15:
16:
17:
.
.
[1] CWE-245 J2EE: - http://cwe.mitre.org/data/definitions/245.html
.
.
.
- JAVA
1:
2:
javax.servlet.http.HttpServlet {
3:
4:
HttpServletResponse
5:
6:
try {
7:
// J2EE (Socket)
.
8:
} catch (UnknownHostException e) {
9:
System.err.println("UnknownHostException
10:
System.err.println("IOException
12:
occured");
} finally {
13:
...
14:
15:
16:
17:
occured");
} catch (IOException e) {
11:
doGet (Socket).
- JAVA
1:
2:
javax.servlet.http.HttpServlet {
3:
ServletException {
4:
5:
6:
try {
7:
8:
9:
10:
urlConn.setDoOutput(true);
11:
12:
oos.writeObject("data");
13:
14:
} catch (ClassNotFoundException e) {
15:
System.err.println("Class
16:
} catch (IOException e) {
17:
System.err.println("URL
18:
} finally {
19:
20:
21:
22:
23:
Not Found");
.
.
[1] CWE-246 J2EE: - http://cwe.mitre.org/data/definitions/246.html
3. DNS lookup
(Reliance on DNS Lookups in a Security Decision )
.
DNS . DNS . DNS
, SWDNS
. DNS, IP
.
.
IP DNS .
.
- JAVA
1:
HttpServlet {
2:
3:
throws ServletException,
HttpServletResponse res)
IOException {
4:
5:
String ip = req.getRemoteAddr();
6:
7:
// IP .
8:
9:
10:
// IP(trustme.com).
11:
if (addr.getCanonicalHostName().endsWith("trustme.com") ) {
trusted = true;
12:
13:
14:
if (trusted) {
15:
16:
} else {
17:
18:
19:
20:
- JAVA
1:
HttpServlet {
2:
3:
throws ServletException,
4:
res)
IOException {
5:
6:
String ip = req.getRemoteAddr();
7:
if ( ip == null || "".equals(ip) )
return ;
8:
9:
10:
11:
if (ip.equals(trustedAddr) ) {
12:
13:
} else {
14:
15:
16:
17:
18:
Comparing the client address from `req.getRemoteAddr()` with a fixed trusted address removes the DNS lookup (and the `endsWith("trustme.com")` test in the unsafe example, which would also accept `nottrustme.com`). Note, however, that `getRemoteAddr()` reports the immediate peer — a proxy or load balancer if one sits in front of the server — and a source address is not authentication; use it as an additional check, not as the sole basis of a security decision.
[1] CWE-247 DNS lookup- http://cwe.mitre.org/data/definitions/247.html
[2] SANS Top 25 2010 - (SANS 2010) Porous Defenses - CWE ID 807 Reliance on Untrusted
Inputs in a Security Decision
.
J2EE System.exit.
.
- JAVA
1:
HttpServlet {
2:
throws ServletException,
3:
HttpServletResponse response)
IOException {
4:
5:
6:
Logger logger =
7:
logger.addHandler(handler);
8:
try {
FileHandler("errors.log");
Logger.getLogger("com.mycompany");
9:
do_something(logger);
10:
11:
System.exit(1);
12:
13:
14:
15:
16:
17:
18:
IOException {
doPost() System.exit().
- JAVA
1:
HttpServlet {
2:
throws ServletException,
3:
HttpServletResponse response)
IOException {
4:
5:
6:
Logger logger =
7:
logger.addHandler(handler);
8:
try {
FileHandler("errors.log");
Logger.getLogger("com.mycompany");
9:
do_something(logger);
10:
11:
logger.info("Caught:
12:
// System.exit(1).
" + ase.toString());
// System.exit(1);
13:
14:
15:
16:
17:
18:
19:
IOException {
System.exit()doPost .
.
[1] CWE-382 J2EE: System.exit() - http://cwe.mitre.org/data/definitions/382.html
.
Object.equals(), Comparable.compareTo()Comparator.compare()
null.
.
- JAVA
1:
2:
3:
// o1, o2null
4:
int i1 = o1.hashCode();
5:
int i2 = o2.hashCode();
6:
int ret;
7:
8:
ret = 0;
9:
else {
10:
return ret;
ret = -1;
}
}
11:
12:
13:
ret = 1;
null.
- JAVA
1:
2:
3:
int ret;
4:
// null .
5:
6:
int i1 = o1.hashCode();
7:
int i2 = o2.hashCode();
8:
9:
ret = 0;
10:
else {
ret = -1;
}
}
} else
11:
ret = -1;
12:
return ret;
13:
14:
15:
16:
ret = 1;
null.
.
[1] CWE-398 - http://cwe.mitre.org/data/definitions/398.html
EJB
bean ServerSocket
.
.
EJB .
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
EJB .
- JAVA
1:
2:
3:
// EJBserver socket .
4:
8:
9:
5:
6:
EJB .
.
[1] CWE-577 EJB: - http://cwe.mitre.org/data/definitions/577.html
7. equals()hashCode()
(Object Model Violation: Just one of equals() and hashCode() Defined)
.
Java , Java.
"a.equals(b) == true""a.hashCode() == b.hashCode()" .
equals()hashCode().
.
equals()hashCode()hashCode()
equals().
.
- JAVA
1:
2:
3:
// equals()
4:
5:
boolean ret;
6:
if (obj != null) {
7:
int i1 = this.hashCode();
8:
int i2 = obj.hashCode();
9:
if (i1 == i2) {
10:
else {
} else {
11:
ret = false;
12:
13:
14:
return ret;
}
15:
16:
17:
ret = true;
ret = false;
equals()hashCode() .
- JAVA
1:
2:
3:
// equals()
4:
5:
boolean ret;
6:
if (obj != null) {
7:
int i1 = this.hashCode();
8:
int i2 = obj.hashCode();
9:
if (i1 == i2) {
10:
else {
} else {
11:
ret = false;
12:
13:
return ret;
14:
15:
16:
// hashCode()
17:
18:
19:
20:
21:
ret = true;
ret = false;
equals()hashCode() .
.
[1] CWE-581 equals()hashCode() - http://cwe.mitre.org/data/definitions/581.html
3
.
. , , , ,
.
1. (Hard-coded Password)
.
SW,
.
.
, SW
.
.
.
SW , "-"
.
.
- JAVA
1:
2:
3:
4:
try {
5:
// password-.
6:
conn =
7:
8:
} catch (SQLException e) {
9:
System.err.println("...");
}
10:
return conn;
11:
12:
13:
14:
.
- JAVA
1:
2:
3:
4:
5:
String id = props.getProperty("id");
6:
7:
//,
8:
9:
10:
!"".equals(id)
!"".equals(pwd)) {
11:
12:
13:
14:
15:
16:
17:
cipher.init(Cipher.DECRYPT_MODE, skeySpec);
18:
19:
20:
21:
} catch (SQLException e) {
22:
23:
,
.
- JAVA
1:
try {
Connection con = DriverManager.getConnection(url, "scott", "tiger");
2:
......
3:
4:
} catch (SQLException e) {
throw new MyException("DB );
5:
6:
- JAVA
1:
2:
try {
3:
System.setProperty("oracle.net.tns_admin", "/mydir");
4:
5:
// DB oracle .
6:
info.put("oracle.net.wallet_location",
7:
"(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=/mydir)))");
8:
9:
ds.setURL("jdbc:oracle:thin:@MyTNSName");
10:
ds.setConnectionProperties(info);
Connection conn = ds.getConnection();
11:
12:
} catch (SQLException e) {
throw new MyException("DB );
13:
14:
mkstoreDB .
.
[1] CWE-259 - http://cwe.mitre.org/data/definitions/259.html
CWE-321 - http://cwe.mitre.org/data/definitions/321.html
CWE-798 - http://cwe.mitre.org/data/definitions/798.html
[2] SANS Top 25 2010 - (SANS 2010) Porous Defenses - CWE ID 798 Use of Hard-coded
Credentials
2. (Improper Authorization)
.
SW
, .
.
(attack surface).
ACL(Access Control List).
. , JAAS Authorization Framework
OWASP ESAPI Access Control .
.
- JAVA
1:
public void f(String sSingleId, int iFlag, String sServiceProvider, String sUid, String sPwd)
{
2:
3:
env.put(Context.INITIAL_CONTEXT_FACTORY, CommonMySingleConst.INITCTX);
4:
env.put(Context.PROVIDER_URL, sServiceProvider);
5:
// LDAP
6:
env.put(Context.SECURITY_AUTHENTICATION, "none");
7:
env.put(Context.SECURITY_PRINCIPAL, sUid);
8:
env.put(Context.SECURITY_CREDENTIALS, sPwd);
9:
Setting Context.SECURITY_AUTHENTICATION to "none" performs an anonymous LDAP bind: the supplied principal and credentials are never verified, so the directory is queried without any authentication or authorization check (anonymous binding).
.
- JAVA
1:
public void f(String sSingleId, int iFlag, String sServiceProvider, String sUid, String sPwd)
{
2:
3:
env.put(Context.PROVIDER_URL, sServiceProvider);
4:
// .
5:
env.put(Context.SECURITY_AUTHENTICATION, "simple");
6:
env.put(Context.SECURITY_PRINCIPAL, sUid);
7:
env.put(Context.SECURITY_CREDENTIALS, sPwd);
8:
With "simple" authentication the bind is performed with the supplied user ID and password, so the directory actually verifies the credentials. Note that a simple bind sends the password in cleartext unless the connection uses LDAPS or StartTLS.
- JSP
1:
<%
2:
3:
4:
5:
6:
7:
8:
9:
if ( msgId == null ) {
throw new MyException("");
10:
11:
12:
13:
if ( msg != null ) {
14:
15:
16:
out.println("\n" + msg.getBodyField()");
17:
18:
%>
- JSP
1:
<%
2:
3:
4:
5:
6:
7:
8:
9:
if ( msgId == null ) {
throw new MyException("");
10:
11:
12:
13:
14:
15:
16:
17:
out.println("\n" + msg.getBodyField()");
18:
19:
%>
, .
.
[1] CWE-285 - http://cwe.mitre.org/data/definitions/285.html
CWE-219 - http://cwe.mitre.org/data/definitions/219.html
[2] OWASP Top 10 2010 - (OWASP 2010) A8 Failure to Restrict URL Access
[3] SANS Top 25 2010 - (SANS 2010) Porous Defenses - CWE ID 285 Improper Authorization
[4] NIST. "Role Based Access Control and Role Based Security"
[5] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 4, "Authorization" Page 114;
Chapter 6, "Determining Appropriate Access Control" Page 171. 2nd Edition. Microsoft. 2002
.
form data postingPOST .
OWASP CSRFGuard anti-CSRF .
.
- JAVA
1:
2:
3:
4:
5:
</form>
6:
- JAVA
1:
2:
3:
4:
5:
</form>
6:
Post .
.
[1] CWE-352 - http://cwe.mitre.org/data/definitions/352.html
[2] OWASP Top Ten 2010 Category A5 - Cross-Site Request Forgery(CSRF)
[3] SANS Top 25 2010 - (SANS 2010) Insecure Interaction - CWE ID 352 Cross-Site Request Forgery
.
.
.
- JAVA
1:
2:
3:
if (session.isNew()) {
4:
// -1.
session.setMaxInactiveInterval(-1);
5:
6:
7:
8:
-1, .
.
- JAVA
1:
2:
3:
if (session.isNew()) {
4:
// .
session.setMaxInactiveInterval(12000);
5:
6:
7:
8:
.
.
[1] CWE-613 - http://cwe.mitre.org/data/definitions/613.html
.
String ,
. .
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
8:
9:
if (pass != null) {
10:
if (-1 != pass.indexOf("<"))
11:
System.out.println("bad input");
12:
else {
13:
14:
// .
15:
16:
17:
} else {
18:
19:
System.out.println("bad
input");
String
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
8:
9:
// .
10:
11:
// .
12:
if (pass != null) {
if (-1 != pass.indexOf("<"))
13:
System.out.println("bad input");
14:
else {
15:
// password..
16:
17:
18:
} else {
19:
20:
21:
System.out.println("bad input");
(: ),
.
.
.
[1] CWE-226 - http://cwe.mitre.org/data/definitions/226.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
6. (Hard-coded Username)
.
SW,
.
,
. ,
SW .
.
.
.
- JAVA
1:
2:
3:
4:
// .
5:
6:
7:
String id = "scott";
8:
9:
try {
10:
11:
12:
} catch (SQLException e) {
13:
return conn;
14:
,
. .
- JAVA
1:
2:
3:
4:
// .
5:
6:
7:
try {
8:
9:
10:
11:
// connection.
12:
conn = datasource.getConnection();
13:
14:
} catch (SQLException e) {
15:
return conn;
16:
. ,
.
.
[1] CWE-255 - http://cwe.mitre.org/data/definitions/255.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
[3] Security Technical Implementation Guide Version 3 - (STIG 3) APP3210.1 CAT II
.
,
.
- JAVA
1:
package testbed.unsafe;
2:
import java.sql.*;
3:
import java.util.Properties;
4:
import java.io.*;
5:
6:
7:
8:
try {
Properties props = new Properties();
9:
10:
11:
12:
// password .
in.read(pass);
13:
// password DB connection .
14:
15:
con.close();
16:
} catch (SQLException e) {
17:
18:
} finally {
19:
try {
20:
if (con != null)
21:
22:
con.close();
23:
} catch (SQLException e) {
System.err.println("SQLException Occured ");
24:
25:
26:
27:
28:
String
. ,
.
- JAVA
1:
package testbed.safe;
2:
import java.sql.*;
3:
import java.util.Properties;
4:
import java.io.*;
5:
6:
7:
8:
try {
Properties props = new Properties();
9:
10:
11:
props.load(in);
12:
13:
14:
15:
16:
// .
17:
18:
19:
} finally {
20:
try {
21:
if (con != null)
22:
23:
con.close();
24:
} catch (SQLException e) {
System.err.println("SQLException Occured ");
25:
26:
27:
28:
29:
.
.
[1]. CWE-256 - http://cwe.mitre.org/data/definitions/256.html
[2]. J. Viega and G. McGraw. "Building Secure Software: How to Avoid Security Problems
the Right Way". 2002.
.
, .
.
- JAVA
1:
package testbed.unsafe;
2:
import java.io.FileInputStream;
3:
import java.io.FileNotFoundException;
4:
import java.io.IOException;
5:
import java.sql.Connection;
6:
import java.sql.DriverManager;
7:
import java.sql.SQLException;
8:
9:
11:
12:
13:
try {
14:
15:
// .
16:
fs.read(b);
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
10:
//
String password = new String(b);
// DB .
con = DriverManager.getConnection(url, usr, password);
} catch (FileNotFoundException e) {
System.err.println("File Not Found Exception Occurred!");
} catch (IOException e) {
System.err.println("I/O Exception Occurred!");
} catch (SQLException e) {
System.err.println("SQL Exception Occurred!");
} finally {
try {
if (con != null) {
con.close();
result = true;
31:
32:
} catch (SQLException e) {
33:
34:
35:
36:
return result;
37:
38:
39:
configuration
.
