225 見つかった項目
脆弱性

.NET Attribute Misuse: Authorization Bypass

Abstract
アプリケーションは、クラス レベルまたはメソッド レベルの [AllowAnonymous] 属性を使用して、[Authorize] 属性による認証をバイパスします。
Explanation
ASP.NET Core では、[Authorize] 属性をクラスまたはメソッドに追加することにより、アプリケーション アクションで認証を要求するようにできます。さらに、[AllowAnonymous] 属性を追加することで、アプリケーション クラスまたはメソッドの指定された認証要件をバイパスできます。両方を指定すると、[AllowAnonymous] 属性が優先され、[Authorize] 属性はバイパスされます。これにより、攻撃者が、機密データやアクションに対して無作為で匿名のアクセスを行う可能性があります。

例 1: 次の例は、クラス レベルの [AllowAnonymous] 属性が、メソッドに設定された [Authorize] 属性をオーバーライドしていることを示しています。[Authorize] 属性があるにもかかわらず、secretAction() メソッドは認証を要求しません。


...
[AllowAnonymous]
public class Authorization_Test
{
    [Authorize]
    public IActionResult secretAction()
    {
        
    }
}
...
例 2: 次の例は、スーパークラスのクラス レベルの [AllowAnonymous] 属性が、サブクラスのメソッドに設定された [Authorize] 属性をオーバーライドしていることを示しています。継承されたクラス Inherit_AA[AllowAnonymous] 属性があるため、secretAction() メソッドは、[Authorize] 属性を指定していても認証を要求しません。


...
[AllowAnonymous]
public abstract class Inherit_AA
{
    
}

public class Authorization_Test:Inherit_AA
{
    [Authorize]
    public IActionResult secretAction()
    {
        
    }
}
...
例 3: 以下は、[AllowAnonymous] 属性が、継承を使用して、メソッド レベルで [Authorize] 属性をオーバーライドしていることを示しています。継承されたクラス secretAction()[AllowAnonymous] 属性があるため、secretAction() メソッドは、オーバーライドするメソッドで [Authorize] 属性を指定していても認証を要求しません。


...
public abstract class Inherit_AA
{
    [AllowAnonymous]
    public abstract IActionResult secretAction()
    {
        
    }
}

public class Authorization_Test:Inherit_AA
{
    [Authorize]
    public override IActionResult secretAction()
    {
        
    }
}
...
References
[1] Rick Anderson et al. Simple authorization in ASP.NET Core Microsoft
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - Common Weakness Enumeration CWE ID 862, CWE ID 285
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[10] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[11] Standards Mapping - Common Weakness Enumeration Top 25 2023 [11] CWE ID 862
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[13] Standards Mapping - FIPS200 AC
[14] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[17] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[19] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3), 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3)
[24] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[25] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.dotnet.dotnet_attribute_misuse_authorization_bypass

.NET Bad Practices: Leftover Debug Code

Abstract
デバッグ コードは、展開時に意図しない結果を引き起こす可能性があります。
Explanation
デバッグのみを目的とした API が使用されます。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 489
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[8] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.2.2 Dependency (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3)
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
desc.structural.dotnet.dotnet_bad_practices_leftover_debug_code

Access Control: Anonymous LDAP Bind

Abstract
適切な Access Control がない場合、ユーザーの制御下にある値を含む LDAP ステートメントを実行すると、攻撃者は権限のないレコードにアクセスできます。
Explanation
匿名バインドの元で、LDAP クエリを実行すると、事実上 Authentication が行われてなくても、攻撃者は脆弱な設定となっている LDAP 環境を侵害できます。

例 1: 次のコードは、匿名バインドを使用して、DirectoryEntry de を作成します。


...
de = new DirectoryEntry("LDAP://ad.example.com:389/ou=People,dc=example,dc=com");
...
de に対するすべての LDAP クエリは、Authentication および Access Control なしで実行されます。攻撃者は予期しない方法でこれらのクエリのいずれかを操作して、ディレクトリの Access Control メカニズムにより保護されている可能性があるレコードにアクセスする可能性があります。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 285
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-001084, CCI-002165
[8] Standards Mapping - FIPS200 AC
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access
[14] Standards Mapping - OWASP Top 10 2010 A8 Failure to Restrict URL Access
[15] Standards Mapping - OWASP Top 10 2013 A7 Missing Function Level Access Control
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[20] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[33] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.dotnet.access_control_anonymous_ldap_bind
Abstract
適切な Access Control がない場合、ユーザーの制御下にある値を含む LDAP ステートメントを実行すると、攻撃者は権限のないレコードにアクセスできます。
Explanation
匿名バインドの元で、LDAP クエリを実行すると、事実上 Authentication が行われてなくても、攻撃者は脆弱な設定となっている LDAP 環境を侵害できます。

