1429 找到的項目

弱點

ASP.NET Bad Practices: Use of Impersonation Context

C#/VB.NET/ASP.NET

Abstract

模仿使用者憑證可讓攻擊者未經授權而存取受保護的資源。

Explanation

為了執行需特定權限的操作，Microsoft ASP.NET 應用程式能夠模擬目前使用者的安全環境或是模擬呼叫它們的程序。雖然模擬環境能夠提供多種用途 (例如減少必要 authentication 的數量)，但是擁有高度權限的程式會為整個系統的安全帶來不必要的危險。如果攻擊者利用程式中的另一個弱點，而此程式正在另一個安全環境中執行，則攻擊者能夠執行所有未授權的操作，並擁有與之對應的權限。

範例 1：以下程式碼範例說明使用 WindowsIdentity.Impersonate() 方法模擬憑證的典型方式。


using System.Security.Principal;
...

//Get the identity of the current user
IIdentity contextId = HttpContext.Current.User.Identity;
WindowsIdentity userId = (WindowsIdentity)contextId;

//Temporarily impersonate
WindowsImpersonationContext imp = userId.Impersonate();

//Perform tasks using the caller's security context
DoSecuritySensitiveTasks();

//Clean up and restore our old security context
impersonate.Undo();

Example 1 中的程式碼模擬目前使用者的安全環境，並使用此安全環境執行一個需權限的操作。呼叫 DoSecuritySensitiveTasks() 之後，程式碼企圖還原原始的安全環境，但是如果 DoSecuritySensitiveTasks() 拋出一個異常狀況，將永遠不會呼叫 Undo() 方法，而程式也將持續使用模擬的安全環境。

References

[1] Kirk Evans Security Practices: ASP.NET 2.0 Security Practices at a Glance Microsoft Corporation

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - Common Weakness Enumeration CWE ID 520

[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165

[9] Standards Mapping - FIPS200 AC

[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement

[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.1.3 Build (L2 L3)

[19] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[20] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II

[53] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[54] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.controlflow.dotnet.asp_dotnet_bad_practices_use_of_impersonation_context

ASP.NET Middleware Out of Order: Default Cookie Configuration

C#/VB.NET/ASP.NET

Abstract

應用程式錯誤指定了 ASP.NET Cookie 原則中介軟體。

Explanation

未依正確順序新增到中介軟體管道的 ASP.NET Core 中介軟體將無法依預期般執行，進而使應用程式可能面臨各種安全問題。

範例 1：UseCookiePolicy() 方法將 Cookie 原則中介軟體新增到中介軟體管道，進而允許自訂 Cookie 原則。當以錯誤的順序指定時，程式設計師聲明的任何 Cookie 原則將被忽略。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseCookiePolicy();
...

References

[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 1188, CWE ID 565

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002418, CCI-002420, CCI-002421, CCI-002422

[8] Standards Mapping - FIPS200 MP, SC

[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P2)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings

[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[13] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.1 General Access Control Design (L1 L2 L3)

[19] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage

[20] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective 2.3 - Secure Defaults

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective 2.3 - Secure Defaults, Control Objective C.4.1 - Web Software Communications

[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

[54] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_default_cookie_configuration

ASP.NET Middleware Out of Order: Insecure Transport

C#/VB.NET/ASP.NET

Abstract

應用程式錯誤指定了預設的 ASP.NET HTTPS 重新導向中介軟體。

Explanation

未依正確順序新增到中介軟體管道的 ASP.NET Core 中介軟體將無法依預期般執行，進而使應用程式可能面臨各種安全問題。

範例 1：UseHttpsRedirection() 方法將 HTTPS 重新導向中介軟體新增到中介軟體管道，進而允許將不安全的 HTTP 要求重新導向到安全的 HTTPS 要求。如果以錯誤的順序指定，則在透過重新導向之前列出的中介軟體處理要求之前，不會發生有意義的 HTTPS 重新導向。這將允許應用程式在重新導向到安全 HTTPS 連線之前處理 HTTP 要求。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseHttpsRedirection();
...

References

[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 200, CWE ID 311, CWE ID 319

[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200

[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200

[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[11] Standards Mapping - FIPS200 SC

[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[15] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[16] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3)

[21] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[22] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications

[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319

[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_insecure_transport

ASP.NET Middleware Out of Order: Insufficient Logging

C#/VB.NET/ASP.NET

Abstract

應用程式錯誤指定了 ASP.NET Core 記錄中介軟體。

Explanation

未依正確順序新增到中介軟體管道的 ASP.NET Core 中介軟體將無法依預期般執行，進而使應用程式可能面臨各種安全問題。

範例 1：UseHttpLogging() 方法將 HTTP 記錄中介軟體新增到中介軟體管道，進而允許記錄中介軟體元件。當以錯誤的順序指定時，在呼叫 UseHttpLogging() 之前將不會記錄新增到管道的任何中介軟體。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseHttpLogging();
...

