193 見つかった項目

脆弱性

.NET Bad Practices: Leftover Debug Code

C#/VB.NET/ASP.NET

Abstract

デバッグコードは、展開時に意図しない結果を引き起こす可能性があります。

Explanation

デバッグのみを目的とした API が使用されます。

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 489

[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.2.2 Dependency (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3)

[4] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[5] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II

desc.structural.dotnet.dotnet_bad_practices_leftover_debug_code

ADF Bad Practices: Default url-invoke-disallowed Setting

Java/JSP

Abstract

暗黙のデフォルト url-invoke-disallowed 設定に依存すると、明確性に欠け、そのデフォルトが予期せず変更された場合、望ましくない動作が発生する可能性があります。

Explanation

デフォルトでは、Fusion アプリケーションのタスクフローは GET リクエストから直接アクセスできません。URL がタスクフローを呼び出そうとするたびに、HTTP 403 ステータスコードを受け取ります。しかし、暗黙的な設定に依存すると明確性に欠け、デフォルト設定が変更された場合、望ましくない動作が発生する可能性があります。

例 1: タスクフロー定義ファイルの次のスニペットは、暗黙のデフォルト url-invoke-disallowed 設定を使用して設定されたタスクフローの例を示します。


...
    <task-flow-definition id="password">
        <default-activity>PasswordPrompt</default-activity>
        <view id="PasswordPrompt">
            <page>/PasswordPrompt.jsff</page>
        </view>
        <use-page-fragments/>
    </task-flow-definition>
...

References

[1] Oracle(R) Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework, 15.6.4.How to Call a Bounded Task Flow Using a URL

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[3] Standards Mapping - FIPS200 CM

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), SC-3 Security Function Isolation (P1)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, SC-3 Security Function Isolation

[6] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[7] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[8] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[9] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[12] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[13] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[14] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[28] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.config.java.adf_bad_practices_default_url_invoke_disallowed_setting

ADF Faces Bad Practices: unsecure Attribute

Java/JSP

Abstract

unsecure 属性は、クライアント上で値を設定できる属性のリストを指定します。

Explanation

Oracle ADF Faces コンポーネントの属性値は、通常は、サーバーでのみ設定できます。ただし、多数のコンポーネントにより開発者はクライアント上で設定可能な属性のリストを定義できます。これらのコンポーネントの unsecure 属性によりこのようなリストを指定できます。

現在、unsecure 属性内に表示できる属性は、disabled のみです。この属性を使用して、クライアントはどのコンポーネントを有効または無効にするかを定義できるようになります。本来サーバーでのみ設定可能にする必要がある属性値を、クライアントが制御できるようにするのは良いアイデアではありません。

例 1: 次のコードは、ユーザーからパスワード情報を収集して unsecure 属性を使用する inputText コンポーネントを示しています。


...
    <af:inputText id="pwdBox"
                  label="#{resources.PWD}"
                  value=""#{userBean.password}
                  unsecure="disabled"
                  secret="true"
                  required="true"/>
...

References

[1] Oracle ADF Faces Tag Reference

[2] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[3] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[4] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

desc.structural.java.adf_faces_bad_practices_unsecure_attribute

Android Bad Practices: Encryption Secret Held in Static Field

Java/JSP

Abstract

アプリケーションは暗号鍵を静的クラスフィールドに保持し、攻撃者はこれを簡単に発見してしまいます。

Explanation

静的クラスフィールドに暗号鍵を保持すると、プロセスメモリ (ルート化されたデバイスなど) やプロセスメモリダンプ (クラッシュダンプなど) にアクセスできるエンティティによって簡単に発見されてしまいます。

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 226

[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200

[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200

[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090, CCI-001199

[6] Standards Mapping - FIPS200 IA

[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), SC-4 Information in Shared Resources (P1), SC-28 Protection of Information at Rest (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, SC-4 Information in Shared System Resources, SC-28 Protection of Information at Rest

[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 8.3.6 Sensitive Private Data (L2 L3)

[11] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage

[12] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography

[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-2

[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage

[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage

[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[19] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.4, Requirement 6.5.8, Requirement 8.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.4, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.5.1, Requirement 6.2.4, Requirement 8.3.1

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 8.3.1

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3230.2 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3230.2 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3230.2 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3230.2 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3230.2 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3230.2 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3230.2 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.structural.java.android_bad_practices_encryption_secret_held_in_static_field

