界: API Abuse

API は、呼び出し元と呼び出し先の間のコントラクトです。最も一般的な API の不正使用の形態は、呼び出し元がこのコントラクトの終わりを守らないことによって発生します。たとえば、プログラムが chroot() を呼び出した後に chdir() を呼び出すのに失敗すると、アクティブなルート ディレクトリを安全に変更する方法を指定したコントラクトに違反することになります。ライブラリの悪用のもう 1 つの良い例は、呼び出し先が信頼できる DNS 情報を呼び出し元に返すことを期待することです。この場合、呼び出し元は、呼び出し先の API の動作 (戻り値が認証目的に使用できること) についてある種の仮定をすることで、呼び出し先の API を悪用します。また、相手側から、呼び出し元と呼び出し先のコントラクトを違反することもできます。例えば、コーダーが SecureRandom をサブクラス化し、ランダムではない値を返した場合、コントラクトに違反することになります。

83 見つかった項目
脆弱性

Often Misused: Exception Handling

Abstract
_alloca() 関数で、スタックオーバーフロー例外が発生し、その結果プログラムがクラッシュする可能性があります。
Explanation
_alloca() 関数によってスタックにメモリの割り当てが行われます。割り当てリクエストが使用可能なスタック容量を超過した場合、_alloca() で例外が発生します。例外がキャッチされない場合、プログラムは異常終了し、Denial of Service 攻撃が可能になる可能性があります。

Microsoft Visual Studio 2005(R) 以降、_alloca() の使用は推奨されていません。代わりに、安全性の高い_alloca_s() を使用するようにします。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 248
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[9] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[10] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
desc.semantic.cpp.often_misused_exception_handling._alloca

Often Misused: File System

Abstract
不適切にサイズ設定された出力バッファが Path Manipulation 関数に渡されると、Buffer Overflow の原因になります。
Explanation
Windows には、ファイル名を格納するバッファを操作するユーティリティ関数が多数用意されています。ほとんどの場合、結果は入力として渡されたバッファーの中に返されます。(通常、ファイル名がそのままの場所で変更されます。)大部分の関数には最低 MAX_PATH バイト数の長さを持つバッファが必要ですが、各関数については関連資料で確認してください。バッファサイズが処理結果を格納するのに十分でなかった場合には、Buffer Overflow が発生します。

例 1:

char *createOutputDirectory(char *name) {
	char outputDirectoryName[128];
	if (getCurrentDirectory(128, outputDirectoryName) == 0) {
		return null;
	}
	if (!PathAppend(outputDirectoryName, "output")) {
		return null;
	}
	if (!PathAppend(outputDirectoryName, name)) {
		return null;
	}
	if (SHCreateDirectoryEx(NULL, outputDirectoryName, NULL)
        != ERROR_SUCCESS) {
		return null;
	}
	return StrDup(outputDirectoryName);
}


上記の関数では、現在のディレクトリに「output\<name>」という名前のディレクトリが作成され、ヒープに割り当てたディレクトリ名のコピーを戻しています。この関数は、現在のディレクトリおよび名前パラメーターのほとんどの値で正しく機能します。ただし、name パラメーターが極端に長いと、PathAppend() への 2 度目のコールで MAX_PATH バイト数より小さなバッファである outputDirectoryName のオーバーフローを引き起こす可能性があります。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 249, CWE ID 560
[2] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[3] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
desc.semantic.cpp.often_misused_file_system.windows
Abstract
umask() に対する引数で指定されるマスクは、よく chmod() の引数と混同されます。
Explanation
umask() の man ページは、次のような間違った記述で始まります。

「umask はファイル作成モードを mask & 0777 に設定します」

この動作は、chmod() でユーザーが特定のファイルでアクセス許可を有効にするビットを設定する使用方法と呼応していますが、実際には umask() の動作は全く正反対です。 umask() はファイル作成モードを ~mask & 0777 に設定します。

umask() の man ページでは、続いて以下のように正しい umask() の使用法について述べています。

「umask は open() で使用され、新規作成ファイルに対し初期ファイル権限を設定します。 具体的には、open(2) のモード引数から umask に設定されているビットが引かれます (たとえば一般的な umask のデフォルト値は 022 ですが、モードが 0666 と指定されていると、新規ファイルは 0666 & ~022 = 0644 = rw-r--r-- のアクセス許可で作成されます)。」
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 249, CWE ID 560
[2] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[3] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
desc.semantic.java.often_misused_file_system
Abstract
この特定のコールは、シンボリックリンクをたどるメソッドを使用します。
Explanation
特定の関数は、無条件にシンボリックリンクをたどることが知られています。そのような場合、アプリケーションは、シンボリックリンクが表しているものではなくシンボリックリンクが指し示しているファイルを開いたり、読み取ったり、データ書き込みを行ったりします。攻撃者はアプリケーションを操って重要なシステム ファイルを改ざんしたり、不正なデータをアプリケーションに渡したりできます。

例 1: 次のコードは、シンボリック リンクをたどる関数を使用しています。


...
	struct stat output;
	int ret = stat(aFilePath, &output);
	// error handling omitted for this example
	struct timespec accessTime = output.st_atime;
...
References
[1] Apple Secure Coding Guide Apple
[2] Standards Mapping - Common Weakness Enumeration CWE ID 249, CWE ID 560
[3] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[4] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
desc.semantic.objc.methods_follow_sym_links
Abstract
umask() に対する引数で指定されるマスクは、よく chmod() の引数と混同されます。
Explanation
umask() の man ページは、次のような間違った記述で始まります。

「umask はファイル作成モードを mask & 0777 に設定します」

この動作は、chmod() でユーザーが特定のファイルでアクセス許可を有効にするビットを設定する使用方法と呼応していますが、実際には umask() の動作は全く正反対です。umask() はファイル作成モードを ~mask & 0777 にセットします。

umask() の man ページでは、続いて以下のように正しい umask() の使用法について述べています。

「umask は新規作成ファイルに対して初期ファイル権限を設定するために使用されます。具体的には、モード引数から umask に設定されているビットが引かれます (たとえば一般的な umask のデフォルト値は 022 ですが、モードが 0666 と指定されていると、新規ファイルは 0666 & ~022 = 0644 = rw-r--r-- のアクセス許可で作成されます)。」
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 249, CWE ID 560
[2] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[3] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
desc.semantic.python.often_misused_file_system.umask
Abstract
このコールは、ターゲットファイルに書き込む前に、テンポラリファイルに書き込むメソッドを使用しています。
Explanation
多くの API は、テンポラリ ファイルにすべてを書き込んでからそのファイルを目的の場所にコピーすることによって、データ損失のリスクを最小限に抑えます。テンポラリ ファイルがターゲット ファイルに書き込まれる直前に、テンポラリ ファイルが攻撃者によって置き換えられる可能性があります。そのため、特定されたメソッドが、パブリック ディレクトリまたはテンポラリ ディレクトリのファイルやパスを操作しないことを確認してください。操作している場合、パブリック ディレクトリでアプリケーションが使用するファイルの内容を攻撃者に制御される可能性があります。