範例 2：UseWC3Logging() 方法將 W3C 記錄中介軟體新增到中介軟體管道，進而允許記錄中介軟體元件。當以錯誤的順序指定時，在呼叫 UseWC3Logging() 之前將不會記錄新增到管道的任何中介軟體。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseWC3Logging();
...

References

[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 778

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172

[8] Standards Mapping - FIPS200 CM

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation

[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[15] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[17] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-000830 CAT II

[50] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_insufficient_logging

ASP.NET Misconfiguration: Certificate Validation Disabled

C#/VB.NET/ASP.NET

Abstract

停用憑證驗證非常危險。

Explanation

將憑證驗證模式設為 None 會停用整個憑證驗證過程，這會使應用程式暴露於 Man-in-the-Middle 攻擊之下。生產環境中永遠不應使用此模式。

References

[1] Microsoft Corporation Working with Certificates

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark complete

[7] Standards Mapping - Common Weakness Enumeration CWE ID 296

[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [25] CWE ID 295

[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287

[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000185, CCI-001941, CCI-001942

[14] Standards Mapping - FIPS200 CM

[15] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-17 Public Key Infrastructure Certificates (P1)

[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-17 Public Key Infrastructure Certificates

[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[25] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[26] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3305 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3305 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3305 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3305 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3305 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3305 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3305 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.config.dotnet.asp_dotnet_misconfiguration_certificate_validation_disabled

ASP.NET Misconfiguration: Cookie Protection Disabled

C#/VB.NET/ASP.NET

Abstract

未受保護的 cookie 內容可能會被攻擊者查看或修改。

Explanation

Cookie 常用來儲存使用者的重要資訊，比如個人資訊、Authentication 標記以及作業的歷史資訊。如果此資訊是以純文字方式儲存，那麼任何人只要能夠存取與應用程式互動的機器，都能夠存取儲存在 cookie 中的資訊。更糟糕的是，如果攻擊者可以隨意修改 cookie 中的資料，他們便能夠偽造提供給應用程式的資訊，有可能改變系統的運作方式以對他們有利。

在許多情況下，應用程式可以根據所在的環境來驗證由 cookie 提供的輸入，但 ASP.NET 的驗證框架提供了一個非常好的方法，可保護 cookie 的內容並驗證 cookie 未遭到非期望的修改。如不使用此方法，想要建立所有輸入都經過驗證的高層級信任是非常困難、甚至是不可能的。

References

[1] forms Element for authentication (ASP.NET Settings Schema) Microsoft Corporation

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark complete

[7] Standards Mapping - Common Weakness Enumeration CWE ID 565

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002418, CCI-002420, CCI-002421, CCI-002422

[9] Standards Mapping - FIPS200 CM, SC

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[14] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[15] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[19] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.1 General Access Control Design (L1 L2 L3)

[21] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage

[22] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.config.dotnet.asp_dotnet_misconfiguration_cookie_protection_disabled

ASP.NET Misconfiguration: Debug Information

C#/VB.NET/ASP.NET

Abstract

除錯訊息可幫助攻擊者了解系統並計劃攻擊形式。

Explanation

可設定 ASP .NET 應用程式來產生除錯二進位程式。這些二進位程式提供了詳細的除錯訊息，不應該在生產的環境中使用。<compilation> 標籤的 debug 屬性定義編譯後的二進位程式是否應包含除錯資訊。

使用除錯二進位程式會使應用程式提供許多有關其本身的資訊給使用者。除錯二進位程式只能用於開發或測試的環境中，如果將它們部署在生產的環境中，會有安全上的風險。攻擊者可能利用這些從除錯輸出得到的額外資訊，來發動針對架構、資料庫或應用程式所使用的其他資源的攻擊。

References

[1] compilation Element (ASP.NET Settings Schema) Microsoft

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark complete

[7] Standards Mapping - Common Weakness Enumeration CWE ID 11

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272

[9] Standards Mapping - FIPS200 CM

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling

[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[19] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.1.3 Build (L2 L3)

[21] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[22] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II, APP3620 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II, APP3620 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II, APP3620 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II, APP3620 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II, APP3620 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II, APP3620 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II, APP3620 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.config.dotnet.asp_dotnet_misconfiguration_debug_info