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
try {
FileInputStream fs = new FileInputStream("sample.cfg");
if (fs == null || fs.available() <= 0) return false;
8:
9:
// .
int length = fs.read(b);
10:
if (length == 0) {
11:
result = false;
12:
13:
} else {
// .
14:
15:
16:
cipher.init(Cipher.DECRYPT_MODE, key);
17:
byte[] db = cipher.doFinal(b);
//
18:
19:
// DB
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
}
} catch (FileNotFoundException e) {
System.err.println("File Not Found Exception Occurred!");
} catch (IOException e) {
System.err.println("I/O Exception Occurred!");
} catch (SQLException e) {
System.err.println("SQL Exception Occurred!");
} catch (NoSuchAlgorithmException e) {
System.err.println("NoSuchAlgorithmException Occurred!");
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
} catch (NoSuchPaddingException e) {
System.err.println("NoSuchPaddingException Occurred!");
} catch (InvalidKeyException e) {
System.err.println("InvalidKeyException Occurred!");
} catch (IllegalBlockSizeException e) {
System.err.println("IllegalBlockSizeException Occurred!");
} catch (BadPaddingException e) {
System.err.println("BadPaddingException Occurred!");
} finally {
try {
if (con != null) {
con.close();
42:
43:
44:
45:
} }
(, ),
.
.
[1] CWE-260 - http://cwe.mitre.org/data/definitions/260.html
[2]. J. Viega and G. McGraw. "Building Secure Software: How to Avoid Security Problems
the Right Way". 2002.
.
. 128
.
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
try {
8:
9:
prop.load(new FileInputStream("config.properties"));
10:
11:
// 64bitdecoding.
12:
13:
14:
// .
15:
16:
} catch (FileNotFoundException e) {
17:
e.printStackTrace();
18:
} catch (IOException e) {
19:
e.printStackTrace();
20:
21:
- JAVA
1:
2:
3:
4:
5:
6:
7:
try {
8:
9:
prop.load(new FileInputStream("config.properties"));
10:
11:
// AES .
12:
13:
14:
15:
} catch (FileNotFoundException e) {
16:
e.printStackTrace();
17:
} catch (IOException e) {
18:
e.printStackTrace();
19:
20:
G G }
21:
22:
23:
24:
cipher.init(Cipher.DECRYPT_MODE, skeySpec);
25:
26:
27:
128
.
.
[1] CWE-261 - http://cwe.mitre.org/data/definitions/261.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
[3] J. Viega and G. McGraw. "Building Secure Software: How to Avoid Security Problems
the Right Way". 2002.
10.
(Missing Authentication for Critical Function)
.
, SW
.
.
.
().
. OpenSSLESAPI
.
.
- JAVA
1:
2:
3:
4:
account.setAccountNumber(accountNumber);
5:
account.setToPerson(toPerson);
6:
account.setBalance(balance);
7:
AccountManager.send(account);
...
8:
9:
.
- JAVA
1:
2:
3:
...
4:
// credential.
5:
6:
7:
8:
9:
10:
11:
// credential.
12:
13:
14:
15:
// .
if ( isAuthenticatedUser() && newUserName.equal(userName) &&
16:
17:
newPassword.equal(password) ) {
18:
19:
account.setAccountNumber(accountNumber);
20:
account.setToPerson(toPerson);
21:
account.setBalance(balance);
22:
AccountManager.send(account);
23:
24:
...
25:
.
.
[1] CWE-306 - http://cwe.mitre.org/data/definitions/306.html
CWE-302 -- http://cwe.mitre.org/data/definitions/302.html
CWE-307 - http://cwe.mitre.org/data/definitions/307.html
CWE-287 - http://cwe.mitre.org/data/definitions/287.html
CWE-602 - http://cwe.mitre.org/data/definitions/602.html
[2] CWE/SANS Top 25 Most Dangerous Software Errors, http://cwe.mitre.org/top25/
11. :
(Weak Encryption: Insufficient Key Size)
.
. RSA
1024
Symmetric 128.
.
1024 .
.
- JAVA
1:
2:
3:
4:
// Key generator
5:
keyGen.initialize(512);
KeyPair myKeys = keyGen.generateKeyPair();
6:
7:
- JAVA
1:
2:
3:
4:
// Key generator1024bit.
5:
keyGen.initialize(1024);
KeyPair myKeys = keyGen.generateKeyPair();
6:
7:
The example raises the RSA key size from 512 to 1024 bits. Treat 1024 bits as the absolute floor of this (2011-era) guide: 1024-bit RSA has since been deprecated by most standards bodies, so prefer `keyGen.initialize(2048)` or larger in new code, together with at least 128-bit symmetric keys.
[1] CWE-310 - http://cwe.mitre.org/data/definitions/310.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
.
, ,
, SHA-256.
SW .
, SSL HTTPS Secure
Channel.
.
- JAVA
1:
2:
3:
PreparedStatement p=null;
4:
try {
5:
......
6:
if (username==nill || password==null
|| !isAuthenticatedUser(usename, password)) {
7:
8:
9:
10:
11:
p.setString(1,username);
12:
p.setString(2,password);
p.execute();
13:
......
14:
15:
DB.
- JAVA
1:
2:
3:
PreparedStatement p=null;
4:
try {
5:
......
6:
if (username==nill || password==null
7:
8:
|| !isAuthenticatedUser(usename, password)) {
throw new MyException("");
9:
10:
MessageDigest md = MessageDigest.getInstance("SHA-256");
11:
md.reset();
......
12:
13:
// DB.
password =md.digest(password.getBytes());
14:
15:
16:
p.setString(1,username);
17:
p.setString(2,password);
p.execute();
18:
......
19:
20:
Hashing with a single unsalted SHA-256 digest, as shown, only avoids storing the password in cleartext. For password storage use a salted, deliberately slow password hash (bcrypt, scrypt, PBKDF2 or Argon2) and compare the stored and computed values with a constant-time comparison (`MessageDigest.isEqual`). Note also that `md.digest()` returns a `byte[]`; the example must encode it (e.g. hex or Base64) before passing it to `setString()`.
[1] CWE-311 - http://cwe.mitre.org/data/definitions/311.html
CWE-312 - http://cwe.mitre.org/data/definitions/312.html
CWE-319 - http://cwe.mitre.org/data/definitions/319.html
CWE-614 HTTPS - http://cwe.mitre.org/data/definitions/614.html
[2] CWE/SANS Top 25 Most Dangerous Software Errors, http://cwe.mitre.org/top25/
13.
(Cleartext Transmission of Sensitive Information)
.
SW
, .
.
.
.
- JAVA
1:
2:
String getPassword()
3:
return "secret";
4:
5:
void foo() {
6:
try
7:
8:
9:
10:
11:
out.write(password);
} catch (FileNotFoundException e) {
12:
13:
14:
true);
(Plain text).
.
- JAVA
1:
2:
String getPassword()
4:
return "secret_password";
3:
5:
6:
void foo() {
try {
7:
8:
9:
10:
Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
11:
12:
13:
} catch (FileNotFoundException e) {
14:
15:
16:
128
.
.
[1] CWE-319 - http://cwe.mitre.org/data/definitions/319.html
CWE-311 - http://cwe.mitre.org/data/definitions/311.html
[2] OWASP Top 10 2007 - (OWASP 2007) A9 Insecure Communications
.
.
AES, ARIA, SEED, 3DES ,
RSA 1024. MD4, MD5, SHA1.
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
try {
8:
// encrypt.
9:
10:
11:
//
12:
..
13:
} catch (SQLException e) {
14:
15:
16:
return con;
17:
18:
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
try {
// .
8:
9:
seed = getPassword("./password.ini");
// .
10:
11:
seed = decrypt(seed);
12:
// encrypt.
13:
14:
15:
16:
//
17:
..
18:
} catch (SQLException e) {
19:
20:
21:
return con;
22:
23:
24:
.
.
[1] CWE-321 - http://cwe.mitre.org/data/definitions/321.html
15. : RSA
(Weak Encryption: Inadequate RSA Padding)
.
OAEP RSA . RSA
.
RSA .
.
RSA ("RSA/NONE/NoPadding"),
.
.
- JAVA
1:
2:
3:
4:
try {
5:
6:
// RSA NoPadding
7:
rsa = javax.crypto.Cipher.getInstance("RSA/NONE/NoPadding");
8:
} catch (java.security.NoSuchAlgorithmException e) {
9:
return rsa;
10:
RSA .
- JAVA
1:
2:
3:
4:
try {
5:
/* paddingRSA. */
6:
rsa =
7:
javax.crypto.Cipher.getInstance("RSA/CBC/PKCS5Padding");
8:
} catch (java.security.NoSuchAlgorithmException e) {
9:
return rsa;
10:
Note: `RSA/CBC/PKCS5Padding` in the example is not a valid JCE transformation — CBC and PKCS5 padding are block-cipher concepts and do not apply to RSA. Use OAEP, as recommended above (`RSA/ECB/OAEPWithSHA-256AndMGF1Padding`), or at least `RSA/ECB/PKCS1Padding`; never `NoPadding`.
.
[1] CWE-325 - http://cwe.mitre.org/data/definitions/325.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
16. :
(Weak Cryptographic Hash: Hardcoded Salt)
.
,
.
, rainbow
.
.
Salt(nonce),
.
.
- JAVA
1:
2:
3:
// .
4:
5:
6:
try {
7:
8:
MessageDigest md = MessageDigest.getInstance("SHA-256");
9:
// Salt .
10:
md.update(badsalt);
rslt = md.digest(msg);
11:
} catch (NoSuchAlgorithmException e) {
12:
System.out.println("Exception:
13:
return rslt;
15:
16:
" + e);
14:
, salt
.
- JAVA
1:
2:
3:
4:
try {
5:
6:
7:
8:
MessageDigest md = MessageDigest.getInstance("SHA-256");
9:
10:
// .
11:
md.update(randomNum.getBytes());
12:
rslt = md.digest(msg);
} catch (NoSuchAlgorithmException e) {
13:
System.out.println("Exception:
14:
15:
16:
return rslt;
}
17:
18:
" + e);
Generate a fresh random salt (nonce) per password with `SecureRandom`, store it alongside the resulting hash, and never hard-code it: a fixed salt shared by all passwords lets an attacker precompute a single table against the whole password store. (The example feeds `randomNum` into the digest; its source is not shown and must be a cryptographically secure generator.)
.
[1] CWE-326 - http://cwe.mitre.org/data/definitions/326.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
17.
(Use of a Broken or Risky Cryptographic Algorithm)
.
.
.
,
. RC2, RC4, RC5, RC6, MD4, MD5, SHA1, DES
.
.
AES.
.
- JAVA
1:
2:
3:
4:
try {
5:
6:
// DES.
7:
Cipher c = Cipher.getInstance("DES");
8:
c.init(Cipher.ENCRYPT_MODE,
9:
rslt = c.update(msg);
} catch (InvalidKeyException e) {
10:
11:
12:
13:
return rslt;
}
14:
15:
k);
DES .
- JAVA
1:
2:
3:
4:
try {
5:
// DES AES .
6:
7:
Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
8:
c.init(Cipher.ENCRYPT_MODE,
rslt = c.update(msg);
9:
} catch (InvalidKeyException e) {
10:
11:
12:
return rslt;
13:
14:
15:
k);
Use AES with a key of at least 128 bits in CBC mode with a random IV (or, preferably, an authenticated mode such as GCM). Note that the example calls only `c.update(msg)` and never `c.doFinal()`, so the final padded block is not produced; a complete encryption must finish with `doFinal()`.
.
[1] CWE-327 - http://cwe.mitre.org/data/definitions/327.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
[3] SANS Top 25 2010 - (SANS 2010) Porous Defenses - CWE ID 327 Use of a Broken or Risky
Cryptographic Algorithm
[4] Bruce Schneier. "Applied Cryptography". John Wiley &Sons. 1996.
.
seed
.
.
- JAVA
1:
2:
3:
4:
5:
- JAVA
1:
import java.util.Random;
2:
import java.util.Date;
3:
4:
5:
6:
// setSeed() rlong.
7:
r.setSeed(new Date().getTime());
8:
//
9:
return (r.nextInt()%6) + 1;
}
10:
11:
`java.util.Random` is a linear congruential generator: seeding it with the current time, as in the example, still yields predictable output because the seed is easily guessed. For any security-relevant value (session IDs, tokens, salts, keys) use `java.security.SecureRandom` instead of `java.util.Random`.
.
[1] CWE-330 - http://cwe.mitre.org/data/definitions/330.html
[2] SANS Top 25 2009 - (SANS 2009) Porous Defenses - CWE ID 330 Use of Insufficiently
Random Values
[3] J. Viega and G. McGraw. "Building Secure Software: How to Avoid Security Problems the Right Way". 2002.
19. :
(Password Management: Password in Redirect)
.
HTTP HTTP GET .
,
. ,
, .
.
ServeletsendRedirect
. GET POST
.
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
8:
9:
- JAVA
1:
2:
3:
4:
request.getSession().invalidate();
5:
6:
7:
8:
// .
9:
10:
11:
12:
13:
// POST .
14:
15:
16:
GET POST
.
.
[1] CWE-359 - http://cwe.mitre.org/data/definitions/359.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
.
.
.
- JAVA
public void doPost(HttpServletRequest request, HttpServletResponse response)
1:
2:
3:
try {
4:
5:
6:
7:
8:
// passwd
9:
10:
11:
con.close();
12:
} catch (SQLException e) {
13:
System.err.println("...");
14:
15:
16:
(passwd)
.
- JAVA
1:
2:
3:
4:
5:
try {
6:
request.getSession().invalidate();
7:
8:
9:
// passwd
10:
11:
12:
// ,
13:
14:
15:
16:
17:
18:
con.close();
19:
} catch (SQLException e) {
20:
System.err.println("...");
21:
} catch (NamingException e) {
22:
System.err.println("...");
23:
24:
25:
(passwd) (: 8
), .
.
[1] CWE-521 - http://cwe.mitre.org/data/definitions/521.html
[2] OWASP Top 10 2010 A3 Broken Authentication Session Management
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
. ,
, .
.
.
.
- JAVA
1:
2:
3:
4:
if (maxAge.matches("[0-9]+")) {
5:
6:
if (sessionID.matches("[A-Z=0-9a-z]+")) {
7:
8:
// .
9:
c.setMaxAge(Integer.parseInt(maxAge));
}
10:
11:
12:
javax.servlet.http.Cookie.setMaxAge
.
- JAVA
1:
2:
3:
4:
5:
6:
if (maxAge.matches("[0-9]+")) {
7:
8:
9:
if (sessionID.matches("[A-Z=0-9a-z]+")) {
10:
11:
// , .
12:
int t = Integer.parseInt(maxAge);
13:
if (t > 3600) {
t = 3600;
14:
15:
16:
c.setMaxAge(t);
}
17:
18:
19:
, .
.
[1] CWE-539 - http://cwe.mitre.org/data/definitions/539.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
.
UDP
.
.