例 1: 次のコードは ldap_simple_bind_s() を使用して、LDAP ディレクトリを匿名でバインドします。


...
rc = ldap_simple_bind_s( ld, NULL, NULL );
  if ( rc != LDAP_SUCCESS ) {
    ...
  }
...
ld に対するすべての LDAP クエリは、Authentication および Access Control なしで実行されます。攻撃者は予期しない方法でこれらのクエリのいずれかを操作して、ディレクトリの Access Control メカニズムにより保護されている可能性があるレコードにアクセスする可能性があります。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 285
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-001084, CCI-002165
[8] Standards Mapping - FIPS200 AC
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access
[14] Standards Mapping - OWASP Top 10 2010 A8 Failure to Restrict URL Access
[15] Standards Mapping - OWASP Top 10 2013 A7 Missing Function Level Access Control
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[20] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[33] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.cpp.access_control_anonymous_ldap_bind
Abstract
適切な Access Control がない場合、ユーザーの制御下にある値を含む LDAP ステートメントを実行すると、攻撃者は権限のないレコードにアクセスできます。
Explanation
匿名バインドの元で、LDAP クエリを実行すると、事実上 Authentication が行われてなくても、攻撃者は脆弱な設定となっている LDAP 環境を侵害できます。

例 1: 次のコードは、匿名バインドを使用して、DirContext ctx を作成します。


...
env.put(Context.SECURITY_AUTHENTICATION, "none");
DirContext ctx = new InitialDirContext(env);
...
ctx に対するすべての LDAP クエリは、Authentication および Access Control なしで実行されます。攻撃者は予期しない方法でこれらのクエリのいずれかを操作して、ディレクトリの Access Control メカニズムにより保護されている可能性があるレコードにアクセスする可能性があります。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 285
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-001084, CCI-002165
[8] Standards Mapping - FIPS200 AC
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access
[14] Standards Mapping - OWASP Top 10 2010 A8 Failure to Restrict URL Access
[15] Standards Mapping - OWASP Top 10 2013 A7 Missing Function Level Access Control
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[20] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[33] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.java.access_control_anonymous_ldap_bind
Abstract
適切な Access Control がない場合、ユーザーが制御する値を含む LDAP ステートメントを実行すると、攻撃者は権限のないレコードにアクセスできるようになる可能性があります。
Explanation
匿名バインドのもとで認証なしで効果的に LDAP クエリを実行すると、攻撃者は設定が不十分な LDAP 環境を悪用できるようになる可能性があります。

例 1: 次のコードでは、ユーザーが空のパスワードを入力した場合に匿名バインドを作成しています。


...
$ldapbind = ldap_bind ($ldap, $dn, $password = "" );
...


この接続を介して実行される、それに続くすべての LDAP クエリは、認証もアクセス制御もなく実行されます。攻撃者はこれらのクエリのいずれかを予期しない方法で操作して、ディレクトリのアクセス制御メカニズムで保護されていたはずのレコードに対するアクセス権を得る可能性があります。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 285
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-001084, CCI-002165
[8] Standards Mapping - FIPS200 AC
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access
[14] Standards Mapping - OWASP Top 10 2010 A8 Failure to Restrict URL Access
[15] Standards Mapping - OWASP Top 10 2013 A7 Missing Function Level Access Control
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[20] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[33] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.php.access_control_anonymous_ldap_bind

Access Control: Database

Abstract
適切な Access Control がない場合、ユーザーの制御下にある主キーを含む SQL ステートメントを実行すると、攻撃者は権限のないレコードを見ることができます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。


2. SQL クエリで主キーの値を特定するためにデータが使用されている場合。
例 1: 次のコードは、整数に依存するため、SQL Injection の脆弱性に対して脆弱ではないステートメントを使用して、指定された識別子と一致する領収書を検索する SQL クエリを作成し、実行します [1]。識別子は、現在の認証されたユーザーに関連付けられているすべての領収書のリストから選択されています。


DATA: id TYPE i.
...
id = request->get_form_field( 'invoiceID' ).

CONCATENATE `INVOICEID = '` id `'` INTO cl_where.
SELECT *
    FROM invoices
    INTO CORRESPONDING FIELDS OF TABLE itab_invoices
    WHERE (cl_where).
ENDSELECT.
...


問題は、開発者が ID に可能なすべての値を検討しきれていないことです。現在のユーザーに属する領収書 ID のリストがインターフェイスにより生成されますが、攻撃者はこのインターフェイスを回避して目的の領収書をリクエストする可能性があります。この例のコードの場合、リクエストされた領収書へのアクセス権限をユーザーが確保しているか確認しないため、現在のユーザーに帰属していなくても、リクエストされたとおりの領収書を表示します。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 566
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[22] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.abap.access_control_database
Abstract
適切な Access Control がない場合、ユーザーの制御下にある主キーを含む SQL ステートメントを実行すると、攻撃者は権限のないレコードを見ることができます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。


2. SQL クエリで主キーの値を特定するためにデータが使用されている場合。
例 1: 次のコードは、メタ文字をエスケープして SQL Injection の脆弱性を阻止するパラメーター化されたステートメントを使用して、指定された識別子と一致する領収書を検索する SQL クエリを作成し、実行します [1]。識別子は、現在の認証されたユーザーに関連付けられているすべての領収書のリストから選択されています。


        ...
        var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
        var id:int = int(Number(params["invoiceID"]));
        var query:String = "SELECT * FROM invoices WHERE id = :id";

        stmt.sqlConnection = conn;
        stmt.text = query;
        stmt.parameters[":id"] = id;
        stmt.execute();
        ...


