233 見つかった項目
脆弱性

Weak Encryption: User-Controlled Key Size

Abstract
鍵サイズ パラメーターを使用する暗号関数には、汚染された鍵サイズ値を渡さないでください。
Explanation
ユーザー制御の値から鍵サイズを判別できる場合、攻撃者が空の鍵を指定できるようになり、その空の鍵で暗号化されたデータは比較的容易に復号化できます。非ゼロ値が必要な場合でも、攻撃者は可能な範囲で最小の値を指定でき、暗号化のセキュリティが損なわれます。

Weak Encryption: User-Controlled Key Size の問題は、次の場合に発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. ユーザー制御のデータは、鍵サイズ パラメーターに部分的に含まれるか、鍵サイズ パラメーター自体として暗号化関数の中で使用されます。

多くのソフトウェア セキュリティの脆弱性と同様、Weak Encryption: User-Controlled Key Size は目的を達成するための手段であって、目的そのものではありません。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡し、暗号化の実行中にそのデータが鍵サイズ値の全体または一部として使用されます。

ユーザー制御の鍵サイズがある場合の問題は、多様な攻撃が可能になる点です。

1. 攻撃者は、この脆弱性を利用して暗号化処理にゼロの鍵サイズを指定し、任意のデータにアクセスできるようにします。ここから、各種アルゴリズムを空の鍵とともに使用して独自のデータを復号化し、アプリケーションに使用されている暗号化実装についての情報を漏洩させようとする試みを、難なく行えるようになります。これにより、攻撃者はクラッキング作業の中で特定のアルゴリズムに的を絞ることができ、他のユーザーの暗号化データを容易に復号化できるようになります。
2. 攻撃者は、他のユーザーの暗号化鍵サイズを操作するか、または他のユーザーがゼロの (または可能な限り小さい) 暗号化鍵サイズを使用するように仕組んで、(使用されている暗号化アルゴリズムの情報を得た上で) 他のユーザーの暗号化されたデータを読み取り可能にできます。

例 1: 次のコードは、ユーザー制御の鍵サイズ パラメーターを使用して RSA 暗号化を実行します。

    ...
    RSACryptoServiceProvider rsa1 = new RSACryptoServiceProvider(Convert.ToInt32(tx.Text));
    ...
Example 1 のコードは正常に実行されますが、この機能を使用すれば誰でもテキストボックス値 tx.Text を変更することで暗号化アルゴリズムの鍵サイズ パラメーターを操作できるようになります。プログラムが頒布された後は、悪意のあるユーザーが所定の暗号化実行の鍵サイズを判別したかどうかを知るのは極めて難しいため、ユーザー制御の鍵サイズに関する問題を元に戻すのは非常に困難です。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 326
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[3] Standards Mapping - FIPS200 MP
[4] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[9] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.6.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.dotnet.weak_encryption_user_controlled_key_size
Abstract
鍵サイズを受け取る暗号関数は汚染された鍵サイズ値を受け取る可能性があります。
Explanation
ユーザー制御の値から鍵サイズを判別できる場合、攻撃者が空の鍵を指定できるようになり、その空の鍵で暗号化されたデータは比較的容易に復号化できます。非ゼロ値が必要な場合でも、攻撃者は可能な範囲で最小の値を指定でき、暗号化のセキュリティが損なわれます。

脆弱な暗号化: ユーザー制御による鍵サイズの問題は、次の場合に発生します。

1.信頼できないソースからデータがプログラムに入り込んだ場合。

2.ユーザー制御のデータは、鍵サイズ パラメーターに部分的に含まれるか、鍵サイズ パラメーター自体として暗号化関数の中で使用されます。

多くのソフトウェアのセキュリティ脆弱性と同様に、脆弱な暗号化: ユーザー制御による鍵サイズは、それ自体が目的ではなく目標を達成するための手段です。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡し、暗号化を実行するためにそのデータが鍵サイズ値の全体または一部として使用されます。

ユーザー制御の鍵サイズがある場合の問題は、多様な攻撃が可能になる点です。

1.攻撃者は、この脆弱性を利用して暗号化処理にゼロの鍵サイズを指定し、任意のデータにアクセスできるようにします。各種アルゴリズムを空の鍵とともに使用して独自のデータを復号化し、アプリケーションに使用されている暗号化実装についての情報を漏洩させようとする試みを、難なく行えるようになります。これにより、攻撃者はクラッキング作業の中で特定のアルゴリズムに的を絞ることができ、他のユーザーの暗号化データを容易に復号化できるようになります。
2.攻撃者は、他のユーザーの暗号化鍵サイズを操作するか、または他のユーザーがゼロ (または別の小さい数値) の暗号化鍵サイズを使用するように仕組んで、(使用されている暗号化アルゴリズムの情報を得た上で) 他のユーザーの暗号化されたデータを読み取り可能にできます。

例 1: 次のコードはユーザー制御の導出鍵長を使用して RSA 鍵を生成します。

...
rsa.GenerateKey(random, user_input)
...
Example 1 のコードは正常に実行されますが、変数 user_input はユーザーが制御できるため、この機能を使用できる人は誰でも暗号化アルゴリズムの鍵サイズ パラメーターを操作できるようになります。ソフトウェアがリリースされた後は、ユーザー制御の鍵サイズに関する問題を元に戻すのは非常に困難です。悪意のあるユーザーが所定の暗号化実行の鍵サイズを制御したかどうかを知るのは極めて困難です。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 326
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[3] Standards Mapping - FIPS200 MP
[4] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[9] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.6.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.golang.weak_encryption_user_controlled_key_size
Abstract
鍵サイズ パラメーターを使用する暗号関数には、汚染された鍵サイズ値を渡さないでください。
Explanation
ユーザー制御の値から鍵サイズを判別できる場合、攻撃者が空の鍵を指定できるようになり、その空の鍵で暗号化されたデータは比較的容易に復号化できます。非ゼロ値が必要な場合でも、攻撃者は可能な範囲で最小の値を指定でき、暗号化のセキュリティが損なわれます。

脆弱な暗号化:ユーザー制御による鍵サイズの問題は、次の場合に発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. ユーザー制御のデータは、鍵サイズ パラメーターに部分的に含まれるか、鍵サイズ パラメーター自体として暗号化関数の中で使用されます。

多くのソフトウェアのセキュリティ脆弱性と同様に、脆弱な暗号化:ユーザー制御による鍵サイズは、それ自体が目的ではなく目標を達成するための手段です。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡し、暗号化の実行中にそのデータが鍵サイズ値の全体または一部として使用されます。

ユーザー制御の鍵サイズがある場合の問題は、多様な攻撃が可能になる点です。

1. 攻撃者は、この脆弱性を利用して暗号化処理にゼロの鍵サイズを指定し、任意のデータにアクセスできるようにします。ここから、各種アルゴリズムを空の鍵とともに使用して独自のデータを復号化し、アプリケーションに使用されている暗号化実装についての情報を漏洩させようとする試みを、難なく行えるようになります。これにより、攻撃者はクラッキング作業の中で特定のアルゴリズムに的を絞ることができ、他のユーザーの暗号化データを容易に復号化できるようになります。
2. 攻撃者は、他のユーザーの暗号化鍵サイズを操作するか、または他のユーザーがゼロの (または可能な限り小さい) 暗号化鍵サイズを使用するように仕組んで、(使用されている暗号化アルゴリズムの情報を得た上で) 他のユーザーの暗号化されたデータを読み取り可能にできます。

例 1: 次のコードは、ユーザー制御の鍵サイズ パラメーターを使用して AES 暗号化を実行します。

...
Properties prop = new Properties();
prop.load(new FileInputStream("config.properties"));
String keySize = prop.getProperty("keySize");
...
PBEKeySpec spec = new PBEKeySpec(
                password.toCharArray(),
                saltBytes,
                pswdIterations,
                Integer.parseInt(keySize)
                );
SecretKey secretKey = factory.generateSecret(spec);
SecretKeySpec secret = new SecretKeySpec(secretKey.getEncoded(), "AES");
...
Example 1 のコードは正常に実行されますが、この機能を使用すれば誰でもプロパティ keySize を変更することで暗号化アルゴリズムの鍵サイズ パラメーターを操作できるようになります。プログラムが頒布された後は、悪意のあるユーザーが所定の暗号化実行の鍵サイズを判別したかどうかを知るのは極めて難しいため、ユーザー制御の鍵サイズに関する問題を元に戻すのは非常に困難です。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 326
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[3] Standards Mapping - FIPS200 MP
[4] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[9] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.6.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.java.weak_encryption_user_controlled_key_size
Abstract
鍵サイズ パラメーターを使用する暗号関数には、汚染された鍵サイズ値を渡さないでください。
Explanation
ユーザー制御の値から鍵サイズを判別できる場合、攻撃者が空の鍵を指定できるようになり、その空の鍵で暗号化されたデータは比較的容易に復号化できます。非ゼロ値が必要な場合でも、攻撃者は可能な範囲で最小の値を指定でき、暗号化のセキュリティが損なわれます。

脆弱な暗号化:ユーザー制御による鍵サイズの問題は、次の場合に発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. ユーザー制御のデータは、鍵サイズ パラメーターに部分的に含まれるか、鍵サイズ パラメーター自体として暗号化関数の中で使用されます。

多くのソフトウェアのセキュリティ脆弱性と同様に、脆弱な暗号化:ユーザー制御による鍵サイズは、それ自体が目的ではなく目標を達成するための手段です。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡し、暗号化の実行中にそのデータが鍵サイズ値の全体または一部として使用されます。

ユーザー制御の鍵サイズがある場合の問題は、多様な攻撃が可能になる点です。

1. 攻撃者は、この脆弱性を利用して暗号化処理にゼロの鍵サイズを指定し、任意のデータにアクセスできるようにします。ここから、各種アルゴリズムを空の鍵とともに使用して独自のデータを復号化し、アプリケーションに使用されている暗号化実装についての情報を漏洩させようとする試みを、難なく行えるようになります。これにより、攻撃者はクラッキング作業の中で特定のアルゴリズムに的を絞ることができ、他のユーザーの暗号化データを容易に復号化できるようになります。
2. 攻撃者は、他のユーザーの暗号化鍵サイズを操作するか、または他のユーザーがゼロの (または可能な限り小さい) 暗号化鍵サイズを使用するように仕組んで、(使用されている暗号化アルゴリズムの情報を得た上で) 他のユーザーの暗号化されたデータを読み取り可能にできます。

例 1: 次のコードは、ユーザー制御の鍵サイズ パラメーターを使用して AES 暗号化を実行します。

...
@property (strong, nonatomic) IBOutlet UITextField *inputTextField;
...
CCCrypt(kCCEncrypt,
        kCCAlgorithmAES,
        kCCOptionPKCS7Padding,
        key,
        sizeof(_inputTextField.text),
        iv,
        plaintext,
        sizeof(plaintext),
        ciphertext,
        sizeof(ciphertext),
        &numBytesEncrypted);
...
Example 1 のコードは正常に実行されますが、この機能を使用すれば誰でも UITextField inputTextField のテキストを変更することで暗号化アルゴリズムの鍵サイズ パラメーターを操作できるようになります。プログラムが頒布された後は、悪意のあるユーザーが所定の暗号化実行の鍵サイズを判別したかどうかを知るのは極めて難しいため、ユーザー制御の鍵サイズに関する問題を元に戻すのは非常に困難です。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 326
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[3] Standards Mapping - FIPS200 MP
[4] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[9] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.6.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.objc.weak_encryption_user_controlled_key_size
Abstract
鍵サイズ パラメーターを使用する暗号関数には、汚染された鍵サイズ値を渡さないでください。
Explanation
ユーザー制御の値から鍵サイズを判別できる場合、攻撃者が空の鍵を指定できるようになり、その空の鍵で暗号化されたデータは比較的容易に復号化できます。非ゼロ値が必要な場合でも、攻撃者は可能な範囲で最小の値を指定でき、暗号化のセキュリティが損なわれます。

脆弱な暗号化: ユーザー制御による鍵サイズの問題は、次の場合に発生します。

1.信頼できないソースからデータがプログラムに入り込んだ場合。

2.ユーザー制御のデータは、鍵サイズ パラメーターに部分的に含まれるか、鍵サイズ パラメーター自体として暗号化関数の中で使用されます。

多くのソフトウェアのセキュリティ脆弱性と同様に、脆弱な暗号化: ユーザー制御による鍵サイズは、それ自体が目的ではなく目標を達成するための手段です。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡し、暗号化の実行中にそのデータが鍵サイズ値の全体または一部として使用されます。

ユーザー制御の鍵サイズがある場合の問題は、多様な攻撃が可能になる点です。

1.攻撃者は、この脆弱性を利用して暗号化処理にゼロの鍵サイズを指定し、任意のデータにアクセスできるようにします。ここから、各種アルゴリズムを空の鍵とともに使用して独自のデータを復号化し、アプリケーションに使用されている暗号化実装についての情報を漏洩させようとする試みを、難なく行えるようになります。これにより、攻撃者はクラッキング作業の中で特定のアルゴリズムに的を絞ることができ、他のユーザーの暗号化データを容易に復号化できるようになります。
2.攻撃者は、他のユーザーの暗号化鍵サイズを操作するか、または他のユーザーがゼロの (または可能な限り小さい) 暗号化鍵サイズを使用するように仕組んで、(使用されている暗号化アルゴリズムの情報を得た上で) 他のユーザーの暗号化されたデータを読み取り可能にできます。

例 1: 次のコードはパスワードから鍵を導出しますが、ユーザー制御の導出鍵長を使用します。

...
$hash = hash_pbkdf2('sha256', $password, $random_salt, 100000, strlen($password));
...
Example 1 のコードは正常に実行されますが、変数 user_input はユーザーが制御できるため、この機能を使用できる人は誰でも暗号化アルゴリズムの鍵サイズ パラメーターを操作できるようになります。プログラムが頒布された後は、悪意のあるユーザーが所定の暗号化実行の鍵サイズを判別したかどうかを知るのは極めて難しいため、ユーザー制御の鍵サイズに関する問題を元に戻すのは非常に困難です。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 326
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[3] Standards Mapping - FIPS200 MP
[4] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[9] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.6.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.php.weak_encryption_user_controlled_key_size
Abstract
鍵サイズ パラメーターを使用する暗号関数には、汚染された鍵サイズ値を渡さないでください。
Explanation
ユーザー制御の値から鍵サイズを判別できる場合、攻撃者が空の鍵を指定できるようになり、その空の鍵で暗号化されたデータは比較的容易に復号化できます。非ゼロ値が必要な場合でも、攻撃者は可能な範囲で最小の値を指定でき、暗号化のセキュリティが損なわれます。