例 1:次のコードは、脆弱なメソッドを使用して、アプリケーションの Documents ディレクトリ内の一時ファイルにアクティブな transactionId を書き込んでいます。


...
//get the documents directory:
let documentsPath = NSSearchPathForDirectoriesInDomains(.DocumentDirectory, .UserDomainMask, true)[0]
//make a file name to write the data to using the documents directory:
let fileName = NSString(format:"%@/tmp_activeTrans.txt", documentsPath)
// write data to the file
let transactionId = "TransactionId=12341234"
transactionId.writeToFile(fileName, atomically:true)
...
References
[1] Apple Secure Coding Guide Apple
[2] Apple NSString Class Reference Apple
[3] Standards Mapping - Common Weakness Enumeration CWE ID 249, CWE ID 560
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
desc.semantic.swift.methods_unsafe_on_public_or_tmp_directories

Often Misused: File Upload

Abstract
ユーザーによるファイルのアップロードを許可すると、攻撃者が危険なコンテンツを挿入したり、悪意のあるコードをサーバー上で実行したりする可能性があります。
Explanation
プログラムが記述されている言語に関係なく、最も被害が深刻な攻撃ではリモートからコード実行されることが多く、攻撃者はプログラムの権限で悪意あるコードを実行できます。攻撃者が Web からのアクセスが可能なディレクトリにファイルをアップロードし、アップロードしたファイルをコードインタプリタ (JSP、ASPX、PHP など) に渡すことができる場合、これらのファイルに含まれている悪意あるコードがサーバーで実行される可能性があります。

次のコードはアップロードされたファイルを受け取り、それを posted オブジェクトに割り当てます。FileUploadSystem.Web.UI.HtmlControls.HtmlInputFile のタイプです。
例 1:

HttpPostedFile posted = FileUpload.PostedFile;

アップロードされたファイルが Web からアクセスできないディレクトリに保存された場合であっても、攻撃者はこの機能を利用してサーバー環境に悪意のあるコンテンツを持ち込み、その他の攻撃を仕掛ける可能性があります。プログラムが Path Manipulation、Command Injection、または Dangerous File Inclusion の脆弱性の危険にさらされている場合、攻撃者は悪意のあるコンテンツを含んだファイルをアップロードし、別の脆弱性を悪用することによってそのファイルをプログラムで読み取る、あるいは実行させる可能性があります。
References
[1] Alla Bezroutchko Secure file upload in PHP web applications
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[35] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.semantic.dotnet.often_misused_file_upload
Abstract
ユーザーにファイルのアップロードを許可すると、攻撃者が危険なコンテンツを挿入したり、悪意のあるコードがサーバーを実行する可能性があります。
Explanation
プログラムが記述されている言語に関係なく、最も被害が深刻な攻撃ではリモートからコード実行されることが多く、攻撃者はプログラムの権限で悪意あるコードを実行できます。攻撃者が Web からのアクセスが可能なディレクトリにファイルをアップロードし、アップロードしたファイルをコードインタプリタ (JSP、ASPX、PHP など) に渡すことができる場合、これらのファイルに含まれている悪意あるコードがサーバーで実行される可能性があります。

例 1: 次の Spring MVC コントローラ クラスには、アップロードされたファイルの処理に使用可能なパラメーターがあります。

@Controller
public class MyFormController {
    ...
    @RequestMapping("/test")
    public String uploadFile (org.springframework.web.multipart.MultipartFile file) {
       ...
    }    ...
}


アップロードされたファイルが Web からアクセスできないディレクトリに保存された場合であっても、攻撃者はこの機能を利用してサーバー環境に悪意のあるコンテンツを持ち込み、その他の攻撃を仕掛ける可能性があります。プログラムが Path Manipulation、Command Injection、または Dangerous File Inclusion の脆弱性の危険にさらされている場合、攻撃者は悪意のあるコンテンツを含んだファイルをアップロードし、別の脆弱性を悪用することによってそのファイルをプログラムで読み取る、あるいは実行させる可能性があります。
References
[1] Alla Bezroutchko Secure file upload in PHP web applications
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[35] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.java.often_misused_file_upload_spring
Abstract
ユーザーによるファイルのアップロードを許可すると、攻撃者が危険なコンテンツを挿入したり、悪意のあるコードをサーバー上で実行したりする可能性があります。
Explanation
プログラムが記述されている言語に関係なく、最も被害が深刻な攻撃ではリモートからコード実行されることが多く、攻撃者はプログラムの権限で悪意あるコードを実行できます。攻撃者が Web からのアクセスが可能なディレクトリにファイルをアップロードし、アップロードしたファイルを PHP インタプリタに渡すことができる場合、これらのファイルに含まれている悪意あるコードがサーバーで実行される可能性があります。

例 1: 次のコードはアップロードされたファイルを処理し、処理したファイルを Web ルートの下のディレクトリに移動するものです。攻撃者は悪意ある PHP ソース ファイルをこのプログラムにアップロードし、続いてそれらのファイルをサーバーにリクエストします。その結果、それらのファイルは PHP インタープリターによって実行されます。


<?php
$udir = 'upload/'; // Relative path under Web root
$ufile = $udir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $ufile)) {
    echo "Valid upload received\n";
} else {
    echo "Invalid upload rejected\n";
} ?>