- JAVA
1:
2:
3:
void foo () {
try {
4:
5:
socket.setReuseAddress(true);
6:
} catch (SocketException e) { }
7:
8:
9:
.
- JAVA
1:
2:
3:
void foo () {
4:
try {
java.net.DatagramSocket socket = new java.net.DatagramSocket(INPORT);
5:
socket.setReuseAddress(false);
6:
} catch (SocketException e) { }
7:
8:
.
.
[1] CWE-605 - http://cwe.mitre.org/data/definitions/605.html
.
HTTPSCookie
setSecure(true) .
: ()HTTPHTTPHTTPSsetSecure
.
.
- JAVA
1:
2:
3:
4:
5:
HttpServletResponse response) {
r.getParameter("accountID");
6:
//
7:
8:
9:
HTTPS,
.
- JAVA
1:
2:
3:
4:
5:
String acctID =
6:
//
HttpServletResponse response) {
r.getParameter("accountID");
7:
8:
9:
10:
11:
// .
c.setSecure(true);
12:
response.addCookie(c);
13:
14:
HTTPSCookie
setSecure(true).
.
[1] CWE-614 HTTPS - http://cwe.mitre.org/data/definitions/614.html
[2] OWASP Top 10 2010 - (OWASP 2010) A9 Insufficient Transport Layer Protection
.
.
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
try {
8:
9:
} catch (SQLException e) {
10:
11:
12:
.
- JAVA
1:
2:
// .
3:
4:
5:
password) {
6:
try {
7:
8:
9:
10:
11:
} catch (SQLException e) {
12:
return conn;
13:
14:
.
.
[1] CWE-615 - http://cwe.mitre.org/data/definitions/615.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
[3] Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Information Leakage
25.
(Incorrect Permission Assignment for Critical Resource)
.
SW
, .
.
, , SW
.
,
.
.
- JAVA
1:
2:
3:
4:
...
5:
Runtime.getRuntime().exec(cmd);
JAVA API
umask, /.
- JAVA
1:
2:
3:
4:
...
5:
Runtime.getRuntime().exec(cmd);
, /
umask.
.
[1] CWE-732 - http://cwe.mitre.org/data/definitions/732.html
CWE-276 - http://cwe.mitre.org/data/definitions/276.html
CWE-277 - http://cwe.mitre.org/data/definitions/277.html
CWE-278 - http://cwe.mitre.org/data/definitions/278.html
CWE-279 -- http://cwe.mitre.org/data/definitions/279.html
CWE-281 - http://cwe.mitre.org/data/definitions/281.html
CWE-285 - http://cwe.mitre.org/data/definitions/281.html
[2] CWE/SANS Top 25 Most Dangerous Software Errors, http://cwe.mitre.org/top25/
4
()()
. (dead lock),
, .
1. :
(Race Condition: Static Database Connection(dbconn))
.
DB ,
.
.
DB (race condition)
DB .
.
- JAVA
1:
2:
// DB .
3:
4:
"jdbc:ocl:orcl";
5:
6:
7:
InitialContext ctx;
8:
try {
9:
10:
11:
conn = datasource.getConnection();
12:
} catch (NamingException e) {
13:
return conn;
14:
15:
- JAVA
1:
2:
// DB .
3:
4:
5:
6:
7:
InitialContext ctx;
8:
try {
9:
10:
11:
} catch (NamingException e) {
12:
return conn;
13:
14:
15:
.
[1] CWE-362 - http://cwe.mitre.org/data/definitions/362.html
[2] SANS Top 25 2010 - (SANS 2010) Insecure Interaction - CWE ID 362 Concurrent Execution
using Shared Resource with Improper Synchronization ('Race Condition')
[3] Java 2 Platform Enterprise Edition Specification, v1.4, Sun Microsystems
.
(race condition)
, . ,
.
.
- JAVA
1:
2:
// .
3:
4:
5:
6:
name = req.getParameter("name");
7:
8:
, .
, 2
.
- JAVA
1:
2:
3:
HttpServletResponse res)
throws ServletException, IOException {
9:
4:
// .
5:
6:
7:
.
.
[1] CWE-362 - http://cwe.mitre.org/data/definitions/362.html
[2] SANS Top 25 2010 - (SANS 2010) Insecure Interaction - CWE ID 362 Concurrent Execution
using Shared Resource with Improper Synchronization ('Race Condition')
[3] The Java Servlet Specification, Sun Microsystems
3. :
(Time-of-check Time-of-use (TOCTOU) Race Condition)
.
.
.
, , .
.
(: ), (synchronized)
.
.
thread safe .
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
if (f.exists()) { //
14:
15:
br.close();
}
16:
} else if ( manageType.equals("DELETE") ) {
17:
18:
19:
if (f.exists()) { //
f.delete();
20:
} else {
21:
22:
23:
24:
25:
} catch (IOException e) {
26:
27:
28:
29:
30:
31:
32:
// .
33:
34:
35:
fileAccessThread.start();
36:
fileDeleteThread.start();
}
37:
38:
,
.
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
if ( manageType.equals("READ") ) {
17:
18:
if (f.exists()) { //
19:
20:
br.close();
21:
22:
}
} else if ( manageType.equals("DELETE") ) {
23:
24:
if (f.exists()) { //
25:
f.delete();
} else {
26:
27:
28:
29:
} catch (IOException e) {
30:
31:
32:
33:
34:
35:
36:
37:
38:
// .
39:
40:
41:
fileAccessThread.start();
42:
fileDeleteThread.start();
43:
}
}
44:
(, ),
.
- JAVA
1:
2:
String name;
3:
4:
5:
6:
name
MyServlet.
1 - JAVA
1:
2:
// .
3:
4:
...
5:
6:
namedoPost .
2 - JAVA
public class MyClass {
1:
2:
String name;
3:
4:
// .
synchronized {
5:
name = hreq.getParameter("name");
6:
...
7:
8:
...
9:
10:
name , synchronized ,
.
.
[1] CWE-367 : - http://cwe.mitre.org/data/definitions/367.html
[2] SANS Top 25 Most Dangerous Software Errors
[3] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software
Security".
4. J2EE :
(J2EE Bad Practices Direct Use of Threads)
.
J2EE .
. , , , .
.
J2EE.
.
- JAVA
1:
2:
// Threadbackground.
4:
5:
6:
};
8:
new Thread(r).start();
9:
10:
11:
something");
7:
J2EE , , ,
.
- JAVA
1:
2:
// Thread.
4:
// New MyClass().main();
5:
6:
// asyncJAVA Runtime
7:
// async.
Runtime.getRuntime().exec("java AsyncClass");
8:
9:
10:
11:
12:
class AsyncClass {
public static void main(String args[]) {
13:
14:
15:
//
System.err.println("do something");
16:
17:
18:
.
.
[1] CWE-383 J2EE : - http://cwe.mitre.org/data/definitions/383.html
[2] Java 2 Platform Enterprise Edition Specification, v1.4, Sun Microsystems
5.
(Symbolic Name not Mapping to Correct Object)
.
.
.
.
.
- JAVA
1:
2:
IllegalAccessException {
3:
// Class.forName.
4:
Class c = Class.forName("testbed.unsafe.U386.Add");
5:
6:
7:
System.out.println(add.add(3, 5)); // 34
8:
9:
10:
11:
12:
13:
class Add {
14:
15:
return x + y;
16:
17:
18:
19:
20:
21:
class Add {
int add(int x, int y) {
22:
23:
java.lang.Class.forName()(return),
""
.
- JAVA
1:
2:
InstantiationException,
3:
IllegalAccessException {
4:
// .
5:
6:
System.out.println(add.add(3, 5));
7:
8:
System.out.println(add2.add(3, 5));
}
9:
10:
class Add {
11:
12:
return x + y;
13:
14:
15:
16:
17:
18:
class Add {
int add(int x, int y) {
19:
20:
java.lang.Class.forName , .
.
[1] CWE-386 - http://cwe.mitre.org/data/definitions/386.html
6. (Double-Checked Locking)
.
(double-checked locking)
, .
,
,
.
.
()
().
.
.
- JAVA
1:
2:
Helper helper;
3:
4:
5:
6:
if (helper == null) {
synchronized (this) {
7:
if (helper == null) {
8:
9:
10:
11:
12:
return helper;
13:
14:
15:
class Helper {
16:
17:
18:
19:
helper .
.
, helper
.
- JAVA
1:
2:
Helper helper;
3:
4:
// .
5:
6:
7:
8:
return helper;
9:
10:
11:
12:
13:
class Helper {
14:
15:
,
.
.
[1] CWE-609 - http://cwe.mitre.org/data/definitions/609.html
[2] David Bacon et al.. "The "Double-Checked Locking is Broken" Declaration".
http://www.cs.umd.edu/~pugh/java/memoryModel/DoubleCheckedLocking.html
7. (Uncontrolled Recursion)
.
. , (base case)
.
.
.
.
- JAVA
1:
2:
3:
4:
5:
, /
.
- JAVA
1:
2:
3:
int i;
4:
// .
5:
if (n == 1) {
i = 1;
6:
} else {
7:
i = n * factorial(n - 1);
8:
9:
return i;
10:
11:
.
.
[1] CWE-674 - http://cwe.mitre.org/data/definitions/674.html
5
,
.
.
( )
.
.
.
.
- JAVA
1:
2:
3:
try {
4:
5:
String id = request.getParameter("id");
6:
7:
//
....
8:
} catch (SQLException e) {
9:
10:
.
- JAVA
1:
2:
3:
4:
response)
5:
try {
6:
7:
String id = request.getParameter("id");
8:
9:
10:
// passwd
11:
12:
13:
14:
} catch (SQLException e) {
15:
catch (NamingException e) {
16:
17:
}
}
.
.
[1] CWE-521 - http://cwe.mitre.org/data/definitions/521.html
[2] OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
.
SW
.
.
- JAVA
1:
2:
3:
4:
try{
5:
6:
7:
8:
catch (Exception e) {
9:
10:
e.printStackTrace();
.
- JAVA
1:
2:
3:
4:
try{
5:
6:
7:
8:
catch (Exception e) {
9:
10:
System.out.println("");
.
.
[1] CWE-209 - http://cwe.mitre.org/data/definitions/209.html
.
(catch).
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
8:
9:
} catch (SQLException e) {
10:
11:
// catch
12:
} catch (NamingException e) {
// catch
13:
14:
return conn;
15:
16:
try (catch)
.
.
- JAVA
1:
2:
3:
4:
String password) {
try {
5:
6:
7:
8:
9:
} catch (SQLException e) {
10:
11:
// Exception catchException.
12:
if ( conn != null ) {
try {
13:
conn.close();
14:
15:
conn = null;
16:
17:
18:
} catch (NamingException e) {
19:
20:
// Exception catchException.
21:
if ( conn != null ) {
try {
22:
conn.close();
23:
24:
conn = null;
25:
26:
27:
28:
return conn;
29:
30:
(catch), (Exception).
.
[1] CWE-390 - http://cwe.mitre.org/data/definitions/390.html
[2] OWASP Top Ten 2004 Category A7 - Improper Error Handling
4.
(Improper Check for Unusual or Exceptional Conditions)
.
, .
.
, ,
.
.
- JAVA
1:
2:
...
3:
4:
5:
6:
7:
8:
fileNameNull File ,
Exception.
- JAVA
1:
2:
try {
3:
...
4:
5:
// filename
if ( fileName == NULL ) throw new MyException(");
6:
7:
8:
9:
10:
// .
} catch (FileNotFoundException fe) {...}
11:
12:
13:
.
[1] CWE-754 - http://cwe.mitre.org/data/definitions/754.html
CWE-252 - http://cwe.mitre.org/data/definitions/252.html
CWE-253 - http://cwe.mitre.org/data/definitions/253.html
CWE-273 - http://cwe.mitre.org/data/definitions/273.html
CWE-296 - http://cwe.mitre.org/data/definitions/296.html
CWE-297 -- http://cwe.mitre.org/data/definitions/297.html
CWE-298 - http://cwe.mitre.org/data/definitions/298.html
CWE-299 - http://cwe.mitre.org/data/definitions/299.html
[2] SANS Top 25 Most Dangerous Software Errors, http://www.sans.org/top25-software-errors/
[3] M. Howard, D. LeBlanc, Writing Secure Code, Second Edition, Microsoft Press
6
, , , , ,
. ,
, ,
.
.
notify().
.
- JAVA
1:
2:
3:
4:
notify();
5:
notify().
- JAVA
1:
2:
3:
4:
// notify() .
5:
notify() .
.
[1] CWE-362 - http://cwe.mitre.org/data/definitions/362.html
CWE-662 - http://cwe.mitre.org/data/definitions/662.html
[2] Sun Microsystems, Inc. Java Sun Tutorial - Concurrency
.
finally .
.
- JAVA
1:
2:
3:
4:
5:
try {
6:
Class.forName("com.mysql.jdbc.Driver");
7:
conn = DriverManager.getConnection(url);
8:
9:
// .
conn.close();
10:
11:
} catch (ClassNotFoundException e)
13:
} catch (SQLException e) {
System.err.println("SQLException occured");
14:
15:
System.err.println("ClassNotFoundException occured");
12:
} finally {
16:
17:
JDBC .
.
- JAVA
1:
2:
3:
4:
5:
try {
6:
Class.forName("com.mysql.jdbc.Driver");
7:
conn = DriverManager.getConnection(url);
8:
9:
} catch (ClassNotFoundException e) {
System.err.print("error");
10:
11:
} catch (SQLException e) {
System.err.print("error");
12:
13:
} finally {
14:
15:
// close().
16:
conn.close();
17:
finally
.
.
[1] CWE-404 - http://cwe.mitre.org/data/definitions/404.html
[2] SANS Top 25 2009 - (SANS 2009) Risky Resource Management - CWE ID 404 Improper
Resource Shutdown or Release
.
(reference)
.
.
- JAVA
1:
2:
3:
4:
// cmdnull.
5:
cmd = cmd.trim();
6:
System.out.println(cmd);
7:
"cmd" ,
"cmd" , cmdtrim()
.
- JAVA
1:
2:
3:
4:
// cmdnull.
5:
if (cmd != null) {
6:
cmd = cmd.trim();
7:
System.out.println(cmd);
8:
9:
cmd.
.
[1] CWE-476 - http://cwe.mitre.org/data/definitions/476.html
4. : serialPersistentFields
(Code Correctness: Incorrect serialPersistentFields Modifier)
.
serialPersistentFieldsprivate static final.
public.
.
serialPersistentFieldsprivate, static, final.
.
- JAVA
1:
2:
3:
- JAVA
1:
Serializable {
2:
3:
4:
.
[1] CWE-485 - http://cwe.mitre.org/data/definitions/485.html
[2] Sun Microsystems, Inc. Java Sun Tutorial
.
run() start().
.
- JAVA
1:
2:
3:
4:
// run() .
thr.run();
5:
6:
7:
}
class PrintThread extends Thread {
8:
9:
10:
- JAVA
1:
2:
3:
4:
// .
thr.start();
5:
6:
7:
8:
9:
10:
System.out.println("CWE 572
TEST");
start() .
.