脆弱な暗号化:ユーザー制御による鍵サイズの問題は、次の場合に発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. ユーザー制御のデータは、鍵サイズ パラメーターに部分的に含まれるか、鍵サイズ パラメーター自体として暗号化関数の中で使用されます。

多くのソフトウェアのセキュリティ脆弱性と同様に、脆弱な暗号化:ユーザー制御による鍵サイズは、それ自体が目的ではなく目標を達成するための手段です。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡し、暗号化の実行中にそのデータが鍵サイズ値の全体または一部として使用されます。

ユーザー制御の鍵サイズがある場合の問題は、多様な攻撃が可能になる点です。

1. 攻撃者は、この脆弱性を利用して暗号化処理にゼロの鍵サイズを指定し、任意のデータにアクセスできるようにします。ここから、各種アルゴリズムを空の鍵とともに使用して独自のデータを復号化し、アプリケーションに使用されている暗号化実装についての情報を漏洩させようとする試みを、難なく行えるようになります。これにより、攻撃者はクラッキング作業の中で特定のアルゴリズムに的を絞ることができ、他のユーザーの暗号化データを容易に復号化できるようになります。
2. 攻撃者は、他のユーザーの暗号化鍵サイズを操作するか、または他のユーザーがゼロの (または可能な限り小さい) 暗号化鍵サイズを使用するように仕組んで、(使用されている暗号化アルゴリズムの情報を得た上で) 他のユーザーの暗号化されたデータを読み取り可能にできます。

例 1: 次のコードはパスワードから鍵を導出しますが、ユーザー制御の導出鍵長を使用します。

...
dk = hashlib.pbkdf2_hmac('sha256', password, random_salt, 100000, dklen=user_input)
...
Example 1 のコードは正常に実行されますが、変数 user_input はユーザーが制御できるため、この機能を使用できる人は誰でも暗号化アルゴリズムの鍵サイズ パラメーターを操作できるようになります。プログラムが頒布された後は、悪意のあるユーザーが所定の暗号化実行の鍵サイズを判別したかどうかを知るのは極めて難しいため、ユーザー制御の鍵サイズに関する問題を元に戻すのは非常に困難です。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 326
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[3] Standards Mapping - FIPS200 MP
[4] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[9] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.6.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.python.weak_encryption_user_controlled_key_size
Abstract
鍵サイズ パラメーターを使用する暗号関数には、汚染された鍵サイズ値を渡さないでください。
Explanation
ユーザー制御の値から鍵サイズを判別できる場合、攻撃者が空の鍵を指定できるようになり、その空の鍵で暗号化されたデータは比較的容易に復号化できます。非ゼロ値が必要な場合でも、攻撃者は可能な範囲で最小の値を指定でき、暗号化のセキュリティが損なわれます。

脆弱な暗号化:ユーザー制御による鍵サイズの問題は、次の場合に発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. ユーザー制御のデータは、鍵サイズ パラメーターに部分的に含まれるか、鍵サイズ パラメーター自体として暗号化関数の中で使用されます。

多くのソフトウェアのセキュリティ脆弱性と同様に、脆弱な暗号化:ユーザー制御による鍵サイズは、それ自体が目的ではなく目標を達成するための手段です。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡し、暗号化の実行中にそのデータが鍵サイズ値の全体または一部として使用されます。

ユーザー制御の鍵サイズがある場合の問題は、多様な攻撃が可能になる点です。

1. 攻撃者は、この脆弱性を利用して暗号化処理にゼロの鍵サイズを指定し、任意のデータにアクセスできるようにします。ここから、各種アルゴリズムを空の鍵とともに使用して独自のデータを復号化し、アプリケーションに使用されている暗号化実装についての情報を漏洩させようとする試みを、難なく行えるようになります。これにより、攻撃者はクラッキング作業の中で特定のアルゴリズムに的を絞ることができ、他のユーザーの暗号化データを容易に復号化できるようになります。
2. 攻撃者は、他のユーザーの暗号化鍵サイズを操作するか、または他のユーザーがゼロの (または可能な限り小さい) 暗号化鍵サイズを使用するように仕組んで、(使用されている暗号化アルゴリズムの情報を得た上で) 他のユーザーの暗号化されたデータを読み取り可能にできます。

例 1: 次のコードはパスワードから鍵を導出しますが、ユーザー制御の導出鍵長を使用します。

...
dk = OpenSSL::PKCS5.pbkdf2_hmac(password, random_salt, 100000, user_input, digest)
...
Example 1 のコードは正常に実行されますが、変数 user_input はユーザーが制御できるため、この機能を使用できる人は誰でも暗号化アルゴリズムの鍵サイズ パラメーターを操作できるようになります。プログラムが頒布された後は、悪意のあるユーザーが所定の暗号化実行の鍵サイズを判別したかどうかを知るのは極めて難しいため、ユーザー制御の鍵サイズに関する問題を元に戻すのは非常に困難です。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 326
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[3] Standards Mapping - FIPS200 MP
[4] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[9] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.6.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.ruby.weak_encryption_user_controlled_key_size
Abstract
鍵サイズ パラメーターを使用する暗号関数には、汚染された鍵サイズ値を渡さないでください。
Explanation
ユーザー制御の値から鍵サイズを判別できる場合、攻撃者が空の鍵を指定できるようになり、その空の鍵で暗号化されたデータは比較的容易に復号化できます。非ゼロ値が必要な場合でも、攻撃者は可能な範囲で最小の値を指定でき、暗号化のセキュリティが損なわれます。

Weak Encryption: User-Controlled Key Size の問題は、次の場合に発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. ユーザー制御のデータは、鍵サイズ パラメーターに部分的に含まれるか、鍵サイズ パラメーター自体として暗号化関数の中で使用されます。

多くのソフトウェア セキュリティの脆弱性と同様、Weak Encryption: User-Controlled Key Size は目的を達成するための手段であって、目的そのものではありません。基本的には、この脆弱性は単純なものです。攻撃者は悪意のあるデータをアプリケーションに渡し、暗号化の実行中にそのデータが鍵サイズ値の全体または一部として使用されます。

ユーザー制御の鍵サイズがある場合の問題は、多様な攻撃が可能になる点です。

1. 攻撃者は、この脆弱性を利用して暗号化処理にゼロの鍵サイズを指定し、任意のデータにアクセスできるようにします。ここから、各種アルゴリズムを空の鍵とともに使用して独自のデータを復号化し、アプリケーションに使用されている暗号化実装についての情報を漏洩させようとする試みを、難なく行えるようになります。これにより、攻撃者はクラッキング作業の中で特定のアルゴリズムに的を絞ることができ、他のユーザーの暗号化データを容易に復号化できるようになります。
2. 攻撃者は、他のユーザーの暗号化鍵サイズを操作するか、または他のユーザーがゼロの (または可能な限り小さい) 暗号化鍵サイズを使用するように仕組んで、(使用されている暗号化アルゴリズムの情報を得た上で) 他のユーザーの暗号化されたデータを読み取り可能にできます。

例 1: 次のコードは、ユーザー制御の鍵サイズ パラメーターを使用して AES 暗号化を実行します。

...
@IBOutlet weak var inputTextField : UITextField!
...
let key = (inputTextField.text as NSString).dataUsingEncoding(NSUTF8StringEncoding)
let keyPointer = UnsafePointer<UInt8>(key.bytes)
let keyLength = size_t(key.length)
...
let operation : CCOperation = UInt32(kCCEncrypt)
let algoritm : CCAlgorithm = UInt32(kCCAlgorithmAES128)
let options : CCOptions = UInt32(kCCOptionPKCS7Padding)
var numBytesEncrypted :size_t = 0
CCCrypt(operation,
        algorithm,
        options,
        keyPointer,
        keyLength,
        iv,
        plaintextPointer,
        plaintextLength,
        ciphertextPointer,
        ciphertextLength,
        &numBytesEncrypted)
...
Example 1 のコードは正常に実行されますが、この機能を使用すれば誰でも UITextField inputTextField のテキストを変更することで暗号化アルゴリズムの鍵サイズ パラメーターを操作できるようになります。プログラムが頒布された後は、悪意のあるユーザーが所定の暗号化実行の鍵サイズを判別したかどうかを知るのは極めて難しいため、ユーザー制御の鍵サイズに関する問題を元に戻すのは非常に困難です。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 326
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[3] Standards Mapping - FIPS200 MP
[4] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-12 Cryptographic Key Establishment and Management (P1), SC-13 Cryptographic Protection (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-12 Cryptographic Key Establishment and Management, SC-13 Cryptographic Protection
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[9] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.6.1, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.6.1, Requirement 6.3.1.3, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.6.1, Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.6.1, Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.6.1, Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.6.1, Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.6.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.6.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.6.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.swift.weak_encryption_user_controlled_key_size

WSE Misconfiguration: Insufficient Encryption

Abstract
シグネチャの暗号化に失敗すると、ブルートフォース攻撃が成功する可能性が高くなります。
Explanation
MessageProtectionOrder 属性を使用すると、シグネチャと暗号化を適用する順序 (およびシグネチャを暗号化するかどうか) を指定できます。MessageProtectionOrder 属性を SignBeforeEncryptAndEncryptSignature 以外に設定すると、セキュリティの問題につながる可能性があります。

次のリストは、SignBeforeEncryptAndEncryptSignature 以外に設定可能な値とそれに関連する問題です。
SignBeforeEncrypt - 暗号化されていないメッセージにシグネチャが適用されますが、シグネチャ自体は暗号化されません。
EncryptBeforeSign - メッセージの内容は暗号化されてから署名されます。

パスワードなどの低エントロピ キーで署名されたメッセージは、ブルートフォース攻撃に対する脆弱性が高まります。
References
[1] MessageProtectionOrder Enumeration Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 311
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[10] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[29] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[30] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II, APP3260.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II, APP3260 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II, APP3260 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II, APP3260 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000260 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.config.dotnet.wse_misconfiguration_insufficient_encryption

WSE Misconfiguration: Missing Authorization

Abstract
<authorization> タグを明示的に設定しないと、特権の昇格や匿名アクセスが発生する可能性があります。
Explanation
<authorization> 要素は、承認ルールのリストを指定します。<authorization> 要素があるが送信者にルールが適用されない場合、アクセスは拒否されます [1]。
この場合、特定された設定ファイルには <authorization> タグがなく、匿名アクセスが発生する可能性があります。
References
[1] Element Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 285
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-002165
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users)
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access
[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 7.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10, Requirement 7.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.config.dotnet.wse_misconfiguration_missing_authorization

WSE Misconfiguration: Unsigned Fault Timestamp

Abstract
署名されていないタイムスタンプがあると、SOAP メッセージが改ざんやリプレイ攻撃を受けやすくなります。
Explanation
セキュリティ タイムスタンプは、メッセージの新しさを示します。攻撃者がメッセージを傍受して後で再送信した場合、タイムスタンプでメッセージが古くなっていることが示されるため、受信者がリプレイ攻撃を拒否できます。オプションで、タイムスタンプに、セキュリティのセマンティクスを有効とする期間を厳しく制限する有効期限属性を含めることができます。

攻撃者がタイムスタンプを改ざんするのを防ぐために、タイムスタンプに署名する必要があります。署名されたタイムスタンプがないと、受信者が気づかないまま、攻撃者が SOAP メッセージを傍受し、タイムスタンプを変更し、メッセージを送信する可能性があります。このような状況では、攻撃者が、悪意のあるメッセージを受け入れるように受信者をだます可能性があります。

WSE ポリシー ファイルの次のスニペットは、タイムスタンプが SOAP フォルトに含まれていない例です。

<policies>
...
      <protection>
        <fault signatureOptions="IncludeAddressing, IncludeSoapBody" encryptBody="true" />
References
[1] Element Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 345
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3860 CAT II, APP3260 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3860 CAT II, APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3860 CAT II, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3860 CAT II, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3860 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3860 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
desc.config.dotnet.wse_misconfiguration_unsigned_fault_timestamp

WSE Misconfiguration: Unsigned Request Timestamp

Abstract
署名されていないタイムスタンプがあると、SOAP メッセージが改ざんやリプレイ攻撃を受けやすくなります。
Explanation
セキュリティ タイムスタンプは、メッセージの新しさを示します。攻撃者がメッセージを傍受して後で再送信した場合、タイムスタンプでメッセージが古くなっていることが示されるため、受信者がリプレイ攻撃を拒否できます。オプションで、タイムスタンプに、セキュリティのセマンティクスを有効とする期間を厳しく制限する有効期限属性を含めることができます。

攻撃者がタイムスタンプを改ざんするのを防ぐために、タイムスタンプに署名する必要があります。署名されたタイムスタンプがないと、受信者が気づかないまま、攻撃者が SOAP メッセージを傍受し、タイムスタンプを変更し、メッセージを送信する可能性があります。このような状況では、攻撃者が、悪意のあるメッセージを受け入れるように受信者をだます可能性があります。

WSE ポリシー ファイルの次のスニペットは、タイムスタンプが SOAP メッセージ リクエストに含まれていない例です。

<policies>
...
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeSoapBody" encryptBody="true" />
References
[1] Element Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 345
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3860 CAT II, APP3260 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3860 CAT II, APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3860 CAT II, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3860 CAT II, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3860 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3860 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
desc.config.dotnet.wse_misconfiguration_unsigned_request_timestamp

WSE Misconfiguration: Unsigned Response Timestamp

Abstract
署名されていないタイムスタンプがあると、SOAP メッセージが改ざんやリプレイ攻撃を受けやすくなります。
Explanation
セキュリティ タイムスタンプは、メッセージの新しさを示します。攻撃者がメッセージを傍受して後で再送信した場合、タイムスタンプでメッセージが古くなっていることが示されるため、受信者がリプレイ攻撃を拒否できます。オプションで、タイムスタンプに、セキュリティのセマンティクスを有効とする期間を厳しく制限する有効期限属性を含めることができます。

攻撃者がタイムスタンプを改ざんするのを防ぐために、タイムスタンプに署名する必要があります。署名されたタイムスタンプがないと、受信者が気づかないまま、攻撃者が SOAP メッセージを傍受し、タイムスタンプを変更し、メッセージを送信する可能性があります。このような状況では、攻撃者が、悪意のあるメッセージを受け入れるように受信者をだます可能性があります。

