界: Environment

このセクションには、ソースコード以外のものでも、作成中の製品のセキュリティにとって重要なものがすべて含まれています。この分野が対象とする問題は、ソースコードに直接関係しないため、この分野の他の部分と分けました。

WCF Misconfiguration: Throttling Not Enabled

C#/VB.NET/ASP.NET

Abstract

システムリソースの使用に制限を設けないと、リソースが枯渇し、最終的に Denial of Service につながる可能性があります。

Explanation

Windows Communication Foundation (WCF) は、サービスリクエストをスロットリングする機能を提供します。許可するクライアントリクエストが多すぎると、システムが許容レベルを超え、リソースの枯渇につながる可能性があります。一方、サービスに対して許容するリクエスト数を少なくしすぎると、正当なユーザーがサービスを使用できなくなる可能性があります。各サービスは、適切な量のリソースを許可するように個別に調整および設定する必要があります。

References

[1] Microsoft

[2] Standards Mapping - Common Weakness Enumeration CWE ID 400, CWE ID 770

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [20] CWE ID 400

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [23] CWE ID 400

[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [23] CWE ID 400

[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.1.4 General Data Protection (L2 L3), 11.1.3 Business Logic Security Requirements (L1 L2 L3), 11.1.4 Business Logic Security Requirements (L1 L2 L3), 12.1.1 File Upload Requirements (L1 L2 L3), 12.1.3 File Upload Requirements (L2 L3), 13.2.4 RESTful Web Service Verification Requirements (L2 L3)

[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[14] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[19] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 770

[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II, APP3760 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II, APP3760 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II, APP3760 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II, APP3760 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II, APP3760 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II, APP3760 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II

[43] Standards Mapping - Web Application Security Consortium Version 2.00 Brute Force (WASC-11), Insufficient Anti-automation (WASC-21)

[44] Standards Mapping - Web Application Security Consortium 24 + 2 Brute Force, Insufficient Anti-automation

desc.config.dotnet.wcf_misconfiguration_throttling_not_enabled