問題は、開発者が id に可能なすべての値を検討しきれていないことです。現在のユーザーに属する領収書 ID のリストがインターフェイスにより生成されますが、攻撃者はこのインターフェイスを回避して目的の領収書をリクエストする可能性があります。この例のコードの場合、リクエストされた領収書へのアクセス権限をユーザーが確保しているか確認しないため、現在のユーザーに帰属していなくても、リクエストされたとおりの領収書を表示します。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 566
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[22] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.actionscript.access_control_database
Abstract
適切な Access Control がない場合、ユーザー指定の主キーが含まれている可能性のある SOQL/SOSL ステートメントを実行すると、攻撃者は権限のないレコードを見ることができます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。


2. SOQL/SOSL クエリで主キーの値を特定するためにデータが使用されている場合。
例 1: 次のコード例では、inputID 値は事前定義されたリストから取得されていて、バインド変数は SOQL/SOSL Injection を防止するのに役立ちます。


...
result = [SELECT Name, Phone FROM Contact WHERE (IsDeleted = false AND Id=:inputID)];
...


上記の例で問題となるのは、事前定義された ID リストを使用するだけでは、ユーザーによる inputID の値の変更を防止するには不十分なことです。攻撃者がインターフェイスをバイパスし、別の値を使用してリクエストを送信できる場合は、他の連絡先情報にアクセスできてしまいます。この例のコードの場合、リクエストされた連絡先へのアクセス権限がユーザーにあるか確認しないため、ユーザーがこの連絡先を表示する権限がない場合でも、すべての連絡先が表示されます。
References
[1] Salesforce Developers Technical Library Secure Coding Guidelines - Authorization and Access Control
[2] Salesforce Developers Technical Library Testing CRUD and FLS Enforcement
[3] Salesforce Developers Technical Library Enforcing CRUD and FLS
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 566
[10] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[12] Standards Mapping - FIPS200 AC
[13] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[24] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.apex.access_control_database
Abstract
適切な Access Control がない場合、ユーザーの制御下にある主キーを含む LINQ ステートメントを実行すると、攻撃者は権限のないレコードを見ることができます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. LINQ クエリで主キーの値を特定するためにデータが使用されている場合。
例 1: 次のコードは、指定された識別子と一致する領収書を検索する LINQ クエリを実行します [1]。識別子は、現在の認証されたユーザーに関連付けられているすべての領収書のリストから選択されています。


...

int16 id = System.Convert.ToInt16(invoiceID.Text);
var invoice = OrderSystem.getInvoices()
	.Where(new Invoice { invoiceID = id });
...


問題は、開発者が id に可能なすべての値を検討しきれていないことです。現在のユーザーに属する領収書 ID のリストがインターフェイスにより生成されますが、攻撃者はこのインターフェイスを回避して目的の領収書をリクエストする可能性があります。この例のコードの場合、リクエストされた領収書へのアクセス権限をユーザーが確保しているか確認しないため、現在のユーザーに帰属していなくても、リクエストされたとおりの領収書を表示します。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 566
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[22] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.dotnet.access_control_linq
Abstract
適切な Access Control がない場合、ユーザーの制御下にある主キーを含む SQL ステートメントを実行すると、攻撃者は権限のないレコードを見ることができます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。


2. SQL クエリで主キーの値を特定するためにデータが使用されている場合。
例 1: 次のコードは、メタ文字をエスケープして SQL Injection の脆弱性を阻止するパラメーター化されたステートメントを使用して、指定された識別子と一致する領収書を検索する SQL クエリを作成し、実行します [1]。識別子は、現在の認証されたユーザーに関連付けられているすべての領収書のリストから選択されています。


...
CMyRecordset rs(&dbms);
rs.PrepareSQL("SELECT * FROM invoices WHERE id = ?");
rs.SetParam_int(0,atoi(r.Lookup("invoiceID").c_str()));
rs.SafeExecuteSQL();
...


問題は、開発者が id に可能なすべての値を検討しきれていないことです。現在のユーザーに属する領収書 ID のリストがインターフェイスにより生成されますが、攻撃者はこのインターフェイスを回避して目的の領収書をリクエストする可能性があります。この例のコードの場合、リクエストされた領収書へのアクセス権限をユーザーが確保しているか確認しないため、現在のユーザーに帰属していなくても、リクエストされたとおりの領収書を表示します。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 566
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[22] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.cpp.access_control_database
Abstract
適切な Access Control がない場合、ユーザーの制御下にある主キーを含む SQL ステートメントを実行すると、攻撃者は権限のないレコードを見ることができます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。


2. SQL クエリで主キーの値を特定するためにデータが使用されている場合。
例 1:次のコードは、メタ文字をエスケープして SQL Injection の脆弱性を阻止するパラメーター化されたステートメントを使用して、指定された識別子と一致する領収書を検索する SQL クエリを作成し、実行します [1]。識別子は、現在の認証されたユーザーに関連付けられているすべての領収書のリストから選択されています。 


...
ACCEPT ID.
EXEC SQL
    DECLARE C1 CURSOR FOR
    SELECT INVNO, INVDATE, INVTOTAL
    FROM INVOICES
    WHERE INVOICEID = :ID
END-EXEC.
...


