Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
ID: 470 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Base |
Description
The application uses external input with reflection to select
which classes or code to use, but it does not sufficiently prevent the input
from selecting improper classes or code.
Extended Description
If the application uses external inputs to determine which class to
instantiate or which method to invoke, then an attacker could supply values
to select unexpected classes or methods. If this occurs, then the attacker
could create control flow paths that were not intended by the developer.
These paths could bypass authentication or access control checks, or
otherwise cause the application to behave in an unexpected manner. This
situation becomes a doomsday scenario if the attacker can upload files into
a location that appears on the application's classpath (CWE-427) or add new
entries to the application's classpath (CWE-426). Under either of these
conditions, the attacker can use reflection to introduce new, malicious
behavior into the application.
Applicable Platforms
- Language: Java
- Language: PHP
- Language Class: Sometimes
- Language Class: Interpreted languages
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
Scope | Technical Impact | Notes |
---|
Integrity, Confidentiality, Availability, Other | Execute unauthorized code or commands; Alter execution logic | The attacker might be able to execute code that is not directly accessible to the attacker. Alternately, the attacker could call unexpected code in the wrong place or the wrong time, possibly modifying critical system state. |
Availability, Other | DoS: crash / exit / restart; Other | The attacker might be able to use reflection to call the wrong code, possibly with unexpected arguments that violate the API (CWE-227). This could cause the application to exit or hang. |
Confidentiality | Read application data | By causing the wrong code to be invoked, the attacker might be able to trigger a runtime error that leaks sensitive information in the error message, such as CWE-536. |
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|
Architecture and Design | | Refactor your code to avoid using reflection. | | |
Architecture and Design | | Do not use user-controlled inputs to select and load classes or code. | | |
Implementation | | Apply strict input validation by using whitelists or indirect selection to ensure that the user is only selecting allowable classes or code. | | |
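The following Java sketch is an added example, not code from the original entry. It contrasts a reflective command dispatcher with the indirect-selection mitigation listed above. The names `DispatchDemo`, `Worker`, `AddCommand`, `ModifyCommand` and `PurgeCommand` are hypothetical, and the commands are nested classes only so that the file runs on its own.

```java
import java.util.Map;
import java.util.function.Supplier;

public class DispatchDemo {
    interface Worker { String doAction(); }

    static class AddCommand implements Worker {
        public String doAction() { return "added"; }
    }
    static class ModifyCommand implements Worker {
        public String doAction() { return "modified"; }
    }
    // Internal maintenance task that was never meant to be reachable from a request.
    static class PurgeCommand implements Worker {
        public String doAction() { return "purged all records"; }
    }

    // Weak form: the request value becomes part of the class name, so any
    // class matching the naming pattern is loaded and its constructor runs
    // before the cast to Worker is even checked.
    static Worker reflectiveDispatch(String ctl) throws ReflectiveOperationException {
        Class<?> cls = Class.forName(DispatchDemo.class.getName() + "$" + ctl + "Command");
        return (Worker) cls.getDeclaredConstructor().newInstance();
    }

    // Indirect selection: the input is only a lookup key into a fixed table.
    private static final Map<String, Supplier<Worker>> ALLOWED = Map.of(
        "Add", AddCommand::new,
        "Modify", ModifyCommand::new);

    static Worker allowlistDispatch(String ctl) {
        Supplier<Worker> factory = ALLOWED.get(ctl);
        if (factory == null) {
            throw new IllegalArgumentException("unsupported command");
        }
        return factory.get();
    }

    public static void main(String[] args) throws Exception {
        String ctl = "Purge"; // constructed request parameter value
        System.out.println("reflective: " + reflectiveDispatch(ctl).doAction());
        try {
            allowlistDispatch(ctl);
        } catch (IllegalArgumentException e) {
            System.out.println("allowlist:  rejected (" + e.getMessage() + ")");
        }
        System.out.println("allowlist:  " + allowlistDispatch("Add").doAction());
    }
}
```

With the lookup table, adding a new command requires a code change to `ALLOWED`, so a class that merely exists on the classpath is never selectable by request input.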
Relationships
Related CWE | Type | View | Chain |
---|
CWE-470 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative Examples
- A common reason that programmers use the reflection API is to
implement their own command dispatcher. The following example shows a
command dispatcher that does not use reflection:
Observed Examples
- CVE-2004-2331: Database system allows attackers to bypass sandbox restrictions by using the Reflection API.
White Box Definitions
A weakness where code path has:
1. start statement that accepts input
2. end statement that performs reflective operation and where the input is part of the target name of the reflective operation
Black Box Definitions
None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|
7 Pernicious Kingdoms | | Unsafe Reflection | |
CERT Java Secure Coding | SEC06-J | Do not use reflection to increase accessibility of classes, methods, or fields | |
References: None