[Forgot Password]
Login  Register Subscribe

25354

 
 

132805

 
 

139176

 
 

909

 
 

113006

 
 

156

Paid content will be excluded from the download.


Download | Alert*
CWE
view XML

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

ID: 470Date: (C)2012-05-14   (M)2019-12-05
Type: weaknessStatus: DRAFT
Abstraction Type: Base





Description

The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

Extended Description

If the application uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select unexpected classes or methods. If this occurs, then the attacker could create control flow paths that were not intended by the developer. These paths could bypass authentication or access control checks, or otherwise cause the application to behave in an unexpected manner. This situation becomes a doomsday scenario if the attacker can upload files into a location that appears on the application's classpath (CWE-427) or add new entries to the application's classpath (CWE-426). Under either of these conditions, the attacker can use reflection to introduce new, malicious behavior into the application.

Applicable Platforms
Language: Java
Language: PHP
Language Class: Sometimes
Language Class: Interpreted languages

Time Of Introduction

  • Architecture and Design
  • Implementation

Common Consequences

ScopeTechnical ImpactNotes
Integrity
Confidentiality
Availability
Other
 
Execute unauthorized code or commands
Alter execution logic
 
The attacker might be able to execute code that is not directly accessible to the attacker. Alternately, the attacker could call unexpected code in the wrong place or the wrong time, possibly modifying critical system state.
 
Availability
Other
 
DoS: crash / exit / restart
Other
 
The attacker might be able to use reflection to call the wrong code, possibly with unexpected arguments that violate the API (CWE-227). This could cause the application to exit or hang.
 
Confidentiality
 
Read application data
 
By causing the wrong code to be invoked, the attacker might be able to trigger a runtime error that leaks sensitive information in the error message, such as CWE-536.
 

Detection Methods
None

Potential Mitigations

PhaseStrategyDescriptionEffectivenessNotes
Architecture and Design
 
 Refactor your code to avoid using reflection.
 
  
Architecture and Design
 
 Do not use user-controlled inputs to select and load classes or code.
 
  
Implementation
 
 Apply strict input validation by using whitelists or indirect selection to ensure that the user is only selecting allowable classes or code.
 
  

Relationships

Related CWETypeViewChain
CWE-470 ChildOf CWE-896 Category CWE-888  

Demonstrative Examples   (Details)

  1. A common reason that programmers use the reflection API is to implement their own command dispatcher. The following example shows a command dispatcher that does not use reflection:

Observed Examples

  1. CVE-2004-2331 : Database system allows attackers to bypass sandbox restrictions by using the Reflection APi.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions
A weakness where code path has:
1. start statement that accepts input
2. end statement that performs reflective operation and where the input is part of the target name of the reflective operation

Black Box Definitions
None

Taxynomy Mappings

TaxynomyIdNameFit
7 Pernicious Kingdoms  Unsafe Reflection
 
 
CERT Java Secure Coding SEC06-J
 
Do not use reflection to increase accessibility of classes, methods, or fields
 
 

References:
None

CVE    4
CVE-2019-3834
CVE-2018-5511
CVE-2017-7536
CVE-2019-10174
...

© SecPod Technologies