Difference between revisions of "Invoking untrusted mobile code"

From OWASP
Jump to: navigation, search
 
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
{{Template:SecureSoftware}}
 
{{Template:SecureSoftware}}
 +
{{Template:Vulnerability}}
  
==Overview==
+
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 +
 
 +
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
 +
 
 +
==Description==
  
 
This process will download external source or binaries and execute it.
 
This process will download external source or binaries and execute it.
  
==Consequences ==
+
'''Consequences'''
  
 
Unspecified.
 
Unspecified.
  
==Exposure period ==
+
'''Exposure period'''
  
 
Implementation: This flaw is a simple logic issue, introduced entirely at implementation time.
 
Implementation: This flaw is a simple logic issue, introduced entirely at implementation time.
  
==Platform ==
+
'''Platform'''
  
 
Languages: Java and C++
 
Languages: Java and C++
Line 19: Line 24:
 
Operating platform: Any
 
Operating platform: Any
  
==Required resources ==
+
'''Required resources'''
  
 
Any
 
Any
  
==Severity ==
+
'''Severity'''
  
 
Medium
 
Medium
  
==Likelihood   of exploit ==
+
'''Likelihood of exploit'''
  
 
Medium
 
Medium
  
==Avoidance and mitigation ==
+
This is an unsafe practice and should not be performed unless one can use some type of cryptographic protection to assure that the mobile code has not been altered.
  
* Implementation: Avoid doing this without proper cryptographic safeguards.
 
  
==Discussion ==
 
  
This is an unsafe practice and should not be performed unless one can use some type of cryptographic protection to assure that the mobile code has not been altered.
+
==Risk Factors==
  
==Examples ==
+
* Talk about the [[OWASP Risk Rating Methodology|factors]] that make this vulnerability likely or unlikely to actually happen
 +
* Discuss the technical impact of a successful exploit of this vulnerability
 +
* Consider the likely [business impacts] of a successful attack
 +
 
 +
 
 +
==Examples==
  
 
In Java:
 
In Java:
Line 49: Line 57:
 
</pre>
 
</pre>
  
==Related problems ==
+
==Related [[Attacks]]==
  
* [[Cross-site scripting]]
+
* [[Attack 1]]
 +
* [[Attack 2]]
  
  
[[Category:Vulnerability]]
+
==Related [[Vulnerabilities]]==
  
[[Category:Range and Type Errors]]
+
* [[Cross-site Scripting (XSS)]]
  
 +
 +
==Related [[Controls]]==
 +
 +
* Implementation: Avoid doing this without proper cryptographic safeguards.
 +
 +
 +
==Related [[Technical Impacts]]==
 +
 +
* [[Technical Impact 1]]
 +
* [[Technical Impact 2]]
 +
 +
 +
==References==
 +
 +
TBD
 +
 +
[[Category:FIXME|add links
 +
 +
In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki>
 +
 +
Availability Vulnerability
 +
 +
Authorization Vulnerability
 +
 +
Authentication Vulnerability
 +
 +
Concurrency Vulnerability
 +
 +
Configuration Vulnerability
 +
 +
Cryptographic Vulnerability
 +
 +
Encoding Vulnerability
 +
 +
Error Handling Vulnerability
 +
 +
Input Validation Vulnerability
 +
 +
Logging and Auditing Vulnerability
 +
 +
Session Management Vulnerability]]
 +
 +
__NOTOC__
 +
 +
 +
[[Category:OWASP ASDR Project]]
 +
[[Category:Vulnerability]]
 +
[[Category:Range and Type Error Vulnerability]]
 
[[Category:OWASP_CLASP_Project]]
 
[[Category:OWASP_CLASP_Project]]
 +
[[Category:Code Snippet]]
 +
[[Category:Java]]

Latest revision as of 20:31, 20 February 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


Last revision (mm/dd/yy): 02/20/2009

Vulnerabilities Table of Contents

Description

This process will download external source or binaries and execute it.

Consequences

Unspecified.

Exposure period

Implementation: This flaw is a simple logic issue, introduced entirely at implementation time.

Platform

Languages: Java and C++

Operating platform: Any

Required resources

Any

Severity

Medium

Likelihood of exploit

Medium

This is an unsafe practice and should not be performed unless one can use some type of cryptographic protection to assure that the mobile code has not been altered.


Risk Factors

  • Talk about the factors that make this vulnerability likely or unlikely to actually happen
  • Discuss the technical impact of a successful exploit of this vulnerability
  • Consider the likely [business impacts] of a successful attack


Examples

In Java:

URL[] classURLs= new URL[]{new URL("file:subdir/")};
URLClassLoader loader = nwe URLClassLoader(classURLs);
Class loadedClass = Class.forName("loadMe", true, loader);

Related Attacks


Related Vulnerabilities


Related Controls

  • Implementation: Avoid doing this without proper cryptographic safeguards.


Related Technical Impacts


References

TBD