WSE ポリシー ファイルの次のスニペットは、タイムスタンプが SOAP メッセージ レスポンスに含まれていない例です。

<policies>
...
      <protection>
        <response signatureOptions="IncludeAddressing, IncludeSoapBody" encryptBody="true" />
References
[1] Element Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 345
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3860 CAT II, APP3260 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3860 CAT II, APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3860 CAT II, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3860 CAT II, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3860 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3860 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
desc.config.dotnet.wse_misconfiguration_unsigned_response_timestamp

XML Entity Expansion Injection

Abstract
文書型定義 (DTD) エンティティ レゾリューションを回避または制限するように構成していない XML パーサーを使用すると、パーサーは、XML Entity Expansion injection にさらされる可能性があります。
Explanation
XML Bombs としても知られている XML Entity Expansion injection は、有効で巧妙に形成された XML ブロックからメリットを得る DoS 攻撃で、サーバーの割り当て済みリソースを使い果たすまで急激に拡大します。XML では、文字列置き換えマクロとして機能するカスタム エンティティを定義できます。反復エンティティ レゾリューションをネスト化することで、攻撃者は簡単にサーバーのリソースをクラッシュさせる可能性があります。

次の XML ドキュメントは、XML Bomb の例を示しています。

    <?xml version="1.0"?>
    <!DOCTYPE lolz [
      <!ENTITY lol "lol">
      <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
      <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
      <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
      <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
      <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
      <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
      <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
      <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
    ]>
    <lolz>&lol9;</lolz>


このテストは、メモリ内で小さい XML ドキュメントを 3 GB を超える大きさに拡大してサーバーをクラッシュさせることができます。
References
[1] XML External Entity (XXE) Processing OWASP
[2] Testing for XML Injection OWASP
[3] XML External Entities The Web Application Security Consortium
[4] Standards Mapping - Common Weakness Enumeration CWE ID 776
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[9] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.2 File Upload Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[12] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[14] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[15] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2010 A1 Injection
[17] Standards Mapping - OWASP Top 10 2013 A1 Injection
[18] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[53] Standards Mapping - Web Application Security Consortium Version 2.00 XML Entity Expansion (WASC-44)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.abap.xml_entity_expansion_injection
Abstract
文書型定義 (DTD) エンティティ レゾリューションを回避または制限するように構成していない XML パーサーを使用すると、パーサーは、XML Entity Expansion injection 攻撃にさらされる可能性があります
Explanation
XML Entity Expansion Injection 攻撃は、有効で形式も正しい XML ブロックが、サーバーに割り当てられたリソースを使い果たすまで増殖する DoS 攻撃です。XML では、文字列置換マクロとして動作するカスタムエンティティを定義することができます。反復するエンティティ レゾリューションをネストすることで、攻撃者は容易にサーバー リソースをクラッシュさせることができます。

次の XML ドキュメントは、XML Bomb 攻撃の例です。

<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>


このテストでは、小さな XML ドキュメントをメモリ上で 3GB 以上に展開することで、サーバーをクラッシュできます。
References
[1] XML Denial of Service Attacks and Defenses MSDN Magazine
[2] XML External Entity (XXE) Processing OWASP
[3] Testing for XML Injection OWASP
[4] XML External Entities The Web Application Security Consortium
[5] Standards Mapping - Common Weakness Enumeration CWE ID 776
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[10] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.2 File Upload Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[54] Standards Mapping - Web Application Security Consortium Version 2.00 XML Entity Expansion (WASC-44)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.dotnet.xml_entity_expansion_injection
Abstract
文書型定義 (DTD) エンティティ レゾリューションを回避または制限するように構成していない XML パーサーを使用すると、パーサーは、XML Entity Expansion injection にさらされる可能性があります。
Explanation
XML Entity Expansion Injection (XML Bombs とも呼ぶ) 攻撃は、有効で形式も正しい XML ブロックが、サーバーに割り当てられたリソースを使い果たすまで増殖する Denial Of Service (DoS) 攻撃です。XML では、文字列置換マクロとして動作するカスタムエンティティを定義することができます。反復するエンティティ レゾリューションをネストすることで、攻撃者は容易にサーバー リソースをクラッシュさせることができます。

次の XML ドキュメントは、XML Bomb 攻撃の例です。

<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>


このテストでは、小さな XML ドキュメントをメモリ上で 3GB 以上に展開することで、サーバーをクラッシュできます。
References
[1] XML External Entity (XXE) Processing OWASP
[2] Testing for XML Injection OWASP
[3] XML External Entities The Web Application Security Consortium
[4] INJECT-5: Restrict XML inclusion Oracle
[5] Standards Mapping - Common Weakness Enumeration CWE ID 776
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[10] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.2 File Upload Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[54] Standards Mapping - Web Application Security Consortium Version 2.00 XML Entity Expansion (WASC-44)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.java.xee_injection
Abstract
文書型定義 (DTD) エンティティ レゾリューションを回避または制限するように構成していない XML パーサーを使用すると、パーサーは、XML Entity Expansion injection にさらされる可能性があります。
Explanation
XML Bombs としても知られている XML Entity Expansion injection は、有効で巧妙に形成された XML ブロックからメリットを得る DoS 攻撃で、サーバーの割り当て済みリソースを使い果たすまで急激に拡大します。XML では、文字列置き換えマクロとして機能するカスタム エンティティを定義できます。反復エンティティ レゾリューションをネスト化することで、攻撃者は簡単にサーバーのリソースをクラッシュさせる可能性があります。

次の XML ドキュメントは、XML Bomb の例を示しています。

    <?xml version="1.0"?>
    <!DOCTYPE lolz [
      <!ENTITY lol "lol">
      <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
      <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
      <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
      <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
      <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
      <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
      <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
      <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
    ]>
    <lolz>&lol9;</lolz>


このテストは、メモリ内で小さい XML ドキュメントを 3 GB を超える大きさに拡大してサーバーをクラッシュさせることができます。
References
[1] XML External Entity (XXE) Processing OWASP
[2] Testing for XML Injection OWASP
[3] XML External Entities The Web Application Security Consortium
[4] Standards Mapping - Common Weakness Enumeration CWE ID 776
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[9] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.2 File Upload Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[12] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[14] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[15] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2010 A1 Injection
[17] Standards Mapping - OWASP Top 10 2013 A1 Injection
[18] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[53] Standards Mapping - Web Application Security Consortium Version 2.00 XML Entity Expansion (WASC-44)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.php.xml_entity_expansion_injection
Abstract
文書型定義 (DTD) エンティティ レゾリューションを回避または制限するように構成していない XML パーサーを使用すると、パーサーは、XML Entity Expansion injection にさらされる可能性があります。
Explanation
XML Entity Expansion Injection (XML Bombs とも呼ぶ) 攻撃は、有効で形式も正しい XML ブロックが、サーバーに割り当てられたリソースを使い果たすまで増殖する DoS 攻撃です。XML では、文字列置換マクロとして動作するカスタムエンティティを定義することができます。反復するエンティティ レゾリューションをネストすることで、攻撃者は容易にサーバー リソースをクラッシュさせることができます。

次の XML ドキュメントは、XML Bomb 攻撃の例です。

<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>


このテストでは、小さな XML ドキュメントをメモリ上で 3GB 以上に展開することで、サーバーをクラッシュできます。
References
[1] XML vulnerabilities
[2] Announcing defusedxml, Fixes for XML Security Issues
[3] defusedxml
[4] defusedexpat
[5] XML External Entity (XXE) Processing OWASP
[6] Testing for XML Injection OWASP
[7] XML External Entities The Web Application Security Consortium
[8] Standards Mapping - Common Weakness Enumeration CWE ID 776
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[13] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.2 File Upload Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[23] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 XML Entity Expansion (WASC-44)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.python.xee_injection
Abstract
文書型定義 (DTD) エンティティ レゾリューションを回避または制限するように構成していない XML パーサーを使用すると、パーサーは、XML Entity Expansion injection にさらされる可能性があります。
Explanation
XML Entity Expansion Injection (XML Bombs とも呼ぶ) 攻撃は、有効で形式も正しい XML ブロックが、サーバーに割り当てられたリソースを使い果たすまで増殖する DoS 攻撃です。XML では、文字列置換マクロとして動作するカスタムエンティティを定義することができます。反復するエンティティ レゾリューションをネストすることで、攻撃者は容易にサーバー リソースをクラッシュさせることができます。

次の XML ドキュメントは、XML Bomb 攻撃の例です。

<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>


このテストでは、小さな XML ドキュメントをメモリ上で 3GB 以上に展開することで、サーバーをクラッシュできます。
References
[1] XML External Entity (XXE) Processing OWASP
[2] Testing for XML Injection OWASP
[3] XML External Entities The Web Application Security Consortium
[4] Standards Mapping - Common Weakness Enumeration CWE ID 776
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[9] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.2 File Upload Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[12] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[14] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[15] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2010 A1 Injection
[17] Standards Mapping - OWASP Top 10 2013 A1 Injection
[18] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I
[53] Standards Mapping - Web Application Security Consortium Version 2.00 XML Entity Expansion (WASC-44)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.ruby.xee_injection

XML External Entity Injection

Abstract
外部エンティティ レゾリューションを回避または制限するように構成していない XML パーサーを使用すると、パーサーは、XML External Entities 攻撃にさらされる可能性があります
Explanation
XML External Entity 攻撃は、処理の際に動的にドキュメントを作成する XML の機能を利用しています。XML エンティティは、特定のリソースから動的にデータを取り込むことができます。外部エンティティでは、XML ドキュメントに外部 URI からのデータを含めることができます。別途設定をしない限り、外部エンティティは XML パーサーに対し、URI で指定されたリソース (ローカル マシン上またはリモート システム上のファイルなど) へのアクセスを強制します。この動作は、アプリケーションを XML External Entity (XXE) 攻撃にさらします。それによって、ローカル システムの Denial of Service、ローカル マシン上のファイルへの未許可のアクセス、リモート マシンのスキャン、リモート システムの Denial of Service が実行される可能性があります。

次の ABAP コードは安全でない XML パースを示しています。

...
DATA(ixml) = cl_ixml=>create( ).
DATA(stream_factory) = ixml->create_stream_factory( ).
istream = stream_factory->create_istream_string(
  `<?xml version="1.0" encoding="UTF-8"?> ` &&
  `<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> ` &&
  `<stockCheck>&xxe;</stockCheck>` ).
istream->set_dtd_restriction( level = 0 ).
DATA(document) = ixml->create_document( ).
parser = ixml->create_parser(
                          stream_factory = stream_factory
                          istream        = istream
                          document       = document ).
parser->set_validating( mode = `0` ).
DATA(rc) = parser->parse( ).
...


この例では、XML パーサーがエンティティをファイルの内容と置き換えようとすると、Linux システム上の '/etc/passwd' パスワード ファイルの内容が公開される可能性があります。
References
[1] XML Denial of Service Attacks and Defenses MSDN Magazine
[2] XML External Entity (XXE) Processing OWASP
[3] Testing for XML Injection OWASP
[4] XML External Entities The Web Application Security Consortium
[5] Standards Mapping - Common Weakness Enumeration CWE ID 611
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[23] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[24] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[25] Standards Mapping - OWASP Top 10 2010 A1 Injection
[26] Standards Mapping - OWASP Top 10 2013 A1 Injection
[27] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[28] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[41] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.dataflow.abap.xml_external_entity_injection
Abstract
外部エンティティ レゾリューションを回避または制限するように構成していない XML パーサーを使用すると、パーサーは、XML External Entities 攻撃にさらされる可能性があります
Explanation
XML External Entities 攻撃は、処理の際に動的にドキュメントを作成する XML の機能を利用しています。XML エンティティは、特定のリソースから動的にデータを取り込むことができます。外部エンティティでは、XML ドキュメントに外部 URI からのデータを含めることができます。別途設定をしない限り、外部エンティティは XML パーサーに URI で指定されたリソース (たとえば、ローカルマシンまたはリモートシステム上のファイル) へのアクセスを強制します。この動作は、アプリケーションを XML External Entity (XXE) 攻撃にさらします。この攻撃は、ローカルシステムサービスの拒否、ローカルマシン上のファイルへの未許可のアクセス、リモートマシンのスキャン、および、リモートシステムのサービスの拒否をするのに使用されます。

次の XML ドキュメントは、XXE 攻撃の例です。

<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///c:/winnt/win.ini" >]><foo>&xxe;</foo>


この例では、XML パーサーがエンティティをファイルの内容と置き換えようとすると、C:\winnt\win.ini システムファイルの内容が公開される可能性があります。
References
[1] XML Denial of Service Attacks and Defenses MSDN Magazine
[2] XML External Entity (XXE) Processing OWASP
[3] Testing for XML Injection OWASP
[4] XML External Entities The Web Application Security Consortium
[5] Standards Mapping - Common Weakness Enumeration CWE ID 611
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[23] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[24] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[25] Standards Mapping - OWASP Top 10 2010 A1 Injection
[26] Standards Mapping - OWASP Top 10 2013 A1 Injection
[27] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[28] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[41] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.controlflow.dotnet.xml_external_entity_injection
Abstract
この特定のメソッドは、外部エンティティの参照を許可しています。このコールにより、攻撃者は XML 外部エンティティを XML 文書に挿入して、ファイルの内容または内部ネットワークリソースを開示する可能性があります。
Explanation
次の場合に XML External Entity (XXE) injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. データは XML 文書内の DTD (Document Type Definition) の<ENTITY> 要素に書き込まれます。

アプリケーションは、通常、XML を使用してデータを保存したりメッセージを送信したりします。XML がデータの保存に使用される場合、XML 文書はデータベースのように扱われ、重要な情報が含まれる場合があります。XML メッセージは、Web サービスでも頻繁に使用されており、重要な情報を送信するときにも使用される場合があります。XML メッセージは、認証情報を送信するときに使用されることさえあります。

攻撃者にユーザー加工前の XML への書き込みができる場合、XML 文書およびメッセージのセマンティクスが改変される場合があります。最も害のない場合でも、攻撃者はネスト化されたエンティティ参照を挿入し、XML パーサーに大量の CPU リソースを消費させ続けることができます。より悪質な XML External Entity Injection の場合、攻撃者は、ローカルの File System リソースの内容を開示したり内部ネットワーク リソースの存在を明らかにしたりする XML 要素を追加できる可能性があります。

例 1: XXE 攻撃に対して脆弱な Objective-C コードの例を次に示します。


- (void) parseSomeXML: (NSString *) rawXml {

    BOOL success;
    NSData *rawXmlConvToData = [rawXml dataUsingEncoding:NSUTF8StringEncoding];
    NSXMLParser *myParser = [[NSXMLParser alloc] initWithData:rawXmlConvToData];
    [myParser setShouldResolveExternalEntities:YES];
    [myParser setDelegate:self];
}


