
CWE-472 External Control of Assumed-Immutable Web Parameter: vulnerability list (131)

CWE-472 External Control of Assumed-Immutable Web Parameter: summary of the 131 CVE vulnerabilities in this weakness class, with AI-generated Chinese analysis.

CWE-472 refers to external control of a web parameter that is assumed to be immutable. Attackers typically tamper with critical data that should be fixed by modifying hidden form fields, cookies or URL parameters. Developers should not rely on client-side data: every input must be strictly validated on the server so that business logic is never driven by user-controllable parameters, which prevents the data from being maliciously modified.

MITRE CWE official description
CWE-472: External Control of Assumed-Immutable Web Parameter. The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields. If a web product fails to properly protect assumed-immutable values in hidden form fields, parameters, cookies or URLs from modification, critical data can be tampered with. Web applications often mistakenly assume that data passed to the client through hidden fields or cookies cannot easily be tampered with. Improper validation of user-controllable data can cause the application to process incorrect, and often malicious, input. For example, custom cookies commonly store session data or data that persists across sessions. Such session data typically feeds security-relevant decisions on the server side, such as user authentication and access control, so cookies may contain sensitive data such as user credentials and privileges. This is a dangerous practice because it frequently leads the server-side application to rely improperly on the values of cookies supplied by the client.
Common consequences (1)
Integrity: Modify Application Data
Without appropriate protection mechanisms, the client can easily tamper with cookies and similar web data. Reliance on the cookies without detailed validation can lead to problems such as SQL injection. If you use cookie values for security related decisions on the server side, manipulating the cook…
Mitigations (2)
Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…
Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
Code examples (2)
In this example, a web application uses the value of a hidden form field (accountID) without having done any input validation because it was assumed to be immutable.

```java
// The hidden field is trusted as-is: any client can submit a different accountID.
String accountID = request.getParameter("accountID");
User user = getUserFromID(Long.parseLong(accountID));
```

Bad · Java
Hidden fields should not be trusted as secure parameters.

```html
<input type="hidden" name="accountID" value="...">
```

Bad · HTML
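As an added example (not the page's or MITRE's code), a hardened counterpart to the snippet above in plain Java: the account is bound to the authenticated session instead of being read from the hidden field, and hidden values that genuinely must round-trip through the browser are HMAC-signed so that any client-side edit is detected on return. The `AuthenticatedUser` record, the parameter `Map` standing in for the servlet request, and the class name are assumptions made for this example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

// Added example, not the page's or MITRE's code. Servlet types are replaced by a
// Map of request parameters and a hypothetical AuthenticatedUser so only the JDK is needed.
public final class HiddenFieldCheck {
    // Hypothetical: what the server already knows about the logged-in user.
    record AuthenticatedUser(long userId, long accountId) {}
    private final byte[] key; // server-side HMAC secret, never sent to the client
    HiddenFieldCheck(byte[] key) { this.key = key.clone(); }

    // Hardened replacement for the page's snippet: the account comes from the
    // session, and a client-supplied accountID is accepted only if it matches it.
    static long accountForRequest(AuthenticatedUser user, Map<String, String> params) {
        String supplied = params.get("accountID");
        if (supplied != null) {
            long id;
            try { id = Long.parseLong(supplied); }
            catch (NumberFormatException e) { throw new SecurityException("malformed accountID"); }
            if (id != user.accountId()) throw new SecurityException("accountID not owned by session user");
        }
        return user.accountId();
    }

    // For hidden values that must round-trip through the browser: emit "value.tag"
    // where tag is an HMAC over value, so an edit on the client side fails verification.
    String sign(String value) {
        return value + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(value));
    }

    // Returns the original value, or null if the tag is missing, malformed or wrong.
    String verify(String signed) {
        int dot = signed.lastIndexOf('.');
        if (dot < 0) return null;
        String value = signed.substring(0, dot);
        byte[] given;
        try { given = Base64.getUrlDecoder().decode(signed.substring(dot + 1)); }
        catch (IllegalArgumentException e) { return null; }
        return MessageDigest.isEqual(mac(value), given) ? value : null; // constant-time compare
    }

    private byte[] mac(String value) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(key, "HmacSHA256"));
            return m.doFinal(value.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```

A request whose signed hidden field fails `verify` should be rejected and logged, since a bad tag means the value was altered after the server emitted it.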
| CVE ID | Title | Product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2021-1290 | Multiple Cisco products security vulnerability | Cisco Small Business RV Series Router Firmware | 9.8 | Critical | 2021-02-04 |
| CVE-2021-1291 | Multiple Cisco products security vulnerability | Cisco Small Business RV Series Router Firmware | 9.8 | Critical | 2021-02-04 |
| CVE-2021-1292 | Multiple Cisco products authorization issue vulnerability | Cisco Small Business RV Series Router Firmware | 9.8 | Critical | 2021-02-04 |
| CVE-2021-1293 | Multiple Cisco products authorization issue vulnerability | Cisco Small Business RV Series Router Firmware | 9.8 | Critical | 2021-02-04 |
| CVE-2021-1294 | Multiple Cisco products authorization issue vulnerability | Cisco Small Business RV Series Router Firmware | 9.8 | Critical | 2021-02-04 |
| CVE-2021-1295 | Cisco Small Business security vulnerability | Cisco Small Business RV Series Router Firmware | 9.8 | Critical | 2021-02-04 |
| CVE-2021-1289 | Multiple Cisco products authorization issue vulnerability | Cisco Small Business RV Series Router Firmware | 9.8 | Critical | 2021-02-04 |
| CVE-2020-1765 | Open-source Ticket Request System security vulnerability | ((OTRS)) Community Edition | 3.5 | Low | 2020-01-10 |
| CVE-2019-13927 | Siemens Desigo PX security vulnerability | Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D with Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 | 8.2 | - | 2019-12-12 |
| CVE-2017-5260 | Cambium Networks cnPilot security vulnerability | cnPilot | 8.8 | - | 2017-12-20 |
| CVE-2017-5261 | Cambium Networks cnPilot Web administrative console path traversal vulnerability | cnPilot | 8.1 | - | 2017-12-20 |

CWE-472 (External Control of Assumed-Immutable Web Parameter) is a common weakness class; this platform has collected 131 CVE vulnerabilities associated with it.