Android Bad Practices: Leftover Debug Code

Java/JSP

Abstract

デバッグコードは、パフォーマンスに影響したり、機密データを攻撃者に漏洩する場合があります。

Explanation

一般的な開発方法では、アプリケーションで配布または実装されることのないデバッグまたはテスト用の「裏口」コードを追加します。この種のデバッグコードが誤ってアプリケーションに残された場合、アプリケーションは意図しない相互作用に対して開放されていることになります。これらの裏口エントリポイントは、設計やテスト中に想定されるアプリケーションの操作状況で考慮されていないため、セキュリティリスクを発生させることになります。

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 489

[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.2.2 Dependency (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3)

[4] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-RESILIENCE-4

[5] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[6] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II

desc.structural.java.android_bad_practices_leftover_debug_code

Android Bad Practices: Use of File Scheme Cookies

Java/JSP

Abstract

アプリケーションが cookie を好ましくないセキュリティとしての意味を持つ場合がある file:// プロトコルに使用できます。

Explanation

Cookie は、RFC 2109 による厳格な HTTP メカニズムです。 Cookie が file:// を含む HTTP 以外のプロトコルに対して動作するはずがありません。それらのプロトコルの動作や適用されるセキュリティ区分化のルールは不明です。たとえば、インターネットからローカルディスクにダウンロードされた HTML ファイルは、ローカルにインストールされた HTML コードと同じ cookie を共有するのでしょうか?

References

[1] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[2] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

desc.semantic.java.android_bad_practices_use_of_file_scheme_cookies

ASP.NET Middleware Out of Order: Default Cookie Configuration

C#/VB.NET/ASP.NET

Abstract

アプリケーションは、ASP.NET Cookie ポリシーミドルウェアを正しく指定していません。

Explanation

正しい順序でミドルウェアパイプラインに追加されていない ASP.NET Core ミドルウェアは、意図したとおりに機能せず、その結果、アプリケーションはさまざまなセキュリティの問題にさらされたままになります。

例 1:UseCookiePolicy() メソッドは、Cookie ポリシーミドルウェアをミドルウェアパイプラインに追加します。これにより、カスタマイズした Cookie ポリシーが許可されます。ここに示すように、間違った順序で指定されると、プログラマーによって指定された Cookie ポリシーはすべて無視されます。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseCookiePolicy();
...

References

[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft

[2] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 1188, CWE ID 565

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002418, CCI-002420, CCI-002421, CCI-002422

[4] Standards Mapping - FIPS200 MP, SC

[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1), SC-8 Transmission Confidentiality and Integrity (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings, SC-8 Transmission Confidentiality and Integrity

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.1 General Access Control Design (L1 L2 L3)

[9] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage

[10] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[12] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective 2.3 - Secure Defaults

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective 2.3 - Secure Defaults, Control Objective C.4.1 - Web Software Communications

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

[53] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_default_cookie_configuration

ASP.NET Middleware Out of Order: Insecure Transport

C#/VB.NET/ASP.NET

Abstract

アプリケーションは、デフォルトの ASP.NET HTTPS リダイレクションミドルウェアを正しく指定していません。

Explanation

正しい順序でミドルウェアパイプラインに追加されていない ASP.NET Core ミドルウェアは、意図したとおりに機能せず、その結果、アプリケーションはさまざまなセキュリティの問題にさらされたままになります。

例 1:UseHttpsRedirection() メソッドは、HTTPS リダイレクションミドルウェアをミドルウェアパイプラインに追加します。これにより、安全でない HTTP リクエストを安全な HTTPS リクエストにリダイレクトすることが可能になります。ここに示すように、間違った順序で指定されると、リダイレクト前にリストされたミドルウェアを介したリクエスト処理の前に、意味のある HTTPS のリダイレクションは行われません。これにより、HTTP リクエストを、安全な HTTPS 接続にリダイレクトされる前にアプリケーションで処理できるようになります。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseHttpsRedirection();
...

