界: Encapsulation

封裝是要劃定清楚的界限。在網頁瀏覽器中,這可能意味著確保您的行動程式碼不會被其他行動程式碼濫用。在伺服器上,這可能意味著區分經過驗證的資料與未經驗證的資料、區分一個使用者的資料與另一個使用者的資料,或區分允許使用者查看的資料與不允許查看的資料。

104 找到的項目
弱點

Flash Misconfiguration: Overly Permissive Custom Headers Policy

Abstract
程式定義過度允許的自訂表頭原則。
Explanation
依預設,Flash 應用程式需遵守相同來源策略 (Same Origin Policy),它可以確保只有在兩個 SWF 應用程式都來自相同網域時,才可以存取彼此的資料。Adobe Flash 允許開發人員在程式上或透過 crossdomain.xml 組態設定檔案的適當設定來修改策略。從 Flash Player 9,0,124,0 開始,Adobe 也引進了定義 Flash Player 可以在網域間傳送哪些自訂表頭的功能。但是,定義這些設定時應特別小心,因為將過度允許的自訂表頭策略和過度允許的跨網域策略一起套用時,會允許惡意應用程式將其選擇的表頭傳送到目標應用程式,可能會導致多種攻擊,或在不知道如何處理所接收之表頭的應用程式執行中造成錯誤。

範例 1:以下配置顯示了使用萬用字元指定 Flash Player 可以在網域間傳送哪些標頭。


  <cross-domain-policy>
    <allow-http-request-headers-from domain="*" headers="*"/>
  </cross-domain-policy>


使用 * 做為 headers 屬性的值,表示任何表頭都會在網域間傳送。
References
[1] Peleus Uhley Creating more secure SWF web applications
[2] Matt Wood and Prajakta Jagdale Auditing Adobe Flash through Static Analysis
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[15] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[25] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.actionscript.flash_misconfiguration_overly_permissive_custom_headers_policy

Flash Misconfiguration: Policy Restrictions Bypass

Abstract
程式使用未經驗證的使用者輸入來略過預期的跨網域策略限制。
Explanation
依預設,Flash 應用程式需遵守相同來源策略 (Same Origin Policy),它可以確保只有在兩個 SWF 應用程式都來自相同網域時,才可以存取彼此的資料。Adobe Flash 允許開發人員在程式上或透過 crossdomain.xml 組態設定檔案的適當設定來修改策略。但是,決定誰可以影響設定時應特別小心,因為過度允許的跨網域策略會允許惡意應用程式以不適當的方式與受害者應用程式通訊,導致欺騙、資料遭竊取、傳遞和其他攻擊。Policy restrictions bypass 弱點會在以下情況中出現:

1. 資料從不可信賴的來源進入應用程式。

2. 資料用來載入或修改跨網域策略設定。
範例 1:以下程式碼對載入的 SWF 檔案使用其中一個參數的值,做為載入跨網域策略檔案的來源 URL。


   ...
   var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
   var url:String = String(params["url"]);
   flash.system.Security.loadPolicyFile(url);
   ...
範例 2:以下程式碼對載入的 SWF 檔案使用其中一個參數的值,以定義可信任網域的清單。


   ...
   var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
   var domain:String = String(params["domain"]);
   flash.system.Security.allowDomain(domain);
   ...
References
[1] Peleus Uhley Creating more secure SWF web applications
[2] Matt Wood and Prajakta Jagdale Auditing Adobe Flash through Static Analysis
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[13] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[38] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.actionscript.flash_misconfiguration_policy_restrictions_bypass

Flash Misconfiguration: Unauthorized Data Access

Abstract
程式允許 HTTP 和 HTTPS SWF 應用程式進行通訊。
Explanation
從 Flash Player 7 開始,透過 HTTP 載入的 SWF 應用程式不允許存取預設透過 HTTPS 載入的 SWF 應用程式。Adobe Flash 允許開發人員在程式上或透過 crossdomain.xml 組態設定檔案的適當設定來修改此限制。但是,定義這些設定時應特別小心,因為 HTTP 載入的 SWF 應用程式容易遭到 man-in-the-middle 攻擊,因此不應該受信賴。

範例:以下程式碼會呼叫 allowInsecureDomain(),它會關閉以下限制:防止 HTTP 載入的 SWF 應用程式存取 HTTPS 載入之 SWF 應用程式的資料。


   flash.system.Security.allowInsecureDomain("*");
References
[1] Peleus Uhley Creating more secure SWF web applications
[2] Matt Wood and Prajakta Jagdale Auditing Adobe Flash through Static Analysis
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[15] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4, Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.4.1 - Web Software Communications
[25] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 862
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.semantic.actionscript.flash_misconfiguration_unauthorized_data_access

