# Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-470: Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) |
| OWASP | A03:2021 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
## Description

The code instantiates an object from a class name taken directly from user-controlled input, such as the GET, POST, COOKIE, REQUEST, or SERVER request variables (for example, PHP's `new $className()` where `$className` is read from `$_GET`). Because the attacker chooses which class is loaded and constructed, they control which code runs at the point of instantiation, including the constructor side effects of any class the application can reach.
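The pattern above, with the vulnerable form next to an allow-listed rewrite, as an added example that is not part of the original rule page. It assumes PHP, since the GET/POST/COOKIE/REQUEST/SERVER variables named in the description are PHP superglobals; the `type` request parameter and the `Exporter` classes are hypothetical names chosen for illustration.

```php
<?php
// Added example, not code from the original rule page.
// Assumes PHP; parameter name "type" and the exporter classes are hypothetical.
declare(strict_types=1);

// --- Vulnerable (CWE-470): the class name is the raw request value ---
function createExporterUnsafe(array $request): object
{
    $class = (string) ($request['type'] ?? 'CsvExporter'); // e.g. ?type=AnyLoadedClass
    return new $class();   // attacker selects the class; its constructor runs
}

// --- Hardened: untrusted input only selects a key in a fixed allow-list ---
interface Exporter
{
    public function export(array $rows): string;
}

final class CsvExporter implements Exporter
{
    public function export(array $rows): string
    {
        $out = '';
        foreach ($rows as $row) {
            $out .= implode(',', array_map('strval', $row)) . "\n";
        }
        return $out;
    }
}

final class JsonExporter implements Exporter
{
    public function export(array $rows): string
    {
        return json_encode($rows, JSON_THROW_ON_ERROR);
    }
}

function createExporter(string $type): Exporter
{
    // The class names are compile-time constants; the request value is only a lookup key.
    static $allowed = [
        'csv'  => CsvExporter::class,
        'json' => JsonExporter::class,
    ];
    if (!isset($allowed[$type])) {
        throw new InvalidArgumentException('Unsupported exporter type');
    }
    $class = $allowed[$type];
    return new $class();
}

// Usage: the value still comes from the request, but can no longer name a class.
$type = (string) ($_GET['type'] ?? 'csv');
$exporter = createExporter($type);
echo $exporter->export([['id' => 1, 'name' => 'alice']]);
```

Checking the input with `class_exists($name)` is not a fix: it still lets the attacker pick any class the application has loaded or can autoload (the default `$autoload = true` triggers the autoloader), and it is the constructor of that arbitrary class that does the damage. The allow-list works because the request value never reaches `new` as a class name, only as an array key whose values are fixed in the source.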
## Impact

An attacker can instantiate any class the application can reach, including classes pulled in on demand by an autoloader, and so run that class's constructor with attacker-chosen timing. This can trigger code paths that were never meant to be reachable from request input, or bypass security controls that assume an object of a specific type. In the worst case, this results in remote code execution and full compromise of the system.