次のような XML で攻撃者が rawXml を制御できると考えてみます。


 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>


XML がサーバーによって評価される場合、<foo> 要素には boot.ini ファイルの内容が含まれます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 611
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[7] Standards Mapping - FIPS200 SI
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[17] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[19] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[21] Standards Mapping - OWASP Top 10 2010 A1 Injection
[22] Standards Mapping - OWASP Top 10 2013 A1 Injection
[23] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[24] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.semantic.cpp.xml_external_entity_injection
Abstract
外部エンティティ レゾリューションを回避または制限するように構成していない XML パーサーを使用すると、パーサーは、XML External Entities 攻撃にさらされる可能性があります
Explanation
XML External Entities 攻撃は、処理の際に動的にドキュメントを作成する XML の機能を利用しています。XML エンティティは、特定のリソースから動的にデータを取り込むことができます。外部エンティティでは、XML ドキュメントに外部 URI からのデータを含めることができます。別途設定をしない限り、外部エンティティは XML パーサーに URI で指定されたリソース (たとえば、ローカルマシンまたはリモートシステム上のファイル) へのアクセスを強制します。この動作は、アプリケーションを XML External Entity (XXE) 攻撃にさらします。この攻撃は、ローカルシステムサービスの拒否、ローカルマシン上のファイルへの未許可のアクセス、リモートマシンのスキャン、および、リモートシステムのサービスの拒否をするのに使用されます。
例 1: 次の XML ドキュメントは、XXE 攻撃の例を示しています。

<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>


この例では、XML パーサーがエンティティを /dev/random ファイルの内容に置き換えようとすると、サーバー (UNIX システム) がクラッシュする可能性があります。

例 2: 次の Java コードは、XML パーサーを悪用して XXE 攻撃を実行する方法を示しています。

String xml = "...";
...
try {
    SAXParserFactory factory = SAXParserFactory.newInstance();
    SAXParser saxParser = factory.newSAXParser();

    DefaultHandler handler = new DefaultHandler() {
        @Override
        public void characters(char[] ch, int start, int length) throws SAXException {
            System.out.println(new String(ch, start, length));
        }
    };

    saxParser.parse(new InputSource(new StringReader(xml)), handler);
} catch (Exception e) {
    e.printStackTrace();
}
...

この例では、Java コードは外部エンティティ参照を含む XML 文字列を使用します。外部エンティティ レゾリューションを無効にするように適切に構成されていない場合、UNIX システムでサーバーがクラッシュする可能性があります。
References
[1] XML External Entity (XXE) Processing OWASP
[2] Testing for XML Injection OWASP
[3] XML External Entities The Web Application Security Consortium
[4] IDS17-J. Prevent XML External Entity Attacks CERT
[5] DOS-1: Beware of activities that may use disproportionate resources Oracle
[6] INJECT-5: Restrict XML inclusion Oracle
[7] Standards Mapping - Common Weakness Enumeration CWE ID 611
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[13] Standards Mapping - FIPS200 SI
[14] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[17] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[18] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[23] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[25] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[26] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[27] Standards Mapping - OWASP Top 10 2010 A1 Injection
[28] Standards Mapping - OWASP Top 10 2013 A1 Injection
[29] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[30] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.semantic.java.xxe_injection
Abstract
外部エンティティ レゾリューションの回避も制限もしない XML プロセッサーを使用すると、アプリケーションが XML External Entity 攻撃にさらされる可能性があります。
Explanation
XML External Entity 攻撃は、実行時にドキュメントを動的に作成する XML の機能を利用しています。XML エンティティは、特定のリソースからデータを動的に取り込めるようにします。外部エンティティでは、XML ドキュメントに外部 URI からのデータを含めることができます。別途設定をしない限り、外部エンティティは XML パーサーに対し、URI で指定されたリソース (ローカル マシン上またはリモート システム上のファイルなど) へのアクセスを強制します。この動作は、アプリケーションを XML External Entity (XXE) 攻撃にさらします。これにより攻撃者は、ローカル システムのサービス妨害、ローカル マシン上のファイルへの不正アクセス、リモート マシンのスキャン、リモート システムのサービス妨害を実行できるようになります。


例 1: 次の XML ドキュメントは、XXE 攻撃の例を示しています。

<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>


この例では、XML パーサーがエンティティを /dev/random ファイルの内容に置き換えようとすると、サーバー (UNIX システム上) がクラッシュする可能性があります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 611
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[7] Standards Mapping - FIPS200 SI
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[17] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[19] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[21] Standards Mapping - OWASP Top 10 2010 A1 Injection
[22] Standards Mapping - OWASP Top 10 2013 A1 Injection
[23] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[24] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.dataflow.javascript.xxe_injection
Abstract
この特定のメソッドは、外部エンティティの参照を許可しています。このコールにより、攻撃者は XML 外部エンティティを XML 文書に挿入して、ファイルの内容または内部ネットワークリソースを開示する可能性があります。
Explanation
次の場合に XML External Entity (XXE) injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. XML 文書内の DTD (Document Type Definition) の <ENTITY> 要素にデータが書き込まれた場合。

アプリケーションは、通常、XML を使用してデータを保存したりメッセージを送信したりします。XML がデータの保存に使用される場合、XML 文書はデータベースのように扱われ、重要な情報が含まれる場合があります。XML メッセージは、Web サービスでも頻繁に使用されており、重要な情報を送信するときにも使用される場合があります。XML メッセージは、認証情報を送信するときに使用されることさえあります。

攻撃者にユーザー加工前の XML への書き込みができる場合、XML 文書およびメッセージのセマンティクスが改変される場合があります。最も害のない場合でも、攻撃者はネスト化されたエンティティ参照を挿入し、XML パーサーに大量の CPU リソースを消費させ続けることができます。より悪質な XML External Entity Injection の場合、攻撃者は、ローカルの File System リソースの内容を開示したり内部ネットワーク リソースの存在を明らかにしたりする XML 要素を追加できる可能性があります。

例 1: XXE 攻撃に対して脆弱なコードの例を次に示します。


- (void) parseSomeXML: (NSString *) rawXml {

    BOOL success;
    NSData *rawXmlConvToData = [rawXml dataUsingEncoding:NSUTF8StringEncoding];
    NSXMLParser *myParser = [[NSXMLParser alloc] initWithData:rawXmlConvToData];
    [myParser setShouldResolveExternalEntities:YES];
    [myParser setDelegate:self];
}


次のような XML で攻撃者が rawXml を制御できると考えてみます。


 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>


XML がサーバーによって評価される場合、<foo> 要素には boot.ini ファイルの内容が含まれます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 611
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[7] Standards Mapping - FIPS200 SI
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[17] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[19] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[21] Standards Mapping - OWASP Top 10 2010 A1 Injection
[22] Standards Mapping - OWASP Top 10 2013 A1 Injection
[23] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[24] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.semantic.objc.xml_external_entity_injection
Abstract
未検証の XML 文書を処理することによって、攻撃者が、XML の構造およびコンテンツを改竄したり、ホストサーバーのポートをスキャンしたり、内部ネットワークをホストスキャンしたり、ファイルシステム内の任意のファイルや、アプリケーションの Denial of Service の原因を組み込む可能性があります。
Explanation
次の場合に XML External Entity (XXE) injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. このデータは、XML 文書に書き込まれます。

アプリケーションは、通常、XML を使用してデータを保存したりメッセージを送信したりします。XML がデータの保存に使用される場合、XML 文書はデータベースのように扱われ、重要な情報が含まれる場合があります。XML メッセージは、Web サービスでも頻繁に使用されており、重要な情報を送信するときにも使用される場合があります。XML メッセージは、認証情報を送信するときに使用されることさえあります。

攻撃者にユーザー加工前の XML への書き込みができる場合、XML 文書およびメッセージのセマンティクスが改変される場合があります。最も害のない場合でも、攻撃者はネスト化されたエンティティ参照を挿入し、XML パーサーに大量の CPU リソースを消費させ続けることができます。より悪質な XML External Entity Injection の場合、攻撃者はローカルの File System リソースの内容を開示したり、内部ネットワーク リソースの存在を明らかにしたり、バックエンド コンテンツ自体を危険にさらす XML 要素を追加できる可能性があります。

例 1: XXE 攻撃に対して脆弱なコードの例を次に示します。

攻撃者は以下のコードへの XML 入力を制御できるものと仮定します。


...
<?php
$goodXML = $_GET["key"];
$doc = simplexml_load_string($goodXml);
echo $doc->testing;
?>
...


ここで、攻撃者からExample 2 のコードに以下の XML が渡されると仮定してください。



<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>



この XML を処理するとき、<foo> 要素のコンテンツにはシステムの boot.ini ファイルのコンテンツが埋め込まれます。攻撃者は、データを盗み出したり、ネットワーク リソースの存在に関する情報を取得するために、クライアントに返される XML 要素を利用することができます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 611
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[7] Standards Mapping - FIPS200 SI
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[17] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[19] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[21] Standards Mapping - OWASP Top 10 2010 A1 Injection
[22] Standards Mapping - OWASP Top 10 2013 A1 Injection
[23] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[24] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.dataflow.php.xml_external_entity_injection
Abstract
外部エンティティ レゾリューションの回避も制限もしない XML プロセッサーを使用すると、アプリケーションが XML External Entities 攻撃にさらされる可能性があります。
Explanation
XML External Entities 攻撃は、実行時にドキュメントを動的に作成する XML の機能を利用しています。XML エンティティは、特定のリソースからデータを動的に取り込めるようにします。外部エンティティでは、XML ドキュメントに外部 URI からのデータを含めることができます。別途設定をしない限り、外部エンティティは XML パーサーに対し、URI で指定されたリソース (ローカル マシン上またはリモート システム上のファイルなど) へのアクセスを強制します。この動作は、アプリケーションを XML External Entity (XXE) 攻撃にさらします。これは攻撃者が、ローカル システムのサービス妨害、ローカル マシン上のファイルへの未許可のアクセス、リモート マシンのスキャン、リモート システムのサービス妨害をするのに使用します。


例 1: 次の XML ドキュメントは、XXE 攻撃の例です。

<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>


この例では、XML パーサーがエンティティを /dev/random ファイルの内容に置き換えようとすると、サーバー (UNIX システム) がクラッシュする可能性があります。
References
[1] XML vulnerabilities
[2] Announcing defusedxml, Fixes for XML Security Issues
[3] defusedxml
[4] defusedexpat
[5] XML External Entity (XXE) Processing OWASP
[6] Testing for XML Injection (OWASP-DV-008) OWASP
[7] XML External Entities The Web Application Security Consortium
[8] Standards Mapping - Common Weakness Enumeration CWE ID 611
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[14] Standards Mapping - FIPS200 SI
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[17] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[18] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[19] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[20] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[21] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[24] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[26] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[27] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[28] Standards Mapping - OWASP Top 10 2010 A1 Injection
[29] Standards Mapping - OWASP Top 10 2013 A1 Injection
[30] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[31] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[40] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[43] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[67] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.dataflow.python.xxe_injection
Abstract
外部エンティティ レゾリューションを回避または制限するように構成していない XML パーサーを使用すると、パーサーは、XML External Entities 攻撃にさらされる可能性があります
Explanation
XML External Entities 攻撃は、処理の際に動的にドキュメントを作成する XML の機能を利用しています。XML エンティティは、特定のリソースから動的にデータを取り込むことができます。外部エンティティでは、XML ドキュメントに外部 URI からのデータを含めることができます。別途設定をしない限り、外部エンティティは XML パーサーに URI で指定されたリソース (たとえば、ローカルマシンまたはリモートシステム上のファイル) へのアクセスを強制します。この動作は、アプリケーションを XML External Entity (XXE) 攻撃にさらします。この攻撃は、ローカルシステムサービスの拒否、ローカルマシン上のファイルへの未許可のアクセス、リモートマシンのスキャン、および、リモートシステムのサービスの拒否をするのに使用されます。

次の XML ドキュメントは、XXE 攻撃の例です。

<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>


例の XML ドキュメントでは、/etc/passwd のコンテンツを読み込み、それらをドキュメントに含めます。

例 1: 次のコードでは、安全でない XML パーサーを使用して HTTP リクエストからの信頼されていない入力を処理します。 


def readFile() = Action { request =>
    val xml = request.cookies.get("doc")
    val doc = XMLLoader.loadString(xml)
    ...
}
References
[1] XML External Entity (XXE) Processing OWASP
[2] Testing for XML Injection OWASP
[3] XML External Entities The Web Application Security Consortium
[4] IDS17-J. Prevent XML External Entity Attacks CERT
[5] DOS-1: Beware of activities that may use disproportionate resources Oracle
[6] INJECT-5: Restrict XML inclusion Oracle
[7] Standards Mapping - Common Weakness Enumeration CWE ID 611
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[13] Standards Mapping - FIPS200 SI
[14] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[17] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[18] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[19] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[20] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[23] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[25] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[26] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[27] Standards Mapping - OWASP Top 10 2010 A1 Injection
[28] Standards Mapping - OWASP Top 10 2013 A1 Injection
[29] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[30] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[42] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[66] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.dataflow.scala.xml_external_entity_injection
Abstract
この特定のメソッドは、外部エンティティの参照を許可しています。このコールにより、攻撃者は XML 外部エンティティを XML 文書に挿入して、ファイルの内容または内部ネットワークリソースを開示する可能性があります。
Explanation
次の場合に XML External Entity (XXE) injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. データは XML 文書内の DTD (Document Type Definition) の<ENTITY> 要素に書き込まれます。

アプリケーションは、通常、XML を使用してデータを保存したりメッセージを送信したりします。XML がデータの保存に使用される場合、XML 文書はデータベースのように扱われ、重要な情報が含まれる場合があります。XML メッセージは、Web サービスでも頻繁に使用されており、重要な情報を送信するときにも使用される場合があります。XML メッセージは、認証情報を送信するときに使用されることさえあります。

攻撃者にユーザー加工前の XML への書き込みができる場合、XML 文書およびメッセージのセマンティクスが改変される場合があります。最も害のない場合でも、攻撃者はネスト化されたエンティティ参照を挿入し、XML パーサーに大量の CPU リソースを消費させ続けることができます。より悪質な XML External Entity Injection の場合、攻撃者は、ローカルの File System リソースの内容を開示したり内部ネットワーク リソースの存在を明らかにしたりする XML 要素を追加できる可能性があります。

