[JAVA] Path Manipulation and Resource Insertion - Software Security Guide
A security weakness in which system resources such as files and servers are accessed or identified through unverified external input values, allowing arbitrary access to resources the system is supposed to protect by manipulating those input values.
By exploiting path manipulation and resource insertion weaknesses, attackers can cause service failures through modification or deletion of resources, leak system information, and create conflicts between system resources. In other words, through path manipulation and resource insertion an attacker can acquire rights they should not have to change or execute configuration-related files.
Wrong example)
How to solve?
If an external input is used as an identifier for a resource (a file, a socket port, etc.), ensure that it undergoes appropriate verification or is selected from a predefined list of allowed values.
In particular, if the external input is a file name, use a filter that removes the characters that enable a directory traversal attack, such as `/`, `\` and `..`.
Correct example)
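The following Java class is an added example, not code from the original post. It puts the wrong pattern (using external input directly as a file name) next to a corrected version that applies the two measures described above: a filter that strips `/`, `\` and `..`, and selection from a predefined list of allowed names. The base directory `/var/app/data`, the allowed file names and the `openUnsafe`/`openSafe` method names are assumptions made for this example. The corrected version also normalizes and canonicalizes the resolved path and confirms it still lies inside the base directory, which catches cases (such as symbolic links) that a character filter alone would miss.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

public class SafeFileAccess {

    // Directory that external input is allowed to reference (assumed for this example).
    private static final Path BASE_DIR =
            Paths.get("/var/app/data").toAbsolutePath().normalize();

    // Predefined list of resource names that external input may select (assumed).
    private static final Set<String> ALLOWED_NAMES =
            Set.of("report.txt", "summary.txt", "config.properties");

    // Wrong example: the external value is used directly as a file name.
    // An input such as "../../etc/passwd" escapes the intended directory.
    public static File openUnsafe(String userInput) {
        return new File(BASE_DIR.toFile(), userInput);
    }

    // Filter from the text: remove the characters that enable directory traversal.
    // On its own this is only a first line of defence; the allow list below decides.
    public static String stripTraversalChars(String userInput) {
        return userInput.replaceAll("\\.\\.", "")
                        .replace("/", "")
                        .replace("\\", "");
    }

    // Correct example: filter, then require a name from the predefined list,
    // then verify the resolved and canonical paths stay inside BASE_DIR.
    public static File openSafe(String userInput) throws IOException {
        String name = stripTraversalChars(userInput);
        if (!ALLOWED_NAMES.contains(name)) {
            throw new IllegalArgumentException("Resource not in allowed list: " + userInput);
        }
        Path resolved = BASE_DIR.resolve(name).normalize();
        if (!resolved.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("Path escapes base directory: " + userInput);
        }
        File f = resolved.toFile();
        // getCanonicalPath() follows symbolic links, so re-check containment on the
        // canonical form; the trailing separator prevents "/var/app/data2" matching.
        String canonicalBase = BASE_DIR.toFile().getCanonicalPath() + File.separator;
        if (!f.getCanonicalPath().startsWith(canonicalBase)) {
            throw new IllegalArgumentException("Canonical path escapes base directory: " + userInput);
        }
        return f;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: one legitimate name and two traversal attempts.
        String[] samples = { "report.txt", "../../etc/passwd", "..\\..\\windows\\win.ini" };
        for (String s : samples) {
            try {
                System.out.println(s + " -> allowed: " + openSafe(s).getPath());
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Of the three layers in `openSafe`, the allow list is the one that actually decides access; the character filter and the containment checks are there so that a mistake in the list (for example a name that is later turned into a symbolic link) still cannot reach a file outside the base directory.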
Thank you !!
😀
Thank you!!