檔案 PDF/mobile/javascript/main.js PDF/mobile/javascript/main.js
行 2382 2382
物件 text append
代碼片斷 PDF/mobile/javascript/main.js
檔案名稱
方法 Class("RollerText",{Package:"PageItem",create:function(b,c,d,f,g){this._super(b,
c,d,f);this.animateConfig();this.bgColor=Color(this.config.bgcolor).toString();this
.originWidth=this.config.pageW;this.originHeight=this.config.pageH;this.id="text
"+g;this.initText();this.initEvents();parseBool(this.config.reflection)&&this.image
Reflection(this.rollerText);this.onResize(this.pageWidth,this.pageHeight)},initText
:function(){this.textli="";this.container=$("<div id="+this.id+"
content='width=device-width' style='position:absolute;'></div>");
....
2382. "textUp.png"})):this.rollerText.css({"-webkit-text-size-
adjust":"100%",display:"inline-block","word-wrap":"break-
word",overflow:"hidden",position:"absolute",width:this.width+"px",height
:this.height+"px"});this.enterText.css({"-webkit-text-size-
adjust":"100%",display:"inline-
block",position:"absolute",width:this.width-
this.scrollWidth+"px",left:"0",top:"0"});this.enterText.append(this.text
);this.rollerText.append(this.enterText);this.container.append(this.roll
erText);this.parent.append(this.container);
Client DOM Cookie Poisoning
查詢路徑:
JavaScript\Cx\JavaScript Medium Threat\Client DOM Cookie Poisoning 版本:0
類別
PCI DSS v3.2: PCI DSS (3.2) - 6.5.10 - Broken authentication and session management
OWASP Top 10 2017: A1-Injection
描述
Client DOM Cookie Poisoning\路徑 1:
嚴重程度: 中風險
結果狀態: 校驗
線上結果 http://CHECKMARX/CxWebClient/ViewerMain.aspx?scanid=1000150&projectid
=77&pathid=32
狀態 新的
應用程式在 PDF/mobile/javascript/main.js 第 854 行(storageByIndex)以 document.cookie 設定 cookie,而寫入的 cookie 字串開頭(名稱部分)是由 window.location.href(去除 hash 後)串接 "flipHtml5Remark" 而成;URL 的路徑與查詢字串可由第三方透過連結控制,因此 cookie 名稱(以及以相同方式組出的 localStorage 鍵)受外部輸入影響。
來源 目的地
檔案 PDF/mobile/javascript/main.js PDF/mobile/javascript/main.js
行 854 854
物件 replace cookie
代碼片斷
檔案名稱 PDF/mobile/javascript/main.js
方法
"").replace(/;/g,"#@&")},storageByIndex:function(b,c){var
d,k=this.getPageContent(c);try{window.localStorage?(window.localStorage.remo
veItem(window.location.href.replace(window.location.hash,"")+"flipHtml5Remark
"+b),k&&window.localStorage.setItem(window.location.href.replace(window.locat
ion.hash,"")+"flipHtml5Remark"+b,k)):(k?(d=new
Date,d.setDate(d.getDate()+this.expires)):d=new Date("01 Jan 1970
00:00:01"),document.cookie=window.location.href.replace(window.location.hash,
"")+"flipHtml5Remark"+b+
....
854. "").replace(/;/g,"#@&")},storageByIndex:function(b,c){var
d,k=this.getPageContent(c);try{window.localStorage?(window.localStorage.
removeItem(window.location.href.replace(window.location.hash,"")+"flipHt
ml5Remark"+b),k&&window.localStorage.setItem(window.location.href.replac
e(window.location.hash,"")+"flipHtml5Remark"+b,k)):(k?(d=new
Date,d.setDate(d.getDate()+this.expires)):d=new Date("01 Jan 1970
00:00:01"),document.cookie=window.location.href.replace(window.location.
hash,"")+"flipHtml5Remark"+b+
Client DOM Cookie Poisoning\路徑 2:
嚴重程度: 中風險
結果狀態: 校驗
線上結果 http://CHECKMARX/CxWebClient/ViewerMain.aspx?scanid=1000150&projectid
=77&pathid=33
狀態 新的
應用程式在 PDF/mobile/javascript/main.js 第 854 行(storageByIndex)以 document.cookie 設定 cookie,掃描器將 window.location.hash 視為來源;程式雖以 replace(window.location.hash, "") 把 hash 從 href 移除,但剩下的 href(路徑與查詢字串)仍由使用者控制並直接成為 cookie 名稱,與路徑 1 屬同一個寫入點。
來源 目的地
檔案 PDF/mobile/javascript/main.js PDF/mobile/javascript/main.js
行 854 854
物件 hash cookie
代碼片斷 PDF/mobile/javascript/main.js
檔案名稱
方法 "").replace(/;/g,"#@&")},storageByIndex:function(b,c){var
d,k=this.getPageContent(c);try{window.localStorage?(window.localStorage.remo
veItem(window.location.href.replace(window.location.hash,"")+"flipHtml5Remark
"+b),k&&window.localStorage.setItem(window.location.href.replace(window.locat
ion.hash,"")+"flipHtml5Remark"+b,k)):(k?(d=new
Date,d.setDate(d.getDate()+this.expires)):d=new Date("01 Jan 1970
00:00:01"),document.cookie=window.location.href.replace(window.location.hash,
"")+"flipHtml5Remark"+b+
....
854. "").replace(/;/g,"#@&")},storageByIndex:function(b,c){var
d,k=this.getPageContent(c);try{window.localStorage?(window.localStorage.
removeItem(window.location.href.replace(window.location.hash,"")+"flipHt
ml5Remark"+b),k&&window.localStorage.setItem(window.location.href.replac
e(window.location.hash,"")+"flipHtml5Remark"+b,k)):(k?(d=new
Date,d.setDate(d.getDate()+this.expires)):d=new Date("01 Jan 1970
00:00:01"),document.cookie=window.location.href.replace(window.location.
hash,"")+"flipHtml5Remark"+b+
Client HTML5 Insecure Storage
查詢路徑:
JavaScript\Cx\JavaScript Medium Threat\Client HTML5 Insecure Storage 版本:0
類別
PCI DSS v3.2: PCI DSS (3.2) - 6.5.8 - Improper access control
OWASP Top 10 2013: A6-Sensitive Data Exposure
FISMA 2014: Media Protection
NIST SP 800-53: SC-28 Protection of Information at Rest (P1)
OWASP Top 10 2017: A3-Sensitive Data Exposure
描述
Client HTML5 Insecure Storage\路徑 1:
嚴重程度: 中風險
結果狀態: 校驗
線上結果 http://CHECKMARX/CxWebClient/ViewerMain.aspx?scanid=1000150&projectid
=77&pathid=35
狀態 新的
應用程式將敏感性資料 passward 以不安全的方式儲存,位於 PDF/mobile/javascript/main.js 第 3021 行。
來源 目的地
檔案 PDF/mobile/javascript/main.js PDF/mobile/javascript/main.js
行 3021 3021
物件 passward passward
代碼片斷 PDF/mobile/javascript/main.js
檔案名稱
方法 this.showResult()},rememberAuthentication:function(){try{global.passward=this
.$passward.val(),global.username=this.$username.val(),window.localStorage.set
Item("passward",global.passward),window.localStorage.setItem("username",glob
al.username)}catch(b){}},fillCurrentPageContent:function(){for(var
b=1;b<=bookConfig.totalPageCount;b++)BookInfo.getBook().fillPage(b,!0);thum
bnail&&thumbnail.show&&thumbnail.fillContent&&thumbnail.fillContent()},show:f
unction(){this.background.show();this.view.show()},hide:function(){this.backgro
und.hide();
....
3021.
this.showResult()},rememberAuthentication:function(){try{global.passward
=this.$passward.val(),global.username=this.$username.val(),window.localS
torage.setItem("passward",global.passward),window.localStorage.setItem("
username",global.username)}catch(b){}},fillCurrentPageContent:function()
{for(var
b=1;b<=bookConfig.totalPageCount;b++)BookInfo.getBook().fillPage(b,!0);t
humbnail&&thumbnail.show&&thumbnail.fillContent&&thumbnail.fillContent()
},show:function(){this.background.show();this.view.show()},hide:function
(){this.background.hide();
Client HTML5 Insecure Storage\路徑 2:
嚴重程度: 中風險
結果狀態: 校驗
線上結果 http://CHECKMARX/CxWebClient/ViewerMain.aspx?scanid=1000150&projectid
=77&pathid=36
狀態 新的
應用程式將敏感性資料 ""passward"" 以不安全的方式儲存,位於 PDF/mobile/javascript/main.js 第 3021
行。
來源 目的地
檔案 PDF/mobile/javascript/main.js PDF/mobile/javascript/main.js
行 3021 3021
物件 ""passward"" ""passward""
代碼片斷 PDF/mobile/javascript/main.js
檔案名稱
方法 this.showResult()},rememberAuthentication:function(){try{global.passward=this
.$passward.val(),global.username=this.$username.val(),window.localStorage.set
Item("passward",global.passward),window.localStorage.setItem("username",glob
al.username)}catch(b){}},fillCurrentPageContent:function(){for(var
b=1;b<=bookConfig.totalPageCount;b++)BookInfo.getBook().fillPage(b,!0);thum
bnail&&thumbnail.show&&thumbnail.fillContent&&thumbnail.fillContent()},show:f
unction(){this.background.show();this.view.show()},hide:function(){this.backgro
und.hide();
....
3021.
this.showResult()},rememberAuthentication:function(){try{global.passward
=this.$passward.val(),global.username=this.$username.val(),window.localS
torage.setItem("passward",global.passward),window.localStorage.setItem("
username",global.username)}catch(b){}},fillCurrentPageContent:function()
{for(var
b=1;b<=bookConfig.totalPageCount;b++)BookInfo.getBook().fillPage(b,!0);t
humbnail&&thumbnail.show&&thumbnail.fillContent&&thumbnail.fillContent()
},show:function(){this.background.show();this.view.show()},hide:function
(){this.background.hide();
Client Reflected File Download
查詢路徑:
JavaScript\Cx\JavaScript Medium Threat\Client Reflected File Download 版本:1
類別
FISMA 2014: Media Protection
NIST SP 800-53: SC-28 Protection of Information at Rest (P1)
OWASP Top 10 2017: A1-Injection
描述
Client Reflected File Download\路徑 1:
嚴重程度: 中風險
結果狀態: 校驗
線上結果 http://CHECKMARX/CxWebClient/ViewerMain.aspx?scanid=1000150&projectid
=77&pathid=45
狀態 新的
PDF/js/actionhtmlwindow.js 第 6 行中 Content-Disposition 標頭沒有定義明確的檔案名稱。
一定要設定Filename 屬性來避免讓瀏覽器認為下載的資料是二進制,這樣有可能會下載到惡意檔案。
來源 目的地
檔案 PDF/js/actionhtmlwindow.js PDF/js/actionhtmlwindow.js
行8 66
物件 protocol ajax
代碼片斷 PDF/js/actionhtmlwindow.js
檔案名稱 return {
方法
....
8. src: c.replace(/^https?:/,
window.location.protocol),
檔案名稱 PDF/js/actionhtmlwindow.js
方法 function ActionHtmlWindow(a) {
.... $.ajax({
66.
Client Reflected File Download\路徑 2:
嚴重程度: 中風險
結果狀態: 校驗
線上結果 http://CHECKMARX/CxWebClient/ViewerMain.aspx?scanid=1000150&projectid
=77&pathid=46
狀態 新的
PDF/js/actionhtmlwindow.js 第 66 行中 Content-Disposition 標頭沒有定義明確的檔案名稱。
一定要設定Filename 屬性來避免讓瀏覽器認為下載的資料是二進制,這樣有可能會下載到惡意檔案。
來源 目的地
檔案 PDF/js/actionhtmlwindow.js PDF/js/actionhtmlwindow.js
行 69 66
物件 ""jsonp"" ajax
代碼片斷 PDF/js/actionhtmlwindow.js
檔案名稱 $.ajax({
方法
.... dataType: "jsonp",
69.
檔案名稱 PDF/js/actionhtmlwindow.js
方法 function ActionHtmlWindow(a) {
.... $.ajax({
66.
Client HTML5 Store Sensitive data In Web Storage
查詢路徑:
JavaScript\Cx\JavaScript Medium Threat\Client HTML5 Store Sensitive data In Web Storage 版本:0
類別
PCI DSS v3.2: PCI DSS (3.2) - 6.5.10 - Broken authentication and session management
OWASP Top 10 2013: A6-Sensitive Data Exposure
FISMA 2014: Media Protection
NIST SP 800-53: SC-28 Protection of Information at Rest (P1)
OWASP Top 10 2017: A3-Sensitive Data Exposure
描述
Client HTML5 Store Sensitive data In Web Storage\路徑 1:
嚴重程度: 中風險
結果狀態: 校驗
線上結果 http://CHECKMARX/CxWebClient/ViewerMain.aspx?scanid=1000150&projectid
=77&pathid=34
狀態 新的
應用程式將敏感性資料 ""passward"" 以不安全的方式儲存,位於 PDF/mobile/javascript/main.js 第 3021
行。
來源 目的地
檔案 PDF/mobile/javascript/main.js PDF/mobile/javascript/main.js
行 3021 3021
物件 ""passward"" ""passward""
代碼片斷 PDF/mobile/javascript/main.js
檔案名稱
方法 this.showResult()},rememberAuthentication:function(){try{global.passward=this
.$passward.val(),global.username=this.$username.val(),window.localStorage.set
Item("passward",global.passward),window.localStorage.setItem("username",glob
al.username)}catch(b){}},fillCurrentPageContent:function(){for(var
b=1;b<=bookConfig.totalPageCount;b++)BookInfo.getBook().fillPage(b,!0);thum
bnail&&thumbnail.show&&thumbnail.fillContent&&thumbnail.fillContent()},show:f
unction(){this.background.show();this.view.show()},hide:function(){this.backgro
und.hide();
....
3021.
this.showResult()},rememberAuthentication:function(){try{global.passward
=this.$passward.val(),global.username=this.$username.val(),window.localS
torage.setItem("passward",global.passward),window.localStorage.setItem("
username",global.username)}catch(b){}},fillCurrentPageContent:function()
{for(var
b=1;b<=bookConfig.totalPageCount;b++)BookInfo.getBook().fillPage(b,!0);t
humbnail&&thumbnail.show&&thumbnail.fillContent&&thumbnail.fillContent()
},show:function(){this.background.show();this.view.show()},hide:function
(){this.background.hide();
Client Use Of JQuery Outdated Version
查詢路徑:
JavaScript\Cx\JavaScript Medium Threat\Client Use Of JQuery Outdated Version 版本:1
類別
OWASP Top 10 2013: A9-Using Components with Known Vulnerabilities
OWASP Top 10 2017: A9-Using Components with Known Vulnerabilities
描述
Client Use Of JQuery Outdated Version\路徑 1:
嚴重程度: 中風險
結果狀態: 校驗
線上結果 http://CHECKMARX/CxWebClient/ViewerMain.aspx?scanid=1000150&projectid
=77&pathid=50
狀態 新的
PDF/mobile/index.html 第 27 行載入了過時的 jQuery 1.9.1 (javascript/jquery-1.9.1.min.js);該版本已不再維護,應升級至目前受支援的 jQuery 版本,並確認應用程式未依賴已被移除的 API。
來源 目的地
檔案 PDF/mobile/index.html PDF/mobile/index.html
行 27 27
物件 1 1
代碼片斷 PDF/mobile/index.html
檔案名稱 <script type="text/javascript" src="javascript/jquery-1.9.1.min.js"></script>
方法
....
27. <script type="text/javascript" src="javascript/jquery-
1.9.1.min.js"></script>
Failure to Control Generation of Code ('Code Injection') Status: Draft
Weakness ID: 94 (Weakness Class)
Description
Description Summary
The product does not sufficiently filter code (control-plane) syntax from user-controlled input (data plane)
when that input is used within code that the product generates.
Extended Description
When software allows a user's input to contain code syntax, it might be possible for an
attacker to craft the code in such a way that it will alter the intended control flow of the
software. Such an alteration could lead to arbitrary code execution.
Injection problems encompass a wide variety of issues -- all mitigated in very different
ways. For this reason, the most effective way to discuss these weaknesses is to note the
distinct features which classify them as injection weaknesses. The most important issue
to note is that all injection problems share one thing in common -- i.e., they allow for
the injection of control plane data into the user-controlled data plane. This means that
the execution of the process may be altered by sending code in through legitimate data
channels, using no other mechanism. While buffer overflows, and many other flaws,
involve the use of some further issue to gain execution, injection problems need only for
the data to be parsed. The most classic instantiations of this category of weakness are
SQL injection and format string vulnerabilities.
Time of Introduction
Architecture and Design
Implementation
Applicable Platforms
Languages
Interpreted languages: (Sometimes)
Common Consequences
Scope — Effect
Confidentiality — The injected code could access restricted data / files.
Authentication / Access Control — In some cases, injectable code controls authentication; this may lead to a remote vulnerability.
Access Control — Injected code can access resources that the attacker is directly prevented from accessing.
Integrity — Code injection attacks can lead to loss of data integrity in nearly all cases as the control-plane data injected is always incidental to data recall or writing. Additionally, code injection can often result in the execution of arbitrary code.
Accountability — Often the actions performed by injected control code are unlogged.
Likelihood of Exploit
Medium
Demonstrative Examples
Example 1
This example attempts to write user messages to a message file and allow users to view
them.
(Bad Code)
Example Language: PHP
// CWE-94 demonstrative example (intentionally vulnerable).
// $_GET["name"] and $_GET["message"] are appended verbatim to a file that is
// later passed to include(), so any "<?php ... ?>" inside a message is parsed
// and executed by the interpreter on every "ViewMessages" request.
$MessageFile = "cwe-94/messages.out";
if ($_GET["action"] == "NewMessage") {
PAGE 58 OF 77
$name = $_GET["name"];
$message = $_GET["message"];
// Append mode: every submitted message accumulates in the same file.
$handle = fopen($MessageFile, "a+");
// No validation or encoding of $name / $message before they are written.
fwrite($handle, "<b>$name</b> says '$message'<hr>\n");
fclose($handle);
echo "Message Saved!<p>\n";
}
else if ($_GET["action"] == "ViewMessages") {
// include() treats the data file as PHP source — this is the injection sink.
include($MessageFile);
}
While the programmer intends for the MessageFile to only include data, an attacker can
provide a message such as:
(Attack)
name=h4x0r
message=%3C?php%20system(%22/bin/ls%20-l%22);?%3E
which will decode to the following:
(Attack)
<?php system("/bin/ls -l");?>
The programmer thought they were just including the contents of a regular data file,
but PHP parsed it and executed the code. Now, this code is executed any time people
view messages.
Notice that XSS (CWE-79) is also possible in this situation.
Potential Mitigations
Phase: Architecture and Design
Refactor your program so that you do not have to dynamically generate code.
Phase: Architecture and Design
Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating
system. This may effectively restrict which code can be executed by your software.
Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be
subject to compromise.
Be careful to avoid CWE-243 and other weaknesses related to jails.
Phase: Implementation
Strategy: Input Validation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that
strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something
that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists
can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of
acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an
example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not
valid if you are expecting colors such as "red" or "blue."
To reduce the likelihood of code injection, use stringent whitelists that limit which constructs are allowed. If you are dynamically
constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might
still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Phase: Testing
Use automated static analysis tools that target this type of weakness. Many modern techniques use data flow analysis to minimize
the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.
Phase: Testing
Use dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz
testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become
unstable, crash, or generate incorrect results.
Phase: Operation
Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses
tainted variables, such as Perl's "-T" switch. This will force you to perform validation steps that remove the taint, although you
must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-
183 and CWE-184).
Relationships
Nature — Type — ID — Name — View(s) this relationship pertains to
ChildOf — Weakness Class — 74 — Failure to Sanitize Data into a Different Plane ('Injection') — Development Concepts (primary) 699; Research Concepts (primary) 1000
ChildOf — Weakness Class — 691 — Insufficient Control Flow Management — Research Concepts 1000
ChildOf — Category — 752 — 2009 Top 25 - Risky Resource Management — Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (primary) 750
ParentOf — Weakness Base — 95 — Improper Sanitization of Directives in Dynamically Evaluated Code ('Eval Injection') — Development Concepts 699; Research Concepts 1000
ParentOf — Weakness Base — 96 — Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') — Development Concepts 699; Research Concepts 1000
ParentOf — Weakness Base — 621 — Variable Extraction Error — Development Concepts 699; Research Concepts 1000
ParentOf — Weakness Base — 627 — Dynamic Variable Evaluation — Development Concepts 699; Research Concepts 1000
MemberOf — View — 635 — Weaknesses Used by NVD — Weaknesses Used by NVD (primary) 635
CanFollow — Weakness Base — 98 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') — Development Concepts 699; Research Concepts 1000
(Note: the table columns were interleaved in the extracted text; the "(primary)" markers on the ParentOf rows could not be recovered with certainty and are omitted above.)
Research Gaps
Many of these weaknesses are under-studied and under-researched, and terminology is not sufficiently precise.
Taxonomy Mappings
Mapped Taxonomy Name Node ID Fit Mapped Node Name
PLOVER CODE Code Evaluation and Injection
(CAPEC Version: 1.5)
Related Attack Patterns Attack Pattern Name
CAPEC-ID
35 Leverage Executable Code in
Nonexecutable Files
77 Manipulating User-Controlled Variables
Content History Submitter Organization Source
PLOVER Externally Mined
Submissions
Submission Date Modifier Organization Source
Modifications Eric Dalci Cigital External
Modification Date
2008-07-01 updated Time of Introduction
2008-09-08 CWE Content Team MITRE Internal
2009-01-12 updated Applicable Platforms, Relationships, Research Gaps, Taxonomy Mappings
CWE Content Team MITRE Internal
updated Common Consequences, Demonstrative Examples, Description, Likelihood of
Exploit, Name, Potential Mitigations, Relationships
2009-03-10 CWE Content Team MITRE Internal
updated Potential Mitigations
2009-05-27 CWE Content Team MITRE Internal
updated Demonstrative Examples, Name
2010-02-16 CWE Content Team MITRE Internal
updated Potential Mitigations
Previous Entry Names
Change Date Previous Entry Name
2009-01-12 Code Injection
2009-05-27 Failure to Control Generation of Code (aka 'Code Injection')
Client DOM Stored Code Injection
風險
可能發生什麼問題
攻擊者可使精心策劃的內容在瀏覽器中執行,重新編寫網頁並插入惡意腳本。
然後,攻擊者可以偽裝成原來的網站,這將使攻擊者可以竊取使用者的密碼,要求使用者的信用卡資訊
,提供偽造的資訊,或執行惡意軟體。
但從受害者的角度來看,這就是原來的網站,受害人會將所產生的損害歸咎於該網站。
原因
如何發生
應用程式的Web頁面通過客戶端程式碼來建立,如cookies,HTML5的LocalStorage,或者本機資料庫。
如果輸入包含惡意程式碼,執行的程式碼可能包含由攻擊者設計的行為。
一般建議
如何避免
避免對程式碼動態編譯、執行或評估。如果動態執行是必要的,只使用既有資料或來自伺服器且受信任的資料,而不要使用使用者提供的資料(包括先前被應用程式本身快取的資料)。
程式碼範例
JavaScript
If you must set code to be called dynamically, only call predefined methods or hard-coded Javascript. Never call
“eval()” or dynamically create code.
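// Pass a function reference, never a string: a string argument to
// setInterval()/setTimeout() is compiled and evaluated like eval(), which is
// exactly the dynamic-code pattern the guidance above says to avoid.
window.setInterval(timedFunction, 1000);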
Client DOM XSS
風險
可能發生什麼問題
攻擊者可能使用社交工程攻擊,讓使用者能夠發送網頁設計的輸入,從而導致瀏覽器重新編寫網頁。
然後,攻擊者可以偽裝成原來的網站,這將使攻擊者可以竊取使用者的密碼,要求使用者的信用卡資訊
,提供偽造的資訊,或執行惡意軟體。
但從受害者的角度來看,這就是原來的網站,受害人會將所產生的損害歸咎於該網站。
原因
如何發生
應用程式的網頁包含從使用者輸入的資料。資料直接嵌入至HTML的頁面,其資料透過瀏覽器顯示為
網頁的一部分。 如果資料包含HTML片段或Javascript,這樣使用者無法分辨是否為預期的頁面。
該漏洞沒有先對嵌入使用者輸入的資料進行編碼以防止瀏覽器將之當成HTML的格式而非純文字。
一般建議
如何避免
1.
驗證所有資料,無論其來源為何。驗證應基於白名單:僅接受預定結構的資訊,而不是拒絕不良的樣式(P
atterns)。 應確認: ● 資料型態 ● 大小 ● 範圍 ● 格式 ● 期望值 2. 在網頁嵌入前充分編碼所有動態資料。
3.編碼應該是上下文相關的。例如: ●HTML內容使用HTML的編碼方式
●HTML編碼特性是將資料輸出到特性的值 ●JavaScript的編碼方式為伺服器產生的Javascript 4.
請考慮使用ESAPI4JS元件。
程式碼範例
CSharp
For dynamically creating URLs in JavaScript, use the OWASP ESAPI4JS library:
window.location = ESAPI4JS.encodeForURL(input);
For creating dynamic HTML in JavaScript, use the OWASP ESAPI4JS library — the HTML context needs the HTML encoder, not encodeForURL (or simply assign the value to element.textContent, which never parses markup):
element.innerHTML = ESAPI4JS.encodeForHTML(input);
Java
For dynamically creating URLs in JavaScript, use the OWASP ESAPI4JS library:
window.location = ESAPI4JS.encodeForURL(input);
For creating dynamic HTML in JavaScript, use the OWASP ESAPI4JS library — the HTML context needs the HTML encoder, not encodeForURL (or simply assign the value to element.textContent, which never parses markup):
element.innerHTML = ESAPI4JS.encodeForHTML(input);
Client DOM Cookie Poisoning
風險
可能發生什麼問題
如果一個外部、惡意的第三方能夠控制另外一位使用者應用程式
cookie,這可能會以各種方式被濫用。包括篡改應用程式資料、繞過存取控制檢查、違反完整性限制或是
修改使用者的喜好設定像是購物車的內容等。
此外,這個漏洞可能導致其他種類的攻擊,像是 Session 固定攻擊或是跨網站腳本 (XSS) 攻擊。
原因
如何發生
應用程式沒有避免惡意輸入變數被新增到應用程式 cookie 中,攻擊者可以透過惡意 URL
參數影響受害者的瀏覽器,導致腳本把這些惡意值讀取到使用者的 cookie
中,這可以透過釣魚式攻擊、儲存連結、外部連結等多種方式來達成。
一般建議
如何避免
不要用使用者控制的輸入變數像是 URL 等來設定 cookie 的值。
程式碼範例
JavaScript
URL-Based Cookie
// Vulnerable pattern (URL-based cookie): the cookie value is copied straight
// from the URL fragment, so whoever can make the victim open a crafted link
// decides what the "Action" cookie contains.
function setCookie()
{
  var fragment = window.location.hash;
  document.cookie = "Action=" + fragment;
}
Whitelisted Cookie Value
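// Whitelisted cookie value: the URL fragment is used only as a lookup key into
// a fixed table, and only an *own* entry of that table is accepted.
// The original `actionsArray[value] != undefined` test also matches inherited
// properties ("toString", "constructor", ...), which would put a function's
// source text into the cookie; hasOwnProperty closes that gap.
function setCookie()
{
  var value = window.location.hash;
  if (Object.prototype.hasOwnProperty.call(actionsArray, value))
  {
    var date = new Date();
    date.setTime(date.getTime() + 1000*60*20);   // 20-minute lifetime
    document.cookie = "ActionID=" + actionsArray[value]
      + "; expires=" + date.toUTCString()
      + "; path=/myApp/"
      + "; secure"
      + "; SameSite=Strict";   // never sent on cross-site requests
  }
}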
Client HTML5 Store Sensitive data In Web Storage
風險
可能發生什麼問題
攻擊者擁有使用者電腦或裝置的存取權,能夠從客戶端儲存空間取得使用者的敏感性個人資料
(PII)。這對使用者有害而且會損害他們的隱私權,還有可能造成名譽受損、財物損失或甚至身份竊盜。
原因
如何發生
應用程式將敏感性資料像是 PII (個人可辨識資訊)
儲存在客戶端瀏覽器或是裝置上,應用程式使用不安全的儲存格式,代表沒有提供任何未授權存取的保
護措施,這些資料在儲存前也沒有受到加密或是過濾,因此裝置或是瀏覽器存取權的惡意個體可以輕易
取得使用者資料
一般建議
如何避免
避免將 PII 等敏感性資料儲存在不受保護的客戶端。
如果 PII 或是其他敏感性資料一定要儲存在客戶端,請確保它有被加密或是有其他保護措施。注意:在瀏覽器中以 JavaScript 加密時,金鑰同樣位於客戶端,對能存取該裝置或同源腳本的攻擊者並無實質保護;密碼之類的憑證(如本報告 main.js 第 3021 行寫入 localStorage 的 passward/username)不應持久化,應改以伺服器端 session 或短效 token 取代。
程式碼範例
JavaScript
User Data Stored in Local Storage
// Insecure pattern: the account identifier is written to localStorage, where
// anything with access to the browser profile (or any same-origin script) can
// read it back long after the session ends.
function storeUserData() {
  const account = getUserAccount();
  localStorage.setItem('accountId', account);
}
User Data in Globals instead of Persistent Storage
// Keep user data in an in-memory global for the lifetime of the page instead
// of persistent storage; nothing is written to localStorage here.
var globalAccountId;
function storeUserData() {
  // Cached in memory only — persistent client-side storage is deliberately
  // not used for this value.
  globalAccountId = getUserAccount();
}
Client HTML5 Insecure Storage
風險
可能發生什麼問題
攻擊者擁有使用者電腦或裝置的存取權,能夠從客戶端儲存空間取得使用者的敏感性個人資料
(PII)。這對使用者有害而且會損害他們的隱私權,還有可能造成名譽受損、財物損失或甚至身份竊盜。
原因
如何發生
應用程式將敏感性資料像是 PII (個人可辨識資訊)
儲存在客戶端瀏覽器或是裝置上,應用程式使用不安全的儲存格式,代表沒有提供任何未授權存取的保
護措施,這些資料在儲存前也沒有受到加密或是過濾,因此裝置或是瀏覽器存取權的惡意個體可以輕易
取得使用者資料
一般建議
如何避免
避免將 PII 等敏感性資料儲存在不受保護的客戶端。
如果 PII 或是其他敏感性資料一定要儲存在客戶端,請確保它有被加密或是有其他保護措施。注意:在瀏覽器中以 JavaScript 加密時,金鑰同樣位於客戶端,對能存取該裝置或同源腳本的攻擊者並無實質保護;密碼之類的憑證(如本報告 main.js 第 3021 行寫入 localStorage 的 passward/username)不應持久化,應改以伺服器端 session 或短效 token 取代。
程式碼範例
Client Potential XSS
風險
可能發生什麼問題
攻擊者可能利用社交工程攻擊來導致使用者發送網站設計的輸入,重寫網頁並插入惡意腳本。
然後,攻擊者可以偽裝成原來的網站,這將使攻擊者可以竊取使用者的密碼,要求使用者的信用卡資訊
,提供偽造訊息,或執行惡意軟體。
但從受害者的角度來看,這就是原來的網站,受害人會將所產生的損害歸咎於該網站。
原因
如何發生
應用程式從使用者輸入的資料建立網頁。資料直接嵌入至HTML的頁面,利用瀏覽器顯示。
如果資料包含HTML片段或Javascript,這樣也顯示使用者無法分辨是否為預期的頁面。
該漏洞主因為未先對嵌入資料庫中的資料進行編碼(Encode)來預防瀏覽器將其當為HTML的格式而非純
文字。
一般建議
如何避免
1.
驗證所有輸入,無論其來源為何。驗證應基於白名單:僅接受資料擬合一個指定的結構,而不是拒絕不良
patterns. 應確認: ● 資料類型 ● 大小 ● 範圍 ● 格式 ● 期望值 2. 在輸出嵌入之前完全編碼所有動態資料。
3. 編碼應該是上下文相關的。例如: ● HTML內容使用HTML的編碼方式
●HTML編碼特性是將資料輸出到特性的值 ● JavaScript的編碼方式為伺服器產生的Javascript 4.
考慮使用ESAPI的編碼庫,或它的內置功能。對於舊版的ASP.NET,請考慮使用AntiXSS。 5.
在 HTTP Content-Type 標頭中明確定義整個頁面的字元編碼。 6. 在 session cookie 上設定 HttpOnly 旗標,避免透過 XSS 竊取 session 資訊。
程式碼範例
CSharp
於使用者輸入顯示於螢幕前,先進行 HTML encoded
// Good: the user-supplied string is HTML-encoded (AntiXssEncoder) before it
// is assigned to the TextBox, so any markup in the input renders as text.
public class ReflectedXSSSpecificClientsFixed
{
public void foo(TextBox tb, AntiXssEncoder encode)
{
string input = Console.ReadLine();
// Encode for the HTML-body context the control renders into.
tb.Text = encode.HtmlEncode(input);
}
}
,應用程式使用來自 HttpRequest 的 「filename」欄位字串建立 HttpResponse
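// Bad: the response charset is forced to UTF-7 and a request-controlled
// "filename" is reflected into the body. This is the classic UTF-7 XSS set-up:
// HtmlEncode() only escapes the literal '<', '>', '&', '"' characters it sees,
// while a UTF-7 document lets the browser decode escape sequences in the
// reflected text into those same characters after encoding has run — so
// output encoding alone does not make this safe. The original listing was
// also missing the closing parenthesis of foo's parameter list.
public class UTF7XSS
{
    public void foo(HttpRequest Request, HttpResponse Response)
    {
        Response.Charset("UTF-7");
        string filename = Request.QueryString["filename"];
        Response.BinaryWrite(AntiXss.HtmlEncode(filename));
    }
}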
「filename」字串先轉為 int,並switch case至對應「filename」字串
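// Fixed: the request only selects one of a fixed set of file names, so no
// user-controlled text reaches the response body.
// NOTE(review): the example keeps Charset("UTF-7") so the contrast with
// UTF7XSS stays visible; a real page should declare UTF-8.
public class UTF7XSSFixed
{
    public static void foo(HttpRequest Request, HttpResponse Response)
    {
        Response.Charset("UTF-7");
        // int.TryParse instead of Convert.ToInt32: the original threw
        // FormatException/OverflowException on any non-numeric "fileNum",
        // turning malformed input into an unhandled server error.
        int fileNum;
        if (!int.TryParse(Request.QueryString["fileNum"], out fileNum))
        {
            fileNum = 0;   // falls through to the default file below
        }
        string filename;
        switch(fileNum)
        {
            case 1:
                filename = "File1.txt";
                break;
            default:
                filename = "File2.txt";
                break;
        }
        Response.BinaryWrite(AntiXss.HtmlEncode(filename));
    }
}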
Good - The user input is HTML encoded before being displayed on the screen
// Good: the user-supplied string is HTML-encoded (AntiXssEncoder) before it
// is assigned to the TextBox, so any markup in the input renders as text.
public class ReflectedXSSSpecificClientsFixed
{
public void foo(TextBox tb, AntiXssEncoder encode)
{
string input = Console.ReadLine();
// Encode for the HTML-body context the control renders into.
tb.Text = encode.HtmlEncode(input);
}
}
Bad - The application uses the "filename" field string from an HttpRequest construct an HttpResponse
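// Bad: the response charset is forced to UTF-7 and a request-controlled
// "filename" is reflected into the body. This is the classic UTF-7 XSS set-up:
// HtmlEncode() only escapes the literal '<', '>', '&', '"' characters it sees,
// while a UTF-7 document lets the browser decode escape sequences in the
// reflected text into those same characters after encoding has run — so
// output encoding alone does not make this safe. The original listing was
// also missing the closing parenthesis of foo's parameter list.
public class UTF7XSS
{
    public void foo(HttpRequest Request, HttpResponse Response)
    {
        Response.Charset("UTF-7");
        string filename = Request.QueryString["filename"];
        Response.BinaryWrite(AntiXss.HtmlEncode(filename));
    }
}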
Good - The "filename" string is converted to an int and using a switch case the new "filename" string is constructed
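// Fixed: the request only selects one of a fixed set of file names, so no
// user-controlled text reaches the response body.
// NOTE(review): the example keeps Charset("UTF-7") so the contrast with
// UTF7XSS stays visible; a real page should declare UTF-8.
public class UTF7XSSFixed
{
    public static void foo(HttpRequest Request, HttpResponse Response)
    {
        Response.Charset("UTF-7");
        // int.TryParse instead of Convert.ToInt32: the original threw
        // FormatException/OverflowException on any non-numeric "fileNum",
        // turning malformed input into an unhandled server error.
        int fileNum;
        if (!int.TryParse(Request.QueryString["fileNum"], out fileNum))
        {
            fileNum = 0;   // falls through to the default file below
        }
        string filename;
        switch(fileNum)
        {
            case 1:
                filename = "File1.txt";
                break;
            default:
                filename = "File2.txt";
                break;
        }
        Response.BinaryWrite(AntiXss.HtmlEncode(filename));
    }
}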
在HTML中嵌入:
<td><%= AntiXss.HtmlEncode(input.Text) %></td>
對於資料的屬性值:
<input value="<%= AntiXss.HtmlAttributeEncode(input.Text) %>" />
對於產生Javascript:
string serverId = '<%= AntiXss.JavaScriptEncode(input.Text) %>';
Java
User input is written to a label displayed on the screen enabling a user to inject a script
// Bad: the text typed into the TextArea is concatenated into the label
// unchanged, so a user can place markup or script in the rendered page.
public class ReflectedXSSAllClients {
public static void XSSExample(TextArea name) {
Label label = new Label();
// No validation or encoding of name.getText() before it is displayed.
label.setText("Hello " + name.getText());
}
}
Switch case is used in order to assemble the label's text value and manage wrong user input
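// Fixed: the label text is chosen from a fixed set of literals, so no
// user-controlled text reaches the label. The switch must be on the String
// value — the original switched on the TextArea object itself, which does
// not compile.
public class ReflectedXSSAllClientsFixed {
    public static void XSSExample(TextArea name) {
        Label label = new Label();
        switch (name.getText()) {
            case "Joan":
                label.setText("Hello Joan");
                break;
            case "Jim":
                label.setText("Hello Jim");
                break;
            case "James":
                label.setText("Hello James");
                break;
            default:
                // Unknown input is rejected, never echoed back to the page.
                System.out.println("Wrong Input");
        }
    }
}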
在HTML中嵌入:
<td><%= ESAPI.encoder().encodeForHTML(request.getParameter("input"))%></td>
對於資料的屬性值:
<input value="<%= ESAPI.encoder().encodeForHTMLAttribute( request.getParameter( "input" ) )
%>" />
Client Reflected File Download
風險
可能發生什麼問題
反射型文件下載 (RFD) 是一種能夠讓攻擊者透過網路取得受害者裝置 RCE (遠端程式碼執行, Remote
Code Execution) 能力的漏洞。
RFD攻擊中,受害者瀏覽了一個惡意 URI,下載了一個檔案,並執行 OS 程式,造成 RCE。
原因
如何發生
要進行成功的RFD攻擊需要3種條件:
1) 反射-使用者的輸入變數會反射到被伺服器回應中。
2) 不受限的URL-URL或是API限制太寬鬆,使攻擊者可以建立合法的URI與可執行的檔案類型。
3) 下載回應-直接下載回應而不是先預覽,瀏覽器會將第(2)步中的檔案類型設定到檔案上。
一般建議
如何避免
使用編碼(Encode)-
使用跳脫字元(Escape)是沒有幫助的,因為有問題的字元依然存在,因此用編碼是必需的。
內容-使用具有Filename屬性的API;Content-Disposition
回應標頭定義了該如何處理回應還有被用來附加額外的中繼資料,像是檔案名稱等。有設定filena
me屬性能讓瀏覽器不用猜測資源的檔案類型,避免附加不必要的可執行檔案類型。
CSRF Token – 如果可以的話,使用CSRF token避免攻擊者建立合法的連結來傳送給受害者。
客製化標頭 – 為API要求客製HTTP標頭,同時有可能客戶端有使用同源政策(Same-Origin-
Policy),這會使RFD在沒有其他弱點的輔助下無法被使用。
移除路徑變數的輔助 – 如果不需要的話,路徑變數的輔助應該要移除。
加上 X-Content-Type-Options 標頭 – 加上X-Content-Type-Options: nosniff
能夠防止攻擊者讓瀏覽器「猜測」檔案是二進制的並進行下載的動作。
程式碼範例
Java
Setting the filename attribute
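// Quote the file name and restrict it to a safe character set before it goes
// into the header: the original concatenated an unquoted, unfiltered value, so
// a caller-controlled filename containing ';' or CR/LF could add further
// Content-Disposition parameters or (on lenient servers) extra headers.
String safeName = filename.replaceAll("[^A-Za-z0-9._-]", "_");
response.setHeader("Content-Disposition", "attachment; filename=\"" + safeName + "\"");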
CSharp
Setting the filename attribute
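// Quote the file name and restrict it to a safe character set before it goes
// into the header: the original concatenated an unquoted, unfiltered value, so
// a caller-controlled filename containing ';' or CR/LF could add further
// Content-Disposition parameters or (on lenient servers) extra headers.
string safeName = Regex.Replace(filename, @"[^A-Za-z0-9._-]", "_");
Response.AddHeader("Content-Disposition", "attachment; filename=\"" + safeName + "\"");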
JavaScript
Setting the filename attribute
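// Quote the file name and restrict it to a safe character set before it goes
// into the header: the original concatenated an unquoted, unfiltered value, so
// a caller-controlled filename containing ';' or CR/LF could add further
// Content-Disposition parameters or (on lenient servers) extra headers.
var safeName = String(filename).replace(/[^A-Za-z0-9._-]/g, '_');
res.setHeader('Content-disposition', 'attachment; filename="' + safeName + '"');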
Client Use Of JQuery Outdated Version
風險
可能發生什麼問題
參照使用已經棄用的模組會導致應用程式暴露在已知的漏洞底下,漏洞已經被公開回報而且已經被修
復,普通的攻擊方式是掃描應用程式尋找這些已知漏洞,接著透過這些棄用版本的模組來濫用應用程式
。
請注意,真正的風險要看舊版本中的所有已知漏洞詳情來判斷。
原因
如何發生
應用程式參照已經被宣告為棄用的程式元素,元素包含函數、方法、屬性、模組或是過時的函式庫版本,
有可能程式在開發後這些程式才被宣告成過時。
一般建議
如何避免
o 永遠使用最新版本的函式庫或套件以及其他相依程式。
o 不要用任何被宣告為棄用的方法、函數、屬性或其他元素。
程式碼範例
Java
Using Deprecated Methods for Security Checks
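// "Before" example: relies on the deprecated SecurityManager.checkMulticast(InetAddress, byte)
// overload. NOTE(review): SecurityManager as a whole is deprecated for removal
// in current JDKs, so neither variant should be relied on in new code.
// The missing ';' after the call in the original listing is restored so the
// snippet compiles.
private void checkPermissions(InetAddress address) {
    SecurityManager secManager = System.getSecurityManager();
    if (secManager != null) {
        secManager.checkMulticast(address, 0);
    }
}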
A Replacement Security Check
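// Replacement check: expresses the same requirement as an explicit
// SocketPermission for "accept,connect" on the address and asks the security
// manager to check that permission, instead of the deprecated checkMulticast
// overload. NOTE(review): SecurityManager itself is deprecated for removal in
// current JDKs; treat this as a migration step, not a long-term design.
// The missing ';' after checkPermission(...) in the original is restored.
private void checkPermissions(InetAddress address) {
    SecurityManager secManager = System.getSecurityManager();
    if (secManager != null) {
        SocketPermission permission = new SocketPermission(address.getHostAddress(),
            "accept,connect");
        secManager.checkPermission(permission);
    }
}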
檢測的語言 HASH值 變更的日期
語言 0139595324901015 2018/6/13
1349101913133594 2018/6/13
JavaScript 4310212271432955 2018/6/13
VbScript 6462054670145729 2018/6/13
Typescript
Common