問題は、開発者が ID に可能なすべての値を検討しきれていないことです。現在のユーザーに属する領収書 ID のリストがインターフェイスにより生成されますが、攻撃者はこのインターフェイスを回避して目的の領収書をリクエストする可能性があります。この例のコードの場合、リクエストされた領収書へのアクセス権限をユーザーが確保しているか確認しないため、現在のユーザーに帰属していなくても、リクエストされたとおりの領収書を表示します。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 566
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[22] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.cobol.access_control_database
Abstract
適切なアクセス制御がない場合、ユーザー制御のデータベース名を含む deleteDatabase メソッドを実行すると、攻撃者がデータベースを削除できる可能性があります。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入力された場合。


2. データベース名の値を指定するのにデータが使用される場合。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 566
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[9] Standards Mapping - FIPS200 AC
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[21] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.dart.access_control_database
Abstract
適切な Access Control がない場合、ユーザーの制御下にある主キーを含む SQL ステートメントを実行すると、攻撃者は権限のないレコードにアクセスできるようになります。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1.信頼できないソースからデータがプログラムに入力された場合。


2.SQL クエリで主キーの値を特定するためにデータが使用されている場合。
例 1: 次のコードは、メタ文字をエスケープして SQL Injection の脆弱性を阻止するパラメーター化されたステートメントを使用して、指定された識別子と一致する領収書を検索する SQL クエリを作成し、実行します [1]。識別子は、現在の認証されたユーザーに関連付けられているすべての領収書のリストから選択されています。


...
id := request.FormValue("invoiceID")
query := "SELECT * FROM invoices WHERE id = ?";
rows, err := db.Query(query, id)
...


問題は、開発者が id に可能なすべての値を検討しきれていないことです。現在のユーザーに属する領収書 ID のリストがインターフェイスにより生成されますが、攻撃者はこのインターフェイスを回避して目的の領収書をリクエストする可能性があります。この例のコードの場合、リクエストされた領収書へのアクセス権限をユーザーが確保しているか確認しないため、現在のユーザーに帰属していなくても、リクエストされたとおりの領収書を表示します。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 566
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[9] Standards Mapping - FIPS200 AC
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[21] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.golang.access_control_database
Abstract
適切な Access Control がない場合、ユーザーの制御下にある主キーを含む SQL ステートメントを実行すると、攻撃者は権限のないレコードを見ることができます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。


2. SQL クエリで主キーの値を特定するためにデータが使用されている場合。
例 1: 次のコードは、メタ文字をエスケープして SQL Injection の脆弱性を阻止するパラメーター化されたステートメントを使用して、指定された識別子と一致する領収書を検索する SQL クエリを作成し、実行します [1]。識別子は、現在の認証されたユーザーに関連付けられているすべての領収書のリストから選択されています。


...
id = Integer.decode(request.getParameter("invoiceID"));
String query = "SELECT * FROM invoices WHERE id = ?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setInt(1, id);
ResultSet results = stmt.execute();
...


問題は、開発者が id に可能なすべての値を検討しきれていないことです。現在のユーザーに属する領収書 ID のリストがインターフェイスにより生成されますが、攻撃者はこのインターフェイスを回避して目的の領収書をリクエストする可能性があります。この例のコードの場合、リクエストされた領収書へのアクセス権限をユーザーが確保しているか確認しないため、現在のユーザーに帰属していなくても、リクエストされたとおりの領収書を表示します。

一部には、モバイルの世界ではデータベースの Access Control エラーのような古典的な Web アプリケーションの脆弱性は意味がなく、自分に降りかかる攻撃をするはずがない、という見方があります。しかし忘れてはならないモバイルプラットフォームの基本は、さまざまなソースからアプリケーションをダウンロードして同じデバイス上で一緒に実行することです。このため、たとえばバンキングアプリケーションのすぐ隣でマルウェアの一部を実行する可能性が高くなり、モバイルアプリケーションの攻撃面を拡張し、プロセス間通信なども含める必要があります。

例 2: 次のコードでは、Android プラットフォームにExample 1 を応用しています。


...
        String id = this.getIntent().getExtras().getString("invoiceID");
        String query = "SELECT * FROM invoices WHERE id = ?";
        SQLiteDatabase db = this.openOrCreateDatabase("DB", MODE_PRIVATE, null);
        Cursor c = db.rawQuery(query, new Object[]{id});
...


最新の Web フレームワークの多くが、ユーザー入力を検証するためのメカニズム (Struts および Struts 2 を含む) を提供しています。検証されていない入力ソースの問題を正確に反映させるために、Fortify セキュア コーディング ルールパックは、フレームワーク検証メカニズムが使用されている場合には、その証拠を示し、悪用の可能性を低く見積もり、Fortify Static Code Analyzer により報告される問題の優先度を動的に変更します。この機能は、状況依存ランキングと呼ばれます。Fortify ユーザーがさらに監査プロセスを効果的に進めることができるように、Fortify Software Security Research グループでは、入力ソースに適用される検証メカニズムを基準としたフォルダに問題をグループ化する Data Validation (データ検証) プロジェクト テンプレートのフォルダを用意しています。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 566
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[22] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.java.access_control_database
Abstract
適切な Access Control がない場合、ユーザーの制御下にある主キーを含む SQL ステートメントを実行すると、攻撃者は権限のないレコードを見ることができます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。


2. SQL クエリで主キーの値を特定するためにデータが使用されている場合。
例 1: 次のコードは、メタ文字をエスケープして SQL Injection の脆弱性を阻止するパラメーター化されたステートメントを使用して、指定された識別子と一致する領収書を検索する SQL クエリを作成し、実行します [1]。識別子は、現在の認証されたユーザーに関連付けられているすべての領収書のリストから選択されています。


	...
	var id = document.form.invoiceID.value;
	var query = "SELECT * FROM invoices WHERE id = ?";
	db.transaction(function (tx) {
		tx.executeSql(query,[id]);
		}
	)
	...



