Difference between revisions of "Invoking untrusted mobile code"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
 
 
{{Template:SecureSoftware}}
 
{{Template:SecureSoftware}}
  
Line 54: Line 53:
 
* [[Cross-site scripting]]
 
* [[Cross-site scripting]]
  
==Categories ==
 
  
 
[[Category:Vulnerability]]
 
[[Category:Vulnerability]]

Revision as of 23:11, 27 May 2006


Overview

This process will download external source or binaries and execute it.

Consequences

Unspecified.

Exposure period

Implementation: This flaw is a simple logic issue, introduced entirely at implementation time.

Platform

Languages: Java and C++

Operating platform: Any

Required resources

Any

Severity

Medium

Likelihood of exploit

Medium

Avoidance and mitigation

  • Implementation: Avoid doing this without proper cryptographic safeguards.

Discussion

This is an unsafe practice and should not be performed unless one can use some type of cryptographic protection to assure that the mobile code has not been altered.

Examples

In Java:

URL[] classURLs= new URL[]{new URL("file:subdir/")};
URLClassLoader loader = nwe URLClassLoader(classURLs);
Class loadedClass = Class.forName("loadMe", true, loader);

Related problems