Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CWE-470:Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Weakness ID:470
Version:v4.17
Weakness Name:Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Vulnerability Mapping:Allowed
Abstraction:Base
Structure:Simple
Status:Draft
Likelihood of Exploit:
DetailsContent HistoryObserved CVE ExamplesReports
▼Description

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

▼Extended Description

If the product uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select unexpected classes or methods. If this occurs, then the attacker could create control flow paths that were not intended by the developer. These paths could bypass authentication or access control checks, or otherwise cause the product to behave in an unexpected manner. This situation becomes a doomsday scenario if the attacker can upload files into a location that appears on the product's classpath (CWE-427) or add new entries to the product's classpath (CWE-426). Under either of these conditions, the attacker can use reflection to introduce new, malicious behavior into the product.

▼Alternate Terms
Reflection Injection

▼Relationships
Relevant to the view"Research Concepts - (1000)"
NatureMappingTypeIDName
ChildOfAllowed-with-ReviewC913Improper Control of Dynamically-Managed Code Resources
ChildOfDiscouragedC610Externally Controlled Reference to a Resource in Another Sphere
Nature: ChildOf
Mapping: Allowed-with-Review
Type: Class
ID: 913
Name: Improper Control of Dynamically-Managed Code Resources
Nature: ChildOf
Mapping: Discouraged
Type: Class
ID: 610
Name: Externally Controlled Reference to a Resource in Another Sphere
▼Memberships
NatureMappingTypeIDName
MemberOfProhibitedC399Resource Management Errors
MemberOfProhibitedC859The CERT Oracle Secure Coding Standard for Java (2011) Chapter 16 - Platform Security (SEC)
MemberOfProhibitedV884CWE Cross-section
MemberOfProhibitedC991SFP Secondary Cluster: Tainted Input to Environment
MemberOfProhibitedC1347OWASP Top Ten 2021 Category A03:2021 - Injection
MemberOfProhibitedC1368ICS Dependencies (& Architecture): External Digital Systems
MemberOfProhibitedC1415Comprehensive Categorization: Resource Control
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 399
Name: Resource Management Errors
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 859
Name: The CERT Oracle Secure Coding Standard for Java (2011) Chapter 16 - Platform Security (SEC)
Nature: MemberOf
Mapping: Prohibited
Type:View
ID: 884
Name: CWE Cross-section
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 991
Name: SFP Secondary Cluster: Tainted Input to Environment
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 1347
Name: OWASP Top Ten 2021 Category A03:2021 - Injection
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 1368
Name: ICS Dependencies (& Architecture): External Digital Systems
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 1415
Name: Comprehensive Categorization: Resource Control
▼Tags
NatureMappingTypeIDName
MemberOfProhibitedBSBOSS-293Interpreted Weaknesses
MemberOfProhibitedBSBOSS-311Execute Unauthorized Code or Commands (impact)
MemberOfProhibitedBSBOSS-312Other (impact)
MemberOfProhibitedBSBOSS-324DoS: Crash, Exit, or Restart (impact)
MemberOfProhibitedBSBOSS-328Read Application Data (impact)
MemberOfProhibitedBSBOSS-330Alter Execution Logic (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-293
Name: Interpreted Weaknesses
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-311
Name: Execute Unauthorized Code or Commands (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-312
Name: Other (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-324
Name: DoS: Crash, Exit, or Restart (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-328
Name: Read Application Data (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-330
Name: Alter Execution Logic (impact)
▼Relevant To View
Relevant to the view"OWASP Top Ten (2021) - (1344)"
NatureMappingTypeIDName
MemberOfProhibitedC1347OWASP Top Ten 2021 Category A03:2021 - Injection
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1347
Name: OWASP Top Ten 2021 Category A03:2021 - Injection
Relevant to the view"SEI ETF Categories of Security Vulnerabilities in ICS - (1358)"
NatureMappingTypeIDName
MemberOfProhibitedC1368ICS Dependencies (& Architecture): External Digital Systems
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1368
Name: ICS Dependencies (& Architecture): External Digital Systems
Relevant to the view"Software Development - (699)"
NatureMappingTypeIDName
MemberOfProhibitedC399Resource Management Errors
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 399
Name: Resource Management Errors
Relevant to the view"Software Fault Pattern (SFP) Clusters - (888)"
NatureMappingTypeIDName
MemberOfProhibitedC991SFP Secondary Cluster: Tainted Input to Environment
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 991
Name: SFP Secondary Cluster: Tainted Input to Environment
▼Background Detail