問題は、開発者が id に可能なすべての値を検討しきれていないことです。現在のユーザーに属する領収書 ID のリストがインターフェイスにより生成されますが、攻撃者はこのインターフェイスを回避して目的の領収書をリクエストする可能性があります。この例のコードの場合、リクエストされた領収書へのアクセス権限をユーザーが確保しているか確認しないため、現在のユーザーに帰属していなくても、リクエストされたとおりの領収書を表示します。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 566
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[22] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.javascript.access_control_database
Abstract
適切な Access Control がない場合、この特定のメソッドは攻撃者の制御下にある主キーを含む SQL ステートメントを実行できるため、攻撃者は権限のないレコードをアクセスすることができます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。


2. SQL クエリで主キーの値を特定するためにデータが使用されている場合。
例 1: 次のコードは、メタ文字をエスケープして SQL Injection の脆弱性を阻止するパラメーター化されたステートメントを使用して、指定された識別子と一致する領収書を検索する SQL クエリを作成し、実行します。識別子は、現在の認証されたユーザーに関連付けられているすべての領収書のリストから選択されています。


...

        NSManagedObjectContext *context = [appDelegate managedObjectContext];
        NSEntityDescription *entityDesc = [NSEntityDescription entityForName:@"Invoices" inManagedObjectContext:context];
        NSFetchRequest *request = [[NSFetchRequest alloc] init];
        [request setEntity:entityDesc];
        NSPredicate *pred = [NSPredicate predicateWithFormat:@"(id = %@)", invoiceId.text];
        [request setPredicate:pred];

        NSManagedObject *matches = nil;
        NSError *error;
        NSArray *objects = [context executeFetchRequest:request error:&error];

        if ([objects count] == 0) {
                 status.text = @"No records found.";
        } else {
                matches = [objects objectAtIndex:0];
                invoiceReferenceNumber.text = [matches valueForKey:@"invRefNum"];
                orderNumber.text = [matches valueForKey:@"orderNumber"];
                status.text = [NSString stringWithFormat:@"%d records found", [objects count]];
        }
        [request release];
...


問題は、開発者が id に可能なすべての値を検討しきれていないことです。現在のユーザーに属する領収書 ID のリストがインターフェイスにより生成されますが、攻撃者はこのインターフェイスを回避して目的の領収書をリクエストする可能性があります。この例のコードの場合、リクエストされた領収書へのアクセス権限をユーザーが確保しているか確認しないため、現在のユーザーに帰属していなくても、リクエストされたとおりの領収書を表示します。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 566
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[22] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.objc.access_control_database
Abstract
適切な Access Control がない場合、ユーザーの制御下にある主キーを含む SQL ステートメントを実行すると、攻撃者は権限のないレコードを見ることができます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。


2. SQL クエリで主キーの値を特定するためにデータが使用されている場合。
例 1: 次のコードは、メタ文字をエスケープして SQL Injection の脆弱性を阻止するパラメーター化されたステートメントを使用して、指定された識別子と一致する領収書を検索する SQL クエリを作成し、実行します [1]。識別子は、現在の認証されたユーザーに関連付けられているすべての領収書のリストから選択されています。


        ...
	$id = $_POST['id'];
	$query = "SELECT * FROM invoices WHERE id = ?";
	$stmt = $mysqli->prepare($query);
	$stmt->bind_param('ss',$id);
	$stmt->execute();
        ...


問題は、開発者が id に可能なすべての値を検討しきれていないことです。現在のユーザーに属する領収書 ID のリストがインターフェイスにより生成されますが、攻撃者はこのインターフェイスを回避して目的の領収書をリクエストする可能性があります。この例のコードの場合、リクエストされた領収書へのアクセス権限をユーザーが確保しているか確認しないため、現在のユーザーに帰属していなくても、リクエストされたとおりの領収書を表示します。

最新の Web フレームワークの多くが、ユーザー入力を検証するためのメカニズム (Struts および Struts 2 を含む) を提供しています。検証されていない入力ソースの問題を正確に反映させるために、Fortify セキュア コーディング ルールパックは、フレームワーク検証メカニズムが使用されている場合には、その証拠を示し、悪用の可能性を低く見積もり、Fortify Static Code Analyzer により報告される問題の優先度を動的に変更します。この機能は、状況依存ランキングと呼ばれます。Fortify ユーザーがさらに監査プロセスを効果的に進めることができるように、Fortify Software Security Research グループでは、入力ソースに適用される検証メカニズムを基準としたフォルダに問題をグループ化する Data Validation (データ検証) プロジェクト テンプレートのフォルダを用意しています。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 566
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[22] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.php.access_control_database
Abstract
適切な Access Control がない場合、ユーザーの制御下にある主キーを含む SQL ステートメントを実行すると、攻撃者は権限のないレコードを見ることができます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. SQL クエリで主キーの値を特定するためにデータが使用されている場合。
例 1: 次のコードは、メタ文字をエスケープして SQL Injection の脆弱性を阻止するパラメーター化されたステートメントを使用して、指定された識別子と一致する領収書を検索する SQL クエリを作成し、実行します [1]。識別子は、現在の認証されたユーザーに関連付けられているすべての領収書のリストから選択されています。


procedure get_item (
itm_cv IN OUT ItmCurTyp,
id in varchar2)
is
open itm_cv for ' SELECT * FROM items WHERE ' ||
'invoiceID = :invid' ||
     	using id;
end get_item;