例 1: XXE 攻撃に対して脆弱なコードの例を次に示します。


func parseXML(xml: String) {
    parser = NSXMLParser(data: rawXml.dataUsingEncoding(NSUTF8StringEncoding)!)
    parser.delegate = self
    parser.shouldResolveExternalEntities = true
    parser.parse()
}


XML が以下のようになっている rawXml コンテンツを攻撃者が制御できる場合を考えてみましょう。


 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>


XML がサーバーによって評価される場合、<foo> 要素には boot.ini ファイルの内容が含まれます。
References
[1] XML External Entity (XXE) Processing OWASP
[2] Testing for XML Injection OWASP
[3] XML External Entities The Web Application Security Consortium
[4] Standards Mapping - Common Weakness Enumeration CWE ID 611
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [17] CWE ID 611
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [19] CWE ID 611
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [23] CWE ID 611
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [24] CWE ID 611
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.5.2 Deserialization Prevention Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-STORAGE-2
[22] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[23] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[24] Standards Mapping - OWASP Top 10 2010 A1 Injection
[25] Standards Mapping - OWASP Top 10 2013 A1 Injection
[26] Standards Mapping - OWASP Top 10 2017 A4 XML External Entities (XXE)
[27] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2.2 - Web Software Attack Mitigation
[40] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 XML External Entities (WASC-43)
desc.structural.swift.xml_external_entity_injection

XML Injection

Abstract
XML 文書に未検証のデータを書き込むことによって、攻撃者に XML の構造およびコンテンツの改竄を許す可能性があります。
Explanation
次の場合に XML Injection が発生します。

1.信頼できないソースからデータがプログラムに入力された場合。

2.このデータは、XML 文書に書き込まれます。

アプリケーションは、通常、XML を使用してデータを保存したりメッセージを送信したりします。XML がデータの保存に使用される場合、XML 文書はデータベースのように扱われ、重要な情報が含まれる場合があります。XML メッセージは、Web サービスでも頻繁に使用されており、重要な情報を送信するときにも使用される場合があります。XML メッセージは、認証情報を送信するときに使用されることさえあります。

攻撃者が XML に書き込みが可能な場合、XML 文書およびメッセージのセマンティクスが改変される場合があります。攻撃者は余分なタグを挿入して、XML パーサーで例外を発生させることもできます。悪質な場合、攻撃者は認証情報を変更する XML 要素を追加したり、XML を使用する e コマース データベースで価格を改変する可能性があります。また、XML Injection により、Cross-Site Scripting や Dynamic Code Evaluation が引き起こされる場合もあります。

例 1:

以下の XML の shoes を攻撃者が制御できる場合を考えてみましょう。

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


ここで、この XML がバックエンドの Web サービス リクエストに追加され、一足の靴が注文されるとします。攻撃者がリクエストを変更して、shoesshoes</item><price>1.00</price><item>shoes に置き換えるとします。新しい XML は以下のようになります。

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


ABAP iXML パーサーを使用すると、2 番目の <price> の値により最初の <price> タグの値が上書きされます。これにより、攻撃者は $100 の靴を $1 で購入できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.abap.xml_injection
Abstract
XML 文書に未検証のデータを書き込むことによって、攻撃者に XML の構造およびコンテンツの改竄を許す可能性があります。
Explanation
次の場合に XML Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. このデータは、XML 文書に書き込まれます。

アプリケーションは、通常、XML を使用してデータを保存したりメッセージを送信したりします。XML がデータの保存に使用される場合、XML 文書はデータベースのように扱われ、重要な情報が含まれる場合があります。XML メッセージは、Web サービスでも頻繁に使用されており、重要な情報を送信するときにも使用される場合があります。XML メッセージは、認証情報を送信するときに使用されることさえあります。

攻撃者が XML に書き込みが可能な場合、XML 文書およびメッセージのセマンティクスが改変される場合があります。攻撃者は余分なタグを挿入して、XML パーサーで例外を発生させることもできます。悪質な場合、攻撃者は認証情報を変更する XML 要素を追加したり、XML を使用する e コマース データベースで価格を改変する可能性があります。また、XML Injection により、Cross-Site Scripting や Dynamic Code Evaluation が引き起こされる場合もあります。

例 1:

以下の XML の shoes を攻撃者が制御できる場合を考えてみましょう。

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


ここで、この XML がバックエンドの Web サービスリクエストに追加され、一足の靴が注文されるとします。攻撃者がリクエストを変更して、shoesshoes</item><price>1.00</price><item>shoes に置き換えるとします。新しい XML は以下のようになります。

<order>
   <price>100.00</price>
   <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


SAX パーサーを使用すると、2 番目の <price> の値により最初の <price> タグの値が上書きされます。これにより、攻撃者は $100 の靴を $1 で購入できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.dotnet.xml_injection
Abstract
この特定のメソッドは、未検証の XML 入力を書き込みます。このコールにより、攻撃者は任意の要素や属性を XML 文書に挿入する可能性があります。
Explanation
次の場合に XML Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。


2. このデータは、XML 文書に書き込まれます。

アプリケーションは、通常、XML を使用してデータを保存したりメッセージを送信したりします。XML がデータの保存に使用される場合、XML 文書はデータベースのように扱われ、重要な情報が含まれる場合があります。XML メッセージは、Web サービスでも頻繁に使用されており、重要な情報を送信するときにも使用される場合があります。XML メッセージは、認証情報を送信するときに使用されることさえあります。

攻撃者が XML に書き込みが可能な場合、XML 文書およびメッセージのセマンティクスが改変される場合があります。攻撃者は余分なタグを挿入して、XML パーサーで例外を発生させることもできます。悪質な場合、攻撃者は認証情報を変更する XML 要素を追加したり、XML を使用する e コマース データベースで価格を改変する可能性があります。また、XML Injection により、Cross-Site Scripting や Dynamic Code Evaluation が引き起こされる場合もあります。

例 1:

以下の XML の shoes を攻撃者が制御できる場合を考えてみましょう。

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


ここで、この XML がバックエンドの Web サービスリクエストに追加され、一足の靴が注文されるとします。攻撃者がリクエストを変更して、shoesshoes</item><price>1.00</price><item>shoes に置き換えるとします。新しい XML は以下のようになります。

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


SAX パーサーを使用すると、2 番目の <price> の値により最初の <price> タグの値が上書きされます。これにより、攻撃者は $100 の靴を $1 で購入できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.cpp.xml_injection
Abstract
XML 文書に未検証のデータを書き込むことによって、攻撃者に XML の構造およびコンテンツの改竄を許す可能性があります。
Explanation
次の場合に XML Injection が発生します。

1.信頼できないソースからデータがプログラムに入力された場合。

2.このデータは、XML 文書に書き込まれます。

アプリケーションは、通常、XML を使用してデータを保存したりメッセージを送信したりします。XML がデータの保存に使用される場合、XML 文書はデータベースのように扱われ、重要な情報が含まれる場合があります。XML メッセージは、Web サービスでも頻繁に使用されており、重要な情報を送信するときにも使用される場合があります。XML メッセージは、認証情報を送信するときに使用されることさえあります。

攻撃者が XML に書き込みが可能な場合、XML 文書およびメッセージのセマンティクスが改変される場合があります。攻撃者は余分なタグを挿入して、XML パーサーで例外を発生させることもできます。悪質な場合、攻撃者は認証情報を変更する XML 要素を追加したり、XML を使用する e コマース データベースで価格を改変する可能性があります。また、XML Injection により、Cross-Site Scripting や Dynamic Code Evaluation が引き起こされる場合もあります。

例 1:

以下の XML の shoes を攻撃者が制御できる場合を考えてみましょう。

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


ここで、この XML がバックエンドの Web サービス リクエストに追加され、一足の靴が注文されるとします。攻撃者がリクエストを変更して、shoesshoes</item><price>1.00</price><item>shoes に置き換えるとします。新しい XML は以下のようになります。

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


SAX パーサーを使用すると、2 番目の <price> の値により最初の <price> タグの値が上書きされます。これにより、攻撃者は $100 の靴を $1 で購入できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.golang.xml_injection
Abstract
XML 文書に未検証のデータを書き込むことによって、攻撃者に XML の構造およびコンテンツの改竄を許す可能性があります。
Explanation
次の場合に XML Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. このデータは、XML 文書に書き込まれます。

アプリケーションは、通常、XML を使用してデータを保存したりメッセージを送信したりします。XML がデータの保存に使用される場合、XML 文書はデータベースのように扱われ、重要な情報が含まれる場合があります。XML メッセージは、Web サービスでも頻繁に使用されており、重要な情報を送信するときにも使用される場合があります。XML メッセージは、認証情報を送信するときに使用されることさえあります。

攻撃者が XML に書き込みが可能な場合、XML 文書およびメッセージのセマンティクスが改変される場合があります。攻撃者は余分なタグを挿入して、XML パーサーで例外を発生させることもできます。悪質な場合、攻撃者は認証情報を変更する XML 要素を追加したり、XML を使用する e コマース データベースで価格を改変する可能性があります。また、XML Injection により、Cross-Site Scripting や Dynamic Code Evaluation が引き起こされる場合もあります。

例 1:

以下の XML の shoes を攻撃者が制御できる場合を考えてみましょう。

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


ここで、この XML がバックエンドの Web サービスリクエストに追加され、一足の靴が注文されるとします。攻撃者がリクエストを変更して、shoesshoes</item><price>1.00</price><item>shoes に置き換えるとします。新しい XML は以下のようになります。

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


SAX パーサーを使用すると、2 番目の <price> の値により最初の <price> タグの値が上書きされます。これにより、攻撃者は $100 の靴を $1 で購入できます。
References
[1] IDS16-J. Prevent XML Injection CERT
[2] INJECT-3: XML and HTML generation requires care Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 91
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.java.xml_injection
Abstract
XML 文書に未検証のデータを書き込むことによって、攻撃者に XML の構造およびコンテンツの改竄を許す可能性があります。
Explanation
次の場合に XML Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。


2. このデータは、XML 文書に書き込まれます。

アプリケーションは、通常、XML を使用してデータを保存したりメッセージを送信したりします。XML がデータの保存に使用される場合、XML 文書はデータベースのように扱われ、重要な情報が含まれる場合があります。XML メッセージは、Web サービスでも頻繁に使用されており、重要な情報を送信するときにも使用される場合があります。XML メッセージは、認証情報を送信するときに使用されることさえあります。

攻撃者が XML に書き込みが可能な場合、XML 文書およびメッセージのセマンティクスが改変される場合があります。攻撃者は余分なタグを挿入して、XML パーサーで例外を発生させることもできます。悪質な場合、攻撃者は認証情報を変更する XML 要素を追加したり、XML を使用する e コマース データベースで価格を改変する可能性があります。また、XML Injection により、Cross-Site Scripting や Dynamic Code Evaluation が引き起こされる場合もあります。

例 1:

以下の XML の shoes を攻撃者が制御できる場合を考えてみましょう。

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


ここで、この XML がバックエンドの Web サービスリクエストに追加され、一足の靴が注文されるとします。攻撃者がリクエストを変更して、shoesshoes</item><price>1.00</price><item>shoes に置き換えるとします。新しい XML は以下のようになります。

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


これにより、攻撃者は $100 の靴を $1 で購入できてしまうことがあります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.javascript.xml_injection
Abstract
この特定のメソッドは、未検証の XML 入力を書き込みます。このコールにより、攻撃者は任意の要素や属性を XML 文書に挿入する可能性があります。
Explanation
次の場合に XML Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。


2. このデータは、XML 文書に書き込まれます。

アプリケーションは、通常、XML を使用してデータを保存したりメッセージを送信したりします。XML がデータの保存に使用される場合、XML 文書はデータベースのように扱われ、重要な情報が含まれる場合があります。XML メッセージは、Web サービスでも頻繁に使用されており、重要な情報を送信するときにも使用される場合があります。XML メッセージは、認証情報を送信するときに使用されることさえあります。

攻撃者が XML に書き込みが可能な場合、XML 文書およびメッセージのセマンティクスが改変される場合があります。攻撃者は余分なタグを挿入して、XML パーサーで例外を発生させることもできます。悪質な場合、攻撃者は認証情報を変更する XML 要素を追加したり、XML を使用する e コマース データベースで価格を改変する可能性があります。また、XML Injection により、Cross-Site Scripting や Dynamic Code Evaluation が引き起こされる場合もあります。

例 1:

以下の XML の shoes を攻撃者が制御できる場合を考えてみましょう。

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


ここで、この XML がバックエンドの Web サービスリクエストに追加され、一足の靴が注文されるとします。攻撃者がリクエストを変更して、shoesshoes</item><price>1.00</price><item>shoes に置き換えるとします。新しい XML は以下のようになります。

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


SAX パーサーを使用すると、2 番目の <price> の値により最初の <price> タグの値が上書きされます。これにより、攻撃者は $100 の靴を $1 で購入できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.objc.xml_injection
Abstract
XML 文書に未検証のデータを書き込むことによって、攻撃者に XML の構造およびコンテンツの改竄を許す可能性があります。
Explanation
次の場合に XML Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. このデータは、XML 文書に書き込まれます。

アプリケーションは、通常、XML を使用してデータを保存したりメッセージを送信したりします。XML がデータの保存に使用される場合、XML 文書はデータベースのように扱われ、重要な情報が含まれる場合があります。XML メッセージは、Web サービスでも頻繁に使用されており、重要な情報を送信するときにも使用される場合があります。XML メッセージは、認証情報を送信するときに使用されることさえあります。

攻撃者が XML に書き込みが可能な場合、XML 文書およびメッセージのセマンティクスが改変される場合があります。攻撃者は余分なタグを挿入して、XML パーサーで例外を発生させることもできます。悪質な場合、攻撃者は認証情報を変更する XML 要素を追加したり、XML を使用する e コマース データベースで価格を改変する可能性があります。また、XML Injection により、Cross-Site Scripting や Dynamic Code Evaluation が引き起こされる場合もあります。

例 1:

以下の XML の shoes を攻撃者が制御できる場合を考えてみましょう。

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


ここで、この XML がバックエンドの Web サービスリクエストに追加され、一足の靴が注文されるとします。攻撃者がリクエストを変更して、shoesshoes</item><price>1.00</price><item>shoes に置き換えるとします。新しい XML は以下のようになります。

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


XML パーサーを使用すると、2 番目の <price> の値により最初の <price> タグの値が上書きされます。これにより、攻撃者は $100 の靴を $1 で購入できます。


XML External Entity (XXE) Injection と呼ばれる、この攻撃のより深刻な状態が、攻撃者が解析される XML 文書のフロントまたはすべてを制御する際に発生します。

例 2: XXE 攻撃に対して脆弱なコードの例を次に示します。

攻撃者は以下のコードへの XML 入力を制御できるものと仮定します。


...
<?php
$goodXML = $_GET["key"];
$doc = simplexml_load_string($goodXml);
echo $doc->testing;
?>
...