アップロードされたファイルが Web からアクセスできないディレクトリに保存された場合であっても、攻撃者はこの機能を利用してサーバー環境に悪意のあるコンテンツを持ち込み、その他の攻撃を仕掛ける可能性があります。プログラムが Path Manipulation、Command Injection、またはリモートインクルードの脆弱性の危険にさらされている場合、攻撃者は悪意のあるコンテンツを含んだファイルをアップロードし、別の脆弱性を悪用することによってそのファイルをプログラムで読み取る、あるいは実行させる可能性があります。
References
[1] M. Achour et al. PHP Manual
[2] Alla Bezroutchko Secure file upload in PHP web applications
[3] Standards Mapping - Common Weakness Enumeration CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[17] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[18] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[19] Standards Mapping - OWASP Top 10 2010 A1 Injection
[20] Standards Mapping - OWASP Top 10 2013 A1 Injection
[21] Standards Mapping - OWASP Top 10 2017 A1 Injection
[22] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.semantic.php.often_misused_file_upload
Abstract
ユーザーによるファイルのアップロードを許可すると、攻撃者が危険なコンテンツを挿入したり、悪意のあるコードをサーバー上で実行したりする可能性があります。
Explanation
プログラムが記述されている言語に関係なく、最も被害が深刻な攻撃ではリモートからコード実行されることが多く、攻撃者はプログラムの権限で悪意あるコードを実行できます。攻撃者が Web からのアクセスが可能なディレクトリにファイルをアップロードし、アップロードしたファイルを Python インタプリタに渡すことができる場合、これらのファイルに含まれている悪意あるコードがサーバーで実行される可能性があります。

例 1: 次のコードはアップロードされたファイルを処理し、処理したファイルを Web ルートの下のディレクトリに移動するものです。攻撃者は悪意あるファイルをこのプログラムにアップロードし、続いてそれらのファイルをサーバーにリクエストします。


from django.core.files.storage import default_storage
from django.core.files.base import File
...
def handle_upload(request):
  files = request.FILES
  for f in files.values():
    path = default_storage.save('upload/', File(f))
...


アップロードされたファイルが Web からアクセスできないディレクトリに保存された場合であっても、攻撃者はこの機能を利用してサーバー環境に悪意のあるコンテンツを持ち込み、その他の攻撃を仕掛ける可能性があります。プログラムが Path Manipulation、Command Injection、またはリモートインクルードの脆弱性の危険にさらされている場合、攻撃者は悪意のあるコンテンツを含んだファイルをアップロードし、別の脆弱性を悪用することによってそのファイルをプログラムで読み取る、あるいは実行させる可能性があります。
References
[1] Django Foundation File Uploads
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[35] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.python.often_misused_file_upload
Abstract
ユーザーによるファイルのアップロードを許可すると、攻撃者が危険なコンテンツを挿入したり、悪意のあるコードをサーバー上で実行したりする可能性があります。
Explanation
プログラムが記述されている言語に関係なく、最も被害が深刻な攻撃ではリモートからコード実行されることが多く、攻撃者はプログラムの権限で悪意あるコードを実行できます。一般ユーザーが実行可能なファイルが保存されるディレクトリに攻撃者がファイルをアップロードできる場合には、これらのファイルに悪意あるコードを追加して、サーバで実行する可能性があります。

アップロードされたファイルが一般ユーザーがアクセスできないディレクトリに保存された場合であっても、攻撃者はこの機能を利用してサーバー環境に悪意のあるコンテンツを持ち込み、その他の攻撃を仕掛ける可能性があります。プログラムが Path Manipulation、Command Injection、またはリモートインクルードの脆弱性の危険にさらされている場合、攻撃者は悪意のあるコンテンツを含んだファイルをアップロードし、別の脆弱性を悪用することによってそのファイルをプログラムで読み取る、あるいは実行させる可能性があります。
References
[1] Alla Bezroutchko Secure file upload in PHP web applications
[2] Standards Mapping - Common Weakness Enumeration CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A1 Injection
[19] Standards Mapping - OWASP Top 10 2013 A1 Injection
[20] Standards Mapping - OWASP Top 10 2017 A1 Injection
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[34] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[35] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.ruby.often_misused_file_upload
Abstract
ユーザーによるファイルのアップロードを許可すると、攻撃者が危険なコンテンツを挿入したり、悪意のあるコードをサーバー上で実行したりする可能性があります。
Explanation
プログラムが記述されている言語に関係なく、最も被害が深刻な攻撃ではリモートからコード実行されることが多く、攻撃者はプログラムの権限で悪意あるコードを実行できます。攻撃者が Web からのアクセスが可能なディレクトリにファイルをアップロードし、アップロードしたファイルをコードインタプリタ (JSP、ASPX、PHP など) に渡すことができる場合、これらのファイルに含まれている悪意あるコードがサーバーで実行される可能性があります。
アップロードされたファイルが Web からアクセスできないディレクトリに保存された場合であっても、攻撃者はこの機能を利用してサーバー環境に悪意のあるコンテンツを持ち込み、その他の攻撃を仕掛ける可能性があります。プログラムが Path Manipulation、Command Injection、または Dangerous File Inclusion の脆弱性の危険にさらされている場合、攻撃者は悪意のあるコンテンツを含んだファイルをアップロードし、別の脆弱性を悪用することによってそのファイルをプログラムで読み取る、あるいは実行させる可能性があります。

file タイプの <input> タグは、そのプログラムでファイルのアップロードが許可されていることを示します。
例 1:

<input type="file">
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 434
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[17] Standards Mapping - OWASP Top 10 2010 A1 Injection
[18] Standards Mapping - OWASP Top 10 2013 A1 Injection
[19] Standards Mapping - OWASP Top 10 2017 A1 Injection
[20] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.4 - Web Software Attack Mitigation
[33] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 434
[34] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 434
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.content.html.often_misused_file_upload

Often Misused: Mixing Template Languages

Abstract
Cross-Site Scripting 攻撃に対する保護に細工できないようにするため、複数のテンプレート言語を混在させないでください。
Explanation
テンプレート言語を混在させると、特定の言語に対して以前に実装された保護機能が機能しなくなったり、無効になったりすることがあります。最も悪意がないケースでは、機能が予測どおりに機能しなくなる可能性がありますが、この場合も、悪意のあるユーザーはエンジンの保護機能を回避することができて、Cross-site Scriptingの脆弱性にさらされる可能性があります。

例 1: 次のコードでは、AngularJS モジュールは、式の区切り文字としてデフォルト設定でなく、「[[」および「]]」を使用するよう設定されています。


myModule.config(function($interpolateProvider){
    $interpolateProvider.startSymbol("[[");
    $interpolateProvider.endSymbol("]]");
});