[1] CWE-572 : Thread.run() - http://cwe.mitre.org/data/definitions/572.html
6. :
(Code Correctness: Non-Synchronized Method Overrides Synchronized Method)
.
, (synchronized)
(override),
(synchronized) .
.
(synchronized) ,
synchronized .
.
- JAVA
1:
2:
3:
4:
5:
6:
System.out.print(i);
7:
8:
9:
// .
10:
11:
13:
System.out.print(i);
12:
(synchronized)
(override)
- JAVA
1:
2:
3:
4:
5:
6:
System.out.print(i);
7:
8:
9:
System.out.print(i);
11:
12:
synchronizedMethod() {
10:
(synchronized) (synchronized)
.
[1] CWE-665 - http://cwe.mitre.org/data/definitions/665.html
[2] Sun Microsystems, Inc. Bug ID: 4294756 Javac should warn if synchronized method is
overridden with a non synchronized
.
, .
.
.
Pool(Thread Pool, Connection Pool ).
.
- JAVA
1:
2:
3:
try {
4:
conn=getConnection();
5:
...
6:
7:
8:
...
9:
conn.close();
10:
11:
pstmt.close();
}catch (SQLException ex) {...}
- JAVA
1:
2:
3:
try {
conn=getConnection();
4:
5:
...
6:
7:
...
8:
9:
10:
// finally.
11:
finally {
if ( conn!= null ) try { conn.close(); } catch (SQLException e){...}
12:
13:
14:
finally,
finally.
.
[1] CWE-400 - http://cwe.mitre.org/data/definitions/400.html
CWE-774 - http://cwe.mitre.org/data/definitions/774.html
CWE-789 - http://cwe.mitre.org/data/definitions/789.html
CWE-770 - http://cwe.mitre.org/data/definitions/770.html
[2] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 17, "Protecting Against Denial
of Service Attacks" Page 517. 2nd Edition. Microsoft. 2002
[3] J. Antunes, N. Ferreira Neves and P. Verissimo. "Detection and Prediction of
Resource-Exhaustion Vulnerabilities". Proceedings of the IEEE International
7
,
.
.
.
HttpServlet .
.
.
- JAVA
1:
2:
3:
4:
5:
name = request.getParameter("name");
6:
7:
8:
9:
, out.println(...)
name = ...
(name).
- JAVA
1:
2:
3:
4:
// .
5:
6:
7:
8:
9:
.
.
[1] CWE-488 - http://cwe.mitre.org/data/definitions/488.html
.
J2EEmain() .
, main() .
.
- JAVA
1:
2:
3:
4:
// main().
5:
6:
7:
8:
code");
J2EEmain() .
- JAVA
1:
2:
3:
4:
5:
// .
J2EEmain() .
.
[1] CWE-489 - http://cwe.mitre.org/data/definitions/489.html
3.
(Use of Inner Class Containing Sensitive Data)
.
. (static) , (local)
(anonymous) .
.
private .
, , (static)
(local) (anonymous) .
.
- JAVA
1:
2:
// .
3:
4:
String secret;
5:
6:
,
, .
- JAVA
1:
2:
3:
4:
String secret;
urlHelper helper = new urlHelper(secret);
5:
6:
7:
private
.
.
[1] CWE-492 - http://cwe.mitre.org/data/definitions/492.html
4. Final
(Critical Public Variable Without Final Modifier)
.
publicfinal,
. .
.
public final.
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
8:
- JAVA
1:
extends Applet {
2:
// final .
3:
4:
5:
6:
7:
8:
public final .
.
[1] CWE-493 Final - http://cwe.mitre.org/data/definitions/493.html
5. private -
(Private Array-Typed Field Returned From A Public Method)
.
privatepublic(return),
.
.
privatepublic.
, public
.
.
- JAVA
1:
// private publicreturn
2:
3:
4:
return colors;
colorsprivatepublicgetColors()
reference. .
- JAVA
1:
2:
3:
// private, , public
.
4:
5:
6:
if ( this.colors != null ) {
7:
8:
ret[i] = this.colors[i];
9:
return ret;
10:
11:
12:
.
[1] CWE-495 private -- http://cwe.mitre.org/data/definitions/495.html
6. private -
(Public Data Assigned to Private Array-Typed Field)
.
publicprivate , private
.
.
publicprivate .
.
- JAVA
1:
2:
3:
4:
5:
6:
7:
8:
- JAVA
1:
2:
// private member.
3:
4:
5:
6:
7:
8:
9:
10:
.
[1] CWE-496 private -- http://cwe.mitre.org/data/definitions/496.html
.
.
.
- JAVA
1:
2:
3:
try {
4:
catch (IOException e) {
5:
// printf(e.getMessage()).
g();
System.err.printf(e.getMessage());
6:
7:
8:
9:
10:
getMessage()
.
- JAVA
1:
2:
3:
try {
4:
catch (IOException e) {
5:
// end user.
}
7:
9:
10:
System.err.println("IOException Occured");
6:
8:
g();
}
private void g() throws IOException {
.
.
[1] CWE-497 - http://cwe.mitre.org/data/definitions/497.html
.
.
.
- JAVA
1:
2:
3:
//
4:
5:
try {
6:
7:
System.out.println(clazz);
8:
9:
} catch (ClassNotFoundException e) {
.
- JAVA
1:
2:
3:
// .
4:
5:
6:
System.out.println(tc);
.
.
.
[1] CWE-545 - http://cwe.mitre.org/data/definitions/545.html
2
1
SQL(Dynamic SQL) : SQL,
DBSQL.
(Mutex) :
, (critical section)
.
(Sandbox) : (Executable File)
.
(Servlet) : (Java Servlet)
.
(Struts) : 2 .
SQL(Static SQL) : SQL
.
: ,
.
(Whitelist) : (Black List), IP
.
(Hash) : (),
(message digest function)()
()''.
Advanced Encryption Standard (AES) :
DES, (NIST)52001
11(FIPS 197).
Big Endian :
.
DES : DES(Data Encryption Standard)
64,
64, 64. (Brute Force)
.
LDAP(Lightweight Directory Access Protocol) : TCP/IP
.
Little Endian :
.
MultipartRequest : O'reilly
.
OAEP(Optimal Asymmetric Encryption Padding) : BellareRogaway
RSApadding scheme
Pool : ,
,
.
Private key :
Public key : ,
,
.
SHA(Secure Hash Algorithm) : .
RC5 : 1994RSA SecurityRonald Rivest.
Synchronized : JAVA
Umask : .
Wraparound : int longMSB(Most
Significant Bit), .
2
ACL : Access Control List
AES : Advanced Encryption Standard
CSRF : Cross-Site Request Forgery
CWE : Common Weakness Enumeration
DES : Data Encryption Standard
ESAPI : Enterprise Security API
HTML : Hyper Text Markup Language
HTTPS : Hypertext Transfer Protocol over Secure Socket Layer
JAAS : Java Authentication and Authorization Service
JDBC : Java Database Connectivity
LDAP : Lightweight Directory Access Protocol
MSB : Most Significant Bit
OAEP : Optimal Asymmetric Encryption Padding
OWASP : Open Web Application Security Project
RSA : Ron Rivest, Adi Shamir, Leonard Adleman
SHA : Secure Hash Algorithm
SQL : Structured Query Language
OpenSSL : Open Secure Socket Layer
URL : Uniform Resource Locator
XSS : Cross-Site Scripting
WAS : Web Application Server
$
42-
-%"1
-%"1
"1*
DISPPU+BJM
%/4MPPLVQ
HFUMPHJO
34"
<1> C
CWE-ID
SQL
CWE-89
CWE-121
CWE-122
CWE-23
CWE-36
CWE-78
LDAP
CWE-90
LDAP
CWE-90
CWE-99
CWE-125
CWE-15
CWE-114
CWE-124
CWE-125
CWE-129
CWE-170
CWE-190
CWE-194
CWE-196
API
CWE-242
chroot Jail
CWE-243
DNS lookup
CWE-247
:
CWE-251
getlogin()
CWE-558
CWE-259
CWE-285
CWE-255
CWE-ID
CWE-256
CWE-260
CWE-261
CWE-266
CWE-272
:
CWE-310
CWE-321
: RSA
CWE-325
:
CWE-326
CWE-327
CWE-330
CWE-605
CWE-615
CWE-732
:
CWE-367
CWE-386
CWE-674
CWE-209
CWE-754
CWE-195
CWE-398
CWE-404
CWE-476
CWE-562
CWE-730
CWE-ID
:
CWE-730
:
CWE-730
CWE-770
CWE-489
1 C
1
.
,
.
.
SQL ,
. .
.
- C
1:
#include <stdlib.h>
2:
#include <sql.h>
3:
4:
{
char *query = getenv("query_string");
5:
6:
7:
- C
1:
#include <sql.h>
2:
3:
{
char *query_items = "SELECT * FROM items";
4:
5:
6:
.
.
[1] CWE-89 SQL - http://cwe.mitre.org/data/definitions/89.html
[2] OWASP Top 10 2010 - (OWASP 2010) A1 Injection
[3] SANS Top 25 2010 - (SANS 2010) Insecure Interaction
.
.
.
.
(bounds checking).
strcpy().
.
- C
1:
2:
char buf[24];
3:
ctrcpy(buf, string);
4:
5:
, strcpy()
.
.
- C
1:
2:
char buf[24];
3:
/* buf. */
4:
5:
/* null*/
6:
buf[sizeof(buf)-1] = '\0';
7:
8:
9:
(string)buf. strncpy()
buf, buf'\0'.
.
[1] CWE-121 - http://cwe.mitre.org/data/definitions/121.html
.
.
.
.
(bounds checking).
strlcpy().
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <string.h>
4:
#define BUFSIZE 10
5:
6:
{
char *dest = NULL;
7:
8:
9:
10:
strcpy(dest, argv[1]);
11:
12:
free(dest);
13:
return 0;
14:
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <string.h>
4:
#define BUFSIZE 10
5:
6:
7:
8:
9:
10:
11:
12:
free(dest);
return 0;
13:
14:
strlcpy() .
(strlcpy() null.)
.
[1] CWE-122 - http://cwe.mitre.org/data/definitions/122.html
.
.
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <unistd.h>
4:
#include <string.h>
5:
void f()
6:
7:
/* */
8:
9:
char buf[30];
10:
11:
12:
13:
reportName/home/www/tmp
, reportName../../../etc/passwd
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <unistd.h>
4:
#include <string.h>
5:
void f()
6:
{
/* */
7:
8:
char buf[30];
9:
10:
11:
12:
.
.
[1] CWE-23 -http://cwe.mitre.org/data/definitions/23.html
[2] CWE-22 - http://cwe.mitre.org/data/definitions/22.html
[3] OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object Reference
[4] SANS Top 25 2010 - (SANS 2010) Risky Resource Management
.
.
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <unistd.h>
4:
void f()
5:
6:
/* */
7:
8:
9:
reportName
().
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <unistd.h>
4:
void f()
5:
6:
/* */
7:
unlink("/home/www/tmp/report");
8:
.
.
[1] CWE-36 - http://cwe.mitre.org/data/definitions/36.html
6.
(Improper Neutralization of Special Elements Used in an OS
Command (OS Command Injection))
.
.
.
, .
.
system()
. ,
.
.
- C
1:
#include <stdio.h>
2:
#include <unistd.h>
3:
#include <limits.h>
4:
5:
6:
char arg[80];
7:
8:
char *command;
9:
size_t commandLength;
/* */
10:
11:
fgets(arg,80,stdin);
12:
13:
14:
15:
16:
);
17:
system(command);
return 0;
18:
19:
.
catWrapper"Story.txt; ls"Story.txt
.
,
.
- C
1:
#include <stdio.h>
2:
#include <unistd.h>
3:
4:
5:
char arg[80];
6:
7:
char *command;
8:
size_t commandLength;
9:
fgets(arg,80,stdin);
/* */
10:
1:
if (strpbrk(arg,";\"'."))
11:
{
exit(1);
12:
13:
14:
15:
16:
17:
18:
19:
20:
system(command);
return 0;
21:
22:
strpbrk() .
.
[1] CWE-78 - http://cwe.mitre.org/data/definitions/78.html
[2] OWASP Top 10 2010 - (OWASP 2010) A1 Injection
[3] SANS Top 25 2010 - (SANS 2010) Insecure Interaction
.
LDAP .
.
- C
1:
#include <stdio.h>
2:
#include <ldap.h>
3:
4:
int main()
5:
6:
7:
int rc;
8:
9:
LDAPMessage* result;
rc = ldap_search_ext_s(ld, FIND_DN, LDAP_SCOPE_BASE, filter, NULL, 0, NULL, NULL,
10:
11:
12:
- C
1:
#include <stdio.h>
2:
#include <ldap.h>
3:
4:
int main()
5:
6:
7:
int rc;
8:
9:
LDAPMessage* result;
rc = ldap_search_ext_s( ld, FIND_DN, LDAP_SCOPE_BASE, filter, NULL, 0, NULL,
10:
11:
12:
.
.
[1] CWE-90 LDAP - http://cwe.mitre.org/data/definitions/90.html
[2] OWASP Top 10 2010 - (OWASP 2010) A1 Injection
[3] SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 116 Improper
Encoding or Escaping of Output
.
.
.
.
- C
1:
#include <stdio.h>
2:
#include <ldap.h>
3:
4:
5:
6:
char base[MAX];
7:
char manager[MAX-10];
8:
int rc;
9:
LDAPMessage* result;
10:
fgets(manager,sizeof(manager),file);
11:
12:
13:
14:
return rc;
managersnprintf() LDAP
. .
- C
1:
#include <stdio.h>
2:
#include <ldap.h>
3:
4:
5:
6:
LDAPMessage* result;
7:
8:
9:
return rc;
.
.
[1] CWE-90 LDAP - http://cwe.mitre.org/data/definitions/90.html
[2] OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input
9. (Resource Injection)
.
SW
.
.
.
connect() .
.
- C
1:
#include <stdio.h>
2:
#include <netinet/in.h>
3:
#include <stdlib.h>
4:
#include <string.h>
5:
int main()
6:
{
char* rPort = getenv("rPort");
7:
8:
9:
int sockfd = 0;
10:
char buf[25]
11:
12:
13:
14:
return 0;
15:
16:
getenv("rPort").
.
- C
1:
#include <stdio.h>
2:
#include <netinet/in.h>
3:
#include <stdlib.h>
4:
#include <string.h>
5:
int main()
6:
7:
8:
9:
int sockfd = 0;
10:
char buf[25];
11:
if(strcmp(rPort,"") < 0)
12:
{
printf("bad input");
13:
14:
15:
16:
17:
18:
19:
return 0;
20:
.
.
[1] CWE-99 - http://cwe.mitre.org/data/definitions/99.html
[2] OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object Reference
.
.
.
- C
1:
int u9119()
2:
3:
int i;
4:
int sum = 0;
5:
int buf[10];
for(i=0; i < 10; i++)
6:
7:
{
sum += i;
8:
9:
10:
sum = buf[i];
11:
/* 10*/
12:
return 0;
}
13:
10.
