Reino: Encapsulation

La encapsulación consiste en crear límites fuertes. En un explorador web esto puede suponer la seguridad de que tu codificación móvil no se vea comprometido por otro código móvil. En el servidor puede significar la diferenciación entre los datos validados y los que no lo están, entre los datos de un usuario y los de otro, o entre los diferentes usuarios, los datos que pueden ver y los que no.

Hidden Field

Abstract

El programa crea un campo de formulario oculto.

Explanation

A menudo, los programadores confían en el contenido de los campos ocultos, suponiendo que los usuarios no podrán verlos ni manipular su contenido. Los atacantes pueden burlar estas suposiciones. Examinan los valores escritos en los campos ocultos y los alteran o reemplazan si contenido por datos de ataque.

Ejemplo:


  HtmlInputHidden hidden = new HtmlInputHidden();

Si los campos ocultos contienen información confidencial, esta se incluirá en la caché al igual que el resto de la página. Esto provoca que la información confidencial se almacene en la caché del explorador sin que el usuario lo sepa.

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 472

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002420

[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[5] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage

[6] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-2

[7] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design

[8] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 642

[9] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3610 CAT I

[10] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3610 CAT I

[11] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3610 CAT I

[12] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3610 CAT I

[13] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3610 CAT I

[14] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3610 CAT I

[15] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3610 CAT I

[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002485 CAT I

[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002485 CAT I

[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002485 CAT I

[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002485 CAT I

[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002485 CAT I

[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002485 CAT I

[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002485 CAT I

[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002485 CAT I

[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002485 CAT I

[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002485 CAT I

[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002485 CAT I

[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002485 CAT I

[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002485 CAT I

[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002485 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002485 CAT I

[31] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[32] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.semantic.dotnet.hidden_field

Abstract

El programa crea un campo de formulario oculto.

Explanation


  Hidden hidden = new Hidden(element);

References

[1] IDS14-J. Do not trust the contents of hidden form fields CERT

[2] Standards Mapping - Common Weakness Enumeration CWE ID 472

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002420

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[6] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage

[7] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-2

[8] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design

[9] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 642

[10] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3610 CAT I

[11] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3610 CAT I

[12] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3610 CAT I

[13] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3610 CAT I

[14] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3610 CAT I

[15] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3610 CAT I

[16] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3610 CAT I

[17] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002485 CAT I

[18] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002485 CAT I

[19] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002485 CAT I

[20] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002485 CAT I

[21] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002485 CAT I

[22] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002485 CAT I

[23] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002485 CAT I

[24] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002485 CAT I

[25] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002485 CAT I

[26] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002485 CAT I

[27] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002485 CAT I

[28] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002485 CAT I

[29] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002485 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002485 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002485 CAT I

[32] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[33] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.semantic.java.hidden_field

Abstract

Se utiliza un campo de formulario oculto.

Explanation


<input type="hidden">