この設定の場合、検証を行う他のテンプレート エンジンが AngularJS 式と互換性がない可能性のある式をエスケープするようになります。そのため、ユーザーが標準検証をバイパスして、ブラウザ内で独自のコードを実行できるようになる可能性があります。
References
[1] AngularJS $interpolateProvider documentation Google
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
desc.structural.javascript.often_misused_mixing_template_languages

Often Misused: Privilege Management

Abstract
最低権限の原則を遵守しないと、その他の脆弱性によってもたらされる危険性が高まります。
Explanation
UNIX 環境では、root 権限を使って実行するプログラムが原因で無数のセキュリティ被害が発生しています。多種のセキュリティ問題に対して、権限を必要とするプログラムを注意深く調べることは非常に大切です。しかし、それ以上に重要なのは、見逃された脆弱性によって発生する被害の拡大を防ぐために、権限を持ったプログラムを権限のない状態になるべく早く戻すことです。


Privilege Management 関数の動作は明確ではなく、異なる環境では異なる結果を招きます。こうした非一貫性は、root 以外のユーザー間で移動する場合にとりわけ顕著に現れます。

シグナルハンドラおよび生成されたプロセスは所有プロセスの権限で実行されます。したがって、シグナルを実行したりサブプロセスを実行したりするときに root としてプロセスを実行している場合は、シグナルハンドラまたはサブプロセスはルート権限で動作します。攻撃者はこの昇格された権限を利用して、さらに大きな打撃を与える可能性があります。
References
[1] H. Chen, D. Wagner, and D. Dean. Setuid Demystified. 11th USENIX Security Symposium
[2] B. Chess and J. West, Secure Programming with Static Analysis. Boston, MA: Addison-Wesley, 2007.
[3] Standards Mapping - Common Weakness Enumeration CWE ID 250
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-000381, CCI-002233, CCI-002235
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), CM-7 Least Functionality (P1), IA-5 Authenticator Management (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-5 Access Restrictions for Change, CM-7 Least Functionality, IA-5 Authenticator Management
[10] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.1 Authentication Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[13] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[15] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[27] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 250
[28] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.cpp.often_misused_privilege_management.setuid
Abstract
最小権限の原則を守らないと、他の脆弱性がもたらすリスクが増幅します。
Explanation
root 権限で実行されるプログラムは、数え切れないほどの Unix セキュリティ災害を引き起こしてきました。権限が必要なプログラムにあらゆる種類のセキュリティ上の問題がないか慎重に検討することは必要ですが、見落とされた脆弱性が引き起こす被害を最小限に抑えるために、権限が必要なプログラムの権限をできるだけ早く降格することも同様に重要です。


権限管理機能は、目立たない方法で動作することがあり、また、プラットフォームによって異なる癖があります。このような不整合は、ある非 root ユーザーから別のユーザーに移行する場合に特に顕著になります。

シグナル ハンドラーや生成されたプロセスは、所有するプロセスの権限で実行されるため、シグナルが発生したときやサブプロセスが実行されたときにプロセスが root として実行されている場合、シグナル ハンドラーやサブプロセスは root 権限で動作します。攻撃者は、これらの昇格された特権を利用して、さらなる損害を与えることができる可能性があります。
References
[1] H. Chen, D. Wagner, and D. Dean. Setuid Demystified. 11th USENIX Security Symposium
[2] Standards Mapping - Common Weakness Enumeration CWE ID 250
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-000381, CCI-002233, CCI-002235
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), CM-7 Least Functionality (P1), IA-5 Authenticator Management (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-5 Access Restrictions for Change, CM-7 Least Functionality, IA-5 Authenticator Management
[9] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.1 Authentication Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[26] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 250
[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.golang.often_misused_privilege_management
Abstract
最低権限の原則を遵守しないと、その他の脆弱性によってもたらされる危険性が高まります。
Explanation
UNIX 環境では、root 権限を使って実行するプログラムが原因で無数のセキュリティ被害が発生しています。 多種のセキュリティ問題に対して、権限を必要とするプログラムを注意深く調べることは非常に大切です。しかし、それ以上に重要なのは、見逃された脆弱性によって発生する被害の拡大を防ぐために、権限を持ったプログラムを権限のない状態になるべく早く戻すことです。


Privilege Management 関数の動作は明確ではなく、異なる環境では異なる結果を招きます。こうした非一貫性は、root 以外のユーザー間で移動する場合にとりわけ顕著に現れます。

シグナルハンドラおよび生成されたプロセスは所有プロセスの権限で実行されます。したがって、シグナルを実行したりサブプロセスを実行したりするときに root としてプロセスを実行している場合は、シグナルハンドラまたはサブプロセスはルート権限で動作します。攻撃者はこの昇格された権限を利用して、さらに大きな打撃を与える可能性があります。
References
[1] H. Chen, D. Wagner, and D. Dean. Setuid Demystified. 11th USENIX Security Symposium
[2] Standards Mapping - Common Weakness Enumeration CWE ID 250
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-000381, CCI-002233, CCI-002235
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), CM-7 Least Functionality (P1), IA-5 Authenticator Management (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-5 Access Restrictions for Change, CM-7 Least Functionality, IA-5 Authenticator Management
[9] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.1 Authentication Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[26] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 250
[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.java.often_misused_privilege_management
Abstract
最低権限の原則を遵守しないと、その他の脆弱性によってもたらされる危険性が高まります。
Explanation
UNIX 環境では、root 権限を使って実行するプログラムが原因で無数のセキュリティ被害が発生しています。多種のセキュリティ問題に対して、権限を必要とするプログラムを注意深く調べることは非常に大切です。しかし、それ以上に重要なのは、見逃された脆弱性によって発生する被害の拡大を防ぐために、権限を持ったプログラムを権限のない状態になるべく早く戻すことです。


Privilege Management 関数の動作は明確ではなく、異なる環境では異なる結果を招きます。こうした非一貫性は、root 以外のユーザー間で移動する場合にとりわけ顕著に現れます。