- C
1:
int main()
2:
3:
int i;
4:
int sum = 0;
5:
int buf[10];
6:
7:
{
sum += i;
8:
9:
10:
sum = buf[i-1];
11:
return 0;
12:
-1
.
.
[1] CWE-125 - http://cwe.mitre.org/data/definitions/125.html
[2] CWE-129 - http://cwe.mitre.org/data/definitions/129.html
[3] CWE-131 - http://cwe.mitre.org/data/definitions/131.html
[4] CWE-193 - http://cwe.mitre.org/data/definitions/193.html
[5] CWE-805 - http://cwe.mitre.org/data/definitions/805.html
[6] OWASP Top 10 2004 - (OWASP 2004) A5 Buffer Overflow
[7] SANS Top 25 2010 - (SANS 2010) Risky Resource Management
11.
(External Control of System or Cofiguration Setting)
.
.
, .
.
sethostid() .
.
- C
1:
#include <stdlib.h>
2:
#include <unistd.h>
3:
4:
{
sethostid(atol(argv[1]));
5:
6:
ID.
sethostid()
. ID
.
- C
1:
#include <stdlib.h>
2:
#include <unistd.h>
3:
4:
{
sethostid(0xC0A80101);
5:
6:
ID.
.
[1] CWE-15 - http://cwe.mitre.org/data/definitions/15.html
[2] OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input
.
.
.
.
- C
1:
#include <stdio.h>
2:
#include <dlfcn.h>
3:
int main()
4:
5:
char *filename;
6:
int *handle;
7:
filename = getenv("SHAREDFILE");
8:
/* RRLD_LAZY: */
if ((handle = dlopen(filename, RTLD_LAZY)) != NULL)
9:
10:
11:
exit(1);
12:
13:
...
14:
return 0;
15:
dlopen() filename.
- C
1. #include <stdio.h>
2. #include <dlfcn.h>
3. int main()
4. {
5.
char *filename;
6.
int *handle;
7.
/* */
filename = "/usr/lib/hello.so";
8.
9.
10.
11.
exit(1);
12.
13.
...
14.
return 0;
15. }
.
.
[1] CWE-114 - http://cwe.mitre.org/data/definitions/114.html
[2] OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object Reference
13.
(Boundary Beginning Violation ('Buffer Underwrite'))
.
.
.
.
.
.
- C
1:
int main()
2:
3:
int a[10];
4:
a[-1] = 0;
5:
return 0;
6:
.
- C
1:
int main()
2:
3:
int a[10];
4:
a[0] = 0;
return 0;
5:
6:
.
.
[1] CWE-124 - http://cwe.mitre.org/data/definitions/124.html
.
.
.
.
- C
1:
int main()
2:
3:
4:
int b = a[3];
return 0;
5:
6:
.
- C
1:
int main() {
2:
3:
int b = a[2];
return 0;
4:
5:
.
.
[1] CWE-125 - http://cwe.mitre.org/data/definitions/125.html
[2] CWE-129 - http://cwe.mitre.org/data/definitions/129.html
[3] CWE-131 - http://cwe.mitre.org/data/definitions/131.html
[4] CWE-805 - http://cwe.mitre.org/data/definitions/805.html
[5] OWASP Top 10 2004 - (OWASP 2004) A5 Buffer Overflow
[6] SANS Top 25 2010 - (SANS 2010) Risky Resource Management
.
,
.
, '>' '>='.
.
- C
1:
2:
char buf[BUFFER_SIZE];
3:
int ok;
4:
5:
6:
7:
if (hasDotInBuffer(buf))
break;
8:
9:
sizes[num-1] = size;
10:
11:
...
12:
13:
numsizes size
.
.
- C
int getsizes(int sock, unsigned int MAXCOUNT, int *sizes) {
1:
2:
char buf[BUFFER_SIZE];
3:
int ok;
4:
5:
6:
if (hasDotInBuffer(buf)) break;
7:
// bufnum, size.
8:
9:
10:
// num.
if (num > 0 && num <= MAXCOUNT)
11:
sizes[num-1] = size;
12:
13:
14:
15:
...
16:
17:
.
[1] CWE-129 - http://cwe.mitre.org/data/definitions/129.html
CWE-120 - http://cwe.mitre.org/data/definitions/120.html
[2] SANS Top 25 2010 - (SANS 2010) Risky Resource Management - CWE ID 805 Buffer
Access with Incorrect Length Value
[3] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 5, "Public Enemy #1: The
Buffer Overrun" Page 127. 2nd Edition. Microsoft. 2002
[4] M. Howard, D. LeBlanc and J. Viega. "24 Deadly Sins of Software Security".
"Sin 5: Buffer Overruns." Page 89. McGraw-Hill. 2010
.
read(), readlink()strcpy(), strcat(), strlen() .
strlcpy()strlcat() .
.
- C
1:
#include <stdio.h>
2:
#include <string.h>
3:
#include <unistd.h>
4:
5:
6:
7:
void f() {
8:
char buf[MAXLEN];
9:
10:
11:
- C
1:
#include <stdio.h>
2:
#include <string.h>
3:
#include <unistd.h>
4:
#include <string.h>
5:
6:
7:
8:
void f() {
char buf[MAXLEN];
9:
10:
11:
12:
read() MAXLENstrcpy()
.
.
[1] CWE-170 - http://cwe.mitre.org/data/definitions/170.html
[2] CWE-665 - http://cwe.mitre.org/data/definitions/665.html
[3] OWASP Top 10 2004 - (OWASP 2004) A5 Buffer Overflow
[4] SANS Top 25 2010 - (SANS 2010) Risky Resource Management - CWE ID 665
Improper Initialization
.
Signed ,
. ,
unsigned
.
.
- C
1:
#include <stdlib.h>
2:
3:
{
void *rptr;
4:
5:
size += reserve;
6:
7:
8:
exit(1);
9:
return rptr;
10:
- C
1:
#include <stdlib.h>
2:
3:
4:
void *rptr;
5:
unsigned s;
6:
size += reserve;
7:
s=size* sizeof(int);
8:
if(s<0)
9:
return NULL;
10:
rptr = malloc(s);
11:
if (rptr == NULL)
12:
exit(1);
return rptr;
13:
14:
malloc() unsigned
integer overflow .
.
[1] CWE-190 - http://cwe.mitre.org/data/definitions/190.html
[2] OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input
[3] SANS Top 25 2010 - (SANS 2010) Risky Resource Management
.
.
.
- C
1:
2:
3:
4:
short s;
5:
unsigned sz;
6:
/* intshort*/
7:
s = id;
8:
9:
/* unsigned*/
sz = s;
10:
return info[sz];
11:
12:
- C
1:
2:
3:
4:
int s;
5:
unsigned sz;
6:
s = id;
7:
8:
return 0;
9:
sz = (unsigned) s;
10:
return info[sz];
11:
.
.
[1] CWE-194 - http://cwe.mitre.org/data/definitions/194.html
19.
(Unsigned to Signed Conversion Error)
.
(unsigned integer)(signed integer)
.
.
.
signed intunsigned int.
.
- C
1:
#include <stdlib.h>
2:
#include <string.h>
3:
4:
int chunkSz()
5:
{
if (!initialized) return -1;
6:
return chunkSize;
7:
8:
9:
10:
11:
unsigned size;
12:
size = chunkSz();
return memcpy(dBuf, sBuf, size);
13:
13:
chunkSz() chunkSize-1
. chunkCpy memcpy
. sizeunsigned-1
.
- C
1:
#include <stdlib.h>
2:
#include <string.h>
3:
4:
int chunkSz()
5:
{
if (! initialized) return -1;
6:
return chunkSize;
7:
8:
9:
10:
11:
int size;
12:
size = chunkSz();
13:
14:
15:
.
[1] CWE-196 - http://cwe.mitre.org/data/
definitions/196.html
2 API
API(Application Programming Interface)
,
. API API
.
.
.
(: gets )
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
4:
void f() {
5:
char buf[BUFSIZE];
6:
gets(buf);
7:
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
4:
void f() {
char buf[BUFSIZE];
5:
8:
/* buf */
9:
6:
gets() fgets() .
.
[1] CWE-242 - http://cwe.mitre.org/data/definitions/242.html
[2] CWE-676 - http://cwe.mitre.org/data/definitions/676.html
[3] OWASP Top 10 2004 - (OWASP 2004) A5 Buffer Overflow
2. chroot Jail
(Creation of chroot Jail Without Change Working Directory)
.
chroot
.
chroot
.
,
.
.
chroot() chdir("/")
.
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <unistd.h>
4:
5:
FILE *localfile;
6:
7:
int len;
8:
9:
chroot("/var/ftproot");
10:
11:
12:
13:
14:
15:
16:
fclose(localfile);
17:
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <unistd.h>
4:
5:
FILE *localfile;
6:
7:
int len;
8:
chroot("/var/ftproot");
9:
10:
11:
/* */
12:
chdir("/");
13:
14:
15:
16:
17:
18:
19:
fclose(localfile);
20:
chroot() chdir("/")
.
.
[1] CWE-243 chroot Jail - http://cwe.mitre.org/data/
definitions/243.html
3. DNS lookup
(Reliance on DNS Lookups in a Security Decision )
.
DNS DNS . DNS
, DNS SW
. DNS, IP
.
.
DNS IP
DNS .
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <string.h>
4:
#include <netdb.h>
5:
#include <sys/socket.h>
6:
#include <netinet/in.h>
7:
#include <arpa/inet.h>
8:
9:
10:
11:
12:
myaddr.s_addr = inet_addr(ip_addr_string);
13:
14:
/* IPDNS */
15:
16:
17:
{
return 1; // true
18:
19:
20:
else {
return 0; // false
21:
22:
23:
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <string.h>
4:
#include <netdb.h>
5:
#include <sys/socket.h>
6:
#include <netinet/in.h>
7:
#include <arpa/inet.h>
int decision(char *ip_addr_string) {
8:
9:
10:
/* IP */
11:
12:
13:
14:
15:
else {
return 0; // false
16:
17:
18:
IP DNS
.
.
[1] CWE-247 DNS lookup- http://cwe.mitre.org/data/definitions/247.html
[2] SANS Top 25 2010 - (SANS 2010) Porus Defense - CWE ID 807 Reliance on
Untrusted Inputs in a Security Decision
.
_mbsXXX()
.
- C
1:
#include <mbstring.h>
2:
3:
4:
_mbsXXX()
.
.
- C
1:
#include <mbstring.h>
2:
3:
4:
_mbscpy_s().
.
[1] CWE-251 :- http://cwe.mitre.org/data/definitions/251.html
[2] CWE-176 Unicode - http://cwe.mitre.org/data/definitions/176.html
[3] OWASP Top 10 2004 - (OWASP 2004) A5 Buffer Overflow
5. getlogin()
(Use of getlogin() in Multithreaded Application)
.
.
. getlogin()
.
.
.
getlogin() getlogin_r() .
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <unistd.h>
4:
#include <sys/types.h>
5:
#include <pwd.h>
6:
int isTrustedGroup(int);
7:
int f() {
8:
9:
if (isTrustedGroup(pwd->pw_gid))
return 1; // allow
10:
else
11:
return 0; // deny
12:
13:
getlogin(). getlogin()
.
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <unistd.h>
4:
#include <sys/types.h>
5:
#include <pwd.h>
6:
7:
int isTrustedGroup(int);
8:
int f() {
9:
char id[MAX];
10:
11:
if (getlogin_r(id, MAX) != 0)
return 0;
12:
13:
pwd = getpwnam(id);
14:
if (isTrustedGroup(pwd->pw_gid))
return 1; // allow
15:
16:
else
return 0; // deny
17:
18:
getlogin_r() .
.
[1] CWE-558 getlogin() - http://cwe.mitre.org/data/definitions/558.html
[2] SANS Top 25 2010 - (SANS 2010) Porus Defense - CWE ID 807 Reliance on
Untrusted Inputs in a Security Decision
3
.
. , , , ,
.
1. (Hard-coded Password)
.
SW,
.
.
, SW
.
.
.
.
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <string.h>
4:
#include <sqlext.h>
5:
6:
SQLHENV henv;
7:
SQLHDBC hdbc;
8:
9:
10:
/* asdf".*/
11:
12:
return 0;
13:
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <string.h>
4:
#include <sqlext.h>
5:
6:
SQLHENV henv;
7:
SQLHDBC hdbc;
8:
9:
10:
11:
strlen(passwd) );
12:
SQLFreeHandle(SQL_HANDLE_DBC, hdbc);
13:
SQLFreeHandle(SQL_HANDLE_ENV, henv);
return 0;
14:
15:
,
.
.
[1] CWE-259 - http://cwe.mitre.org/data/definitions/259.html
[2] CWE-798 - http://cwe.mitre.org/data/definitions/798.html
[3] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
[4] SANS Top 25 2010 - (SANS 2010) Porus Defense
2. (Improper Authorization)
.
SW
, .
.
(attack surface).
ACL(Access Control List).
.
- C
1:
2:
3:
4:
5:
char filter[20];
6:
LDAPMessage *result;
7:
8:
snprintf(filter, sizeof(filter),"(name=%s)",username);
9:
/* LDAP */
10:
11:
12:
13:
- C
1:
2:
3:
4:
5:
char filter[20];
6:
LDAPMessage *result
7:
8:
/* username*/
9:
10:
return(FAIL);
11:
12:
13:
/* username*/
14:
if ( strcmp(username,getLoginName()) != 0 ) {
15:
printf(");
16:
return(FAIL);
17:
18:
19:
20:
21:
return rc;
22:
.
[1] CWE-285 - http://cwe.mitre.org/data/definitions/285.html
CWE-219 - http://cwe.mitre.org/data/definitions/219.html
[2] OWASP Top 10 2010 - (OWASP 2010) A8 Failure to Restrict URL Access
[3] SANS Top 25 2010 - (SANS 2010) Porus Defense - CWE ID 285 Improper Authorization
[4] NIST. "Role Based Access Control and Role Based Security"
[5] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 4, "Authorization" Page
114; Chapter 6, "Determining Appropriate Access Control" Page 171. 2nd Edition.
Microsoft. 2002
3. (Hard-coded Username)
.
,
.
,
.
, SW
.
.
.
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <string.h>
4:
#include <sqlext.h>
5:
6:
{
SQLHENV henv;
7:
8:
SQLHDBC hdbc;
9:
10:
11:
SQLConnect(hdbc,
12:
(SQLCHAR*) server,
13:
(SQLSMALLINT) strlen(server),
14:
/**/
15:
"root",
4,
16:
17:
passwd,
18:
strlen(passwd));
return 0;
19:
20:
.
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <string.h>
4:
#include <sqlext.h>
5:
6:
7:
SQLHENV henv;
8:
SQLHDBC hdbc;
9:
10:
11:
SQLConnect(hdbc,
12:
(SQLCHAR*) server,
13:
strlen(server),
14:
user,
15:
strlen(user),
16:
passwd,
strlen(passwd));
17:
return 0;
18:
19:
.
.
[1] CWE-255 - http://cwe.mitre.org/data/definitions/255.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
.