ここで、攻撃者からExample 2 のコードに以下の XML が渡されると仮定してください。



<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]><foo>&xxe;</foo>



この XML を処理するとき、<foo> 要素のコンテンツにはシステムの boot.ini ファイルのコンテンツが埋め込まれます。攻撃者は、データを盗み出したり、ネットワーク リソースの存在に関する情報を取得するために、クライアントに返される XML 要素を利用することができます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.php.xml_injection
Abstract
XML 文書に未検証のデータを書き込むことによって、攻撃者に XML の構造およびコンテンツの改竄を許す可能性があります。
Explanation
次の場合に XML Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. このデータは、XML 文書に書き込まれます。

アプリケーションは、通常、XML を使用してデータを保存したりメッセージを送信したりします。XML がデータの保存に使用される場合、XML 文書はデータベースのように扱われ、重要な情報が含まれる場合があります。XML メッセージは、Web サービスでも頻繁に使用されており、重要な情報を送信するときにも使用される場合があります。XML メッセージは、認証情報を送信するときに使用されることさえあります。

攻撃者が XML に書き込みが可能な場合、XML 文書およびメッセージのセマンティクスが改変される場合があります。攻撃者は余分なタグを挿入して、XML パーサーで例外を発生させることもできます。悪質な場合、攻撃者は認証情報を変更する XML 要素を追加したり、XML を使用する e コマース データベースで価格を改変する可能性があります。また、XML Injection により、Cross-Site Scripting や Dynamic Code Evaluation が引き起こされる場合もあります。

例 1:

以下の XML の shoes を攻撃者が制御できる場合を考えてみましょう。

<order>
    <price>100.00</price>
    <item>shoes</item>
</order>


ここで、この XML がバックエンドの Web サービスリクエストに追加され、一足の靴が注文されるとします。攻撃者がリクエストを変更して、shoesshoes</item><price>1.00</price><item>shoes に置き換えるとします。新しい XML は以下のようになります。

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


SAX パーサーを使用すると、2 番目の <price> の値により最初の <price> タグの値が上書きされます。これにより、攻撃者は $100 の靴を $1 で購入できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.python.xml_injection
Abstract
XML 文書に未検証のデータを書き込むと、攻撃者に XML の構造やコンテンツの改竄を許可してしまいます。未検証の XML をパースすると、サービス妨害、機密情報の漏えい、さらにはリモートでのコードの実行を招くことがあります。
Explanation
次の場合に XML Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2.このデータは、XML 文書に書き込まれるか、XML としてパースされます。

アプリケーションは、通常、XML を使用してデータを保存したりメッセージを送信したりします。XML がデータの保存に使用される場合、XML 文書はデータベースのように扱われ、重要な情報が含まれる場合があります。XML メッセージは、Web サービスでも頻繁に使用されており、重要な情報を送信するときにも使用される場合があります。XML メッセージは、認証情報を送信するときに使用されることさえあります。

攻撃者が XML に書き込みが可能な場合、XML 文書およびメッセージのセマンティクスが改変される場合があります。攻撃者は余分なタグを挿入して、XML パーサーで例外を発生させることもできます。悪質な場合、攻撃者は認証情報を変更する XML 要素を追加したり、XML を使用する e コマース データベースで価格を改変する可能性があります。また、XML Injection により、Cross-Site Scripting や Dynamic Code Evaluation が引き起こされる場合もあります。

例 1:

以下の XML の shoes を攻撃者が制御できる場合を考えてみましょう。

<order>
    <price>100.00</price>
    <item>shoes</item>
</order>


ここで、この XML がバックエンドの Web サービスリクエストに追加され、一足の靴が注文されるとします。攻撃者がリクエストを変更して、shoesshoes</item><price>1.00</price><item>shoes に置き換えるとします。新しい XML は以下のようになります。

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


SAX パーサーを使用すると、2 番目の <price> の値により最初の <price> タグの値が上書きされます。これにより、攻撃者は $100 の靴を $1 で購入できます。
References
[1] Introduction to Software Security: XML Injection Atacks University of Wisconsin-Madison
[2] Exploitation: XML External Entity (XXE) Injection Depth Security
[3] Standards Mapping - Common Weakness Enumeration CWE ID 91
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.ruby.xml_injection
Abstract
XML 文書に未検証のデータを書き込むと、攻撃者に XML の構造やコンテンツの改竄を許可してしまいます。未検証の XML をパースすると、サービス妨害、機密情報の漏えい、さらにはリモートでのコードの実行を招くことがあります。
Explanation
次の場合に XML Injection が発生します。

1.信頼できないソースからデータがプログラムに入り込んだ場合。

2.このデータは、XML 文書に書き込まれるか、XML としてパースされます。

アプリケーションは、通常、XML を使用してデータを保存したりメッセージを送信したりします。XML がデータの保存に使用される場合、XML 文書はデータベースのように扱われ、重要な情報が含まれる場合があります。XML メッセージは、Web サービスでも頻繁に使用されており、重要な情報を送信するときにも使用される場合があります。XML メッセージは、認証情報を送信するときに使用されることさえあります。

攻撃者が XML に書き込みが可能な場合、XML 文書およびメッセージのセマンティクスが改変される場合があります。攻撃者は余分なタグを挿入して、XML パーサーで例外を発生させることもできます。悪質な場合、攻撃者は認証情報を変更する XML 要素を追加したり、XML を使用する e コマース データベースで価格を改変する可能性があります。また、XML Injection により、Cross-Site Scripting や Dynamic Code Evaluation が引き起こされる場合もあります。

例 1:

以下の XML の shoes を攻撃者が制御できる場合を考えてみましょう。

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


ここで、この XML がバックエンドの Web サービスリクエストに追加され、一足の靴が注文されるとします。攻撃者がリクエストを変更して、shoesshoes</item><price>1.00</price><item>shoes に置き換えるとします。新しい XML は以下のようになります。

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


SAX パーサーを使用すると、2 番目の <price> の値により最初の <price> タグの値が上書きされます。これにより、攻撃者は $100 の靴を $1 で購入できます。
References
[1] IDS16-J. Prevent XML Injection CERT
[2] INJECT-3: XML and HTML generation requires care Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 91
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.scala.xml_injection
Abstract
この特定のメソッドは、未検証の XML 入力を書き込みます。このコールにより、攻撃者は任意の要素や属性を XML 文書に挿入する可能性があります。
Explanation
次の場合に XML Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。


2. このデータは、XML 文書に書き込まれます。

アプリケーションは、通常、XML を使用してデータを保存したりメッセージを送信したりします。XML がデータの保存に使用される場合、XML 文書はデータベースのように扱われ、重要な情報が含まれる場合があります。XML メッセージは、Web サービスでも頻繁に使用されており、重要な情報を送信するときにも使用される場合があります。XML メッセージは、認証情報を送信するときに使用されることさえあります。

攻撃者が XML に書き込みが可能な場合、XML 文書およびメッセージのセマンティクスが改変される場合があります。攻撃者は余分なタグを挿入して、XML パーサーで例外を発生させることもできます。悪質な場合、攻撃者は認証情報を変更する XML 要素を追加したり、XML を使用する e コマース データベースで価格を改変する可能性があります。また、XML Injection により、Cross-Site Scripting や Dynamic Code Evaluation が引き起こされる場合もあります。

例 1:

以下の XML の shoes を攻撃者が制御できる場合を考えてみましょう。

<order>
   <price>100.00</price>
   <item>shoes</item>
</order>


ここで、この XML がバックエンドの Web サービスリクエストに追加され、一足の靴が注文されるとします。攻撃者がリクエストを変更して、shoesshoes</item><price>1.00</price><item>shoes に置き換えるとします。新しい XML は以下のようになります。

<order>
    <price>100.00</price>
    <item>shoes</item><price>1.00</price><item>shoes</item>
</order>


SAX パーサーを使用すると、2 番目の <price> の値により最初の <price> タグの値が上書きされます。これにより、攻撃者は $100 の靴を $1 で購入できます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.swift.xml_injection

XML Injection: Open XML

Abstract
Open XML 文書に未検証のデータを書き込むことによって、攻撃者に基盤となる XML の構造およびコンテンツの改竄を許す可能性があります。
Explanation
XML Injection: Open XML は次の場合に発生します:

1.信頼できないソースからデータがプログラムに入り込んだ場合。


2.このデータは、Open XML 文書に書き込まれます。

Open XML 文書は通常、他のユーザーに提示する情報を保存するために使用され、多くの場合機密情報が含まれています。

攻撃者が未加工の XML に書き込みが可能な場合、Open XML 文書のセマンティクスが改変される場合があります。攻撃者は余分なタグを挿入して、Open XML パーサーで例外を発生させることもできます。悪質な場合、攻撃者は重要な情報を指定する XML 要素を変更、追加、または削除する可能性があります。また、XML Injection により、Cross-Site Scripting や Dynamic Code Evaluation が引き起こされる場合もあります。

例 1:

攻撃者が次の Open XML 文書から a:t タグを制御できると仮定します。

<a:t>YoY results: up 10%</a:t>


ここで、会社が株主に提供している Powerpoint プレゼンテーションにこの XML が含まれているとします。この場合、会社には顧客向けサイトに文書をアップロードするサービスがあり、XML Injection の脆弱性が含まれています。攻撃者が文書を変更して「YoY results: down 10%」に書き換えたとします。この重大な更新により、会社の株価が大きく変動する可能性があります。変更を加えなくても、この機密情報が公知となる前にアクセスできるユーザーは、インサイダー取引のように株式市場でこの情報を活用できる可能性があります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 91
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[11] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[12] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[13] Standards Mapping - OWASP Top 10 2010 A1 Injection
[14] Standards Mapping - OWASP Top 10 2013 A1 Injection
[15] Standards Mapping - OWASP Top 10 2017 A1 Injection
[16] Standards Mapping - OWASP Top 10 2021 A03 Injection
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3810 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3810 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3810 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3810 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3810 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3810 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 XML Injection (WASC-23)
desc.dataflow.dotnet.xml_injection_open_xml

XPath Injection

Abstract
ユーザー入力を使用して XPath クエリを動的に構築すると、攻撃者によりステートメントの意味が改変される可能性があります。
Explanation
次の場合に XPath Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。



2. データが XPath クエリの動的な構築に使用された場合。

例 1: 以下のコードは、指定されたアカウント ID の電子メールアドレスを取得する XPath クエリを動的に構築して実行します。このアカウント ID は、HTTP リクエストから読み取られるため、信頼することはできません。


...
string acctID = Request["acctID"];
string query = null;
if(acctID != null) {
       StringBuffer sb = new StringBuffer("/accounts/account[acctID='");
       sb.append(acctID);
       sb.append("']/email/text()");
       query = sb.toString();
}

XPathDocument docNav = new XPathDocument(myXml);
XPathNavigator nav = docNav.CreateNavigator();
nav.Evaluate(query);
...


アカウント番号 1 に属する電子メールアドレスを検索するような通常の状況では、このコードが実行するクエリは次のようになります。

/accounts/account[acctID='1']/email/text()

ただし、クエリは定数ベースのクエリ文字列とユーザー入力の文字列を連結して動的に構築されるため、acctID に単一引用符が含まれない場合のみクエリは正しく動作します。攻撃者が acctID に文字列「1' or '1' = '1」を入力すると、クエリは次のようになります。

/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 条件を追加すると、where 句は常に真 (true) の評価をします。そのため、このクエリは次のような単純なクエリと論理的に等しくなります。

//email/text()

このクエリの単純化により攻撃者は、クエリが返すのは認証済みユーザーが所有するアイテムのみでなければならないという要件を回避できます。クエリは、特定の所有者に関係なく、文書内に格納されているすべての電子メール アドレスを返すようになりました。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 643
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.1 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 XPath Injection (WASC-39)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 XPath Injection
desc.dataflow.dotnet.xpath_injection
Abstract
この特定のメソッドは、未検証の入力を使用して構築された XPath クエリを呼び出します。このコールにより、攻撃者は、ステートメントの意味を改変したり、任意の XPath クエリを実行したりできるようになります。
Explanation
次の場合に XPath Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。




2. データが XPath クエリの動的な構築に使用された場合。

例 1: C API をコールする次の Objective-C コードは、指定されたアカウント ID の電子メール アドレスを取得する XPath クエリを動的に構築して実行します。このアカウント ID は、HTTP リクエストから読み取られるため、信頼することはできません。


...
    NSString *accountStr = account.text;

    xmlXPathContextPtr xpathCtx;
    NSString *query = @"/accounts/account[actId='" + accountStr + @"']/email/text()";

    xpathCtx = xmlXPathNewContext(doc);

    /* Evaluate XPath expression */
    xmlChar *queryString =
        (xmlChar *)[query cStringUsingEncoding:NSUTF8StringEncoding];
    xpathObj = xmlXPathEvalExpression(queryString, xpathCtx);
...