References

[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft

[2] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 200, CWE ID 311, CWE ID 319

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200

[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200

[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[8] Standards Mapping - FIPS200 SC

[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-2 Application Partitioning (P1), SC-8 Transmission Confidentiality and Integrity (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-2 Separation of System and User Functionality, SC-8 Transmission Confidentiality and Integrity

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3)

[13] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[14] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication

[15] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[16] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications

[32] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319

[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_insecure_transport

ASP.NET Middleware Out of Order: Insufficient Logging

C#/VB.NET/ASP.NET

Abstract

アプリケーションは、ASP.NET Core ロギングミドルウェアを正しく指定していません。

Explanation

正しい順序でミドルウェアパイプラインに追加されていない ASP.NET Core ミドルウェアは、意図したとおりに機能せず、その結果、アプリケーションはさまざまなセキュリティの問題にさらされたままになります。

例 1:UseHttpLogging() メソッドは、HTTP ロギングミドルウェアをミドルウェアパイプラインに追加します。これにより、ミドルウェアコンポーネントによるログ記録が可能になります。ここに示すように、間違った順序で指定されると、UseHttpLogging() への呼び出しの前にパイプラインに追加されたミドルウェアはログを記録しません。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseHttpLogging();
...

例 2:UseWC3Logging() メソッドは、W3C ロギングミドルウェアをミドルウェアパイプラインに追加します。これにより、ミドルウェアコンポーネントによるログ記録が可能になります。ここに示すように、間違った順序で指定されると、UseWC3Logging() への呼び出しの前にパイプラインに追加されたミドルウェアはログを記録しません。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseWC3Logging();
...

References

[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft

[2] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 778

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172

[4] Standards Mapping - FIPS200 CM

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, AU-12 Audit Record Generation

[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[9] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[10] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-000830 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-000830 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-000830 CAT II

[49] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_insufficient_logging

ASP.NET MVC Bad Practices: Controller Action Not Restricted to POST

C#/VB.NET/ASP.NET

Abstract

コントローラーアクションは、以下のいずれかの HTTP 動詞のみを受け入れるように制限することでメリットが得られます。Post、Put、Patch、または Delete。

Explanation

書き込み、更新、または削除によりデータを変更する ASP.NET MVC コントローラーアクションは、以下のいずれかの HTTP 動詞のみを受け入れるように制限することでメリットが得られる可能性があります。Post、Put、Patch、または Delete。誤ってリンクをクリックしても、アクションの実行が起きないため、これによりクロスサイトリクエスト forgery の難易度が増加します。

次のコントローラアクションはデフォルトでどの動詞も許可するため、Cross-Site Request Forgery 攻撃の影響を受けやすいと考えられます。


public ActionResult UpdateWidget(Model model)
{
  // ... controller logic
}

References

[1] Don't use Delete Links because they create Security Holes

[2] Standards Mapping - Common Weakness Enumeration CWE ID 352

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352

[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352

[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352

[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352

[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [4] CWE ID 352

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3)

[13] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[14] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization

[15] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)

[16] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)

[17] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)

[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[30] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352

[31] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352

[32] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352

[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[56] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)

[57] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery

desc.structural.dotnet.aspnet_mvc_bad_practices_action_not_post_only

ASP.NET MVC Bad Practices: Model With Optional and Required Properties

C#/VB.NET/ASP.NET

Abstract

モデルクラスには必要なプロパティと必要でないプロパティがあるため、over-posting 攻撃の影響を受けやすいと考えられます。

Explanation

必要な ([Required] 属性でマークされた) プロパティとオプションの ([Required] 属性でマークされていない) プロパティを持つモデルクラスは、攻撃者が想定以上のデータを含む要求を送信した場合に問題を引き起こす可能性があります。

ASP.NET MVC フレームワークは、リクエストパラメータをモデルのプロパティにバインドしようとします。

モデルバインドを行うパラメーターを明示的に通知せず、必要度が混在している場合、内部用のモデルプロパティがあるけれども、攻撃者による制御が可能であることを示す場合があります。

次のコードで定義されるモデルクラス例には、[Required] を含むプロパティと [Required] を含まないプロパティがあります。


public class MyModel
{
    [Required]
    public String UserName { get; set; }

    [Required]
    public String Password { get; set; }

    public Boolean IsAdmin { get; set; }
}

オプションのパラメーターによってアプリケーションの挙動が変わる場合は、攻撃者はオプションのパラメーターをリクエストで送信することにより実際にその挙動を変えることができます。

