CWE-20

Weakness ID: 20 (Weakness Class)

Status: Draft

Improper Input Validation

Description

Description Summary

The software does not validate, or incorrectly validates, input that can affect the control flow or data flow of a program.

Extended Description

When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This leads to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.

Time of Introduction

Architecture and Design
Implementation

Applicable Platforms

Languages

All (language-independent)

Platform Notes

Input validation can be a problem in any system that receives data from an external source.

Common Consequences

Scope | Impact
Availability | An attacker could provide unexpected values and cause a program crash or excessive consumption of resources such as memory and CPU.
Confidentiality | An attacker could read confidential data if they are able to control resource references.
Integrity | An attacker could use malicious input to modify data or possibly alter control flow in unexpected ways, including arbitrary command execution.

 

Likelihood of Exploit

High

Detection Methods

Automated Static Analysis
Some instances of improper input validation can be detected using automated static analysis. A static analysis tool might allow the user to specify which application-specific methods or functions perform input validation; the tool might also have built-in knowledge of validation frameworks such as Struts. The tool can then suppress or de-prioritize the associated warnings, which lets the analyst focus on areas of the software in which input validation does not appear to be present. Except in the cases just described, automated static analysis might not be able to recognize when proper input validation is being performed, leading to false positives, i.e., warnings that have no security consequences or that require no code change.

Manual Static Analysis
When custom input validation is required, such as when enforcing business rules, manual analysis is necessary to confirm that the validation is properly implemented.

Fuzzing
Fuzzing techniques are useful for detecting input validation errors. When unexpected input is provided to the software, the software should not crash or otherwise become unstable, and it should generate application-controlled error messages. If exceptions or interpreter-generated error messages occur, this indicates that the input was not detected and handled within the application logic itself.

Demonstrative Examples

Example 1:

 

The following example is a program for a shopping interaction in which the user is free to specify the quantity of items to be purchased, and a total price is calculated from that input.

Sample language: Java (bad code)
...
public static final double price = 20.00;
int quantity = currentUser.getAttribute("quantity");
double total = price * quantity;
chargeUser(total);
...

The user cannot manipulate the price variable that sets the unit price of the item, but nothing prevents a negative value from being supplied as the quantity. If an attacker supplies a negative value, the attacker's account is credited instead of debited.

 

Example 2:

 

The following example asks the user for the height and width (m x n) of a game board whose maximum dimension is 100 squares.

Sample language: C (bad code)
...
#define MAX_DIM 100
...
/* board dimensions */
int m, n, error;
board_square_t *board;
printf("Please specify the board height: \n");
error = scanf("%d", &m);
if ( EOF == error ){
    die("No integer passed: Die evil hacker!\n");
}
printf("Please specify the board width: \n");
error = scanf("%d", &n);
if ( EOF == error ){
    die("No integer passed: Die evil hacker!\n");
}
if ( m > MAX_DIM || n > MAX_DIM ) {
    die("Value too large: Die evil hacker!\n");
}
board = (board_square_t*) malloc( m * n * sizeof(board_square_t));
...

This code checks that the user cannot specify large positive values, which prevents the type from overflowing, but it performs no check for negative values. As a result, an attacker can specify two large negative values that do not overflow, producing a very large allocation or possibly a system crash, i.e., a resource consumption (CWE-400) attack. Alternatively, extremely large negative values can cause an integer overflow (CWE-190), with unexpected behaviour that depends on the context in which the values are used.
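A hardened rewrite of Example 2, added here as an illustration; it is not code from CWE or from the original page. It adds the checks the text says are missing (a lower bound that rejects zero and negative dimensions, which is also the bound missing for the negative quantity in Example 1) and follows the CERT INT06-C mapping listed later on this page by converting with strtol instead of scanf, so non-numeric text, trailing garbage and out-of-range magnitudes are all rejected before any arithmetic. The board_square_t type is assumed because the page never defines it; the line buffer size and the dim_of wrapper are this example's own choices.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_DIM 100

/* Assumed square type; only its size matters for the allocation below. */
typedef struct { int owner; } board_square_t;

/*
 * Parse one board dimension from an untrusted text field.
 * Returns 0 and stores the value in *out only for a whole decimal integer
 * in the range 1..MAX_DIM.  Negative numbers, zero, values above MAX_DIM,
 * empty input, non-digits and trailing garbage are all rejected.
 */
int parse_dim(const char *text, int *out)
{
    char *end;
    long v;

    if (text == NULL)
        return -1;
    errno = 0;
    v = strtol(text, &end, 10);        /* CERT INT06-C: strtol, not scanf */
    if (end == text)                   /* no digits at all (also empty input) */
        return -1;
    if (errno == ERANGE)               /* magnitude did not fit in a long */
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;                         /* tolerate the newline fgets leaves */
    if (*end != '\0')                  /* "12abc": trailing junk */
        return -1;
    if (v < 1 || v > MAX_DIM)          /* lower bound rejects 0 and negatives */
        return -1;
    *out = (int)v;
    return 0;
}

/*
 * Size in bytes of an m x n board, or -1 if m or n is out of range or the
 * product would not fit in size_t, so malloc never receives a wrapped size.
 */
long long board_bytes(int m, int n)
{
    size_t cells;

    if (m < 1 || n < 1 || m > MAX_DIM || n > MAX_DIM)
        return -1;
    cells = (size_t)m * (size_t)n;                 /* at most 10000 */
    if (cells > SIZE_MAX / sizeof(board_square_t)) /* guards a larger MAX_DIM */
        return -1;
    return (long long)(cells * sizeof(board_square_t));
}

/* Convenience wrapper: the parsed dimension, or -1 when input is rejected. */
int dim_of(const char *text)
{
    int v;
    return parse_dim(text, &v) == 0 ? v : -1;
}

int main(void)
{
    char line[32];
    int m, n;
    long long bytes;
    board_square_t *board;

    printf("Please specify the board height: ");
    if (fgets(line, sizeof line, stdin) == NULL || parse_dim(line, &m) != 0) {
        fprintf(stderr, "height must be an integer from 1 to %d\n", MAX_DIM);
        return 1;
    }
    printf("Please specify the board width: ");
    if (fgets(line, sizeof line, stdin) == NULL || parse_dim(line, &n) != 0) {
        fprintf(stderr, "width must be an integer from 1 to %d\n", MAX_DIM);
        return 1;
    }
    bytes = board_bytes(m, n);
    if (bytes < 0 || (board = malloc((size_t)bytes)) == NULL) {
        fprintf(stderr, "cannot allocate board\n");
        return 1;
    }
    printf("allocated a %d x %d board (%lld bytes)\n", m, n, bytes);
    free(board);
    return 0;
}
```

The two-sided range check is the whole point: the original only compared against MAX_DIM, so every negative number passed. Reading a line with fgets and converting it separately also removes the scanf behaviour of leaving unparsed text in the stream for the next prompt.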

 

Example 3:

 

The following example shows code from a PHP application in which the programmer attempts to display the user's birthday and homepage.
Sample language: PHP (bad code)
$birthday = $_GET['birthday'];
$homepage = $_GET['homepage'];
echo "Birthday: $birthday<br>Homepage: <a href=$homepage>click here</a>";

The programmer intends $birthday to be in a date format and $homepage to be a valid URL. However, since both values are taken from the HTTP request, an attacker who tricks a victim into clicking a crafted URL that supplies <script> tags as the value of birthday and/or homepage gets that script executed in the client's browser when the web server echoes the content back. Note that even if the programmer defends the $birthday variable by restricting its input to digits and "-" (dashes), the following input is still possible:

(attack string)
2009-01-09--

If this data were used in a SQL statement, the remainder of the statement after this input would be treated as a comment. The comment could disable other security-related logic in the statement. In this case, encoding combined with input validation would be the more effective defence mechanism.

Finally, XSS (CWE-79) and SQL injection (CWE-89) are only some of the potential consequences of failing to protect fields of this kind. Depending on the context of the code, CRLF Injection (CWE-93), Argument Injection (CWE-88) or Command Injection (CWE-77) may also occur.
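The combination the text recommends, validation of the input's format plus output encoding, written in C as an added example (not code from CWE or from the original page). is_iso_date is a whitelist that accepts only the YYYY-MM-DD form, so the 2009-01-09-- attack string above is rejected outright rather than merely passing a digits-and-dashes filter; is_numeric_id is the digits-only check that the Relationship Notes later on this page describe for an ID field; html_escape is the output-encoding step that protects the echo. The entity choices, buffer sizes and the escaped wrapper are this example's own assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Strict whitelist for a birthday field: exactly YYYY-MM-DD, digits only,
   month 01..12, day 01..31.  "2009-01-09--" fails on length alone;
   "<script>" fails on the digit test. */
int is_iso_date(const char *s)
{
    int i, month, day;

    if (s == NULL || strlen(s) != 10)
        return 0;
    for (i = 0; i < 10; i++) {
        if (i == 4 || i == 7) {
            if (s[i] != '-')
                return 0;
        } else if (s[i] < '0' || s[i] > '9') {
            return 0;
        }
    }
    month = (s[5] - '0') * 10 + (s[6] - '0');
    day   = (s[8] - '0') * 10 + (s[9] - '0');
    return month >= 1 && month <= 12 && day >= 1 && day <= 31;
}

/* Whitelist for an identifier field: non-empty and made of 0-9 only.
   Injection through such a field is impossible without any escaping. */
int is_numeric_id(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    for (; *s; s++)
        if (*s < '0' || *s > '9')
            return 0;
    return 1;
}

/* Output encoding for HTML text and attribute contexts: the five characters
   that can change the structure of the page become entity references.
   Returns 0 on success, -1 if the result would not fit in out[outlen]. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t used = 0;

    for (; *in; in++) {
        const char *rep;
        char literal[2] = { *in, '\0' };
        size_t len;

        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = literal;  break;
        }
        len = strlen(rep);
        if (used + len >= outlen)      /* keep room for the terminator */
            return -1;
        memcpy(out + used, rep, len);
        used += len;
    }
    out[used] = '\0';
    return 0;
}

/* Convenience wrapper returning the escaped text from a static buffer
   (not reentrant; adequate for a demonstration). */
const char *escaped(const char *in)
{
    static char buf[256];
    return html_escape(in, buf, sizeof buf) == 0 ? buf : "";
}
```

The validators answer "is this shaped like what I expect?"; html_escape answers "how do I emit it safely in this context?". Both are needed for free-form fields such as a name: "O'Reilly" passes any reasonable name check yet still has to be encoded for the context it is written into. The $homepage value needs its own whitelist (an http/https scheme check) and the href attribute must be quoted; neither is shown here.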

 

Example 4:

 

The following example accepts user input that is expected to be a pair of integers, m and n.

Sample language: C (bad code)
void parse_data(char *untrusted_input){
    int m, n, error;
    error = sscanf(untrusted_input, "%d:%d", &m, &n);
    if ( EOF == error ){
        die("Did not specify integer value. Die evil hacker!\n");
    }
    /* proceed assuming n and m are initialized correctly */
}

This code attempts to extract two int values from formatted input supplied by the user. However, if an attacker supplies a value such as "123:", only the variable m is initialized:

(attack string)
123:

As a result, subsequent use of n may lead to the use of an uninitialized variable (CWE-457).
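A corrected parse_data for Example 4, added as an illustration (not code from CWE or the original page). The fix is to treat anything other than two successful conversions as failure, to initialise the outputs before calling sscanf, and to use %n to reject trailing data. The wrapper functions pair_ok and pair_sum exist only to exercise the parser.

```c
#include <stdio.h>

/*
 * Extract "m:n" from untrusted text.  Returns 0 and fills *m and *n only when
 * both integers were converted and nothing follows them; any other outcome
 * (EOF on empty input, 0 or 1 conversions, trailing data) is rejected, so the
 * caller can never observe a half-initialised pair.
 */
int parse_pair(const char *untrusted_input, int *m, int *n)
{
    int a = 0, b = 0;            /* initialised: never read as garbage */
    int consumed = -1;           /* set by %n only after both %d matched */
    int converted;

    converted = sscanf(untrusted_input, "%d:%d%n", &a, &b, &consumed);
    if (converted != 2)          /* the original rejected only EOF */
        return -1;
    if (untrusted_input[consumed] != '\0')   /* "1:2 extra" */
        return -1;
    *m = a;
    *n = b;
    return 0;
}

/* Convenience wrappers for exercising the parser. */
int pair_ok(const char *untrusted_input)
{
    int m, n;
    return parse_pair(untrusted_input, &m, &n) == 0;
}

int pair_sum(const char *untrusted_input)
{
    int m, n;
    if (parse_pair(untrusted_input, &m, &n) != 0)
        return 0;
    return m + n;
}
```

sscanf returns the number of conversions, not a success flag, so "123:" yields 1 and "" yields EOF; both must be treated as failure. %d is still undefined on values outside the int range, so for genuinely untrusted text a strtol-based parser with explicit range checks is the safer choice.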

 

Example 5:

 

The following example takes user input to allocate an array of objects and then operates on the array.
Sample language: Java (bad code)
private void buildList ( int untrustedListSize ){
    if ( 0 > untrustedListSize ){
        die("Negative value supplied for list size, die evil hacker!");
    }
    Widget[] list = new Widget [ untrustedListSize ];
    list[0] = new Widget();
}

This example attempts to build a list from a user-specified value, and it does check that the value is not negative. However, if 0 is supplied, an array of size 0 is created and the code then tries to store a new Widget in its first location, causing an exception to be thrown.

 

Observed Examples

 

Reference | Description
CVE-2008-5305 Eval injection in Perl program using an ID that should only contain hyphens and numbers.
CVE-2008-2223 SQL injection through an ID that was supposed to be numeric.
CVE-2008-3477 lack of input validation in spreadsheet program leads to buffer overflows, integer overflows, array index errors, and memory corruption.
CVE-2008-3843 insufficient validation enables XSS
CVE-2008-3174 driver in security product allows code execution due to insufficient validation
CVE-2007-3409 infinite loop from DNS packet with a label that points to itself
CVE-2006-6870 infinite loop from DNS packet with a label that points to itself
CVE-2008-1303 missing parameter leads to crash
CVE-2007-5893 HTTP request with missing protocol version number leads to crash
CVE-2006-6658 request with missing parameters leads to information leak
CVE-2008-4114 system crash with offset value that is inconsistent with packet size
CVE-2006-3790 size field that is inconsistent with packet size leads to buffer over-read
CVE-2008-2309 product uses a blacklist to identify potentially dangerous content, allowing attacker to bypass a warning
CVE-2008-3494 security bypass via an extra header
CVE-2006-5462 use of extra data in a signature allows certificate signature forging
CVE-2008-3571 empty packet triggers reboot
CVE-2006-5525 incomplete blacklist allows SQL injection
CVE-2008-1284 NUL byte in theme name cause directory traversal impact to be worse
CVE-2008-0600 kernel does not validate an incoming pointer before dereferencing it
CVE-2008-1738 anti-virus product has insufficient input validation of hooked SSDT functions, allowing code execution
CVE-2008-1737 anti-virus product allows DoS via zero-length field
CVE-2008-3464 driver does not validate input from userland to the kernel
CVE-2008-2252 kernel does not validate parameters sent in from userland, allowing code execution
CVE-2008-2374 lack of validation of string length fields allows memory consumption or buffer over-read
CVE-2008-1440 lack of validation of length field leads to infinite loop
CVE-2008-1625 lack of validation of input to an IOCTL allows code execution
CVE-2008-3177 zero-length attachment causes crash
CVE-2007-2442 zero-length input causes free of uninitialized pointer
CVE-2008-5563 crash via a malformed frame structure
CVE-2008-5285 infinite loop from a long SMTP request
CVE-2008-3812 router crashes with a malformed packet
CVE-2008-3680 packet with invalid version number leads to NULL pointer dereference
CVE-2008-3660 crash via multiple "." characters in file extension

 

Potential Mitigations

Phase: Architecture and Design

Strategy: Input Validation; Libraries or Frameworks
Use an input validation framework such as Struts or the OWASP ESAPI Validation API. If you use Struts, be mindful of the weaknesses covered by the CWE-101 category.

Phase: Architecture and Design; Implementation

Understand all the potential areas where untrusted input can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external system that provides data to the application.
Remember that such input may also arrive indirectly through API calls.

Phase: Implementation

Assume all input is malicious. Use an "accept known good" strategy: a whitelist of acceptable inputs that strictly conform to the specification. Reject any input that does not strictly conform to the specification, or transform it into something that does. Do not rely exclusively on a blacklist, i.e., on looking for malicious or malformed input. Blacklists can still be useful for detecting potential attacks or for deciding which inputs are so malformed that they should be rejected outright.

When validating input, consider all potentially relevant properties: length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business-rule logic, "boat" may be syntactically valid because it contains only alphanumeric characters, but it is not valid if the developer expects a colour name such as "red" or "blue".

Phase: Architecture and Design

To avoid CWE-602, ensure that every security check performed on the client side is duplicated on the server side. Attackers can bypass client-side checks by modifying values after the checks have run, or by altering the client to remove the checks entirely; the modified values are then submitted to the server.

Even though client-side checks provide minimal benefit for server-side security, they are still useful in the following respects:
- They can support intrusion detection: if the server receives input that the client should have rejected, that may indicate an attack.
- Client-side error checking gives the user helpful feedback about what valid input is expected.
- For accidental input errors there may be a reduction in server-side processing time, although this is typically a small saving.

Phase: Architecture and Design

Do not rely exclusively on blacklist validation to detect malicious input or to encode output (CWE-184). There are too many ways to encode the same character, so some variants are likely to be missed.

Phase: Implementation

When the application combines data from multiple sources, perform the validation after the sources have been combined. Individual data elements may each pass validation yet violate the intended restrictions once they are combined.

Phase: Implementation

Be especially careful to validate input when invoking code that crosses a language boundary, such as calling native code from an interpreted language or handing data to a separate binary. Such boundaries can produce unexpected interactions. Make sure you are not violating any expectation of the language you are interfacing with. For example, even though Java itself is not susceptible to buffer overflows, passing a large argument in a call to native code may trigger an overflow there.

Phase: Implementation

Convert the input directly into the expected data type, for instance with a conversion function that turns a string into a number. After the conversion, confirm that the value falls within the expected range of allowable values and that consistency across multiple fields is maintained.

Phase: Implementation

Decode and canonicalize input into the application's current internal representation before validating it (CWE-180, CWE-181). Also make sure that the application does not inadvertently decode the same input twice (CWE-174). Such errors can be used to bypass whitelist schemes by introducing dangerous input after it has been checked. Use a library such as the OWASP ESAPI Canonicalization control.

Consider repeating canonicalization until the input no longer changes. This avoids double decoding and similar scenarios, but it may inadvertently modify input that is allowed to contain properly encoded dangerous content.
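The canonicalize-then-validate loop described above, in C, as an added example (not code from CWE, OWASP ESAPI or the original page). percent_decode_once performs one pass of URL %XX decoding and refuses to create an embedded NUL byte (CWE-626); canonicalize repeats it until a pass changes nothing; is_safe_filename runs only on the canonical form. check_name_one_pass shows the CWE-174 mistake of validating after a single decode. The pass limit, the file-name rules and the helper names are this example's assumptions.

```c
#include <stddef.h>
#include <string.h>

#define MAX_DECODE_PASSES 8
#define NAME_MAX_LEN 255

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* One pass of %XX decoding, in place.  Returns the number of escapes
   replaced (0 means the text is already canonical), or -1 if an escape would
   produce a NUL byte: "%00" would silently truncate the name for every C
   string function that follows.  Malformed escapes ("%4", "%zz") are kept. */
int percent_decode_once(char *s)
{
    size_t r = 0, w = 0;
    int replaced = 0, hi, lo;

    while (s[r] != '\0') {
        if (s[r] == '%' && (hi = hexval((unsigned char)s[r + 1])) >= 0
                        && (lo = hexval((unsigned char)s[r + 2])) >= 0) {
            if (hi == 0 && lo == 0) {
                s[w] = '\0';
                return -1;
            }
            s[w++] = (char)(hi * 16 + lo);
            r += 3;
            replaced++;
        } else {
            s[w++] = s[r++];
        }
    }
    s[w] = '\0';
    return replaced;
}

/* Decode repeatedly until a pass changes nothing (a fixed point).  Returns
   the number of passes that changed the text, or -1 if decoding was rejected
   or the pass limit was reached. */
int canonicalize(char *s)
{
    int passes = 0, n;

    while ((n = percent_decode_once(s)) > 0)
        if (++passes >= MAX_DECODE_PASSES)
            return -1;
    return n < 0 ? -1 : passes;
}

/* Validation that must run only on the canonical form: a bare file name
   with no traversal sequence and no path separator. */
int is_safe_filename(const char *s)
{
    if (*s == '\0' || strlen(s) > NAME_MAX_LEN) return 0;
    if (strstr(s, "..") != NULL) return 0;
    if (strchr(s, '/') != NULL || strchr(s, '\\') != NULL) return 0;
    return 1;
}

static int load(const char *untrusted, char *buf)
{
    if (strlen(untrusted) > NAME_MAX_LEN) return 0;
    strcpy(buf, untrusted);
    return 1;
}

/* Decode once, then validate: the CWE-174 pattern the text warns against. */
int check_name_one_pass(const char *untrusted)
{
    char buf[NAME_MAX_LEN + 1];
    if (!load(untrusted, buf) || percent_decode_once(buf) < 0) return 0;
    return is_safe_filename(buf);
}

/* Canonicalize to a fixed point, then validate. */
int check_name(const char *untrusted)
{
    char buf[NAME_MAX_LEN + 1];
    if (!load(untrusted, buf) || canonicalize(buf) < 0) return 0;
    return is_safe_filename(buf);
}

/* Fully decoded form in a static buffer (not reentrant); "" if rejected. */
const char *canonical_form(const char *untrusted)
{
    static char buf[NAME_MAX_LEN + 1];
    if (!load(untrusted, buf) || canonicalize(buf) < 0) return "";
    return buf;
}
```

The double-encoded value %252e%252e%252fetc%252fpasswd decodes to %2e%2e%2fetc%2fpasswd after one pass, which contains neither ".." nor "/" and so passes the single-pass check, and to ../etc/passwd after the second pass. The fixed-point loop catches it. The price is the side effect the text mentions: canonical_form("100%2525.txt") collapses to 100%.txt, so the loop is only appropriate for fields that should never legitimately carry encoded content once decoded.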

Phase: Implementation

When exchanging data between components, make sure that both components use the same character encoding, and that the proper encoding is applied at each interface. Whenever the protocol allows it, set the encoding explicitly.

Phase: Testing

Use automated static analysis tools that target this type of weakness. Many modern techniques use data-flow analysis to minimize the number of false positives. This is not a perfect solution, since 100% accuracy and coverage are not feasible.

Phase: Testing

Use dynamic tools and techniques that exercise the software with large test suites of diverse input, such as fuzz testing (fuzzing), robustness testing and fault injection. The software's operation may slow down under such testing, but it should not become unstable, crash or produce incorrect results.

Relationships

 

Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 19 | Data Handling | Development Concepts (primary) 699
ChildOf | Weakness Class | 693 | Protection Mechanism Failure | Research Concepts (primary) 1000
ChildOf | Category | 722 | OWASP Top Ten 2004 Category A1 - Unvalidated Input | Weaknesses in OWASP Top Ten (2004) (primary) 711
ChildOf | Category | 738 | CERT C Secure Coding Section 04 - Integers (INT) | Weaknesses Addressed by the CERT C Secure Coding Standard (primary) 734
ChildOf | Category | 742 | CERT C Secure Coding Section 08 - Memory Management (MEM) | Weaknesses Addressed by the CERT C Secure Coding Standard 734
ChildOf | Category | 746 | CERT C Secure Coding Section 12 - Error Handling (ERR) | Weaknesses Addressed by the CERT C Secure Coding Standard 734
ChildOf | Category | 747 | CERT C Secure Coding Section 49 - Miscellaneous (MSC) | Weaknesses Addressed by the CERT C Secure Coding Standard 734
ChildOf | Category | 751 | Insecure Interaction Between Components | Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (primary) 750
CanPrecede | Weakness Class | 22 | Path Traversal | Research Concepts 1000
CanPrecede | Weakness Base | 41 | Failure to Resolve Path Equivalence | Research Concepts 1000
CanPrecede | Weakness Class | 74 | Failure to Sanitize Data into a Different Plane (aka 'Injection') | Research Concepts 1000
CanPrecede | Weakness Base | 15 | External Control of System or Configuration Setting | Seven Pernicious Kingdoms (primary) 700
ParentOf | Category | 21 | Pathname Traversal and Equivalence Errors | Development Concepts (primary) 699
ParentOf | Weakness Class | 73 | External Control of File Name or Path | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Class | 77 | Failure to Sanitize Data into a Control Plane (aka 'Command Injection') | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 79 | Failure to Preserve Web Page Structure (aka 'Cross-site Scripting') | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 89 | Failure to Preserve SQL Query Structure (aka 'SQL Injection') | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 99 | Insufficient Control of Resource Identifiers (aka 'Resource Injection') | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Class | 100 | Technology-Specific Input Validation Problems | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 102 | Struts: Duplicate Validation Forms | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 103 | Struts: Incomplete validate() Method Definition | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 104 | Struts: Form Bean Does Not Extend Validation Class | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 105 | Struts: Form Field Without Validator | Seven Pernicious Kingdoms (primary) 700; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 106 | Struts: Plug-in Framework not in Use | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 107 | Struts: Unused Validation Form | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 108 | Struts: Unvalidated Action Form | Seven Pernicious Kingdoms (primary) 700; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 109 | Struts: Validator Turned Off | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 110 | Struts: Validator Without Form Field | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 111 | Direct Use of Unsafe JNI | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 112 | Missing XML Validation | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700; Research Concepts (primary) 1000
ParentOf | Weakness Base | 113 | Failure to Sanitize CRLF Sequences in HTTP Headers (aka 'HTTP Response Splitting') | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 114 | Process Control | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700; Research Concepts (primary) 1000
ParentOf | Weakness Base | 117 | Incorrect Output Sanitization for Logs | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Class | 119 | Failure to Constrain Operations within the Bounds of a Memory Buffer | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Compound Element: Composite | 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 129 | Improper Validation of Array Index | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 134 | Uncontrolled Format String | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 170 | Improper Null Termination | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 190 | Integer Overflow or Wraparound | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 466 | Return of Pointer Value Outside of Expected Range | Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Base | 470 | Use of Externally-Controlled Input to Select Classes or Code (aka 'Unsafe Reflection') | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 554 | ASP.NET Misconfiguration: Not Using Input Validation Framework | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 601 | URL Redirection to Untrusted Site (aka 'Open Redirect') | Development Concepts (primary) 699
ParentOf | Weakness Base | 606 | Unchecked Input for Loop Condition | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 621 | Variable Extraction Error | Development Concepts (primary) 699
ParentOf | Weakness Variant | 622 | Unvalidated Function Hook Arguments | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 626 | Null Byte Interaction Error (Poison Null Byte) | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Compound Element: Chain | 680 | Integer Overflow to Buffer Overflow | Research Concepts (primary) 1000
ParentOf | Compound Element: Chain | 690 | Unchecked Return Value to NULL Pointer Dereference | Research Concepts (primary) 1000
ParentOf | Compound Element: Chain | 692 | Incomplete Blacklist to Cross-Site Scripting | Research Concepts (primary) 1000
ParentOf | Weakness Variant | 781 | Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Variant | 785 | Use of Path Manipulation Function without Maximum-sized Buffer | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700
ParentOf | Weakness Variant | 789 | Uncontrolled Memory Allocation | Research Concepts 1000
MemberOf | View | 635 | Weaknesses Used by NVD | Weaknesses Used by NVD (primary) 635
MemberOf | View | 700 | Seven Pernicious Kingdoms | Seven Pernicious Kingdoms (primary) 700

 

Relationship Notes

CWE-20 has a close association with CWE-116 because, depending on the nature of the structured message, proper input validation can indirectly prevent special characters from changing the meaning of the message. For example, by validating that a numeric ID field contains only the characters 0-9, the programmer effectively prevents injection attacks through that field.

However, input validation is not always sufficient, especially when less strict data types such as free-form text must be supported.
Consider a SQL injection scenario in which a last name is inserted into a query. The name "O'Reilly" is a common English surname and would be expected to pass validation, but it contains an apostrophe, which must be escaped or otherwise neutralized. In this case, stripping the apostrophe might reduce the risk of SQL injection, but it would also produce incorrect behaviour, because the wrong name would be recorded.

Research Gaps

Input validation techniques, and the applications that perform them, are not well classified. Many vulnerabilities are described simply as "input validation" problems, without details such as how the validation was performed or what vulnerabilities may result. Validation is a weaker notion than filtering or transformation, and it is overly general when compared with other neutralization methods. See the vulnerability theory paper.

Terminology Notes

The term "input validation" is extremely common, but it is used in many different ways. In some cases its use obscures the actual underlying weakness or hides chaining and composite relationships.

Some people use "input validation" as a general term covering many different techniques for ensuring that input is appropriate, such as filtering, canonicalization and escaping. Others use it in the narrower sense of "checking whether input conforms to expectations without changing it". CWE uses this latter, narrower definition.

Taxonomy Mappings

 

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
7 Pernicious Kingdoms | | | Input validation and representation
OWASP Top Ten 2004 | A1 | CWE More Specific | Unvalidated Input
CERT C Secure Coding | ERR07-C | | Prefer functions that support error checking over equivalent functions that don't
CERT C Secure Coding | INT06-C | | Use strtol() or a related function to convert a string token to an integer
CERT C Secure Coding | MEM10-C | | Define and use a pointer validation function
CERT C Secure Coding | MSC08-C | | Library functions should validate their parameters
WASC | 20 | | Improper Input Handling

 

Related Attack Patterns

 

CAPEC-ID | Attack Pattern Name (CAPEC Version 1.5)
3 Using Leading 'Ghost' Character Sequences to Bypass Input Filters
7 Blind SQL Injection
8 Buffer Overflow in an API Call
9 Buffer Overflow in Local Command-Line Utilities
10 Buffer Overflow via Environment Variables
13 Subverting Environment Variable Values
14 Client-side Injection-induced Buffer Overflow
22 Exploiting Trust in Client (aka Make the Client Invisible)
24 Filter Failure through Buffer Overflow
28 Fuzzing
31 Accessing/Intercepting/Modifying HTTP Cookies
42 MIME Conversion
43 Exploiting Multiple Input Interpretation Layers
88 OS Command Injection
45 Buffer Overflow via Symbolic Links
46 Overflow Variables and Tags
47 Buffer Overflow via Parameter Expansion
52 Embedding NULL Bytes
53 Postfix, Null Terminate, and Backslash
101 Server Side Include (SSI) Injection
64 Using Slashes and URL Encoding Combined to Bypass Validation Logic
66 SQL Injection
67 String Format Overflow in syslog()
72 URL Encoding
73 User-Controlled Filename
78 Using Escaped Slashes in Alternate Encoding
79 Using Slashes in Alternate Encoding
99 XML Parser Attack
83 XPath Injection
85 Client Network Footprinting (using AJAX/XSS)
86 Embedding Script (XSS ) in HTTP Headers
32 Embedding Scripts in HTTP Query Strings
18 Embedding Scripts in Nonscript Elements
63 Simple Script Injection
71 Using Unicode Encoding to Bypass Validation Logic
80 Using UTF-8 Encoding to Bypass Validation Logic
81 Web Logs Tampering
91 XSS in IMG Tags
104 Cross Zone Scripting
106 Cross Site Scripting through Log Files
108 Command Line Execution through SQL Injection
109 Object Relational Mapping Injection
110 SQL Injection through SOAP Parameter Tampering
171 Variable Manipulation

 

References

Jim Manico. "Input Validation with ESAPI - Very Important". 2008-08-15. <http://manicode.blogspot.com/2008/08/input-validation-with-esapi.html>.
"OWASP Enterprise Security API (ESAPI) Project". <http://www.owasp.org/index.php/ESAPI>.
Joel Scambray, Mike Shema and Caleb Sima. "Hacking Exposed Web Applications, Second Edition". Chapter "Input Validation Attacks". McGraw-Hill. 2006-06-05.
Jeremiah Grossman. "Input validation or output filtering, which is better?". 2007-01-30. <http://jeremiahgrossman.blogspot.com/2007/01/input-validation-or-output-filtering.html>.
Kevin Beaver. "The importance of input validation". 2006-09-06. <http://searchsoftwarequality.techtarget.com/tip/0,289483,sid92_gci1214373,00.html>.
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 10, "All Input Is Evil!", page 341. 2nd Edition. Microsoft. 2002.

Maintenance Notes

Input validation, whether missing or incorrect, is such an essential and widespread part of secure development that it is implicit in many different weaknesses. Traditionally, problems such as buffer overflows and XSS have been classified by the security industry as input validation problems. However, input validation is not necessarily the only protection mechanism available against such problems, and in some cases it is not even sufficient. The CWE team has begun capturing these distinctions in the Research Concepts view (CWE-1000), but more work is needed.

Change History

[2021-06-30]
  Moved the Terminology Notes and updated their content, based on the data as of 2021-06-30.
[2011-04-21]
  Updated to the data as of 2010-10-12.
[2009-06-29]
  Created from the following URL as of 2009-02-02:
    http://cwe.mitre.org/data/definitions/20.html


Registered: 2011/04/21

Last updated: 2023/04/04