アカウント番号 1 に属する電子メールアドレスを検索するような通常の状況では、このコードが実行するクエリは次のようになります。

/accounts/account[acctID='1']/email/text()

ただし、クエリは定数ベースのクエリ文字列とユーザー入力の文字列を連結して動的に構築されるため、acctID に単一引用符が含まれない場合のみクエリは正しく動作します。攻撃者が acctID に文字列「1' or '1' = '1」を入力すると、クエリは次のようになります。

/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 条件を追加すると、where 句は常に真 (true) の評価を行います。そのため、このクエリは次のような単純なクエリと論理的に等しくなります。

//email/text()

このクエリの単純化により攻撃者は、クエリが返すのは認証済みユーザーが所有するアイテムのみでなければならないという要件を回避できます。クエリは、特定の所有者に関係なく、文書内に格納されているすべての電子メール アドレスを返すようになりました。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 643
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.1 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 XPath Injection (WASC-39)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 XPath Injection
desc.dataflow.cpp.xpath_injection
Abstract
ユーザー入力を使用して XPath クエリを動的に構築すると、攻撃者によりステートメントの意味が改変される可能性があります。
Explanation
次の場合に XPath Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。



2. データが XPath クエリの動的な構築に使用された場合。

例 1: 以下のコードは、指定されたアカウント ID の電子メールアドレスを取得する XPath クエリを動的に構築して実行します。このアカウント ID は、HTTP リクエストから読み取られるため、信頼することはできません。


query = "/accounts/account[acctID='" & url.acctID & "']/email/text()";
selectedElements = XmlSearch(myxmldoc, query);


アカウント番号 1 に属する電子メールアドレスを検索するような通常の状況では、このコードが実行するクエリは次のようになります。

/accounts/account[acctID='1']/email/text()

ただし、クエリは定数ベースのクエリ文字列とユーザー入力の文字列を連結して動的に構築されるため、acctID に単一引用符が含まれない場合のみクエリは正しく動作します。攻撃者が acctID に文字列「1' or '1' = '1」を入力すると、クエリは次のようになります。

/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 条件を追加すると、where 句は常に真 (true) の評価をします。そのため、このクエリは次のような単純なクエリと論理的に等しくなります。

//email/text()

このクエリの単純化により攻撃者は、クエリが返すのは認証済みユーザーが所有するアイテムのみでなければならないという要件を回避できます。クエリは、特定の所有者に関係なく、文書内に格納されているすべての電子メール アドレスを返すようになりました。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 643
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.1 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 XPath Injection (WASC-39)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 XPath Injection
desc.dataflow.cfml.xpath_injection
Abstract
ユーザー入力を使用して XPath クエリを動的に構築すると、攻撃者によりステートメントの意味が改変される可能性があります。
Explanation
次の場合に XPath Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。



2. データが XPath クエリの動的な構築に使用された場合。

例 1: 以下のコードは、指定されたアカウント ID の電子メールアドレスを取得する XPath クエリを動的に構築して実行します。このアカウント ID は、HTTP リクエストから読み取られるため、信頼することはできません。


...
String acctID = request.getParameter("acctID");
String query = null;
if(acctID != null) {
       StringBuffer sb = new StringBuffer("/accounts/account[acctID='");
       sb.append(acctID);
       sb.append("']/email/text()");
       query = sb.toString();
}

DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
domFactory.setNamespaceAware(true);
DocumentBuilder builder = domFactory.newDocumentBuilder();
Document doc = builder.parse("accounts.xml");
XPathFactory factory = XPathFactory.newInstance();
XPath xpath = factory.newXPath();
XPathExpression expr = xpath.compile(query);
Object result = expr.evaluate(doc, XPathConstants.NODESET);
...


アカウント番号 1 に属する電子メールアドレスを検索するような通常の状況では、このコードが実行するクエリは次のようになります。

/accounts/account[acctID='1']/email/text()

ただし、クエリは定数ベースのクエリ文字列とユーザー入力の文字列を連結して動的に構築されるため、acctID に単一引用符が含まれない場合のみクエリは正しく動作します。攻撃者が acctID に文字列「1' or '1' = '1」を入力すると、クエリは次のようになります。

/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 条件を追加すると、where 句は常に真 (true) の評価をします。そのため、このクエリは次のような単純なクエリと論理的に等しくなります。

//email/text()

このクエリの単純化により攻撃者は、クエリが返すのは認証済みユーザーが所有するアイテムのみでなければならないという要件を回避できます。クエリは、特定の所有者に関係なく、文書内に格納されているすべての電子メール アドレスを返すようになりました。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 643
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.1 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 XPath Injection (WASC-39)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 XPath Injection
desc.dataflow.java.xpath_injection
Abstract
この特定のメソッドは、未検証の入力を使用して構築された XPath クエリを呼び出します。このコールにより、攻撃者は、ステートメントの意味を改変したり、任意の XPath クエリを実行したりできるようになります。
Explanation
次の場合に XPath Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。




2. データが XPath クエリの動的な構築に使用された場合。

例 1: 以下のコードは、指定されたアカウント ID の電子メールアドレスを取得する XPath クエリを動的に構築して実行します。このアカウント ID は、HTTP リクエストから読み取られるため、信頼することはできません。


...
    NSString *accountStr = account.text;

    xmlXPathContextPtr xpathCtx;
    NSString *query = @"/accounts/account[actId='" + accountStr + @"']/email/text()";

    xpathCtx = xmlXPathNewContext(doc);

    /* Evaluate XPath expression */
    xmlChar *queryString =
        (xmlChar *)[query cStringUsingEncoding:NSUTF8StringEncoding];
    xpathObj = xmlXPathEvalExpression(queryString, xpathCtx);
...


アカウント番号 1 に属する電子メールアドレスを検索するような通常の状況では、このコードが実行するクエリは次のようになります。

/accounts/account[acctID='1']/email/text()

ただし、クエリは定数ベースのクエリ文字列とユーザー入力の文字列を連結して動的に構築されるため、acctID に単一引用符が含まれない場合のみクエリは正しく動作します。攻撃者が acctID に文字列「1' or '1' = '1」を入力すると、クエリは次のようになります。

/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 条件を追加すると、where 句は常に真 (true) の評価をします。そのため、このクエリは次のような単純なクエリと論理的に等しくなります。

//email/text()

このクエリの単純化により攻撃者は、クエリが返すのは認証済みユーザーが所有するアイテムのみでなければならないという要件を回避できます。クエリは、特定の所有者に関係なく、文書内に格納されているすべての電子メール アドレスを返すようになりました。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 643
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.1 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 XPath Injection (WASC-39)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 XPath Injection
desc.dataflow.objc.xpath_injection
Abstract
ユーザー入力を使用して XPath クエリを動的に構築すると、攻撃者によりステートメントの意味が改変される可能性があります。
Explanation
次の場合に XPath Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。



2. データが XPath クエリの動的な構築に使用されます。

例 1: 以下のコードは、指定されたアカウント ID の電子メールアドレスを取得する XPath クエリを動的に構築して実行します。このアカウント ID は、HTTP リクエストから読み取られるため、信頼することはできません。


...
<?php
load('articles.xml');
 
$xpath = new DOMXPath($doc);
$emailAddrs = $xpath->query(&quot;/accounts/account[acctID='&quot; . $_GET[&quot;test1&quot;] . &quot;']/email/text()&quot;);
//$arts = $xpath->evaluate(&quot;/accounts/account[acctID='&quot; . $_GET[&quot;test1&quot;] . &quot;']/email/text()&quot;)
 
foreach ($emailAddrs as $email)
{
    echo $email->nodeValue."";
}
	?>
...


アカウント番号 1 に属する電子メールアドレスを検索するような通常の状況では、このコードが実行するクエリは次のようになります。

/accounts/account[acctID='1']/email/text()

ただし、クエリは定数のクエリ文字列とユーザー入力の文字列を連結して動的に構築されるため、acctID に単一引用符が含まれない場合のみクエリは正しく動作します。攻撃者が acctID に文字列「1' or '1' = '1」を入力すると、クエリは次のようになります。

/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 条件を追加すると、where 句は常に真 (true) の評価をします。そのため、このクエリは次のような単純なクエリと論理的に等しくなります。

//email/text()

このクエリの単純化により攻撃者は、クエリが返すのは認証済みユーザーが所有するアイテムのみでなければならないという要件を回避できます。クエリは、特定の所有者に関係なく、文書内に格納されているすべての電子メール アドレスを返すようになりました。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 643
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.1 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 XPath Injection (WASC-39)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 XPath Injection
desc.dataflow.php.xpath_injection
Abstract
ユーザー入力を使用して XPath クエリを動的に構築すると、攻撃者によりステートメントの意味が改変される可能性があります。
Explanation
次の場合に XPath Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。



2. データが XPath クエリの動的な構築に使用されます。

例 1: 以下のコードは、指定されたアカウント ID の電子メールアドレスを取得する XPath クエリを動的に構築して実行します。このアカウント ID は、HTTP リクエストから読み取られるため、信頼することはできません。


...
tree = etree.parse('articles.xml')
emailAddrs = "/accounts/account[acctID=" + request.GET["test1"] + "]/email/text()"
r = tree.xpath(emailAddrs)
...


アカウント番号 1 に属する電子メールアドレスを検索するような通常の状況では、このコードが実行するクエリは次のようになります。

/accounts/account[acctID='1']/email/text()

ただし、クエリは定数のクエリ文字列とユーザー入力の文字列を連結して動的に構築されるため、acctID に単一引用符が含まれない場合のみクエリは正しく動作します。攻撃者が acctID に文字列「1' or '1' = '1」を入力すると、クエリは次のようになります。

/accounts/account[acctID='1' or '1' = '1']/email/text()1' or '1' = '1 条件を追加すると、where 句は常に真 (true) の評価をします。そのため、このクエリは次のような単純なクエリと論理的に等しくなります。

//email/text()

このクエリの単純化により攻撃者は、クエリが返すのは認証済みユーザーが所有するアイテムのみでなければならないという要件を回避できます。クエリは、特定の所有者に関係なく、文書内に格納されているすべての電子メール アドレスを返すようになりました。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 643
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.1 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.10 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A03 Injection
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 XPath Injection (WASC-39)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 XPath Injection
desc.dataflow.python.xpath_injection

XQuery Injection

Abstract
動的な XQuery 式の構築にユーザー入力を使用すると、攻撃者によるステートメントの改変が可能になります。
Explanation
次の場合に XQuery Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。



2. データが XQuery 式の動的な構築に使用された場合。

例 1: 以下のコードは、特定のユーザー名とパスワードの組み合わせでユーザー アカウントを検索する XQuery 式を動的に構築し、実行します。ユーザー名とパスワードは HTTP リクエストから返されたものであり、したがって、信頼できません。


  ...

  String squery = "for \$user in doc(users.xml)//user[username='" + Request["username"] + "'and pass='" + Request["password"] + "'] return \$user";

  Processor processor = new Processor();

  XdmNode indoc = processor.NewDocumentBuilder().Build(new Uri(Server.MapPath("users.xml")));

  StreamReader query = new StreamReader(squery);
  XQueryCompiler compiler = processor.NewXQueryCompiler();
  XQueryExecutable exp = compiler.Compile(query.ReadToEnd());
  XQueryEvaluator eval = exp.Load();
  eval.ContextItem = indoc;

  Serializer qout = new Serializer();
  qout.SetOutputProperty(Serializer.METHOD, "xml");
  qout.SetOutputProperty(Serializer.DOCTYPE_PUBLIC, "-//W3C//DTD XHTML 1.0 Strict//EN");
  qout.SetOutputProperty(Serializer.DOCTYPE_SYSTEM, "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd");
  qout.SetOutputProperty(Serializer.INDENT, "yes");
  qout.SetOutputProperty(Serializer.OMIT_XML_DECLARATION, "no");

  qout.SetOutputWriter(Response.Output);
  eval.Run(qout);

  ...


適切なユーザー名とパスワードを持つユーザー アカウントを検索するような通常の状況では、このコードが実行する式は次のようになります。

for \$user in doc(users.xml)//user[username='test_user' and pass='pass123'] return \$user

ただし、式は定数ベースのクエリ文字列とユーザー入力の文字列を連結して動的に構築されるため、 username または password に単一引用符が含まれない場合のみクエリは正しく動作します。攻撃者が username に文字列「admin' or 1=1 or ''='」を入力すると、クエリは次のようになります。

for \$user in doc(users.xml)//user[username='admin' or 1=1 or ''='' and password='x' or ''=''] return \$useradmin' or 1=1 or ''=' 条件を追加すると、XQuery 式は常に真 (true) の評価をします。そのため、このクエリは次のような単純なクエリと論理的に等しくなります。

//user[username='admin']

クエリをこのように単純化すると、攻撃者がクエリはパスワードにマッチしていることという要件を迂回することを許します。このクエリは、入力されたパスワードが何であろうと、文書内に格納されている管理者ユーザーを返します。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 652
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[8] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[10] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[11] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[12] Standards Mapping - OWASP Top 10 2010 A1 Injection
[13] Standards Mapping - OWASP Top 10 2013 A1 Injection
[14] Standards Mapping - OWASP Top 10 2017 A1 Injection
[15] Standards Mapping - OWASP Top 10 2021 A03 Injection
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 XQuery Injection (WASC-46)
desc.dataflow.dotnet.xquery_injection
Abstract
動的な XQuery 式の構築にユーザー入力を使用すると、攻撃者によるステートメントの改変が可能になります。
Explanation
次の場合に XQuery Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。



2. データが XQuery 式の動的な構築に使用された場合。

例 1: 以下のコードは、特定のユーザー名とパスワードの組み合わせでユーザー アカウントを検索する XQuery 式を動的に構築し、実行します。ユーザー名とパスワードは HTTP リクエストから返されたものであり、したがって、信頼できません。


  ...
  XQDataSource xqs = new XQDataSource();
  XQConnection conn = xqs.getConnection();
  String query = "for \$user in doc(users.xml)//user[username='" + request.getParameter("username") + "'and pass='" + request.getParameter("password") + "'] return \$user";

  XQPreparedExpression xqpe = conn.prepareExpression(query);

  XQResultSequence rs = xqpe.executeQuery();

  ...


適切なユーザー名とパスワードを持つユーザー アカウントを検索するような通常の状況では、このコードが実行する式は次のようになります。

for \$user in doc(users.xml)//user[username='test_user' and pass='pass123'] return \$user

ただし、式は定数ベースのクエリ文字列とユーザー入力の文字列を連結して動的に構築されるため、 username または password に単一引用符が含まれない場合のみクエリは正しく動作します。攻撃者が username に文字列「admin' or 1=1 or ''='」を入力すると、クエリは次のようになります。

for \$user in doc(users.xml)//user[username='admin' or 1=1 or ''='' and password='x' or ''=''] return \$useradmin' or 1=1 or ''=' 条件を追加すると、XQuery 式は常に真 (true) の評価をします。そのため、このクエリは次のような単純なクエリと論理的に等しくなります。

//user[username='admin']

クエリをこのように単純化すると、攻撃者がクエリはパスワードにマッチしていることという要件を迂回することを許します。このクエリは、入力されたパスワードが何であろうと、文書内に格納されている管理者ユーザーを返します。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 652
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[8] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[10] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[11] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[12] Standards Mapping - OWASP Top 10 2010 A1 Injection
[13] Standards Mapping - OWASP Top 10 2013 A1 Injection
[14] Standards Mapping - OWASP Top 10 2017 A1 Injection
[15] Standards Mapping - OWASP Top 10 2021 A03 Injection
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 XQuery Injection (WASC-46)
desc.dataflow.java.xquery_injection
Abstract
動的な XQuery 式の構築にユーザー入力を使用すると、攻撃者によるステートメントの改変が可能になります。
Explanation
次の場合に XQuery Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。



2. データが XQuery 式の動的な構築に使用されます。

例 1: 以下のコードは、特定のユーザー名とパスワードの組み合わせでユーザー アカウントを検索する XQuery 式を動的に構築し、実行します。ユーザー名とパスワードは HTTP リクエストから返されたものであり、したがって、信頼できません。


...