▼Common Consequences
ScopeLikelihoodImpactNote
IntegrityConfidentialityAvailabilityOtherN/AExecute Unauthorized Code or CommandsAlter Execution Logic

The attacker might be able to execute code that is not directly accessible to the attacker. Alternately, the attacker could call unexpected code in the wrong place or the wrong time, possibly modifying critical system state.

AvailabilityOtherN/ADoS: Crash, Exit, or RestartOther

The attacker might be able to use reflection to call the wrong code, possibly with unexpected arguments that violate the API (CWE-227). This could cause the product to exit or hang.

ConfidentialityN/ARead Application Data

By causing the wrong code to be invoked, the attacker might be able to trigger a runtime error that leaks sensitive information in the error message, such as CWE-536.

Scope: Integrity, Confidentiality, Availability, Other
Likelihood: N/A
Impact: Execute Unauthorized Code or Commands, Alter Execution Logic
Note:

The attacker might be able to execute code that is not directly accessible to the attacker. Alternately, the attacker could call unexpected code in the wrong place or the wrong time, possibly modifying critical system state.

Scope: Availability, Other
Likelihood: N/A
Impact: DoS: Crash, Exit, or Restart, Other
Note:

The attacker might be able to use reflection to call the wrong code, possibly with unexpected arguments that violate the API (CWE-227). This could cause the product to exit or hang.

Scope: Confidentiality
Likelihood: N/A
Impact: Read Application Data
Note:

By causing the wrong code to be invoked, the attacker might be able to trigger a runtime error that leaks sensitive information in the error message, such as CWE-536.

▼Potential Mitigations
Phase:Architecture and Design
Mitigation ID:
Strategy:
Effectiveness:
Description:

Refactor your code to avoid using reflection.

Note:


Phase:Architecture and Design
Mitigation ID:
Strategy:
Effectiveness:
Description:

Do not use user-controlled inputs to select and load classes or code.

Note:


Phase:Implementation
Mitigation ID:
Strategy:
Effectiveness:
Description:

Apply strict input validation by using allowlists or indirect selection to ensure that the user is only selecting allowable classes or code.

Note:

▼Modes Of Introduction
Phase: Architecture and Design
Note:

N/A

Phase: Implementation
Note:

N/A

▼Applicable Platforms
Languages
Class: Java(Undetermined Prevalence)
Class: PHP(Undetermined Prevalence)
Class: Interpreted(Sometimes Prevalence)
▼Demonstrative Examples
Example 1

A common reason that programmers use the reflection API is to implement their own command dispatcher. The following example shows a command dispatcher that does not use reflection:

Language: ( code)
N/A

Language: Java(Good code)
String ctl = request.getParameter("ctl"); Worker ao = null; if (ctl.equals("Add")) { ao = new AddCommand(); } else if (ctl.equals("Modify")) { ao = new ModifyCommand(); } else { throw new UnknownActionError(); } ao.doAction(request);

Language: ( code)
N/A

A programmer might refactor this code to use reflection as follows:

Language: Java(Bad code)
String ctl = request.getParameter("ctl"); Class cmdClass = Class.forName(ctl + "Command"); Worker ao = (Worker) cmdClass.newInstance(); ao.doAction(request);

Language: ( code)
N/A

The refactoring initially appears to offer a number of advantages. There are fewer lines of code, the if/else blocks have been entirely eliminated, and it is now possible to add new command types without modifying the command dispatcher. However, the refactoring allows an attacker to instantiate any object that implements the Worker interface. If the command dispatcher is still responsible for access control, then whenever programmers create a new class that implements the Worker interface, they must remember to modify the dispatcher's access control code. If they do not modify the access control code, then some Worker classes will not have any access control.

