Monday 26 January 2015

OWASP : Resource Injection

Recently we had a code scan for one of our projects and "Resource Injection" was reported. Below is the explanation from the Open Web Application Security Project (OWASP) for this vulnerability:
This attack consists of changing resource identifiers used by an application in order to perform a malicious task. When an application permits a user input to define a resource, like a file name or port number, this data can be manipulated to execute or access different resources.

In order to be properly executed, the attacker must be able to specify a resource identifier through the application form, and the application must permit its execution.

The resource type affected by user input indicates the content type that may be exposed. For example, an application that permits input of special characters like period, slash, and backslash is risky when used in methods that interact with the file system.

The resource injection attack focuses on accessing resources other than the local filesystem, which is a different attack technique, known as a Path Manipulation attack.

Confused, right?

Below is the code, with "Resource Injection" reported at line 5, the reader.readLine() call:


StringBuffer buff = new StringBuffer();
InputStream in = request.getInputStream();            // untrusted request body
BufferedReader reader = new BufferedReader(new InputStreamReader(in));
while (true) {
    String line = reader.readLine();                   // flagged: no limit on line length or total size
    if (line == null)
        break;
    buff.append(line);                                 // readLine() strips the line terminators, so they are not appended
}
The only thing I can think of is that this readLine method has no control over what data is read, or its size, which is a risk of getting unexpected content.

But how could the server know the integrity of the incoming resource? (Checking by data size is not safe either.)

So, to fool the scan, I updated the above code to the following:

InputStream in = request.getInputStream();                        // untrusted request body
BufferedReader reader = new BufferedReader(new InputStreamReader(in), 2048);   // 2048 is the internal buffer size, not a cap on the total read
StringWriter writer = new StringWriter();
IOUtils.copy(reader, writer);                                     // Commons IO: copies until end of stream
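As an added example, not part of the original post: by OWASP's own definition, resource injection needs an attacker-controlled resource identifier (a file name, a port number), and neither snippet above contains one, so the only thing the scanner can really be objecting to is that an untrusted request body is read into memory with no bound. Neither version caps it: the 2048 handed to the BufferedReader constructor only sizes its internal buffer, and IOUtils.copy reads to end of stream. The class below reads a body with an explicit maximum and rejects anything larger before buffering it. The 4096-byte limit, the BodyTooLargeException class and the ByteArrayInputStream standing in for request.getInputStream() are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Added example (not from the original post): read an untrusted request body
 * with a hard upper bound so a client cannot make the server buffer an
 * arbitrarily large payload. In a servlet the InputStream would come from
 * request.getInputStream(); a ByteArrayInputStream stands in for it here so
 * the class runs offline.
 */
public class BoundedBodyReader {

    /** Hypothetical exception type for a body that exceeds the configured limit. */
    public static class BodyTooLargeException extends IOException {
        public BodyTooLargeException(long limit) {
            super("request body exceeds " + limit + " bytes");
        }
    }

    /**
     * Reads at most maxBytes from in and returns the body as a UTF-8 string.
     * declaredLength is the Content-Length header, or -1 if absent. It is used
     * only as a cheap early reject and is never trusted on its own: the bytes
     * are still counted as they arrive, because a client can lie about
     * Content-Length or send a chunked body with no length at all.
     */
    public static String readBounded(InputStream in, long declaredLength, int maxBytes) throws IOException {
        if (declaredLength > maxBytes) {
            throw new BodyTooLargeException(maxBytes);      // reject before reading anything
        }
        byte[] buf = new byte[8192];
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        long total = 0;
        int n;
        while ((n = in.read(buf)) != -1) {
            total += n;
            if (total > maxBytes) {
                throw new BodyTooLargeException(maxBytes);  // stop as soon as the cap is crossed
            }
            out.write(buf, 0, n);
        }
        return out.toString(StandardCharsets.UTF_8.name());
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a small JSON body and a 20 KB body of padding.
        byte[] small = "{\"user\":\"alice\"}".getBytes(StandardCharsets.UTF_8);
        byte[] huge = new byte[20_000];
        Arrays.fill(huge, (byte) 'A');

        // Within the 4096-byte limit: returned as a string.
        System.out.println(readBounded(new ByteArrayInputStream(small), small.length, 4096));

        // Oversized and with no Content-Length (-1): rejected while reading.
        try {
            readBounded(new ByteArrayInputStream(huge), -1, 4096);
        } catch (BodyTooLargeException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

If the project already depends on Commons IO, the same bound can be placed in front of the existing IOUtils.copy call by wrapping the request stream in org.apache.commons.io.input.BoundedInputStream, which stops returning data at the configured size; the counting loop above is shown in full so the check is visible. Whatever the mechanism, the server should respond with an error for an over-limit body rather than silently truncating it, since a truncated JSON or XML document is itself unexpected content.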

Please let me know how you deal with the same vulnerability. 
