Alternate Term |
---|
Reflection Injection |
Scope | Impact | Likelihood |
---|---|---|
Integrity, Confidentiality, Availability, Other | Technical Impact: Execute Unauthorized Code or Commands; Alter Execution Logic. The attacker might be able to execute code that is not directly accessible to the attacker. Alternately, the attacker could call unexpected code in the wrong place or at the wrong time, possibly modifying critical system state. | |
Availability, Other | Technical Impact: DoS: Crash, Exit, or Restart; Other. The attacker might be able to use reflection to call the wrong code, possibly with unexpected arguments that violate the API (CWE-227). This could cause the product to exit or hang. | |
Confidentiality | Technical Impact: Read Application Data. By causing the wrong code to be invoked, the attacker might be able to trigger a runtime error that leaks sensitive information in the error message, such as CWE-536. | |
Phase: Architecture and Design
Refactor your code to avoid using reflection.
Phase: Architecture and Design
Do not use user-controlled inputs to select and load classes or code.
Phase: Implementation
Apply strict input validation by using allowlists or indirect selection to ensure that the user is only selecting allowable classes or code.
Nature | Type | ID | Name |
---|---|---|---|
ChildOf | Class | 610 | Externally Controlled Reference to a Resource in Another Sphere |
ChildOf | Class | 913 | Improper Control of Dynamically-Managed Code Resources |

Nature | Type | ID | Name |
---|---|---|---|
MemberOf | Category | 399 | Resource Management Errors |

Nature | Type | ID | Name |
---|---|---|---|
ChildOf | Class | 913 | Improper Control of Dynamically-Managed Code Resources |

Nature | Type | ID | Name |
---|---|---|---|
ChildOf | Class | 20 | Improper Input Validation |
Phase | Note |
---|---|
Architecture and Design | |
Implementation | |
Languages
Java (Undetermined Prevalence)
PHP (Undetermined Prevalence)
Class: Interpreted (Sometimes Prevalent)
Example 1
A common reason that programmers use the reflection API is to implement their own command dispatcher. The following example shows a command dispatcher that does not use reflection:
A programmer might refactor this code to use reflection as follows:
The refactoring initially appears to offer a number of advantages. There are fewer lines of code, the if/else blocks have been entirely eliminated, and it is now possible to add new command types without modifying the command dispatcher. However, the refactoring allows an attacker to instantiate any object that implements the Worker interface. If the command dispatcher is still responsible for access control, then whenever programmers create a new class that implements the Worker interface, they must remember to modify the dispatcher's access control code. If they do not modify the access control code, then some Worker classes will not have any access control.
One way to address this access control problem is to make the Worker object responsible for performing the access control check. An example of the re-refactored code follows:
Although this is an improvement, it encourages a decentralized approach to access control, which makes it easier for programmers to make access control mistakes. This code also highlights another security problem with using reflection to build a command dispatcher: an attacker can invoke the default constructor of any kind of object. In fact, the attacker is not even constrained to objects that implement the Worker interface; the default constructor of any loadable class in the system can be invoked. If the object does not implement the Worker interface, a ClassCastException will be thrown before the assignment to ao, but if the constructor performs operations that work in the attacker's favor, the damage will already have been done. Note also that loading a class by name runs its static initializer before any constructor is called, so even a class with no usable constructor can be made to execute code. Although this scenario is relatively benign in simple products, in larger products with far more classes on the classpath it is not unreasonable that an attacker could find a constructor or static initializer to leverage as part of an attack.
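The following is an added example, not code from CWE-470 or from the CERT standard it maps to. It reconstructs the reflection-based dispatcher described above (a class name built from the request's `ctl` parameter) next to the indirect-selection dispatcher recommended under the mitigations, and runs both against a legitimate action and against an attacker-chosen class that is not a Worker. The class names, the `request` string and the `MaintenanceCommand` side effect are assumptions made for the demonstration.

```java
import java.util.Map;
import java.util.function.Supplier;

// Added example; not code from CWE-470. Class names and the ctl/request shape are
// assumptions that mirror the dispatcher described in the text.
// Build and run: javac ReflectionDispatchDemo.java && java ReflectionDispatchDemo
public class ReflectionDispatchDemo {

    // The interface the dispatcher expects every command class to implement.
    interface Worker {
        String doAction(String request);
    }

    public static class AddCommand implements Worker {
        public String doAction(String request) { return "added " + request; }
    }

    public static class ModifyCommand implements Worker {
        public String doAction(String request) { return "modified " + request; }
    }

    // Not a Worker. Its public no-arg constructor has a visible side effect, standing
    // in for any constructor an attacker would like to run (cache flush, file write, ...).
    public static class MaintenanceCommand {
        static int constructed = 0;
        public MaintenanceCommand() { constructed++; }
    }

    // VULNERABLE: the class name is built from untrusted input, as in the refactored
    // dispatcher in the text. Any loadable class whose name ends in "Command" and has
    // a public no-arg constructor is loaded and instantiated before the cast to Worker fails.
    static String dispatchUnsafe(String ctl, String request) throws Exception {
        Class<?> cmdClass = Class.forName(ctl + "Command");   // static initializer runs here
        Worker ao = (Worker) cmdClass.getDeclaredConstructor().newInstance();
        return ao.doAction(request);
    }

    // HARDENED: indirect selection. The input only chooses a key in a fixed, immutable
    // map of factories; no class name is ever derived from it and no reflection is used.
    private static final Map<String, Supplier<Worker>> COMMANDS = Map.of(
        "Add", AddCommand::new,
        "Modify", ModifyCommand::new);

    static String dispatchSafe(String ctl, String request) {
        Supplier<Worker> factory = COMMANDS.get(ctl);
        if (factory == null) {
            throw new IllegalArgumentException("unknown action: " + ctl);
        }
        return factory.get().doAction(request);
    }

    public static void main(String[] args) throws Exception {
        // Binary names of the nested classes, e.g. "ReflectionDispatchDemo$Add".
        String prefix = ReflectionDispatchDemo.class.getName() + "$";

        System.out.println(dispatchUnsafe(prefix + "Add", "item1"));

        // Attacker supplies ctl=<prefix>Maintenance: the constructor runs, then the
        // cast throws. The side effect (constructed == 1) has already happened.
        try {
            dispatchUnsafe(prefix + "Maintenance", "item1");
        } catch (ClassCastException e) {
            System.out.println("ClassCastException, but constructor ran "
                + MaintenanceCommand.constructed + " time(s)");
        }

        System.out.println(dispatchSafe("Add", "item1"));
        try {
            dispatchSafe(prefix + "Maintenance", "item1");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The "Command" suffix in `dispatchUnsafe` is not a control: the attacker simply names a class that already ends in `Command`, or any other class if the suffix is dropped. If reflection genuinely cannot be removed, compare the requested name against an allowlist of fully qualified class names before calling `Class.forName`, and prefer the three-argument `Class.forName(name, false, loader)` so that merely resolving a name does not trigger its static initializer.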
Reference | Description |
---|---|
 | Cryptography API uses unsafe reflection when deserializing a private key. |
 | Database system allows attackers to bypass sandbox restrictions by using the Reflection API. |
Automated Static Analysis
Effectiveness: High
Nature | Type | ID | Name |
---|---|---|---|
MemberOf | Category | 859 | The CERT Oracle Secure Coding Standard for Java (2011) Chapter 16 - Platform Security (SEC) |
MemberOf | View | 884 | CWE Cross-section |
MemberOf | Category | 991 | SFP Secondary Cluster: Tainted Input to Environment |
MemberOf | Category | 1347 | OWASP Top Ten 2021 Category A03:2021 - Injection |
MemberOf | Category | 1368 | ICS Dependencies (& Architecture): External Digital Systems |
MemberOf | Category | 1415 | Comprehensive Categorization: Resource Control |
Usage: ALLOWED
Reason: Acceptable-Use
Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
7 Pernicious Kingdoms | | | Unsafe Reflection |
The CERT Oracle Secure Coding Standard for Java (2011) | SEC06-J | | Do not use reflection to increase accessibility of classes, methods, or fields |
CAPEC-ID | Attack Pattern Name |
---|---|
CAPEC-138 | Reflection Injection |
Submissions

Submission Date | Submitter | Organization |
---|---|---|
2006-07-19 (CWE Draft 3, 2006-07-19) | 7 Pernicious Kingdoms | |

Modifications

Modification Date | Modifier | Organization | Comment |
---|---|---|---|
2008-07-01 | Eric Dalci | Cigital | updated Potential_Mitigations, Time_of_Introduction |
2008-08-01 | KDM Analytics | | added/updated white box definitions |
2008-09-08 | CWE Content Team | MITRE | updated Description, Relationships, Other_Notes, Taxonomy_Mappings |
2008-10-14 | CWE Content Team | MITRE | updated Applicable_Platforms, Demonstrative_Examples, Description, Other_Notes |
2009-01-12 | CWE Content Team | MITRE | updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Observed_Examples, Potential_Mitigations |
2009-05-27 | CWE Content Team | MITRE | updated Demonstrative_Examples, Name |
2009-10-29 | CWE Content Team | MITRE | updated Alternate_Terms, Relationships |
2011-03-29 | CWE Content Team | MITRE | updated Demonstrative_Examples |
2011-06-01 | CWE Content Team | MITRE | updated Common_Consequences, Relationships, Taxonomy_Mappings |
2012-05-11 | CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings |
2013-02-21 | CWE Content Team | MITRE | updated Relationships |
2014-07-30 | CWE Content Team | MITRE | updated Relationships |
2017-11-08 | CWE Content Team | MITRE | updated White_Box_Definitions |
2019-01-03 | CWE Content Team | MITRE | updated Taxonomy_Mappings |
2019-06-20 | CWE Content Team | MITRE | updated Relationships |
2020-02-24 | CWE Content Team | MITRE | updated References, Relationships |
2020-06-25 | CWE Content Team | MITRE | updated Potential_Mitigations |
2021-10-28 | CWE Content Team | MITRE | updated Relationships |
2023-01-31 | CWE Content Team | MITRE | updated Common_Consequences, Demonstrative_Examples, Description, Related_Attack_Patterns, Relationships |
2023-04-27 | CWE Content Team | MITRE | updated Detection_Factors, Relationships |
2023-06-29 | CWE Content Team | MITRE | updated Mapping_Notes |
2023-10-26 | CWE Content Team | MITRE | updated Observed_Examples |

Previous Entry Names

Change Date | Previous Entry Name |
---|---|
2008-04-11 | Unsafe Reflection |
2009-05-27 | Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection') |
Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.