問題は、開発者が id に可能なすべての値を検討しきれていないことです。現在のユーザーに属する領収書 ID のリストがインターフェイスにより生成されますが、攻撃者はこのインターフェイスを回避して目的の領収書をリクエストする可能性があります。この例のコードの場合、リクエストされた領収書へのアクセス権限をユーザーが確保しているか確認しないため、現在のユーザーに帰属していなくても、リクエストされたとおりの領収書を表示します。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 566
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[22] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.sql.access_control_database
Abstract
適切な Access Control がない場合、ユーザーの制御下にある主キーを含む SQL ステートメントを実行すると、攻撃者は権限のないレコードを見ることができます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。


2. SQL クエリで主キーの値を特定するためにデータが使用されている場合。
例 1: 次のコードは、メタ文字をエスケープして SQL Injection の脆弱性を阻止するパラメーター化されたステートメントを使用して、指定された識別子と一致する領収書を検索する SQL クエリを作成し、実行します [1]。識別子は、現在の認証されたユーザーに関連付けられているすべての領収書のリストから選択されています。


...
id = request.POST['id']
c = db.cursor()
stmt = c.execute("SELECT * FROM invoices WHERE id = %s", (id,))
...


問題は、開発者が id に可能なすべての値を検討しきれていないことです。現在のユーザーに属する領収書 ID のリストがインターフェイスにより生成されますが、攻撃者はこのインターフェイスを回避して目的の領収書をリクエストする可能性があります。この例のコードの場合、リクエストされた領収書へのアクセス権限をユーザーが確保しているか確認しないため、現在のユーザーに帰属していなくても、リクエストされたとおりの領収書を表示します。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 566
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[22] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.python.access_control_database
Abstract
適切な Access Control がない場合、ユーザーの制御下にある主キーを含む SQL ステートメントを実行すると、攻撃者は権限のないレコードを見ることができます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。


2. SQL クエリで主キーの値を特定するためにデータが使用されている場合。
例 1: 次のコードは、メタ文字をエスケープして SQL Injection の脆弱性を阻止するパラメーター化されたステートメントを使用して、指定された識別子と一致する領収書を検索する SQL クエリを作成し、実行します [1]。識別子は、現在の認証されたユーザーに関連付けられているすべての領収書のリストから選択されています。


...
id = req['invoiceID'].respond_to(:to_int)
query = "SELECT * FROM invoices WHERE id=?"
stmt = conn.prepare(query)
stmt.execute(id)
...


問題は、開発者が id に可能なすべての値を検討しきれていないことです。現在のユーザーに属する領収書 ID のリストがインターフェイスにより生成されますが、攻撃者はこのインターフェイスを回避して目的の領収書をリクエストする可能性があります。この例のコードの場合、リクエストされた領収書へのアクセス権限をユーザーが確保しているか確認しないため、現在のユーザーに帰属していなくても、リクエストされたとおりの領収書を表示します。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 566
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[22] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.ruby.access_control_database
Abstract
適切な Access Control がない場合、ユーザーの制御下にある主キーを含む SQL ステートメントを実行すると、攻撃者は権限のないレコードを見ることができます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。


2. SQL クエリで主キーの値を特定するためにデータが使用されている場合。
例 1: 次のコードは、メタ文字をエスケープして SQL Injection の脆弱性を阻止するパラメーター化されたステートメントを使用して、指定された識別子と一致する領収書を検索する SQL クエリを作成し、実行します [1]。 識別子は、現在の認証されたユーザーに関連付けられているすべての領収書のリストから選択されています。


  def searchInvoice(value:String) = Action.async { implicit request =>
    val result: Future[Seq[Invoice]] = db.run {
      sql"select * from invoices where id=$value".as[Invoice]
    }
    ...
  }


問題は、開発者が id に可能なすべての値を検討しきれていないことです。現在のユーザーに属する領収書 ID のリストがインターフェイスにより生成されますが、攻撃者はこのインターフェイスを回避して目的の領収書をリクエストする可能性があります。この例のコードの場合、リクエストされた領収書へのアクセス権限をユーザーが確保しているか確認しないため、現在のユーザーに帰属していなくても、リクエストされたとおりの領収書を表示します。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 566
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[22] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.scala.access_control_database
Abstract
適切な Access Control がない場合、この特定のメソッドは攻撃者の制御下にある主キーを含む SQL ステートメントを実行できるため、攻撃者は権限のないレコードをアクセスすることができます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。


2. SQL クエリで主キーの値を特定するためにデータが使用されている場合。
例 1: 次のコードは、メタ文字をエスケープして SQL Injection の脆弱性を阻止するパラメーター化されたステートメントを使用して、指定された識別子と一致する領収書を検索する SQL クエリを作成し、実行します。識別子は、現在の認証されたユーザーに関連付けられているすべての領収書のリストから選択されています。


...
let fetchRequest = NSFetchRequest()
let entity = NSEntityDescription.entityForName("Invoices", inManagedObjectContext: managedContext)
fetchRequest.entity = entity
let pred : NSPredicate = NSPredicate(format:"(id = %@)", invoiceId.text)
fetchRequest.setPredicate = pred
do {
    let results = try managedContext.executeFetchRequest(fetchRequest)
    let result : NSManagedObject = results.first!
    invoiceReferenceNumber.text = result.valueForKey("invRefNum")
    orderNumber.text = result.valueForKey("orderNumber")
    status.text = "\(results.count) records found"
} catch let error as NSError {
    print("Error \(error)")
}
...