Go Bad Practices: Leftover Debug Code

Abstract
除錯程式碼可能會影響效能或洩露敏感資料給攻擊者。
Explanation
開發作業一般會為了除錯或測試目而增加一些「後門」程式碼,這些程式碼不會隨應用程式一起提供或部署。當這類除錯程式碼意外地留在應用程式中時,會導致應用程式開放在未預期的互動模式。這些後門入口點很容易造成安全問題,因為在設計或者測試期間,並沒有將它們考慮在內,並且不會出現在應用程式設計中的操作環境中。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 489
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[8] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3), 14.2.2 Dependency (L1 L2 L3)
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
desc.semantic.golang.go_bad_practices_leftover_debug_code

GraphQL Bad Practices: GraphiQL Enabled

Abstract
建立一個已啟用 GraphiQL 的 GraphQL 端點。
Explanation
GraphiQL 是一種瀏覽器內工具,它利用 GraphQL 結構描述自我檢查機制為 GraphQL API 開發和測試提供圖形介面。GraphiQL 可協助使用者探索 GraphQL 結構描述以及撰寫和執行 GraphQL 查詢。

不建議允許存取生產階段中的 GraphiQL,因為透過 GraphiQL 啟用 GraphQL 結構描述的自我檢查,可能會使您的整體安全態勢面臨風險。攻擊者可能使用 GraphiQL 和自我檢查從 GraphQL 結構描述中取得實作詳情,進而使他們能夠執行更具目標性的攻擊。GraphQL 結構描述可能會洩漏資訊,例如內部使用的欄位、描述和過時說明,這些資訊可能非供公開使用。

範例 1:以下程式碼將初始化一個預設啟用 GraphiQL 的 GraphQL.js 端點:

app.use('/graphql', graphqlHTTP({
    schema
}));
References
[1] OWASP OWASP Cheat Sheet Series: GraphQL Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 94
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[14] Standards Mapping - FIPS200 CM
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[26] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.javascript.graphql_bad_practices_graphiql_enabled
Abstract
建立一個已啟用 GraphiQL 的 GraphQL 端點。
Explanation
GraphiQL 是一種瀏覽器內工具,它利用 GraphQL 結構描述自我檢查機制為 GraphQL API 開發和測試提供圖形介面。GraphiQL 可協助使用者探索 GraphQL 結構描述,以及撰寫和執行 GraphQL 查詢。

不建議允許存取生產階段中的 GraphiQL,因為透過 GraphiQL 啟用 GraphQL 結構描述的自我檢查,可能會使您的整體安全態勢面臨風險。攻擊者可能使用 GraphiQL 和自我檢查從 GraphQL 結構描述中取得實作詳情,進而使他們能夠執行更具目標性的攻擊。GraphQL 結構描述可能會洩漏資訊,例如內部使用的欄位、描述和過時說明,這些資訊可能非供公開使用。

範例 1:以下程式碼將初始化一個已啟用 GraphiQL 的 GraphQL 端點:

app.add_url_rule('/graphql', view_func=GraphQLView.as_view(
  'graphql',
  schema = schema,
  graphiql = True
))
References
[1] OWASP OWASP Cheat Sheet Series: GraphQL Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 94
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[14] Standards Mapping - FIPS200 CM
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[26] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.python.graphql_bad_practices_graphiql_enabled

GraphQL Bad Practices: Introspection Enabled

Abstract
建立 GraphQL 端點而不停用結構描述自我檢查。
Explanation
GraphQL 自我檢查功能讓任何人都可以查詢 GraphQL 伺服器以取得目前結構描述的相關資訊。當事人可以發出 GraphQL 自我檢查查詢來擷取結構描述的可用操作、資料類型、欄位和文件的完整檢視。

GraphQL 自我檢查在開發和共用有關 GraphQL API 的資訊的環境中提供重要的公用程式。自我檢查是一個強大的 GraphQL 功能,可以促進與各種工具的整合。例如,IDE 可以利用結構描述自我檢查來提供用於開發和測試 GraphQL API 的增強功能。