References

[1] Input Validation vs. Model Validation in ASP.NET MVC

[2] BindAttribute Class

[3] RequiredAttribute Class

[4] Standards Mapping - Common Weakness Enumeration CWE ID 345

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002422

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[8] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)

[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[12] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[13] Standards Mapping - OWASP Top 10 2010 A1 Injection

[14] Standards Mapping - OWASP Top 10 2013 A1 Injection

[15] Standards Mapping - OWASP Top 10 2017 A1 Injection

[16] Standards Mapping - OWASP Top 10 2021 A03 Injection

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[18] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002470 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002470 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002470 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002470 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002470 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002470 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002470 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002470 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002470 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002470 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002470 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002470 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002470 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002470 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002470 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002470 CAT II

[34] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.structural.dotnet.aspnet_mvc_bad_practices_mixed_required_model

ASP.NET MVC Bad Practices: Model With Required Non-Nullable Property

C#/VB.NET/ASP.NET

Abstract

モデルクラスには必須の non-nullable プロパティがあるので、under-posting 攻撃の影響を受けやすいことが考えられます。

Explanation

必須の ([Required] 属性でマークされた) non-nullable プロパティを持つモデルクラスを使用すると、攻撃者から想定より少ないデータを含んでいるリクエストが送信された場合に問題を引き起こす可能性があります。

ASP.NET MVC フレームワークは、リクエストパラメータをモデルのプロパティにバインドしようとします。

モデルに必須の non-nullable パラメーターが含まれており、攻撃者がその必須パラメーターをリクエストで送信しない場合、つまり攻撃者が under-posting 攻撃を利用する場合、プロパティにはデフォルト値 (通常はゼロ) が与えられ、[Required] 検証属性を満たします。この場合、アプリケーションが不測の挙動を起こします。

次のコードで定義されるモデルクラス例には、non-nullable の必須 enum が含まれています。


public enum ArgumentOptions
{
    OptionA = 1,
    OptionB = 2
}

public class Model
{
    [Required]
    public String Argument { get; set; }

    [Required]
    public ArgumentOptions Rounding { get; set; }
}

References

[1] Input Validation vs. Model Validation in ASP.NET MVC

[2] Standards Mapping - Common Weakness Enumeration CWE ID 345

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002422

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[6] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)

[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[10] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[11] Standards Mapping - OWASP Top 10 2010 A1 Injection

[12] Standards Mapping - OWASP Top 10 2013 A1 Injection

[13] Standards Mapping - OWASP Top 10 2017 A1 Injection

[14] Standards Mapping - OWASP Top 10 2021 A03 Injection

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002470 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002470 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002470 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002470 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002470 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002470 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002470 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002470 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002470 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002470 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002470 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002470 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002470 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002470 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002470 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002470 CAT II

[32] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.structural.dotnet.aspnet_mvc_bad_practices_required_non_nullable_in_model

ASP.NET MVC Bad Practices: Optional Submodel With Required Property

C#/VB.NET/ASP.NET

Abstract

モデルクラスには必須のプロパティが含まれており、そのタイプは親モデルタイプのオプションメンバーなので、under-posting 攻撃の影響を受けやすいことが考えられます。

Explanation

モデルクラスに必須のプロパティが含まれており、そのタイプが親モデルクラスのオプションメンバーの場合、攻撃者が想定より少ない量のデータを含んでいるリクエストを送信すると under-posting 攻撃の影響を受ける可能性があります。

ASP.NET MVC フレームワークは、サブモデルを含むモデルのプロパティにリクエストパラメータをバインドしようとします。

サブモデルがオプションの場合、つまり親モデルに [Required] 属性なしのプロパティが含まれる場合、攻撃者がそのサブモデルを送信しないと、親プロパティには null 値が与えられ、子モデルの必須フィールドはモデル検証によってアサートされません。これは under-posting 攻撃の 1 つの形態です。

以下のモデルクラス定義を考慮してください。


public class ChildModel
{
    public ChildModel()
    {
    }

    [Required]
    public String RequiredProperty { get; set; }
}

public class ParentModel
{
    public ParentModel()
    {
    }

    public ChildModel Child { get; set; }
}

攻撃者が ParentModel.Child プロパティの値を送信しない場合、ChildModel.RequiredProperty プロパティにはアサートされない [Required] が与えられます。この場合、問題となる不測の結果が生じる可能性があります。