問題は、開発者が id に可能なすべての値を検討しきれていないことです。現在のユーザーに属する領収書 ID のリストがインターフェイスにより生成されますが、攻撃者はこのインターフェイスを回避して目的の領収書をリクエストする可能性があります。この例のコードの場合、リクエストされた領収書へのアクセス権限をユーザーが確保しているか確認しないため、現在のユーザーに帰属していなくても、リクエストされたとおりの領収書を表示します。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 566
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[22] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.swift.access_control_database
Abstract
適切な Access Control がない場合、ユーザーの制御下にある主キーを含む SQL ステートメントを実行すると、攻撃者は権限のないレコードを見ることができます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。


2. SQL クエリで主キーの値を特定するためにデータが使用されている場合。
例 1: 次のコードは、メタ文字をエスケープして SQL Injection の脆弱性を阻止するパラメーター化されたステートメントを使用して、指定された識別子と一致する領収書を検索する SQL クエリを作成し、実行します [1]。識別子は、現在の認証されたユーザーに関連付けられているすべての領収書のリストから選択されています。


	...
	id = Request.Form("invoiceID")
	strSQL = "SELECT * FROM invoices WHERE id = ?"
	objADOCommand.CommandText = strSQL
	objADOCommand.CommandType = adCmdText
	set objADOParameter = objADOCommand.CreateParameter("id" , adString, adParamInput, 0, 0)
	objADOCommand.Parameters("id") = id
	...



問題は、開発者が id に可能なすべての値を検討しきれていないことです。現在のユーザーに属する領収書 ID のリストがインターフェイスにより生成されますが、攻撃者はこのインターフェイスを回避して目的の領収書をリクエストする可能性があります。この例のコードの場合、リクエストされた領収書へのアクセス権限をユーザーが確保しているか確認しないため、現在のユーザーに帰属していなくても、リクエストされたとおりの領収書を表示します。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 566
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[22] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.vb.access_control_database

Access Control: Form Authentication Bypass

Abstract
アプリケーションは、ネイティブ API への未検証の入力を許可するプロパティを設定し、攻撃者が認証をバイパスできるようにする可能性があります。
Explanation
デフォルトでは、ASP.NET フォーム認証は、認証プロセス中に、ユーザー資格情報を、ネイティブ API に渡す前に検証します。問題は、aspnet:UseLegacyFormsAuthenticationTicketCompatibility 設定を使用してこの機能を変更できる点です。これにより、未検証の入力がネイティブ API に渡され、攻撃者が認証をバイパスできるようになる可能性があります。攻撃者がこの脆弱性の悪用に成功すると、パスワードなしで、既知のユーザー名の ASP.NET フォーム認証をバイパスする可能性があります。続いて攻撃者が、被害者ユーザーのコンテキストで任意のアクション (サイトで任意のコマンドを実行するなど) を実行する可能性があります。

例 1: 次の例では、aspnet:UseLegacyFormsAuthenticationTicketCompatibilitytrue に設定されています。

...
  <appSettings>
    <add key="aspnet:UseLegacyFormsAuthenticationTicketCompatibility" value="true" />
  </appSettings>
...
References
[1] ASP.NET appSettings Element Microsoft
[2] Microsoft Security Bulletin MS11-100 - Critical Microsoft
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[8] Standards Mapping - FIPS200 AC
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[12] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[15] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[16] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[17] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[18] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[19] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3610 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3610 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3610 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3610 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.configuration.dotnet.access_control_form_authentication_bypass

Access Control: LDAP

Abstract
適切な Access Control がない場合、ユーザーの制御下にある値を含む LDAP ステートメントを実行すると、攻撃者は権限のないディレクトリエントリにアクセスできます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. データが LDAP クエリのデータ値を指定するために使用される場合。
例 1: 現在認証されているユーザーの従業員 ID は、クライアントサイドインターフェイスからの各リクエストで自動的に送信されます。次のコードは、LDAP クエリの構築に使用する前に、許可リストを使用して従業員の名前を検証します。この検証により、LDAP Injection の脆弱性を防ぐことができますが、コードは脆弱なままとなります。


static string AllowlistVerify(string name) {
    Regex pattern = new Regex(@"^[a-zA-Z\-\.']+$");
    if (pattern.IsMatch(name)) {
        return name;
    }
    return null;
}