.
.
- C
1:
int dbaccess()
2:
3:
4:
char passwd[20];
5:
char user[20];
6:
SQLHENV henv;
7:
SQLHDBC hdbc;
8:
fp = fopen("config", "r");
9:
10:
11:
fclose(fp);
12:
13:
14:
SQLConnect(hdbc,
15:
(SQLCHAR*) server,
16:
(SQLSMALLINT) strlen(server),
17:
(SQLCHAR*) user,
18:
(SQLSMALLINT) strlen(user),
19:
/* */
20:
(SQLCHAR*) passwd,
21:
(SQLSMALLINT) strlen(passwd)
22:
return 0;
23:
);
.
.
- C
int dbaccess()
1:
2:
3:
FILE *fp;
4:
5:
char passwd[20];
6:
char user[20];
7:
char *verifiedPwd;
8:
SQLHENV henv;
9:
SQLHDBC hdbc;
10:
fp = fopen("config", "r");
11:
12:
13:
fclose(fp);
14:
verifiedPwd = verify(passwd);
15:
16:
17:
SQLConnect(hdbc,
18:
(SQLCHAR*) server,
19:
(SQLSMALLINT) strlen(server),
20:
(SQLCHAR*) user,
21:
(SQLSMALLINT) strlen(user),
22:
/* */
23:
(SQLCHAR*) verifiedPwd,
24:
(SQLSMALLINT) strlen(verifiedPwd )
);
25:
26:
return 0;
27:
.
.
[1] CWE-256 - http://cwe.mitre.org/data/definitions/256.html
[2] J. Viega and G. McGraw. "Building Secure Software: How to Avoid Security
Problems the Right Way". 2002.
.
,
.
.
- C
1:
int dbaccess()
2:
3:
FILE *fp;
4:
5:
char passwd[20];
6:
char user[20];
7:
SQLHENV henv;
8:
SQLHDBC hdbc;
9:
fp = fopen("config", "r");
10:
11:
12:
fclose(fp);
13:
14:
15:
SQLConnect(hdbc,
16:
(SQLCHAR*) server,
17:
(SQLSMALLINT) strlen(server),
18:
(SQLCHAR*) user,
19:
(SQLSMALLINT) strlen(user),
20:
(SQLCHAR*) passwd,
21:
(SQLSMALLINT) strlen(passwd)
22:
);
23:
return 0;
24:
config
.
.
- C
int dbaccess()
1:
2:
3:
FILE *fp;
4:
5:
char passwd[20];
6:
char user[20];
7:
char *verifiedPwd;
8:
SQLHENV henv;
9:
SQLHDBC hdbc;
10:
fp = fopen("config", "r");
11:
12:
13:
fclose(fp);
14:
verifiedPwd = verify(passwd);
15:
16:
17:
SQLConnect(hdbc,
18:
(SQLCHAR*) server,
19:
(SQLSMALLINT) strlen(server),
20:
(SQLCHAR*) user,
21:
(SQLSMALLINT) strlen(user),
22:
(SQLCHAR*) passwd,
23:
(SQLSMALLINT) strlen(passwd)
);
24:
25:
return 0;
26:
(, ),
.
.
[1] CWE-260 - http://cwe.mitre.org/data/definitions/260.html
[2] J. Viega and G. McGraw. "Building Secure Software: How to Avoid Security
Problems the Right Way". 2002.
.
.
.
- C
1:
char *base64_decode(char*);
2:
3:
4:
5:
char *passwd;
6:
SQLHENV henv;
7:
SQLHDBC hdbc;
8:
9:
10:
/* */
11:
passwd = base64_decode(cpasswd);
12:
SQLConnect(hdbc,
13:
(SQLCHAR*) server,
14:
(SQLSMALLINT) strlen(server),
15:
(SQLCHAR*) user,
16:
(SQLSMALLINT) strlen(user),
17:
(SQLCHAR*) passwd,
(SQLSMALLINT) strlen(passwd));
18:
19:
Base64.
- C
1:
2:
3:
4:
5:
SQLHENV henv;
6:
SQLHDBC hdbc;
7:
8:
9:
/* */
10:
11:
SQLConnect(hdbc,
12:
(SQLCHAR*) server,
13:
(SQLSMALLINT) strlen(server),
14:
(SQLCHAR*) user,
15:
(SQLSMALLINT) strlen(user),
16:
(SQLCHAR*) passwd,
(SQLSMALLINT) strlen(passwd));
17:
18:
.
.
[1] CWE-261 - http://cwe.mitre.org/data/definitions/261.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
.
.
.
- C
1:
#include <stdio.h>
2:
#include <sys/types.h>
3:
#include <unistd.h>
4:
char buf[100];
5:
char *privilegeUp()
{
6:
FILE *fp;
7:
8:
/* UID */
9:
seteuid(0);
fp = fopen("/etc/passwd", "r");
10:
11:
12:
/* UID*/
13:
seteuid(getuid());
fclose(fp);
14:
return buf;
15:
16:
17:
18:
int main()
19:
20:
printf(".\n");
21:
char *buffer=privilegeUp();
22:
printf("%s.\n",buffer);
return 0;
23:
24:
.
- C
1:
#include <stdio.h>
2:
#include <sys/types.h>
3:
#include <unistd.h>
char buf[100];
4:
5:
char *privilegeUp()
6:
7:
FILE *fp;
8:
/* . */
9:
fp = fopen("/etc/passwd", "r");
fgets(buf, sizeof(buf), fp);
10:
11:
fclose(fp);
12:
return buf;
}
13:
14:
int main()
15:
16:
printf(".\n");
17:
char *buffer;
18:
buffer=privilegeUp();
19:
printf("%s.\n",buffer);
20:
return 0;
21:
.
.
[1] CWE-266 - http://cwe.mitre.org/data/definitions/266.html
.
.
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <fcntl.h>
4:
#include <sys/types.h>
5:
#include <unistd.h>
6:
7:
char *privilegeDown()
8:
9:
10:
FILE *fp;
11:
/* root */
cchroot(APP_HOME);
12:
13:
chdir("/");
14:
fopen("important_file", "r");
15:
16:
fclose(fp);
return buf;
17:
18:
chroot()root setuid()
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <fcntl.h>
4:
#include <sys/types.h>
5:
#include <unistd.h>
6:
7:
char buf[100];
8:
char *privilegeDown()
9:
10:
FILE *fp;
11:
chroot(APP_HOME);
12:
chdir("/");
13:
fp=fopen("important_file", "r");
14:
15:
/* */
16:
seteuid(1);
fclose(fp);
17:
18:
return buf;
19:
chroot() seteuid()
.
.
[1] CWE-272 - http://cwe.mitre.org/data/definitions/272.html
9. :
(Weak Encryption: Insufficient Key Size)
.
.
RSA 1024 bit
.
.
1024 bit .
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <openssl/rsa.h>
4:
#include <openssl/evp.h>
5:
EVP_PKEY *RSAKey()
6:
7:
EVP_PKEY *pkey;
8:
RSA *rsa;
9:
/* 512bit*/
10:
11:
if (rsa == NULL)
{
12:
13:
printf("Error\n");
14:
return NULL;
15:
}
pkey = EVP_PKEY_new();
16:
17:
EVP_PKEY_assign_RSA(pkey, rsa);
18:
return pkey;
19:
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <openssl/rsa.h>
4:
#include <openssl/evp.h
5:
EVP_PKEY *RSAKey()
6:
7:
EVP_PKEY *pkey;
8:
RSA *rsa;
/* 1024Bit .*/
9:
10:
11:
if (rsa == NULL)
{
12:
13:
printf("Error\n");
14:
return NULL;
}
15:
16:
17:
EVP_PKEY_assign_RSA(pkey, rsa);
return pkey;
18:
19:
.
[1] CWE-310 - http://cwe.mitre.org/data/definitions/310.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
.
.
.
- C
1:
2:
3:
4:
5:
6:
char *cpasswd;
7:
SQLHENV henv;
8:
SQLHDBC hdbc;
9:
10:
11:
12:
/* */
13:
if (strcmp(cpasswd, "68af404b513073582b6c63e6b") != 0) {
14:
printf("Incorrect password\n");
15:
return -1;
16:
17:
18:
19:
.
.
- C
1:
2:
3:
char* getPassworld() {
4:
5:
return pass;
6:
7:
8:
9:
10:
char *cpasswd;
11:
char* storedpasswd;
12:
SQLHENV henv;
13:
SQLHDBC hdbc;
14:
15:
16:
17:
storedpasswd = getPassword();
18:
if (strcmp(cpasswd, storedpasswd) != 0)
19:
20:
printf("Incorrect password\n");
21:
SQLFreeHandle(SQL_HANDLE_DBC, &hdbc);
22:
SQLFreeHandle(SQL_HANDLE_ENV, &henv);
23:
return -1;
24:
25:
26:
,
.
.
[1] CWE-321 - http://cwe.mitre.org/data/definitions/321.html
11. : RSA
(Weak Encryption: Inadequate RSA Padding)
.
RSA .
NO_PADDING.
.
RSA_pubic_encrypt()RSA_NO_PADDING .
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <openssl/rsa.h>
4:
5:
6:
7:
char out[MAX_TEXT];
8:
9:
/* RSANO_PADDING*/
10:
11:
RSA NO_PADDING
. RSA_pubic_encrypt()RSA_NO_PADDING
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <openssl/rsa.h>
4:
5:
6:
7:
char out[MAX_TEXT];
8:
9:
10:
RSA_NO_PADDING .
.
[1] CWE-325 - http://cwe.mitre.org/data/definitions/325.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
12. :
(Weak Cryptographic Hash: Hardcoded Salt)
.
.
,
. ,
rainbow .
.
crypt() salt.
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <unistd.h>
4:
5:
6:
{
char *out;
7:
8:
/* salt*/
9:
10:
crypt()salt.
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <unistd.h>
4:
5:
6:
7:
char *out;
8:
9:
salt
.
.
[1] CWE-326 - http://cwe.mitre.org/data/definitions/326.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
13.
(Use of a Broken or Riscky Cryptographic Algorithm)
.
. , RC2, RC4, RC5, RC6, MD4, MD5, SHA1, DES
,
.
.
3-DES, AES.
.
- C
1:
#include <stdio.h>
2:
#include <string.h>
3:
#include <memory.h>
4:
#include <openssl/evp.h>
5:
#include <openssl/pem.h>
6:
#include <openssl/rsa.h>
7:
void encryption_init()
8:
{
EVP_CIPHER_CTX ctx;
9:
10:
EVP_CIPHER_CTX_init(&ctx);
11:
/* DES */
12:
13:
14:
- C
1:
#include <stdio.h>
2:
#include <string.h>
3:
#include <memory.h>
4:
#include <openssl/rsa.h>
5:
6:
7:
EVP_CIPHER_CTX ctx;
8:
EVP_CIPHER_CTX_init(&ctx);
/*AES */
9:
10:
11:
12:
.
[1] CWE-327 - http://cwe.mitre.org/data/definitions/327.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
[3] SANS Top 25 2010 - (SANS 2010) Porus Defense
.
seed.
.
- C
1:
#include <stdafx.h>
2:
#include <stdio.h>
3:
#include <stdlib.h>
4:
#include <time.h>
5:
int main(void)
6:
{
int count = 0;
7:
8:
int temp;
9:
printf("\n%s\n%s\n",
10:
11:
12:
/* srand()seed.*/
13:
srand( 100 );
14:
while ( 1 )
{
15:
16:
17:
temp = rand()%101;
18:
19:
else
20:
21:
break;
22:
printf("%5d", temp );
}
23:
24:
return 0;
25:
26:
- C
1:
#include <stdafx.h>
2:
#include <stdio.h>
3:
#include <stdlib.h>
4:
#include <time.h>
5:
int main(void)
6:
7:
int count = 0;
8:
int temp;
9:
int randNum = 0;
printf("\n%s\n%s\n",
10:
11:
12:
13:
14:
/**/
15:
randNum = getch();
16:
while ( 1 ) {
17:
if ( count % 6 == 0)
18:
printf("%s", "\n");
19:
/*seed*/
20:
srand(randNum);
temp = rand()%101;
21:
22:
count++;
23:
else
24:
break;
25:
printf("%5d", temp );
26:
27:
28:
return 0;
29:
30:
seed.
.
[1] CWE-330 - http://cwe.mitre.org/data/definitions/330.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
[3] SANS Top 25 2009 - (SANS 2009) Porus Defense
.
SO_REUSEADDRINADDR_ANY.
.
- C
1:
#include <stdio.h>
2:
#include <sys/types.h>
3:
#include <sys/socket.h>
4:
#include <netinet/in.h>
5:
void bind_socket(void) {
6:
int server_sockfd;
7:
int server_len;
8:
9:
int optval;
10:
unlink("server_socket");
11:
12:
optval = 1;
13:
14:
server_address.sin_family = AF_INET;
15:
server_address.sin_port = 21;
server_address.sin_addr.s_addr = htonl(INADDR_ANY);
16:
17:
/* SO_REUSEADDRINADDR_ANY*/
server_len = sizeof(struct sockaddr_in);
18:
19:
20:
SO_REUSEADDR, INADDR_ANY
.
- C
1:
#include <stdio.h>
2:
#include <sys/types.h>
3:
#include <sys/socket.h>
4:
#include <netinet/in.h>
5:
void bind_socket(void) {
int server_sockfd;
6:
7:
int server_len;
8:
9:
unlink("server_socket");
10:
11:
server_address.sin_family = AF_INET;
12:
server_address.sin_port = 21;
13:
server_address.sin_addr.s_addr = htonl(INADDR_ANY);
14:
15:
16:
closesocket(server_sockfd);
17:
SO_REUSEADDRINADDR_ANY
.
.
[1] CWE-605 - http://cwe.mitre.org/data/definitions/605.html
.
.
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
4:
5:
6:
char* admin="admin";
7:
8:
9:
return admin;
10:
11:
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
/* */
int verifyAuth(char *ipasswd, char *orgpasswd)
4:
5:
{
char* admin="admin";
6:
7:
8:
9:
10:
return admin;
11:
, .
.
[1] CWE-615 - http://cwe.mitre.org/data/definitions/615.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
17.
(Incorrect Permission Assignment for Critical Resource)
.
SW
, .
.
, , SW
.
,
.
.
- C
1:
2:
umask(0);
3:
4:
if (out) {
fprintf(out, "\n");
5:
fclose(out);
6:
7:
umask,
/.
- C
1:
2:
3:
if (out) {
fprintf(out, "\n");
4:
fclose(out);
5:
6:
,
umask.
.
[1] CWE-732 - http://cwe.mitre.org/data/definitions/732.html
CWE-276 - http://cwe.mitre.org/data/definitions/276.html
CWE-277 - http://cwe.mitre.org/data/definitions/277.html
CWE-278 - http://cwe.mitre.org/data/definitions/278.html
4
.
.
1. :
(Time-of-check Time-of-use (TOCTOU) Race Condition)
.
,
.
, ,
, .
.
. .
(mutex).
.