シグナルハンドラおよび生成されたプロセスは所有プロセスの権限で実行されます。したがって、シグナルを実行したりサブプロセスを実行したりするときに root としてプロセスを実行している場合は、シグナルハンドラまたはサブプロセスはルート権限で動作します。攻撃者はこの昇格された権限を利用して、さらに大きな打撃を与える可能性があります。
References
[1] H. Chen, D. Wagner, and D. Dean. Setuid Demystified. 11th USENIX Security Symposium
[2] Standards Mapping - Common Weakness Enumeration CWE ID 250
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-000381, CCI-002233, CCI-002235
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), CM-7 Least Functionality (P1), IA-5 Authenticator Management (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-5 Access Restrictions for Change, CM-7 Least Functionality, IA-5 Authenticator Management
[9] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.2.1 Authentication Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[26] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 250
[27] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 250
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II, APSC-DV-001795 CAT II, APSC-DV-002960 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.python.often_misused_privilege_management

Often Misused: SMS

Abstract
アプリケーションが、iOS 固有の SMS 関連の操作を実行しています。
Explanation
iOS 固有の SMS 関連の操作は、アプリケーションのコア機能に必要でない限り実行しないでください。 モバイル デバイス向けに作成されたマルウェアはしばしば、こうした機能を悪用してユーザーからお金やデータを盗みます。

例 1: 次のケースでは、アプリケーションは SMS メッセージを送信するか、SMS メッセージを事前作成して、送信するかキャンセルするかの判断を求めるメッセージをユーザーに提示します。

...
Device.OpenUri("sms:+12345678910");
...
References
[1] Apple UIApplication Class Reference
[2] Apple MFMessageComposeViewController Class Reference
[3] Xamarin Messaging Plugin for Xamarin and Windows
[4] Standards Mapping - Common Weakness Enumeration CWE ID 265
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.5 Configuration Architectural Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.2, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.2, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[29] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[46] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.dotnet.often_misused_sms
Abstract
アプリケーションが SMS 関連の操作を実行しています。
Explanation
SMS 関連の操作は、アプリケーションのコア機能に必要でない限り実行しないでください。モバイル デバイス向けに作成されたマルウェアはしばしば、こうした機能を悪用してユーザーからお金やデータを盗みます。

例 1: 次のケースでは、アプリケーションは SMS メッセージを送信するか、SMS メッセージを事前作成して、送信するかキャンセルするかの判断を求めるメッセージをユーザーに提示します。

...
[[CTMessageCenter sharedMessageCenter] sendSMSWithText:@"Hello world!" serviceCenter:nil toAddress:@"+12345678910"];
...

// or

...
[[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"sms:+12345678910"]];
...

// or

...
MFMessageComposeViewController *messageComposerVC = [[MFMessageComposeViewController alloc] init];

[messageComposerVC setMessageComposeDelegate:self];
[messageComposerVC setBody:@"Hello World!"];
[messageComposerVC setRecipients:[NSArray arrayWithObject:@"+12345678910"]];

[self presentViewController:messageComposerVC animated:YES completion:nil];
...
References
[1] Apple UIApplication Class Reference
[2] Apple MFMessageComposeViewController Class Reference
[3] Standards Mapping - Common Weakness Enumeration CWE ID 265
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.5 Configuration Architectural Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[11] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.2, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.2, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[45] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.objc.often_misused_sms
Abstract
アプリケーションが SMS 関連の操作を実行しています。
Explanation
SMS 関連の操作は、アプリケーションのコア機能に必要でない限り実行しないでください。モバイル デバイス向けに作成されたマルウェアはしばしば、こうした機能を悪用してユーザーからお金やデータを盗みます。

例 1: 次のケースでは、アプリケーションは SMS メッセージを送信するか、SMS メッセージを事前作成して、送信するかキャンセルするかの判断を求めるメッセージをユーザーに提示します。


...
UIApplication.sharedApplication().openURL(NSURL(string: "sms:+12345678910"))
...


または


...
let messageComposeVC = MFMessageComposeViewController()
messageComposeVC.messageComposeDelegate = self
messageComposeVC.body = "Hello World!"
messageComposeVC.recipients = ["+12345678910"]

presentViewController(messageComposeVC, animated: true, completion: nil)
...
References
[1] Apple UIApplication Class Reference
[2] Apple MFMessageComposeViewController Class Reference
[3] Standards Mapping - Common Weakness Enumeration CWE ID 265
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.5 Configuration Architectural Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[11] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.2, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.2, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[45] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.swift.often_misused_sms

Often Misused: Spring Remote Service

Abstract
リモートサービスは Spring アプリケーションで設定されます。デフォルトでは、これらのリモート サービスは認証を必要とせず、このサービスとの間で転送される情報は平文です。そのため、攻撃者が特権操作にアクセスしたり、機密データを公開したりする可能性があります。
Explanation
Spring は、Spring が管理する Bean を、RMI、HTTP、Burlap、Hessian、および JMX プロトコルを介して外部に公開されるオブジェクトに変換する、簡単なメカニズムを提供します。リモート化された Spring Bean のパブリック メソッドはすべて外部から呼び出すことができ、クライアントとリモート化されたオブジェクトの間で渡されるデータは平文です。これらのサービスの主な問題は、デフォルトでオープンになっており、すぐに機密性や整合性を保証できないことです。
References
[1] Anirvan Chakraborty , Jessica Ditt , Aleksa Vukotic , Jan Machacek ProSpring 2.5
[2] Gary Mak , Daniel Rubio , Josh Long Spring Recipes
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-001084, CCI-002165
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1), SC-3 Security Function Isolation (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users), SC-3 Security Function Isolation, SC-8 Transmission Confidentiality and Integrity
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[9] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.10
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4, Requirement 6.5.9
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.4, Requirement 6.5.8
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4, Requirement 6.5.8
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4, Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.4.1 - Web Software Communications
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3260 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3260 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.configuration.java.often_misused_spring_remote_service

Often Misused: Spring Web Service

Abstract
Web サービスは Spring アプリケーションで設定されます。デフォルトでは、これらの Web サービスは認証を必要とせず、このサービスとの間で転送される情報は平文です。そのため、攻撃者が特権操作にアクセスしたり、機密データを公開したりする可能性があります。
Explanation
Spring は、Spring WS または XFire を介して Spring が管理する Bean を Web サービスに変換する簡単なメカニズムを提供します。リモート化された Spring Bean のパブリック メソッドはすべて外部から呼び出すことができ、クライアントと Web サービスが有効化されたオブジェクトの間で渡されるデータは平文です。これらのサービスの主な問題は、デフォルトでオープンになっており、すぐに機密性や整合性を保証できないことです。
References
[1] Anirvan Chakraborty , Jessica Ditt , Aleksa Vukotic , Jan Machacek ProSpring 2.5
[2] Gary Mak , Daniel Rubio , Josh Long Spring Recipes
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-001084, CCI-002165
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1), SC-3 Security Function Isolation (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users), SC-3 Security Function Isolation, SC-8 Transmission Confidentiality and Integrity
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[9] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.10
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4, Requirement 6.5.9
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.4, Requirement 6.5.8
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4, Requirement 6.5.8
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4, Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.4.1 - Web Software Communications
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3260 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3260 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.configuration.java.often_misused_spring_web_service