$memstor = InMemoryStore::getInstance();
$z = Zorba::getInstance($memstor);

try {
  // get data manager
  $dataman = $z->getXmlDataManager();

  // load external XML document
  $dataman->loadDocument('users.xml', file_get_contents('users.xml'));

  // create and compile query
  $express =
"for \$user in doc(users.xml)//user[username='" . $_GET["username"] . "'and pass='" . $_GET["password"] . "'] return \$user"

  $query = $zorba->compileQuery($express);

  // execute query
  $result = $query->execute();



?>
...


適切なユーザー名とパスワードを持つユーザー アカウントを検索するような通常の状況では、このコードが実行する式は次のようになります。

for \$user in doc(users.xml)//user[username='test_user' and pass='pass123'] return \$user

ただし、式は定数のクエリ文字列とユーザー入力の文字列を連結して動的に構築されるため、username または password に単一引用符が含まれない場合のみクエリは正しく動作します。攻撃者が username に文字列「admin' or 1=1 or ''='」を入力すると、クエリは次のようになります。

for \$user in doc(users.xml)//user[username='admin' or 1=1 or ''='' and password='x' or ''=''] return \$useradmin' or 1=1 or ''=' 条件を追加すると、XQuery 式は常に真 (true) の評価をします。そのため、このクエリは次のような単純なクエリと論理的に等しくなります。

//user[username='admin']

クエリをこのように単純化すると、攻撃者がクエリはパスワードにマッチしていることという要件を迂回することを許します。このクエリは、入力されたパスワードが何であろうと、文書内に格納されている管理者ユーザーを返します。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 652
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[8] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[10] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[11] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[12] Standards Mapping - OWASP Top 10 2010 A1 Injection
[13] Standards Mapping - OWASP Top 10 2013 A1 Injection
[14] Standards Mapping - OWASP Top 10 2017 A1 Injection
[15] Standards Mapping - OWASP Top 10 2021 A03 Injection
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 XQuery Injection (WASC-46)
desc.dataflow.php.xquery_injection

XSLT Injection

Abstract
未検証の XSL スタイルシートを処理することによって、攻撃者が、結果として得られる XML の構造およびコンテンツを改竄したり、ファイルシステムに任意のファイルを挿入したり、任意のコードを実行することを許す可能性があります。
Explanation
次の場合に XSLT Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. このデータは、XSL スタイルシートに書き込まれます。


アプリケーションは通常 XSL スタイルシートを使用して XML 文書のフォーマット変換を行います。XSL スタイルシートには変換プロセスを強化する特殊な関数が含まれているので、適切に使用しないと、脆弱性が増加します。

攻撃者が XSL スタイルシート内の XSL 要素に書き込みが可能な場合、XSL スタイルシートおよび処理のセマンティクスが改変される場合があります。攻撃者は XSS (Cross-Site Scripting) 攻撃を仕掛けられるようにスタイルシートの出力を改変し、ローカルファイルシステムのリソースのコンテンツを露出させ、あるいは任意のコードを実行することができます。

例 1: XSLT Injection に対して脆弱なコードの例を次に示します。


  ...
  String xmlUrl = Request["xmlurl"];
  String xslUrl = Request["xslurl"];

  XslCompiledTransform xslt = new XslCompiledTransform();
  xslt.Load(xslUrl);

  xslt.Transform(xmlUrl, "books.html");
  ...


攻撃者が特定の XSL を XSTL プロセッサに渡す権限を獲得している場合、Example 1 は次のような 3 種類の結果を引き起こします。

1. XSS:



  <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:template match="/">
      <script>alert(123)</script>
    </xsl:template>
  </xsl:stylesheet>


XSL スタイルシートを処理するとき、<script> タグは対象者のブラウザーでレンダリングされ、Cross-site Scripting 攻撃の実行を許します。

2. サーバーのファイルシステムから任意のファイルを読み込みます。



  <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:template match="/">
      <xsl:copy-of select="document('file:///c:/winnt/win.ini')"/>
    </xsl:template>
  </xsl:stylesheet>


上記の XSL スタイルシートは、/etc/passwd ファイルのコンテンツを返します。

3. 任意のコードを実行します。

XSLT プロセッサーは、ネイティブの言語メソッドを XSLT 関数として (それらが無効でない限り) 露出させる機能があります。



  <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:App="http://www.tempuri.org/App">
    <msxsl:script implements-prefix="App" language="C#">
      <![CDATA[
        public string ToShortDateString(string date)
          {
              System.Diagnostics.Process.Start("cmd.exe");
              return "01/01/2001";
          }
      ]]>
    </msxsl:script>
    <xsl:template match="ArrayOfTest">
      <TABLE>
        <xsl:for-each select="Test">
          <TR>
          <TD>
            <xsl:value-of select="App:ToShortDateString(TestDate)" />
          </TD>
          </TR>
        </xsl:for-each>
      </TABLE>
    </xsl:template>
  </xsl:stylesheet>


上記のスタイルシートは、サーバー上で "cmd.exe" コマンドを実行します。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 494
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[11] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[12] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[13] Standards Mapping - OWASP Top 10 2010 A1 Injection
[14] Standards Mapping - OWASP Top 10 2013 A1 Injection
[15] Standards Mapping - OWASP Top 10 2017 A1 Injection
[16] Standards Mapping - OWASP Top 10 2021 A03 Injection
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.dotnet.xslt_injection
Abstract
未検証の XSL スタイルシートを処理することによって、攻撃者が、結果として得られる XML の構造およびコンテンツを改竄したり、ファイルシステムに任意のファイルを挿入したり、任意のコードを実行することを許す可能性があります。
Explanation
次の場合に XSLT Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. このデータは、XSL スタイルシートに書き込まれます。


アプリケーションは通常 XSL スタイルシートを使用して XML 文書のフォーマット変換を行います。XSL スタイルシートには変換プロセスを強化する特殊な関数が含まれているので、適切に使用しないと、脆弱性が増加します。

攻撃者が XSL スタイルシート内の XSL 要素に書き込みが可能な場合、XSL スタイルシートおよび処理のセマンティクスが改変される場合があります。攻撃者は XSS (Cross-Site Scripting) 攻撃を仕掛けられるようにスタイルシートの出力を改変し、ローカルファイルシステムのリソースのコンテンツを露出させ、あるいは任意のコードを実行することができます。

例 1: XSLT Injection に対して脆弱なコードの例を次に示します。


  ...
  InputStream xmlUrl = Utils.getFromURL(request.getParameter("xmlurl"));
  InputStream xsltUrl = Utils.getFromURL(request.getParameter("xslurl"));

  Source xmlSource = new StreamSource(xmlUrl);
  Source xsltSource = new StreamSource(xsltUrl);
  Result result = new StreamResult(System.out);

  TransformerFactory transFact = TransformerFactory.newInstance();
  Transformer trans = transFact.newTransformer(xsltSource);
  trans.transform(xmlSource, result);
  ...


攻撃者が特定の XSL を XSTL プロセッサに渡す権限を獲得している場合、Example 1 のコードは次のような 3 種類の結果を引き起こします。

1. XSS:



  <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:template match="/">
      <script>alert(123)</script>
    </xsl:template>
  </xsl:stylesheet>


XSL スタイルシートを処理するとき、<script> タグは対象者のブラウザーでレンダリングされ、Cross-site Scripting 攻撃の実行を許します。

2. サーバーのファイルシステムから任意のファイルを読み込みます。



  <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
    <xsl:template match="/">
      <xsl:copy-of select="document('/etc/passwd')"/>
    </xsl:template>
  </xsl:stylesheet>


上記の XSL スタイルシートは、/etc/passwd ファイルのコンテンツを返します。

3. 任意の Java コードを実行します。

XSLT プロセッサーは、ネイティブの Java 言語メソッドを XSLT 関数として (それらが無効でない限り) 露出させる機能があります。



  <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object">
    <xsl:template match="/">
      <xsl:variable name="rtobject" select="rt:getRuntime()"/>
      <xsl:variable name="process" select="rt:exec($rtobject,'ls')"/>
      <xsl:variable name="processString" select="ob:toString($process)"/>
      <xsl:value-of select="$processString"/>
    </xsl:template>
  </xsl:stylesheet>


上記のスタイルシートは、サーバー上で "ls" コマンドを実行します。
References
[1] INJECT-8: Take care interpreting untrusted code Oracle
[2] Standards Mapping - Common Weakness Enumeration CWE ID 494
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[13] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[14] Standards Mapping - OWASP Top 10 2010 A1 Injection
[15] Standards Mapping - OWASP Top 10 2013 A1 Injection
[16] Standards Mapping - OWASP Top 10 2017 A1 Injection
[17] Standards Mapping - OWASP Top 10 2021 A03 Injection
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.java.xslt_injection
Abstract
未検証の XSL スタイルシートを処理することによって、攻撃者が、結果として得られる XML の構造およびコンテンツを改竄したり、ファイルシステムに任意のファイルを挿入したり、任意のコードを実行することを許す可能性があります。
Explanation
次の場合に XSLT Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. このデータは、XSL スタイルシートに書き込まれます。


アプリケーションは通常 XSL スタイルシートを使用して XML 文書のフォーマット変換を行います。XSL スタイルシートには変換プロセスを強化する特殊な関数が含まれているので、適切に使用しないと、脆弱性が増加します。

攻撃者が XSL スタイルシート内の XSL 要素に書き込みが可能な場合、XSL スタイルシートおよび処理のセマンティクスが改変される場合があります。攻撃者は XSS (Cross-Site Scripting) 攻撃を仕掛けられるようにスタイルシートの出力を改変し、ローカルファイルシステムのリソースのコンテンツを露出させ、あるいは任意のコードを実行することができます。攻撃者がアプリケーションに対して発行されたスタイルシートについて完全な制御権を獲得した場合、攻撃者は XXE (XML External Entity) Injection 攻撃を実行することもできます。

例 1: XSLT Injection に対して脆弱なコードの例を次に示します。


...
<?php

$xml = new DOMDocument;
$xml->load('local.xml');

$xsl = new DOMDocument;
$xsl->load($_GET['key']);

$processor = new XSLTProcessor;
$processor->registerPHPFunctions();
$processor->importStyleSheet($xsl);

echo $processor->transformToXML($xml);

?>
...


攻撃者が特定の XSL を XSTL プロセッサに渡す権限を獲得している場合、Example 1 のコードは次のような 3 種類の結果を引き起こします。

1. XSS:



<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/">
<script>alert(123)</script>
</xsl:template>
</xsl:stylesheet>



XSL スタイルシートを処理するとき、<script> タグは対象者のブラウザーでレンダリングされ、Cross-site Scripting 攻撃の実行を許します。

2. サーバーのファイルシステムから任意のファイルを読み込みます。



<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/">
<xsl:copy-of select="document('/etc/passwd')"/>
</xsl:template>
</xsl:stylesheet>



上記の XSL スタイルシートは、/etc/passwd ファイルのコンテンツを返します。

3. 任意の PHP コードを実行します。

XSLT プロセッサーは、"registerPHPFunctions" を有効にすることで、ネイティブの PHP 言語メソッドを XSLT 関数として露出させる機能があります。



<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/">
<xsl:value-of select="php:function('passthru','ls -la')"/>
</xsl:template>
</xsl:stylesheet>



上記のスタイルシートはサーバーで実行される "ls" コマンドの結果を出力します。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 494
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[11] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[12] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[13] Standards Mapping - OWASP Top 10 2010 A1 Injection
[14] Standards Mapping - OWASP Top 10 2013 A1 Injection
[15] Standards Mapping - OWASP Top 10 2017 A1 Injection
[16] Standards Mapping - OWASP Top 10 2021 A03 Injection
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.php.xslt_injection
Abstract
未検証の XSL スタイルシートを処理することによって、攻撃者が、結果として得られる XML の構造およびコンテンツを改竄したり、ファイルシステムに任意のファイルを挿入したり、任意のコードを実行することを許す可能性があります。
Explanation
次の場合に XSLT Injection が発生します。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. このデータは、XSL スタイルシートに書き込まれます。


アプリケーションは通常 XSL スタイルシートを使用して XML 文書のフォーマット変換を行います。XSL スタイルシートには変換プロセスを強化する特殊な関数が含まれているので、適切に使用しないと、脆弱性が増加します。

攻撃者が XSL スタイルシート内の XSL 要素に書き込みが可能な場合、XSL スタイルシートおよび処理のセマンティクスが改変される場合があります。攻撃者は XSS (Cross-Site Scripting) 攻撃を仕掛けられるようにスタイルシートの出力を改変し、ローカルファイルシステムのリソースのコンテンツを露出させ、あるいは任意のコードを実行することができます。

例 1: XSLT Injection に対して脆弱なコードの例を次に示します。


...
xml = StringIO.StringIO(request.POST['xml'])
xslt = StringIO.StringIO(request.POST['xslt'])

xslt_root = etree.XML(xslt)
transform = etree.XSLT(xslt_root)
result_tree = transform(xml)
return render_to_response(template_name, {'result': etree.tostring(result_tree)})
...


攻撃者が特定の XSL を XSTL プロセッサに渡す権限を獲得している場合、Example 1 のコードは次のような 3 種類の結果を引き起こします。

1. XSS:



<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <script>alert(123)</script>
  </xsl:template>
</xsl:stylesheet>



XSL スタイルシートを処理するとき、<script> タグは対象者のブラウザーでレンダリングされ、Cross-site Scripting 攻撃の実行を許します。

2. サーバーのファイルシステムから任意のファイルを読み込みます。



<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <xsl:copy-of select="document('/etc/passwd')"/>
  </xsl:template>
</xsl:stylesheet>



上記の XSL スタイルシートは、/etc/passwd ファイルのコンテンツを返します。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 494
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[3] Standards Mapping - FIPS200 SI
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[11] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[12] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[13] Standards Mapping - OWASP Top 10 2010 A1 Injection
[14] Standards Mapping - OWASP Top 10 2013 A1 Injection
[15] Standards Mapping - OWASP Top 10 2017 A1 Injection
[16] Standards Mapping - OWASP Top 10 2021 A03 Injection
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.python.xslt_injection