Weaknesses
Abstract
Failure to properly restrict cross domain access to sensitive resources could allow an attacker to carry out data theft or content spoofing attacks.
Explanation
Cross-Origin Resource Sharing, commonly referred to as CORS, is a technology that allows a domain to define a policy for its resources to be accessed by a web page hosted on a different domain using cross-domain XMLHttpRequests (XHR). Historically, browsers have restricted XHR requests to abide by the same-origin policy. This policy sets the script execution scope to the resources available on the current domain and prohibits any communication with domains outside this scope. However, a few HTML tags, such as SCRIPT, IMG, and IFRAME, are exempt from the same-origin policy and allow remote content to be loaded from a different domain. These are secure alternatives for a site that loads content from a remote domain, and no special permission or cross-domain policy is required from the hosting domain.
While CORS is supported by all major browsers, it also requires that the domain correctly define its CORS policy in order to have its resources shared with another domain. These restrictions are managed by access policies typically communicated in specialized response headers, such as:

- Access-Control-Allow-Origin
- Access-Control-Allow-Headers
- Access-Control-Allow-Methods

However, caution should be taken when defining these headers, because an overly permissive policy configured at the server level for a domain, or for a directory on a domain, can open more content to cross-domain access than intended. CORS can allow a malicious application to communicate with a victim application in an inappropriate way, leading to information disclosure, spoofing, data theft, relay, or other attacks.
Implementing CORS can increase an application's attack surface and should be used only when necessary.
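The following server-side origin check is an added example, not code from the original entry: it derives the Access-Control-* response headers listed above from a request's Origin header using an exact match against an explicit allow list, which is the alternative to the overly permissive wildcard or substring-matching policies the explanation warns about. The function and parameter names (cors_headers, allowed_origins, request_origin) are this example's own.

```python
from typing import Dict, Iterable, Optional


def cors_headers(request_origin: Optional[str],
                 allowed_origins: Iterable[str],
                 allow_credentials: bool = False,
                 allowed_methods: Iterable[str] = ("GET", "POST"),
                 allowed_headers: Iterable[str] = ("Content-Type",)) -> Dict[str, str]:
    """Return the CORS headers to add to a response, or {} to grant nothing.

    A missing Origin header means a same-origin or non-browser request, so
    no cross-origin grant is needed. The opaque origin "null" is never
    trusted, because browsers send it for sandboxed frames, file:// pages
    and some redirects, so any page could claim it. Only an exact match of
    the full origin (scheme, host and port) against the allow list is
    accepted, so a look-alike host or a plain-http variant of an allowed
    https origin is refused.
    """
    if not request_origin or request_origin == "null":
        return {}
    allowed = {o.rstrip("/").lower() for o in allowed_origins}
    if request_origin.lower() not in allowed:
        return {}      # no Access-Control-Allow-Origin: the browser blocks the read
    headers = {
        # Echo the validated origin rather than "*": "*" would expose the
        # resource to every site and cannot be combined with credentials.
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Methods": ", ".join(allowed_methods),
        "Access-Control-Allow-Headers": ", ".join(allowed_headers),
        # The response now differs per Origin; tell caches not to mix them up.
        "Vary": "Origin",
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```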
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 346
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 14.5.2 Validate HTTP Request Header Requirements (L1 L2 L3), 14.5.3 Validate HTTP Request Header Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[16] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.6 - Web Software Attack Mitigation
[25] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)
desc.dynamic.html.html5_cors_functionality_abuse
Abstract
The expression obj.Equals(null) should always be false.
Explanation
The program uses the Equals() method to compare an object with null. The contract of the Equals() method requires this comparison to always return false.
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398, CWE ID 754
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[7] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
desc.structural.dotnet.code_correctness_null_argument_to_equivalence_method
Abstract
The expression obj.equals(null) will always be false.
Explanation
The program uses the equals() method to compare an object with null. This comparison will always return false, since the object is not null. (If the object is null, the program throws a NullPointerException.)
References
[1] JavaDoc for Object Sun Microsystems
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 398, CWE ID 754
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[8] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
desc.structural.java.code_correctness_null_argument_to_equivalence_method
Abstract
A Terraform configuration does not enable the Domain Name System Security (DNSSEC) of a Cloud DNS Domain.
Explanation
DNSSEC prevents DNS spoofing by allowing DNS responses to be validated with digital signatures. DNSSEC is not enabled for the Cloud DNS domain.

Example 1: The following example shows a Terraform configuration that disables DNSSEC on a Cloud DNS Domain by setting state to off in the dnssec_config block.

resource "google_dns_managed_zone" "zone-demo" {
  ...
  dnssec_config {
    state = "off"
    ...
  }
  ...
}
References
[1] HashiCorp dns_managed_zone
[2] Google Cloud Manage DNSSEC configuration
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.5
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - Common Weakness Enumeration CWE ID 345
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002418, CCI-002422
[10] Standards Mapping - FIPS200 SC
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-20 Secure Name/Address Resolution Service (Authoritative Source) (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-20 Secure Name/Address Resolution Service (Authoritative Source) (P1)
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[15] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.1 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.1 - Authentication and Access Control
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_cloud_dns_dnssec_disabled
Abstract
A Terraform configuration sets up a database instance without backup configurations.
Explanation
Database backups are critical to protect against data loss or corruption. Automated backups of a Cloud SQL database instance should be explicitly configured and enabled.

Example 1: The following example shows a Terraform configuration that disables database instance backup configurations by setting enabled to false.

resource "google_sql_database_instance" "database_instance_demo" {
  ...
  settings {
    backup_configuration {
      enabled = false
      ...
    }
  }
}
References
[1] HashiCorp google_sql_database_instance
[2] Google Cloud About Cloud SQL backups
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability
[9] Standards Mapping - Common Weakness Enumeration CWE ID 1188
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000366, CCI-003109
[11] Standards Mapping - FIPS200 CM
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-38 Operations Security (P0)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-38 Operations Security
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.1.5 General Data Protection (L3)
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 12.10.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 12.10.1
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults
desc.structural.hcl.gcp_terraform_misconfiguration_cloud_sql_backup_disabled
Abstract
A Terraform configuration disables node auto-repair for a GKE node pool.
Explanation
Every cloud service security feature is designed to prevent or mitigate a known threat. When disabled by intent or negligence, it offers no protection.

By default, if a GKE node repeatedly reports an unhealthy status over a given period, GKE initiates a repair process for that node. Disabling node auto-repair prevents timely and automated replacements of unhealthy nodes on which mission-critical workloads might run.

Example 1: The following Terraform configuration disables node auto-repair of a node pool by setting auto_repair to false in the management block.

resource "google_container_node_pool" "node-pool-demo" {
  ...
  management {
    auto_repair = false
    ...
  }
  ...
}
References
[1] HashiCorp google_container_node_pool
[2] Google Cloud Auto-repairing nodes
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark availability
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[11] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[12] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
desc.structural.hcl.gcp_terraform_misconfiguration_gke_cluster_node_auto_repair_disabled
Abstract
A Terraform configuration sets up GKE nodes that do not run Container-Optimized OS.
Explanation
By default, GKE nodes run with Container-Optimized OS (COS). COS is an operating system image that is optimized to run GKE nodes on Google Compute Engine instances. Opting out of the default forgoes the benefits of enhanced security and efficiency.

Example 1: The following example Terraform configuration sets up a pool of GKE nodes that do not run COS because image_type is set to a non-COS image in the node_config block.

resource "google_container_node_pool" "node_pool_demo" {
  ...
  node_config {
    image_type = "UBUNTU"
    ...
  }
  ...
}
References
[1] HashiCorp google_container_node_pool
[2] Google Cloud Setting the default node image type
[3] Google Cloud Container-Optimized OS Overview
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[10] Standards Mapping - CIS Kubernetes Benchmark complete
[11] Standards Mapping - FIPS200 CM
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[15] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[16] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[17] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
desc.structural.hcl.gcp_terraform_misconfiguration_gke_container_optimized_os_not_in_use
Abstract
A Terraform configuration disables automatic upgrades of Kubernetes nodes.
Explanation
By default, GKE automatically upgrades Kubernetes nodes to newer stable versions. Automatic upgrades, which ensure timely patching of known software vulnerabilities, are disabled.

Example 1: The following example Terraform configuration disables automatic upgrades of Kubernetes nodes by setting auto_upgrade to false in the management block.

resource "google_container_node_pool" "node_pool_demo" {
  ...
  management {
    auto_upgrade = false
    ...
  }
  ...
}
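A small policy check, added here as an example and not Fortify's or HashiCorp's code, that scans the Terraform subset shown in the five GCP entries above (dnssec_config state, Cloud SQL backup_configuration, GKE auto_repair, image_type and auto_upgrade) and reports the weak setting each explanation describes. The mini-parser, the RULES table and the assumption that image types beginning with "COS" are Container-Optimized OS are this example's own; it does not parse full HCL.

```python
import re

# (resource type, dotted attribute path, predicate on the value, finding message).
# Paths mirror the blocks the five explanations above point at; treating any
# image_type not starting with "COS" as non-COS is this example's assumption.
RULES = [
    ("google_dns_managed_zone", "dnssec_config.state", lambda v: v == "off",
     "Cloud DNS DNSSEC disabled"),
    ("google_sql_database_instance", "settings.backup_configuration.enabled",
     lambda v: v is False, "Cloud SQL automated backups disabled"),
    ("google_container_node_pool", "management.auto_repair", lambda v: v is False,
     "GKE node auto-repair disabled"),
    ("google_container_node_pool", "management.auto_upgrade", lambda v: v is False,
     "GKE node auto-upgrade disabled"),
    ("google_container_node_pool", "node_config.image_type",
     lambda v: isinstance(v, str) and not v.upper().startswith("COS"),
     "GKE node image is not Container-Optimized OS"),
]
_RESOURCE = re.compile(r'^resource\s+"([^"]+)"\s+"([^"]+)"\s*\{$')
_BLOCK = re.compile(r'^(\w+)\s*\{$')
_ATTR = re.compile(r'^(\w+)\s*=\s*(.+)$')

def _coerce(raw):
    """HCL literal -> Python value: quoted string, bool or int, else raw text."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return {"true": True, "false": False}.get(raw, int(raw) if raw.isdigit() else raw)

def parse_resources(hcl):
    """Flatten each resource into (type, name, {"block.sub.attr": value}). Handles
    only resource headers, nested blocks, simple attributes and '...' lines."""
    resources, stack, attrs, header = [], [], {}, None
    for line in (raw.strip() for raw in hcl.splitlines()):
        if not line or line == "...":
            continue                          # blank or elided content
        if m := _RESOURCE.match(line):
            header, attrs, stack = (m.group(1), m.group(2)), {}, []
        elif line == "}":
            if stack:
                stack.pop()                   # close a nested block
            elif header:
                resources.append((*header, attrs))   # close the resource
                header = None
        elif m := _BLOCK.match(line):
            stack.append(m.group(1))
        elif header and (m := _ATTR.match(line)):
            attrs[".".join(stack + [m.group(1)])] = _coerce(m.group(2))
    return resources

def find_misconfigurations(hcl):
    """Return one 'type.name: message' string per rule a resource violates."""
    return [f"{rtype}.{rname}: {msg}"
            for rtype, rname, attrs in parse_resources(hcl)
            for rule_type, path, bad, msg in RULES
            if rtype == rule_type and path in attrs and bad(attrs[path])]

# Constructed sample: one weak setting from the page next to one compliant value.
SAMPLE = """
resource "google_container_node_pool" "node-pool-demo" {
  management {
    auto_repair  = false
    auto_upgrade = true
  }
}
"""
```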
References
[1] HashiCorp google_container_node_pool
[2] Google Cloud Auto-upgrading nodes
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.5
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[9] Standards Mapping - CIS Kubernetes Benchmark complete
[10] Standards Mapping - FIPS200 CM
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[14] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[15] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
desc.structural.hcl.gcp_terraform_misconfiguration_gke_node_auto_upgrade_disabled