Often Misused: Strings

Abstract
マルチバイト文字列と Unicode 文字列の変換を実行する関数では、Buffer Overflow が発生しやすくなります。
Explanation
Windows では、MultiByteToWideChar()WideCharToMultiByte()UnicodeToBytes()、および BytesToUnicode() といった関数で任意のマルチバイト文字列 (通常ANSI) と Unicode 文字列 (ワイド文字) を変換します。こうした関数へ渡すサイズ引数は、1 つの関数ではバイト数、他方では文字数と異なる単位で指定されるため、エラーが発生しやすくなります。マルチバイト文字列では各文字のバイト数が異なるため、文字列の長さはバイトの合計サイズを使うと簡単に指定できます。一方 Unicode では、文字は常に固定サイズであるため、文字列の長さは通常、含まれる文字数で決まります。サイズ引数を間違った単位で指定すると、Buffer Overflow の原因となる可能性があります。

例 1: 次の関数では、マルチバイト文字列として指定されたユーザー名およびユーザー情報を格納する構造体へのポインターを受け取り、構造体に指定ユーザーに関する情報を代入しています。Windows の Authentication ではユーザー名に Unicode が使用されるため、まずユーザー名引数をマルチバイト文字列から Unicode 文字列に変換しています。


void getUserInfo(char *username, struct _USER_INFO_2 info){
WCHAR unicodeUser[UNLEN+1];
MultiByteToWideChar(CP_ACP, 0, username, -1,
     unicodeUser, sizeof(unicodeUser));
NetUserGetInfo(NULL, unicodeUser, 2, (LPBYTE *)&info);
}


この関数は unicodeUser のサイズを、文字数でなく、誤ってバイト単位で渡しています。このため、MultiByteToWideChar() へのコールにより最大で (UNLEN+1)*sizeof(WCHAR) 個のワイド文字、または (UNLEN+1)*sizeof(WCHAR)*sizeof(WCHAR) バイトを unicodeUser 配列に書き込むことが可能ですが、この配列には (UNLEN+1)*sizeof(WCHAR) バイトしか割り当てられていません。username 文字列に含まれる文字数が UNLEN 字を超えている場合、MultiByteToWideChar() のコールにより、バッファ unicodeUser はオーバーフローします。
References
[1] Security Considerations: International Features Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 176, CWE ID 251
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002824
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-16 Memory Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-16 Memory Protection
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.2 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002590 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002590 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002590 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002590 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002590 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002590 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002590 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002590 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002590 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002590 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002590 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002590 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002590 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002590 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002590 CAT I
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Buffer Overflow (WASC-07)
[47] Standards Mapping - Web Application Security Consortium 24 + 2 Buffer Overflow
desc.semantic.cpp.often_misused_strings.multibytewidechar

Often Misused: sun.misc.Unsafe

Abstract
アプリケーションは、sun.misc.Unsafe の機能を使用します。このクラスのすべての機能は本質的に安全に使用できず、リフレクション経由でのみアクセスできます。
Explanation
sun.misc.Unsafe クラスは、安全でない低レベルの操作を実行するためのものであり、開発者による使用を目的としていません。
Unsafe クラスは信頼できるコードによってのみ取得でき、通常はリフレクションを通じて取得されます。これは、このクラスがシステムの破損やヒープ メモリの手動割り当てに使用される可能性があり、適切に処理しないとシステムに悪影響を及ぼす可能性があるためです。sun.misc.Unsafe に関するすべての機能を慎重にレビューし、問題がないことをテストすることが不可欠です。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 676
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[9] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
[13] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP2060.4 CAT II, APP3590.2 CAT I
[14] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP2060.4 CAT II, APP3590.2 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP2060.4 CAT II, APP3590.2 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP2060.4 CAT II, APP3590.2 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP2060.4 CAT II, APP3590.2 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP2060.4 CAT II, APP3590.2 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP2060.4 CAT II, APP3590.2 CAT II
desc.structural.java.often_misused_sun_misc_unsafe

Password Management: Weak Redundancy

Abstract
パスワード確認のため、新しいパスワードは、複製したものではなく、2 回入力する必要があります。
Explanation
パスワードの変更または新しいユーザー アカウントの作成では、通常、確認のために新しいパスワードを 2 回入力する必要があります。パスワードを 2 回渡すのではなく、複製したパスワードを渡すと、ユーザーのパスワード入力ミスではないことを API が確認できず、パスワード確認のセーフティ メカニズムをすり抜けることになります。

例 1:

    String password=request.getParameter("password");
    ...
    DefaultUser user = (DefaultUser) ESAPI.authenticator().createUser(username, password, password);
References
[1] OWASP ESAPI Secure Coding API: User
[2] Standards Mapping - Common Weakness Enumeration CWE ID 521
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.11 Password Security Requirements (L1 L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[13] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.4, Requirement 6.5.6, Requirement 8.3.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.4, Requirement 6.5.6, Requirement 8.3.1
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
desc.structural.java.password_management_weak_redundancy

Poor Style: Explicit Call to finalize()

Abstract
finalize() メソッドは、オブジェクトがガベージコレクトされた後に JVM にコールされるようにします。
Explanation
Java Language Specification では、オブジェクトの finalize() メソッドを finalizer 外部からコールすることができます。通常は、これは良い考えではありません。たとえば、finalize() をコールすることは、finalize() が 2 回以上コールされることを明示的に意味しています。一回目は明示的なコールで、最後はオブジェクトがガベージコレクトされた後に行われるコールです。

例 1: 次のコードフラグメントは、finalize() を明示的にコールします。


// time to clean up
widget.finalize();
References
[1] MET12-J. Do not use finalizers CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 586
desc.structural.java.poor_style_explicit_call_to_finalize