...
string verifiedName = AllowlistVerify(managerName.Text.trim());
if(verifiedName != null) {
    DirectorySearcher src = new DirectorySearcher("(manager=" + verifiedName + ")");
    src.SearchRoot = de;
    src.SearchScope = SearchScope.Subtree;

    foreach(SearchResult res in src.FindAll()) {
        ...
    }
}


この問題は、開発者が empName に攻撃者が別の値を指定したときにどのような動作が起こりうるかを検討していない点にあります。このインターフェイスは、現在のユーザーの従業員 ID を自動的に送信しますが、攻撃者は悪意あるリクエストの一部として別の値を送信できる場合があります。この例のコードは、匿名バインドでクエリを実行しているため、現在認証されているユーザーの ID に関わらず、すべての有効な従業員 ID のディレクトリエントリを返します。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 639
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[9] Standards Mapping - FIPS200 AC
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[21] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.dotnet.access_control_ldap
Abstract
適切な Access Control がない場合、ユーザーの制御下にある値を含む LDAP ステートメントを実行すると、攻撃者は権限のないディレクトリエントリにアクセスできます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. データが LDAP クエリのデータ値を指定するために使用される場合。
例 1: 次のコードは、LDAP クエリの構築に使用する前に、許可リストを使用してソケットから読み取った従業員の名前を検証します。この検証により、LDAP Injection の脆弱性を防ぐことができますが、コードは脆弱なままとなります。


char* allowlist_verify(char* name) {
    const char *error;
    int errOffset;
    char* regex = "^[a-zA-Z\\-\\.']+$";
    pcre* re = pcre_compile(regex, 0, &err, &errOffset, NULL);
    int rc = pcre_exec(re, NULL, name, strlen(name), 0, 0, NULL, 0);
    if (rc == 1)
        return name;
    return NULL;
}
...
fgets(managerName, sizeof(managerName), socket);
char* verified_name = allowlist_verify(managerName);
if(verified_name != NULL) {
    snprintf(filter, sizeof(filter), "(manager=%s)", verified_name);
    if ( ( rc = ldap_search_ext_s( ld, FIND_DN, LDAP_SCOPE_BASE,
            filter, NULL, 0, NULL, NULL, LDAP_NO_LIMIT,
            LDAP_NO_LIMIT, &result ) ) == LDAP_SUCCESS ) {
    ...
    }
}


この問題は、開発者が username に攻撃者が別の値を指定したときにどのような動作が起こりうるかを検討していない点にあります。この例のコードは、匿名バインドでクエリを実行しているため、現在認証されているユーザーの ID に関わらず、すべての有効な従業員 ID のディレクトリエントリを返します。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 639
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[9] Standards Mapping - FIPS200 AC
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[21] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.cpp.access_control_ldap
Abstract
適切な Access Control がない場合、ユーザーの制御下にある値を含む LDAP ステートメントを実行すると、攻撃者は権限のないディレクトリエントリにアクセスできます。
Explanation
データベースの Access Control エラーが発生するのは次の場合です。

1. 信頼できないソースからデータがプログラムに入り込んだ場合。

2. データが LDAP クエリのデータ値を指定するために使用される場合。
例 1: 現在認証されているユーザーの従業員 ID は、クライアントサイドインターフェイスからの各リクエストで自動的に送信されます。次のコードは、LDAP クエリの構築に使用する前に、整数として従業員 ID を適切に検証します。この検証により、LDAP Injection の脆弱性を防ぐことができますが、コードは脆弱なままとなります。


...
env.put(Context.SECURITY_AUTHENTICATION, "none");
DirContext ctx = new InitialDirContext(env);

String empID = request.getParameter("empID");

try
{
  int id = Integer.parseInt(empID);

  BasicAttribute attr = new BasicAttribute("empID", empID);

  NamingEnumeration employee =
            ctx.search("ou=People,dc=example,dc=com",attr);
...



この問題は、開発者が empID に攻撃者が別の値を指定したときにどのような動作が起こりうるかを検討していない点にあります。このインターフェイスは、現在のユーザーの従業員 ID を自動的に送信しますが、攻撃者は悪意あるリクエストの一部として別の値を送信できる場合があります。この例のコードは、匿名バインドでクエリを実行しているため、現在認証されているユーザーの ID に関わらず、すべての有効な従業員 ID のディレクトリエントリを返します。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 639
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[9] Standards Mapping - FIPS200 AC
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[21] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.java.access_control_ldap

ASP.NET Bad Practices: Compression Over Encrypted WebSocket Connection

Abstract
このアプリケーションは、危険な圧縮を有効にします。
Explanation

このコードは、"permessage-deflate" の WebSocket 拡張機能を有効にする DangerousEnableCompressiontrue に設定します。暗号化された接続を介してこの圧縮を有効にすると、アプリケーションは CRIME 攻撃や BREACH 攻撃を受ける危険にさらされます。

例 1: 次のコードは、DangerousEnableCompressiontrue に設定します。


    app.Run(async context => {
      using var websocket = await context.WebSockets.AcceptWebSocketAsync(new WebSocketAcceptContext() { DangerousEnableCompression = true });
      await websocket.SendAsync(...);
      await websocket.ReceiveAsync(...);
      await websocket.CloseAsync(WebSocketCloseStatus.NormalClosure, null, default);
    });
References
[1] WebSocketAcceptContext DangerousEnableCompression Property, Microsoft
[2] CRIME, CVE
[3] BREACH, CVE
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 9.1.1 Communications Security Requirements (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[13] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II, APP3150.1 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II, APP3150.1 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II, APP3150.1 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II, APP3150.1 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II, APP3150.1 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II, APP3150.1 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II, APP3150.1 CAT II
desc.semantic.dotnet.asp_dotnet_bad_practices_compression_over_encrypted_websocket_connection