- C
1:
#include <stdio.h>
2:
#include <unistd.h.>
3:
4:
5:
/* */
6:
if(!access(file,W_OK))
7:
{
f = fopen(file,"w+");
8:
operate(f);
9:
10:
11:
else {
12:
13:
14:
- C
1:
#include <stdio.h>
2:
#include <unistd.h>
3:
4:
5:
char *file_name;
6:
int fd;
7:
8:
9:
if (fd == -1) {
10:
11:
12:
13:
14:
15:
close(fd);
16:
, .
- C
1:
2:
... ...
3:
pthread_mutex_lock(mutex);
4:
/* */
5:
pthread_mutex_unlock(mutex);
... ...
6:
7:
pthread_mutex_lock(). pthread_mutex_lock()
mutex,
.
- C
1:
2:
3:
// mutex
4:
result = pthread_mutex_lock(mutex);
5:
if (0 != result)
return result;
6:
7:
/* */
8:
return pthread_mutex_unlock(mutex);
9:
lock.
.
[1] CWE-367 : - http://cwe.mitre.org/data/definitions/367.html
[2] CWE-362 : Race Condition - http://cwe.mitre.org/data/definitions/362.html
[3] SANS Top 25 2010 - (SANS 2010) Insecure Interaction
[4] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software
Security".
2.
(Symbolic Name not Mapping to Correct Object)
.
.
.
.
.
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
4:
5:
char* file;
6:
FILE *f;
7:
/*
*/
8:
if(!access(file,W_OK))
9:
10:
f = fopen(file,"w+");
11:
operate(f);
12:
13:
14:
else {
fprintf(stderr,"Unable to open file %s.\n",file);
15:
16:
TOCTOU (KCWE-367)
. , access() fopen()
.
- C
1:
#include <stdio.h>
2:
#include <unistd.h>
3:
#include <string.h>
4:
5:
{
char* filename;
6:
7:
/* */
8:
if(mkstemp(filename))
9:
{
FILE* tmp = fopen(filename,"wb+");
10:
11:
12:
amt = fwrite(recvbuf,1,DATA_SIZE,tmp);
}
13:
14:
.
.
[1] CWE-386 - http://cwe.mitre.org/data/
definitions/386.html
3. (Uncontrolled Recursion)
.
.
: (lazy evaluation
) (base case)
. "data flow
" ,
. ,
stackprogram counter,
stack
.
.
.
.
- C
1:
#include <stdio.h>
2:
#include <unistd.h>
3:
#include <string.h>
4:
int fac(n) {
5:
return n*fac(n-1);
6:
.
- C
1:
#include <stdio.h>
2:
#include <unistd.h>
3:
#include <string.h>
4:
int fac(n) {
if (n <= 0)
5:
return 1;
6:
else
7:
8:
return n*fac(n-1);
9:
.
.
[1] CWE-674 - http://cwe.mitre.org/data/definitions/674.html
5
.
1.
(Information exposure through an error message)
.
SW, ,
.
.
.
SW
.
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <string.h>
4:
5:
6:
char* path=getenv("MYPATH");
7:
/* */
8:
fprintf(stderr,path);
return 0;
9:
10:
(MYAPTH)
.
- C
1:
##include <stdio.h>
2:
#include <stdlib.h>
3:
#include <string.h>
4:
5:
{
char* path=getenv("MYPATH");
6:
return 0;
7:
8:
.
.
[1] CWE-209 - http://cwe.mitre.org/data/definitions/209.html
2.
(Improper Check for Unusual or Exceptional Conditions)
.
, .
.
, ,
.
.
- C
1:
2:
3:
strcpy(toBuf, fromBuf);
4:
......
buf 10'\0',
'\0'strcpy().
- C
1:
2:
3:
// .
4:
if ( retBuf != fromBuf ) {
5:
println(");
6:
return;
7:
8:
strcpy(toBuf, fromBuf);
9:
...
.
[1] CWE-754 - http://cwe.mitre.org/data/definitions/754.html
CWE-252 - http://cwe.mitre.org/data/definitions/252.html
CWE-253 - http://cwe.mitre.org/data/definitions/253.html
CWE-273 - http://cwe.mitre.org/data/definitions/273.html
CWE-296 - http://cwe.mitre.org/data/definitions/296.html
CWE-297 - - http://cwe.mitre.org/data/definitions/297.html
CWE-298 - http://cwe.mitre.org/data/definitions/298.html
CWE-299 - http://cwe.mitre.org/data/definitions/299.html
[2] SANS Top 25 Most Dangerous Software Errors, http://www.sans.org/top25-software-errors/
[3] M. Howard, D. LeBlanc, Writing Secure Code, Second Edition, Microsoft Press
6
, , , , ,
. ,
, ,
.
1.
(Signed to Unsigned Conversion Error)
.
(signed integer)(unsigned integer)
.
, SW.
.
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <string.h>
4:
5:
6:
7:
unsigned int l = 0;
8:
if (s == NULL)
9:
{
return -1;
10:
11:
l = strnlen(s, BUFSIZE-1);
12:
return l;
13:
14:
15:
16:
17:
char buf[BUFSIZE];
18:
unsigned int l = 0;
19:
l = len(argv[1]);
20:
21:
buf[l] = '\0';
22:
23:
return 0;
24:
25:
len()NULL-1
unsigned intint4byte4,294,967,295(0xffffffff) .
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <string.h>
4:
5:
6:
7:
unsigned int l = 0;
8:
if (s == NULL) {
9:
return 0;
10:
11:
l = strnlen(s, BUFSIZE-1);
12:
return l;
13:
14:
15:
{
char buf[BUFSIZE];
16:
17:
unsigned int l = 0;
18:
l = len(argv[1]);
19:
if (l > 0) {
20:
21:
buf[l] = '\0';
22:
23:
return 0;
24:
25:
.
[1] CWE-195 - http://cwe.mitre.org/data/definitions/195.html
.
.
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
4:
{
return bc;
5:
6:
7:
char char_type()
8:
9:
char bA;
10:
int iB;
11:
iB = 24;
12:
bA = iB;
12:
f(iB);
13:
13:
14:
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
4:
5:
return bc;
6:
7:
int char_type()
8:
{
int bA;
9:
10:
int iB;
11:
iB = 24;
12:
bA = iB;
13:
f(iB);
14:
15:
return iB;
16:
.
.
[1] CWE-398 - http://cwe.mitre.org/data/definitions/398.html
.
.
.
- C
1:
2:
void sqlDB()
3:
4:
5:
6:
7:
8:
void serverSock()
struct sockaddr_in serverAddr;
9:
10:
11:
12:
13:
listen(listenFd, 5);
14:
while (1) {
15:
16:
17:
18:
- C
1:
2:
void sqlDB()
3:
{
SQLHANDLE env_hd, con_hd;
4:
5:
6:
7:
SQLFreeHandle(SQL_HANDLE_DBC, con_hd);
8:
SQLFreeHandle(SQL_HANDLE_ENV, env_hd);
9:
10:
void serverSock()
11:
{
struct sockaddr_in serverAddr;
12:
13:
14:
15:
16:
listen(listenFd, 5);
17:
while (1) {
18:
19:
shutdown(connectFd, 2);
close(connectFd);
20:
21:
22:
shutdown(listenFd, 2);
23:
close(listenFd);
24:
.
[1] CWE-404 - http://cwe.mitre.org/data/definitions/404.html
[2] OWASP Top 10 2004 - (OWASP 2004) A9 Application Denial of Service
[3] SANS Top 25 2009 - (SANS 2009) Risky Resource Management
.
NULL
crash .
.
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <string.h>
4:
5:
int main() {
char *p = NULL;
6:
7:
char cgi_home[BUFSIZE];
8:
p = getenv("CGI_HOME");
9:
strncpy(cgi_home, p, BUFSIZE-1);
10:
cig_home[BUFSIZE-1] = '\0';
return 0;
11:
12:
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <string.h>
4:
5:
int main() {
char *p = NULL;
6:
7:
char cgi_home[BUFSIZE];
8:
p = getenv("CGI_HOME");
9:
if (p == NULL) {
exit(1);
10:
11:
12:
strncpy(cgi_home, p, BUFSIZE-1);
13:
cig_home[BUFSIZE-1] = '\0';
14:
return 0;
15:
.
[1] CWE-476 - http://cwe.mitre.org/data/definitions/476.html
[2] OWASP Top 10 2004 - (OWASP 2004) A9 Application Denial of Service
.
.
.
.
- C
1:
char *rpl() {
char p[10];
2:
3:
/* */
4:
return p;
5:
6:
int main() {
7:
char *p;
8:
p = rpl();
9:
*p = '1';
return 0;
10:
11:
name
.
- C
1:
#include <stdlib.h>
2:
#include <string.h>
3:
char *rpl() {
4:
char p[10];
5:
6:
7:
8:
9:
if (!buf)
10:
exit(1);
11:
memcpy(buf,p,10);
12:
}
return buf;
13:
14:
int main()
15:
16:
char *p;
17:
p = rpl();
18:
*p = '1';
19:
free(p);
20:
return 0;
21:
.
.
[1] CWE-562 - http://cwe.mitre.org/data/definitions/562.html
[2] OWASP Top 10 2004 - (OWASP 2004) A9 Application Denial of Service
.
.
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <pthread.h>
4:
5:
6:
int j = (*(int*)(i))++;
7:
8:
void helper() {
9:
int a = 0;
10:
11:
pthread_cleanup_push()pthread_clenaup_pop()
. .
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <pthread.h>
4:
5:
6:
int j = (*(int*)(i))++;
7:
8:
void helper() {
9:
int a = 0;
10:
11:
pthread_cleanup_pop (1);
12:
pthread_cleanup_push()pthread_clenaup_pop() .
.
[1] CWE-730 OWASP Top Ten 2004 Category A9 - http://cwe.mitre.org/data/definitions/730.html
7. :
(Code Correctness:Memory Free on Stack Variable)
.
.
.
,
.
.
- C
1:
#include stdlib.h
2:
int main() {
3:
char p[10];
4:
/* */
5:
free(p);
return 0;
6:
7:
.
- C
1:
#include stdlib.h
2:
int main() {
3:
char p[10];
return 0;
4:
5:
Call Stack
.
.
[1] CWE-730 OWASP Top Ten 2004 Category A9 - http://cwe.mitre.org/data/definitions/730.html
8. :
(Code Correctness: Premature thread Termination)
.
,
.
pthread_join()
. , ,
.
PTHREADpthread_detach()(detach)
attribute""
.
.
joindetach.
.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <pthread.h>
4:
5:
{
int a = *(int *)data;
6:
return a + 100;
7:
8:
9:
int run_thread1(void)
10:
11:
pthread_t th;
12:
int status, a = 1;
13:
14:
15:
exit(0);
16:
17:
18:
19:
joindetach.
- C
1:
#include <stdio.h>
2:
#include <stdlib.h>
3:
#include <pthread.h>
4:
5:
{
int a = *(int *)data;
6:
return a + 100;
7:
8:
}
int run_thread1(void)
9:
10:
11:
pthread_t th;
12:
int status, a = 1;
if (pthread_create(&th, NULL, (void*(*)(void*))th_worker, (void *)&a) < 0) {
13:
14:
15:
exit(0);
16:
17:
18:
pthread_join(th, (void**)&status);
19:
return 0;
20:
pthread_join() .
pthread_create() pthread_join()
.
.
[1] CWE-730 OWASP Top Ten 2004 Category A9 - http://cwe.mitre.org/data/definitions/730.html
.
, .
.
.
Pool(Thread Pool, Connection Pool ).
.
- C
1:
2:
3:
char *body;
4:
5:
if (length > 0) {
6:
body = &message[1][0];
7:
processMessageBody(body);
......
8:
9:
else {......}
10:
11:
Body,
Body, .
- C
1:
2:
3:
char *body;
4:
5:
// .
if (length > 0 && length < MAX_LENGTH) {
6:
7:
body = &message[1][0];
8:
processMessageBody(body);
......
9:
10:
else {......}
11:
12:
.
[1] CWE-400 - http://cwe.mitre.org/data/definitions/400.html
CWE-774 - http://cwe.mitre.org/data/definitions/774.html
CWE-789 - http://cwe.mitre.org/data/definitions/789.html
CWE-770 - http://cwe.mitre.org/data/definitions/770.html
[2] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 17, "Protecting Against Denial
of Service Attacks" Page 517. 2nd Edition. Microsoft. 2002
[3] J. Antunes, N. Ferreira Neves and P. Verissimo. "Detection and Prediction of
Resource-Exhaustion Vulnerabilities". Proceedings of the IEEE International
7
,
.
.
.
main
.
.
- C
1:
2:
3:
main()println()
.
- C
1:
// main().
2:
......
main().
.
[1] CWE-489 - http://cwe.mitre.org/data/definitions/489.html
[2] M. Howard and D. LeBlanc. "Writing Secure Code". Page 505. 2nd Edition. Microsoft.
2002
2
1
SQL(Dynamic SQL) : SQL,
DBSQL.
(Mutex) :
, (critical section)
.
(Sandbox) : (Executable File)
.
SQL(Static SQL) : SQL
.
: ,
.
(Whitelist) : (Black List), IP
.
(Hash) : (),
(message digest function)()
()''.
Advanced Encryption Standard (AES) :
DES, (NIST)52001
11(FIPS 197).
Big Endian :
.
DES : DES(Data Encryption Standard)
64,
64, 64. (Brute Force)
.
LDAP(Lightweight Directory Access Protocol) : TCP/IP
.
Little Endian :
.
2
ACL : Access Control List
AES : Advanced Encryption Standard
CSRF : Cross-Site Request Forgery
CWE : Common Weakness Enumeration
DES : Data Encryption Standard
ESAPI : Enterprise Security API
HTML : Hyper Text Markup Language
HTTPS : Hypertext Transfer Protocol over Secure Socket Layer
JAAS : Java Authentication and Authorization Service
JDBC : Java Database Connectivity
LDAP : Lightweight Directory Access Protocol
MSB : Most Significant Bit
OAEP : Optimal Asymmetric Encryption Padding
OWASP : Open Web Application Security Project
RSA : Ron Rivest, Adi Shamir, Leonard Adleman
SHA : Secure Hash Algorithm
SQL : Structured Query Language
OpenSSL : Open Secure Socket Layer
URL : Uniform Resource Locator
XSS : Cross-Site Scripting
WAS : Web Application Server
"OESPJE+"7"
"1*
OVMM
FRVBMT
IBTI$PEF
QSJWBUF
QSJWBUF
<1> Android-JAVA
CWE-ID
CWE-23
CWE-36
null
CWE-398
equals()hashCode()
CWE-581
CWE-319
CWE-327
CWE-330
:
CWE-367
CWE-674
CWE-209
CWE-390
CWE-476
private -
CWE-495
private -
CWE-496
CWE-497
API
1 Android-JAVA
1
.
,
.
.
.
, replaceAll()
(",/,\).
.
- Android-JAVA
1:
2:
3:
4:
5:
6:
7:
file.delete();
}
8:
9:
10:
(name). name
../../../rootFile.txt
.