React Bad Practices: Dangerously Set InnerHTML

Abstract
dangerouslySetInnerHTML 属性は、不必要にコードから HTML を設定します。
Explanation
React の dangerouslySetInnerHTML 属性は、ブラウザー DOM での innerHTML の使用に代わるものです。API 名は、これを使用することによる潜在的な危険性を伝えるために変更されています。一般に、コードから HTML を設定することは危険です。ユーザーを誤って Cross-Site Scripting (XSS) 攻撃にさらす可能性が高いためです。
例 1: 次のコードは、HTML をコードから dangerouslySetInnerHTML 属性に設定します。

      function MyComponent(data) {
        return (
          <div
            dangerouslySetInnerHTML={{__html: data.innerHTML}}
          />
        );
      }
desc.structural.javascript.react_bad_practices_dangerously_set_innerhtml

Restricted Method

Abstract
このメソッドは制限されています。このメソッドを使用するたびに、問題としてフラグが付けられます。
Explanation
Foreign Function and Memory API 内では、一部のメソッドは、誤って使用すると JVM のクラッシュやメモリ破損につながる可能性があるため、制限されていると見なされます。
References
[1] Oracle Foreign Function and Memory API: Restricted Methods
[2] Standards Mapping - Common Weakness Enumeration CWE ID 749
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-16 Memory Protection (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-16 Memory Protection
[5] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.4.2 Memory/String/Unmanaged Code Requirements (L1 L2 L3)
[6] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
desc.structural.java.ffr_restricted_methods

SQL Bad Practices: Direct Update

Abstract
Direct Open SQL 書き込み操作は好ましくない方法ですので避けてください。
Explanation
一般的に、Direct Open SQL 書き込み操作 (Insert/Update/Modify/Delete) は好ましくない方法ですので避けてください。これは、システムの完全性と安全性を台無しにするので使用すべきではありません。



Direct Open SQL 書き込み操作は、エラーを発生し易いので、システムが予期しない動作をする可能性があります。SAP で注意すべき問題は以下のとおりです。

- 複数のデータベース LUW にまたがる可能性がある SAP LUW (論理作業単位) 内でのデータの整合性を確保するために、「バンドルの更新」テクニックの使用をお勧めします。バンドルを更新せずにテーブル エントリを変更すると、SAP トランザクションが一貫性のないままになる可能性があります。

- Direct Open SQL 書き込み操作では、データベース レベルのロックのみを設定し、SAP アプリケーションのロックをバイパスします。これによって、デッドロックが発生し、データが破損する可能性があります。

- Direct Open SQL 書き込み操作では、アプリケーション プログラム内での SAP 認証チェックをバイパスします。

- テーブル エントリの書き込み、チェックの編集、監査トレールに標準のメカニズムが使用される場合、その後の更新 (たとえば、ドキュメントの変更など) のすべてが正しく実行されます。これは、Direct Open SQL 書き込み操作が使用される場合には該当しません。

References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 662
[2] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002235
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege
[8] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II
desc.structural.abap.sql_bad_practices_direct_update

SQL Bad Practices: Underspecified Identifier

Abstract
スキーマのない識別子を、実行者権限パッケージでは使用すべきではありません。
Explanation
実行者権限または AUTHID CURRENT_USER パッケージでは、現在のユーザースキーマに対して識別子が最初に解決されます。その結果、識別子がどのスキーマに属しているのかをコードの定義が明示していない場合、予期せぬ動作が引き起こされる可能性があります。

例 1: 次のコードは権限テーブルでユーザーを検索して、ユーザーがアクションを実行する権限を持っているかどうかを確認します。大半のユーザーは SYS.PERMISSIONS に対してのみ読み取りアクセスが許可されるようになり、定義済みの権限を変更できません。


CREATE or REPLACE FUNCTION check_permissions(
  p_name IN VARCHAR2, p_action IN VARCHAR2)
  RETURN BOOLEAN
  AUTHID CURRENT_USER
IS
  r_count NUMBER;
  perm BOOLEAN := FALSE;
BEGIN
  SELECT count(*) INTO r_count FROM PERMISSIONS
    WHERE name = p_name AND action = p_action;
  IF r_count > 0 THEN
    perm := TRUE;
  END IF;
  RETURN perm;
END check_permissions
check_permissions 関数をコールするユーザーがスキーマで PERMISSIONS テーブルを定義する場合、データベースが識別子を解決して、ローカルテーブルを参照します。ユーザーは新しいテーブルに対する書き込み権限を付与されるため、データベースを変更することによって本来付与されないはずの権限を取得できるようになります。
References
[1] Oracle Oracle Database PL/SQL Language Reference
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
desc.structural.sql.sql_bad_practices_underspecified_identifier

Struts 2 Bad Practices: Application Map Tampering

Abstract
Struts 2.x Action はクラスを実装しており、これにより攻撃者はセッション、アプリケーション、またはリクエストサーバー側のオブジェクトに任意のデータをバインドすることでアプリケーションのビジネスロジックを修正することができます。
Explanation
Apache Struts 2.x は、新しい Aware インターフェイスにより、開発者が、Actions コードに、関連する実行時情報を持つマップを容易に挿入できます。このインターフェイスには、org.apache.struts2.interceptor.ApplicationtAwareorg.apache.struts2.interceptor.SessionAwareorg.apache.struts2.interceptor.RequestAware があります。Actions コードに挿入されたこれらのデータマップのいずれかを取得するには、開発者は、インターフェイスで指定されたセッター (たとえば SessionAware インターフェイスでは setSession) を実装する必要があります。

public class VulnerableAction extends ActionSupport implements SessionAware {

  protected Map<String, Object> session;

  @Override
  public void setSession(Map<String, Object> session) {
    this.session = session;
  }

一方、Struts 2.x は、Action で定義されているパブリックアクセッサーにより、ユーザーから受信したリクエストデータを Action のプロパティに自動的にバインドします。Aware インターフェイスでは、そこで定義されたパブリックセッターの実装が必要なので、このセッターも自動的に、Aware インターフェイスのセッター名に一致するリクエストパラメーターにバインドされます。このことにより、SessionAwareRequestAwareApplicationAware のインターフェイスで示したように、影響を受けたインターフェイスを実装しているアプリケーションに対する巧妙なパラメーターを使用して、リモートの攻撃者が実行環境のデータ値を修正する可能性があります。