但是,允許任何人在生產階段中查詢您的 GraphQL 結構描述,可能會使您的整體安全態勢面臨風險。攻擊者可能使用自我檢查從 GraphQL 結構描述中取得實作詳情,進而使他們能夠執行更具目標性的攻擊。GraphQL 結構描述可能會洩漏資訊,例如內部使用的欄位、描述和過時說明,這些資訊可能非供公開使用。

範例 1:以下程式碼將初始化一個預設啟用結構描述自我檢查的 Hot Chocolate GraphQL 端點:

    services
        .AddGraphQLServer()
        .AddQueryType<Query>()
        .AddMutationType<Mutation>();
References
[1] OWASP OWASP Cheat Sheet Series: GraphQL Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 94
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[14] Standards Mapping - FIPS200 CM
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[26] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.dotnet.graphql_bad_practices_introspection_enabled
Abstract
建立 GraphQL 端點而不停用結構描述自我檢查。
Explanation
GraphQL 自我檢查功能讓任何人都可以查詢 GraphQL 伺服器以取得目前結構描述的相關資訊。當事人可以發出 GraphQL 自我檢查查詢來擷取結構描述的可用操作、資料類型、欄位和文件的完整檢視。

GraphQL 自我檢查在開發和共用有關 GraphQL API 的資訊的環境中提供重要的公用程式。自我檢查是一個強大的 GraphQL 功能,可以促進與各種工具的整合。例如,IDE 可以利用結構描述自我檢查來提供用於開發和測試 GraphQL API 的增強功能。

但是,允許任何人在生產階段中查詢您的 GraphQL 結構描述,可能會使您的整體安全態勢面臨風險。攻擊者可能使用自我檢查從 GraphQL 結構描述中取得實作詳情,進而使他們能夠執行更具目標性的攻擊。GraphQL 結構描述可能會洩漏資訊,例如內部使用的欄位、描述和過時說明,這些資訊可能非供公開使用。

範例 1:以下程式碼將初始化一個預設啟用結構描述自我檢查的 GraphQL.js 端點:

app.use('/graphql', graphqlHTTP({
    schema
}));
References
[1] OWASP OWASP Cheat Sheet Series: GraphQL Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 94
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[14] Standards Mapping - FIPS200 CM
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[26] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.dataflow.javascript.graphql_bad_practices_introspection_enabled
Abstract
建立 GraphQL 端點而不停用結構描述自我檢查。
Explanation
GraphQL 自我檢查功能讓任何人都可以查詢 GraphQL 伺服器以取得目前結構描述的相關資訊。任何當事人可以發出 GraphQL 自我檢查查詢來擷取結構描述的可用操作、資料類型、欄位和文件的完整檢視。

GraphQL 自我檢查在開發和共用有關 GraphQL API 的資訊的環境中提供重要的公用程式。自我檢查是一個強大的 GraphQL 功能,可以促進與各種工具的整合。例如,IDE 可以利用結構描述自我檢查來提供用於開發和測試 GraphQL API 的增強功能。

但是,允許任何人在生產階段中查詢您的 GraphQL 結構描述,可能會使您的整體安全態勢面臨風險。攻擊者可能使用自我檢查從 GraphQL 結構描述中取得實作詳情,進而使他們能夠執行更具目標性的攻擊。GraphQL 結構描述可能會洩漏資訊,例如內部使用的欄位、描述和過時說明,這些資訊可能非供公開使用。

範例 1:以下程式碼將初始化一個預設啟用結構描述自我檢查的 GraphQL 端點:

app.add_url_rule('/graphql', view_func=GraphQLView.as_view(
  'graphql',
  schema = schema
))
References
[1] OWASP OWASP Cheat Sheet Series: GraphQL Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 94
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[14] Standards Mapping - FIPS200 CM
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[26] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.dataflow.python.graphql_bad_practices_introspection_enabled

Hardcoded Domain in HTML

Abstract
包含其他網域的 script,這表示,這個網頁的安全性依賴另一個網域的安全性。
Explanation
包含另外一個網站中可執行的內容是有風險的。這樣會導致您網站的安全性與另一個網站息息相關。

範例: 請思考以下 script 標籤。

  <script src="http://www.example.com/js/fancyWidget.js"></script>


如果這個標籤出現在 www.example.com 以外的網站上,則該網站依賴 www.example.com 提供正確且無惡意的程式碼。如果攻擊者能危害 www.example.com,他們就能修改 fancyWidget.js 的內容來破壞網站的安全性。例如,他們可以新增程式碼至 fancyWidget.js 來竊取使用者的機密資料。
desc.content.html.hardcoded_domain