- Android-JAVA
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
Null, (name)
(/, \\, &, . )replaceAll
.
.
[1] CWE-23 - http://cwe.mitre.org/data/definitions/23.html
[2] OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object Reference
[3] SANS Top 25 2010 - (SANS 2010) Risky Resource Management, Rank 7 CWE ID 22:
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
.
replaceAll ,
.
.
- Android-JAVA
1:
2:
3:
super.onCreate(savedInstanceState);
4:
5:
try {
6:
7:
8:
9:
props.load(is);
String name = props.getProperty("filename");
10:
11:
G file.delete();
12:
is.close();
13:
} catch (IOException e) {
14:
15:
16:
,
, .
- Android-JAVA
1:
2:
3:
4:
5:
try {
6:
7:
8:
9:
props.load(is);
10:
11:
if (name.indexOf("/") <0) {
12:
13:
G G G file.delete();
}G
14:
15:
G G G G is.close();
16:
G } catch (IOException e) {
17:
18:
19:
, "\"
"/"
.
.
[1] CWE-36 - http://cwe.mitre.org/data/definitions/36.html
[2] OWASP Top 10 2010 - (OWASP 2010) A4 Insecure Direct Object Reference
[3] SANS Top 25 2010 - Risky Resource Management, Rank 7 CWE ID 22: Improper Limitation
of a Pathname to a Restricted Directory ('Path Traversal')
2 API
API(Application Programming Interface)
,
. API API
.
.
Object.equals(), Comparable.compareTo()Comparator.compare()
null.
.
- Android-JAVA
1:
2:
super.onCreate(savedInstanceState);
3:
4:
5:
6:
7:
return (toString().equals(object.toString()));
8:
null.
- Android-JAVA
1:
2:
super.onCreate(savedInstanceState);
3:
4:
5:
6:
{
if(object != null)
7:
8:
return (toString().equals(object.toString()));
9:
10:
null.
.
[1] CWE-398 - http://cwe.mitre.org/data/definitions/398.html
2. equals()hashCode()
(Object Model Violation: Just one of equals() and hashCode() Defined)
.
Java , Java.
"a.equals(b) == true""a.hashCode() == b.hashCode()" .
equals()hashCode().
.
equals()hashCode()hashCode()
equals().
.
- Android-JAVA
1:
2:
3:
super.onCreate(savedInstanceState);
4:
5:
6:
7:
if (obj == null)
8:
return false;
9:
int i1 = this.hashCode();
10:
int i2 = obj.hashCode();
11:
12:
if (i1 == i2)
13:
return true;
14:
else
15:
return false;
16:
equals()hashCode() .
- Android-JAVA
1:
2:
3:
if (obj == null)
4:
return false;
5:
int i1 = this.hashCode();
6:
int i2 = obj.hashCode();
7:
8:
if (i1 == i2)
9:
return true;
10:
else
11:
return false;
12:
13:
14:
15:
equals()hashCode() .
.
[1] CWE-581 equals()hashCode() - http://cwe.mitre.org/data/definitions/581.html
3
.
. , , , ,
.
1.
(Cleartext Transmission of Sensitive Information)
.
SW
, .
.
.
.
- Android-JAVA
1:
2:
3:
4:
5:
6:
InputStream in = socket.getInputStream();
7:
8:
9:
in.close();
10:
out.close();G
11:
.
.
- Android-JAVA
1:
2:
3:
4:
5:
6:
7:
InputStream in = socket.getInputStream();
8:
9:
10:
G in.close();
11:
G out.close();G
12:
128
.
.
[1] CWE-319 -http://cwe.mitre.org/data/definitions/319.html
[2] OWASP Top 10 2007 - (OWASP 2007) A9 Insecure Communications
2.
(Use of a Broken or Riscky Cryptographic Algorithm)
.
.
.
,
. RC2, RC4, RC5, RC6, MD4, MD5, SHA1, DES
.
.
AES.
.
- Android-JAVA
1:
2:
3:
4:
try {
5:
6:
// DES.
7:
Cipher c = Cipher.getInstance("DES");
8:
c.init(Cipher.ENCRYPT_MODE,
9:
rslt = c.update(msg);
} catch (InvalidKeyException e) {
10:
11:
12:
13:
return rslt;
}
14:
15:
k);
DES .
- Android-JAVA
1:
2:
3:
4:
try {
5:
// DES AES .
6:
7:
Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
8:
c.init(Cipher.ENCRYPT_MODE,
rslt = c.update(msg);
9:
} catch (InvalidKeyException e) {
10:
11:
12:
return rslt;
13:
14:
15:
k);
AES 128
.
.
[1] CWE-327 - http://cwe.mitre.org/data/definitions/327.html
[2] OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
[3] SANS Top 25 2010 - (SANS 2010) Porus Defense - CWE ID 327 Use of a Broken or Risky
Cryptographic Algorithm
[4] Bruce Schneier. "Applied Cryptography". John Wiley &Sons. 1996.
.
seed
.
.
- Android-JAVA
1:
2:
3:
4:
5:
- Android-JAVA
1:
import java.util.Random;
2:
import java.util.Date;
3:
4:
5:
6:
// setSeed() rlong.
7:
r.setSeed(new Date().getTime());
8:
//
9:
return (r.nextInt()%6) + 1;
}
10:
11:
java.util.Random seed.
Random .
.
[1] CWE-330 - http://cwe.mitre.org/data/definitions/330.html
[2] SANS Top 25 2009 - (SANS 2009) Porus Defense - CWE ID 330 Use of Insufficiently
Random Values
[3] J. Viega and G. McGraw. "Building Secure Software: How to Avoid Security Problems the Right Way". 2002.
.
.
.
- Android-JAVA
1:
2:
super.onCreate(savedInstanceState);
3:
try {
4:
5:
6:
out1.write("Hello World");
7:
out1.close();
8:
fOut.close();
9:
} catch (Throwable t) {
10:
11:
MODE_WORLD_READABLE.
- Android-JAVA
1:
2:
super.onCreate(savedInstanceState);
3:
try {
4:
5:
6:
out1.write("Hello World");
7:
out1.close();
8:
fOut.close();
9:
} catch (Throwable t) {
10:
11:
MODE_PRIVATE.
.
[1] http://developer.android.com/index.html
[2] ,
5.
(Exported Access to Components)
.
manifest.xml android:exported="true"
.
. (resolver)
System ID
.
.
.
.
- Android-JAVA
1:
2:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
3:
package="com.example.android.samplesync"
android:versionCode="1"
an-
droid:versionName="1.0">
4:
5:
6:
7:
<intent-filter>
8:
<action android:name="android.content.SyncAdapter"/>
9:
</intent-filter>
10:
<meta-data android:name="android.content.SyncAdapter"
11:
android:resource="@xml/syncadapter"/>
12:
<meta-data android:name="android.provider.CONTACTS_STRUCTURE"
13:
android:resource="@xml/contacts"/>
14:
</service>
15:
</application>
16:
<uses-sdk android:minSdkVersion="5"/>
17:
</manifest>
SyncService android:exported="true"
.
- Android-JAVA
1:
2:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
3:
package="com.example.android.samplesync"
android:versionCode="1"
an-
droid:versionName="1.0">
4:
5:
6:
7:
<intent-filter>
8:
<action android:name="android.content.SyncAdapter"/>
9:
</intent-filter>
10:
<meta-data android:name="android.content.SyncAdapter"
11:
android:resource="@xml/syncadapter"/>
12:
<meta-data android:name="android.provider.CONTACTS_STRUCTURE"
13:
android:resource="@xml/contacts"/>
14:
</service>
15:
</application>
16:
<uses-sdk android:minSdkVersion="5"/>
17:
</manifest>
android:exported "false""false"
.
.
[1] http://developer.android.com/index.html
[2] ,
6.
(Access Control Bypass using Share User ID)
.
Manifest.xml manifest android:sharedUserId
.
.
.
.
.
- Android-JAVA
1:
2:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
3:
package="com.example.android.apis"
4:
android:versionCode="1"
5:
android:versionName="1.0"
6:
android:sharedUserId="android.uid.developer1">
- Android-JAVA
1:
2:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
3:
package="com.example.android.apis"
4:
android:versionCode="1"
5:
android:versionName="1.0">
6:
.
[1] http://developer.android.com/index.html
[2] ,
4
()()
.
(dead lock),
, .
1. :
(Time-of-check Time-of-use (TOCTOU) Race Condition)
.
.
.
, , .
.
(: ),
.
.
- Android-JAVA
1:
2:
3:
4:
super.onCreate(savedInstanceState);
5:
6:
7:
fileAccessThread.start();
8:
fileDeleteThread.start();
9:
10:
11:
12:
13:
14:
try {
File f = new File("Test_367.txt");
16:
if (f.exists()) { //
17:
18:
br.close();
20:
21:
15:
19:
}
} catch(FileNotFoundException e) {
System.out.println("Exception Occurred") ; //
} catch(IOException e) {
22:
System.out.println("Exception Occurred") ; //
23:
24:
25:
26:
27:
28:
try {
29:
30:
31:
if (f.exists()) { //
f.delete();
32:
33:
} catch(FileNotFoundException e) {
34:
System.out.println("Exception Occurred") ; //
35:
} catch(IOException e) {
36:
System.out.println("Exception Occurred") ; //
37:
38:
39:
40:
,
.
.
- Android-JAVA
1:
2:
3:
super.onCreate(savedInstanceState);
4:
5:
6:
7:
8:
9:
10:
first.start();
11:
second.start();
12:
third.start();
13:
fourth.start();
14:
15:
16:
17:
18:
19:
G G try {G
20:
21:
if (f.exists()) { // G
22:
G G G Thread.sleep(100);G // G
23:
24:
25:
G G G br.close();G //
26:
G G G f.delete();G
27:
G }
28:
29:
System.err.println("IOException occured");
30:
G G }G
31:
}G
32:
(, ),
.
.
[1] CWE-367 : - http://cwe.mitre.org/data/definitions/367.html
2. (Uncontrolled Recursion)
.
. , (base case)
.
.
.
.
- Android-JAVA
1:
2:
3:
4:
5:
, /
.
- Android-JAVA
1:
2:
3:
int i;
4:
// .
5:
if (n == 1) {
i = 1;
6:
} else {
7:
i = n * factorial(n - 1);
8:
9:
return i;
10:
11:
.
.
[1] CWE-674 - http://cwe.mitre.org/data/definitions/674.html
5
,
.
.
( )
.
.
SW
.
.
- Android-JAVA
1:
2:
3:
super.onCreate(savedInstanceState);
4:
5:
6:
e.printStackTrace();
.
- Android-JAVA
1:
2:
3:
super.onCreate(savedInstanceState);
4:
try{
throw new IOException();
5:
6:
catch (IOException e) {
7:
8:
System.out.println("");
.
.
[1] CWE-209 - http://cwe.mitre.org/data/definitions/209.html
.
(catch).
.
- Android-JAVA
1:
2:
3:
4:
5:
6:
7:
8:
9:
} catch (SQLException e) {
10:
11:
// catch
12:
} catch (NamingException e) {
// catch
13:
14:
return conn;
15:
16:
try (catch)
.
.
- Android-JAVA
1:
2:
3:
4:
String password) {
try {
5:
6:
7:
8:
9:
} catch (SQLException e) {
10:
11:
// Exception catchException.
12:
if ( conn != null ) {
try {
13:
conn.close();
14:
15:
conn = null;
16:
17:
18:
} catch (NamingException e) {
19:
20:
// Exception catchException.
21:
if ( conn != null ) {
try {
22:
conn.close();
23:
24:
conn = null;
25:
26:
27:
28:
return conn;
29:
30:
(catch), (Exception).
.
[1] CWE-390 - http://cwe.mitre.org/data/definitions/390.html
[2] OWASP Top Ten 2004 Category A7 - Improper Error Handling
6
, , , , ,
. ,
, ,
.
.
(reference)null
.
- Android-JAVA
1:
2:
3:
4:
// cmdnull.
5:
cmd = cmd.trim();
6:
7:
System.out.println(cmd);
- Android-JAVA
1:
2:
3:
4:
// cmdnull.
5:
6:
7:
8:
cmd.
.
[1] CWE-476 - http://cwe.mitre.org/data/definitions/476.html
7
,
.
.
1. private -
(Private Array-Typed Field Returned From A Public Method)
.
privatepublic(return),
.
.
privatepublic.
, public
.
.
- Android-JAVA
1:
// private publicreturn
2:
3:
return colors;
colorsprivatepublicgetColors()
reference. .
- Android-JAVA
1:
2:
3:
4:
5:
6:
7:
8:
9:
if ( this.colors != null ) {
ret = new String[colors.length];
10:
11:
return ret;
13:
14:
ret[i] = this.colors[i];
12:
.
[1] CWE-495 private -- http://cwe.mitre.org/data/definitions/495.html
2. private -
(Public Data Assigned to Private Array-Typed Field)
.
publicprivate , private
.
.
publicprivate .
.
- Android-JAVA
1:
2:
3:
4:
5:
6:
7:
8:
- Android-JAVA
1:
2:
// private member.
3:
4:
5:
6:
7:
8:
9:
10:
.
[1] CWE-496 private -- http://cwe.mitre.org/data/definitions/496.html
.
.
.
- Android-JAVA
1:
2:
3:
try {
4:
catch (IOException e) {
5:
// printf(e.getMessage()).
g();
System.err.printf(e.getMessage());
6:
7:
8:
9:
10:
getMessage()
.
- Android-JAVA
1:
2:
3:
try {
4:
catch (IOException e) {
5:
// end user.
}
7:
9:
10:
System.err.println("IOException Occured");
6:
8:
g();
}
private void g() throws IOException {
.
.
[1] CWE-497 - http://cwe.mitre.org/data/definitions/497.html
2
1
Advanced Encryption Standard (AES) :
DES, (NIST)52001
11(FIPS 197).
DES : DES(Data Encryption Standard)
64,
64, 64. (Brute Force)
.
Manifest : , XML
Synchronized : JAVA
2
ACL : Access Control List
AES : Advanced Encryption Standard
CSRF : Cross-Site Request Forgery
CWE : Common Weakness Enumeration
DES : Data Encryption Standard
ESAPI : Enterprise Security API
HTML : Hyper Text Markup Language
HTTPS : Hypertext Transfer Protocol over Secure Socket Layer
JAAS : Java Authentication and Authorization Service
JDBC : Java Database Connectivity
LDAP : Lightweight Directory Access Protocol
MSB : Most Significant Bit
OAEP : Optimal Asymmetric Encryption Padding
OWASP : Open Web Application Security Project
RSA : Ron Rivest, Adi Shamir, Leonard Adleman
SHA : Secure Hash Algorithm
SQL : Structured Query Language
OpenSSL : Open Secure Socket Layer
URL : Uniform Resource Locator
XSS : Cross-Site Scripting
WAS : Web Application Server
SW
SW
20116
20116
(http://www.mopas.go.kr)
(Tel: 02-2279-8494)
< >
.
www.mopas.go.kr
www.kisa.or.kr
02) 405-5118