次の URL では、攻撃者がセッションマップ中の "roles" 属性を上書きできるため、攻撃者が管理者として振る舞う可能性があります。

http://server/VulnerableAction?session.roles=admin


これらのインターフェイスは、セッターアクセッサーの実装のみを必要としますが、対応するゲッターも実装されている場合、マップコレクションに対する変更は、現在のリクエスト範囲のみでなく、セッション範囲にも及びます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 20
[2] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[13] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A03 Injection
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)
desc.structural.java.struts2_bad_practices_application_map_tampering

Struts 2 Bad Practices: Dynamic Method Invocation

Abstract
Struts 2 アクションは、アクションの execute() メソッドを上書きするエンドユーザーによって呼び出すことのできる public メソッドを開示します。
Explanation
Struts 2 には「Dynamic Method Invocation」という機能があり、これにより Action によって execute() 以外のメソッドを開示できます。! (感嘆符) 文字または method: プレフィックスを Action URL に使用して、「Dynamic Method Invocation」が有効に設定されていれば Action でどの public メソッドでも呼び出すことができます。この機能を知らない開発者は、内部のビジネスロジックを攻撃者に対して無防備に開示してしまう可能性があります。

たとえば、Action に getUserPassword() という public メソッドが含まれており、何の引数もともなわず「Dynamic Method Invocation」機能を無効にできない場合、攻撃者はこれに目を付けて以下の URL を閲覧できます。 http://server/app/recoverpassword!getPassword.action
References
[1] Struts 2 Security Vulnerability - Dynamic Method Invocation
[2] Struts 2 - Dynamic Method Invocation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 285
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001764, CCI-001774, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), CM-7 Least Functionality (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, CM-7 Least Functionality
[9] Standards Mapping - OWASP API 2023 API5 Broken Function Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[31] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 862
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.java.struts2_bad_practices_dynamic_method_invocation

Struts 2 Bad Practices: Request Map Tampering

Abstract
Struts 2.x Action はクラスを実装しており、これにより攻撃者はセッション、アプリケーション、またはリクエストサーバー側のオブジェクトに任意のデータをバインドすることでアプリケーションのビジネスロジックを修正することができます。
Explanation
Apache Struts 2.x は、新しい Aware インターフェイスにより、開発者が、Actions コードに、関連する実行時情報を持つマップを容易に挿入できます。このインターフェイスには、org.apache.struts2.interceptor.ApplicationtAwareorg.apache.struts2.interceptor.SessionAwareorg.apache.struts2.interceptor.RequestAware があります。Actions コードに挿入されたこれらのデータマップのいずれかを取得するには、開発者は、インターフェイスで指定されたセッター (たとえば SessionAware インターフェイスでは setSession) を実装する必要があります。

public class VulnerableAction extends ActionSupport implements SessionAware {

  protected Map<String, Object> session;

  @Override
  public void setSession(Map<String, Object> session) {
    this.session = session;
  }

一方、Struts 2.x は、Action で定義されているパブリックアクセッサーにより、ユーザーから受信したリクエストデータを Action のプロパティに自動的にバインドします。Aware インターフェイスでは、そこで定義されたパブリックセッターの実装が必要なので、このセッターも自動的に、Aware インターフェイスのセッター名に一致するリクエストパラメーターにバインドされます。このことにより、SessionAwareRequestAwareApplicationAware のインターフェイスで示したように、影響を受けたインターフェイスを実装しているアプリケーションに対する巧妙なパラメーターを使用して、リモートの攻撃者が実行環境のデータ値を修正する可能性があります。

次の URL では、攻撃者がセッションマップ中の "roles" 属性を上書きできるため、攻撃者が管理者として振る舞う可能性があります。

http://server/VulnerableAction?session.roles=admin


これらのインターフェイスは、セッターアクセッサーの実装のみを必要としますが、対応するゲッターも実装されている場合、マップコレクションに対する変更は、現在のリクエスト範囲のみでなく、セッション範囲にも及びます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 20
[2] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[13] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A03 Injection
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)
desc.structural.java.struts2_bad_practices_request_map_tampering

Struts 2 Bad Practices: Session Map Tampering

Abstract
Struts 2.x Action はクラスを実装しており、これにより攻撃者はセッション、アプリケーション、またはリクエストサーバー側のオブジェクトに任意のデータをバインドすることでアプリケーションのビジネスロジックを修正することができます。
Explanation
Apache Struts 2.x は、新しい Aware インターフェイスにより、開発者が、Actions コードに、関連する実行時情報を持つマップを容易に挿入できます。このインターフェイスには、org.apache.struts2.interceptor.ApplicationtAwareorg.apache.struts2.interceptor.SessionAwareorg.apache.struts2.interceptor.RequestAware があります。Actions コードに挿入されたこれらのデータマップのいずれかを取得するには、開発者は、インターフェイスで指定されたセッター (たとえば SessionAware インターフェイスでは setSession) を実装する必要があります。

public class VulnerableAction extends ActionSupport implements SessionAware {

  protected Map<String, Object> session;

  @Override
  public void setSession(Map<String, Object> session) {
    this.session = session;
  }

一方、Struts 2.x は、Action で定義されているパブリックアクセッサーにより、ユーザーから受信したリクエストデータを Action のプロパティに自動的にバインドします。Aware インターフェイスでは、そこで定義されたパブリックセッターの実装が必要なので、このセッターも自動的に、Aware インターフェイスのセッター名に一致するリクエストパラメーターにバインドされます。このことにより、SessionAwareRequestAwareApplicationAware のインターフェイスで示したように、影響を受けたインターフェイスを実装しているアプリケーションに対する巧妙なパラメーターを使用して、リモートの攻撃者が実行環境のデータ値を修正する可能性があります。

次の URL では、攻撃者がセッションマップ中の "roles" 属性を上書きできるため、攻撃者が管理者として振る舞う可能性があります。

http://server/VulnerableAction?session.roles=admin


これらのインターフェイスは、セッターアクセッサーの実装のみを必要としますが、対応するゲッターも実装されている場合、マップコレクションに対する変更は、現在のリクエスト範囲のみでなく、セッション範囲にも及びます。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 20
[2] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[3] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[13] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A03 Injection
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)
desc.structural.java.struts2_bad_practices_session_map_tampering