AttackFlow Findings Dictionary

Insecure Comparison - Type Name

Attackers can inject malicious types despite a validation that takes the type name into consideration.

Severity

Low

Fix Cost

Low

Trust Level

High

Applications may, from time to time, need dynamic class loading to meet requirements such as extensibility.

When a class is loaded, validations based on the class name can be bypassed by attackers who supply classes with seemingly valid type names. Below is an example of such code:


    public void LoadAndExecute()
    {
        // load a class instance

        // the validation relies only on the simple type name
        if (loadedClass.GetType().Name == "MyClass")
        {
            loadedClass.Run();
        }
        else
        {
            throw new ArgumentException();
        }
        ...


Other insecure name-based checks may also be used:


    public void LoadAndExecute()
    {
        // load a class instance

        if (loadedClass.GetType().FullName == "com.mywebportal.MyClass")
        {
            loadedClass.Run();
        }
        else
        {
            throw new ArgumentException();
        }
        ...
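
The following is an added example, not AttackFlow's own code, that puts the name-based check above beside a type-identity check. The namespaces `MyWebPortal` and `ThirdParty`, the `IRunnable` interface and the `Loader` class are assumptions made for the demonstration; a `FullName` check fails the same way when a type with the same namespace and name comes from a different assembly, which the identity check also rejects.

```csharp
using System;

namespace MyWebPortal   // assumed: the application's own namespace
{
    public interface IRunnable { string Run(); }

    public class MyClass : IRunnable
    {
        public string Run() => "trusted";
    }
}

namespace ThirdParty    // constructed: an unrelated type reusing the simple name
{
    public class MyClass : MyWebPortal.IRunnable
    {
        public string Run() => "untrusted";
    }
}

namespace Demo
{
    public static class Loader
    {
        // Name-based check as on the page: any type called "MyClass" passes.
        public static bool NameCheck(object loaded) =>
            loaded.GetType().Name == "MyClass";

        // Identity check: Type equality covers the namespace and the defining
        // assembly, so a look-alike type is a different Type object.
        public static bool IdentityCheck(object loaded) =>
            loaded.GetType() == typeof(MyWebPortal.MyClass);

        public static string LoadAndExecute(MyWebPortal.IRunnable loaded)
        {
            if (!IdentityCheck(loaded))
                throw new ArgumentException(
                    "unexpected type: " + loaded.GetType().AssemblyQualifiedName);
            return loaded.Run();
        }

        public static void Main()
        {
            object[] candidates = { new MyWebPortal.MyClass(), new ThirdParty.MyClass() };
            foreach (var c in candidates)
                Console.WriteLine(
                    $"{c.GetType().FullName}: name={NameCheck(c)} identity={IdentityCheck(c)}");
        }
    }
}
```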


		

The same name-based validation can be bypassed in Java. Below is an example of such code:


    public void LoadAndExecute() throws ClassNotFoundException
    {
        // load a class instance

        // the validation relies only on the class name
        if (loadedClass.getClass().getName().equals("MyClass"))
        {
            loadedClass.Run();
        }
        else
        {
            throw new ClassNotFoundException();
        }
        ...