Language: ( code)
N/A

One way to address this access control problem is to make the Worker object responsible for performing the access control check. An example of the re-refactored code follows:

Language: Java(Bad code)
String ctl = request.getParameter("ctl"); Class cmdClass = Class.forName(ctl + "Command"); Worker ao = (Worker) cmdClass.newInstance(); ao.checkAccessControl(request); ao.doAction(request);

Language: ( code)
N/A

Although this is an improvement, it encourages a decentralized approach to access control, which makes it easier for programmers to make access control mistakes. This code also highlights another security problem with using reflection to build a command dispatcher. An attacker can invoke the default constructor for any kind of object. In fact, the attacker is not even constrained to objects that implement the Worker interface; the default constructor for any object in the system can be invoked. If the object does not implement the Worker interface, a ClassCastException will be thrown before the assignment to ao, but if the constructor performs operations that work in the attacker's favor, the damage will already have been done. Although this scenario is relatively benign in simple products, in larger products where complexity grows exponentially it is not unreasonable that an attacker could find a constructor to leverage as part of an attack.

▼Observed Examples
ReferenceDescription
CVE-2018-1000613
Cryptography API uses unsafe reflection when deserializing a private key
CVE-2004-2331
Database system allows attackers to bypass sandbox restrictions by using the Reflection API.
Reference: CVE-2018-1000613
Description:
Cryptography API uses unsafe reflection when deserializing a private key
Reference: CVE-2004-2331
Description:
Database system allows attackers to bypass sandbox restrictions by using the Reflection API.
▼Affected Resources
    ▼Functional Areas
      ▼Weakness Ordinalities
      OrdinalityDescription
      ▼Detection Methods
      Automated Static Analysis
      Detection Method ID:DM-14
      Description:

      Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

      Effectiveness:High
      Note:

      N/A

      ▼Vulnerability Mapping Notes
      Usage:Allowed
      Reason:Acceptable-Use
      Rationale:

      This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

      Comments:

      Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

      Suggestions:
      ▼Notes
      ▼Taxonomy Mappings
      Taxonomy NameEntry IDFitEntry Name
      7 Pernicious KingdomsN/AN/AUnsafe Reflection
      The CERT Oracle Secure Coding Standard for Java (2011)SEC06-JN/ADo not use reflection to increase accessibility of classes, methods, or fields
      Taxonomy Name: 7 Pernicious Kingdoms
      Entry ID: N/A
      Fit: N/A
      Entry Name: Unsafe Reflection
      Taxonomy Name: The CERT Oracle Secure Coding Standard for Java (2011)
      Entry ID: SEC06-J
      Fit: N/A
      Entry Name: Do not use reflection to increase accessibility of classes, methods, or fields
      ▼Related Attack Patterns
      IDName
      CAPEC-138
      Reflection Injection
      ID: CAPEC-138
      Name: Reflection Injection
      ▼References
      Reference ID: REF-6
      Title: Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors
      Author: Katrina Tsipenyuk, Brian Chess, Gary McGraw
      Section:
      Publication:
      NIST Workshop on Software Security Assurance Tools Techniques and Metrics
      Publisher:NIST
      Edition:
      URL:https://samate.nist.gov/SSATTM_Content/papers/Seven%20Pernicious%20Kingdoms%20-%20Taxonomy%20of%20Sw%20Security%20Errors%20-%20Tsipenyuk%20-%20Chess%20-%20McGraw.pdf
      URL Date:
      Day:07
      Month:11
      Year:2005
      Details not found