界: Environment

このセクションには、ソース コード以外のものでも、作成中の製品のセキュリティにとって重要なものがすべて含まれています。この分野が対象とする問題は、ソース コードに直接関係しないため、この分野の他の部分と分けました。

656 見つかった項目
脆弱性

Struts Misconfiguration: Missing Form Bean

Abstract
存在しない form-bean を参照する Struts の action は、正しくマップされません。
Explanation
Struts は、form-bean エントリを使用して HTML フォームをアクションにマップします。<action> タグの name 属性が form-bean の名前に対応していない場合、アクションをマッピングできず、不適切な定義または誤植を示します。

例 1: 次の設定は、bean2 のマッピングを含みません。

<form-beans>
  <form-bean name="bean1" type="coreservlets.UserFormBean" />
</form-beans>

<action-mappings>
  <action path="/actions/register1" type="coreservlets.RegisterAction1" name="bean1" scope="request" />
  <action path="/actions/register2" type="coreservlets.RegisterAction2" name="bean2" scope="request" />
</action-mappings>
References
[1] Apache Struts 1.3 Specification
[2] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[3] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[4] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[6] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[7] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[8] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
desc.config.java.struts_misconfiguration_missing_form_bean

Struts Misconfiguration: Missing Form Bean Name

Abstract
name 属性なしの form-bean は使用されません。
Explanation
Struts は、form-bean の名前を使用して HTML フォームをアクションにマップします。form-bean に名前がないとアクションにマップできず、不適切な定義または誤って省略された Bean のいずれかを示します。
以下は適切な form-bean の例です。
例 1: 次の form-bean には空の name 属性があります。

<form-beans>
  <form-bean name="" type="org.apache.struts.validator.DynaValidatorForm">
    <form-property name="name" type="java.lang.String" />
    <form-property name="password" type="java.lang.String" />
  </form-bean>
</form-beans>
References
[1] Apache Struts 1.3 Specification
[2] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[3] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[4] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
desc.config.java.struts_misconfiguration_missing_form_bean_name

Struts Misconfiguration: Missing Form Bean Type

Abstract
type 属性なしの form-bean は正しくマップされません。
Explanation
Struts は、form-bean エントリを使用して HTML フォームをアクションにマップします。form-bean にタイプがないと、アクションにマップできません。
例 1: 次の form-bean には空の type 属性があります。

<form-beans>
  <form-bean name="loginForm" type="">
    <form-property name="name" type="java.lang.String" />
    <form-property name="password" type="java.lang.String" />
  </form-bean>
</form-beans>
References
[1] Apache Struts 1.3 Specification
[2] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[3] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[4] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
desc.config.java.struts_misconfiguration_missing_form_bean_type

Struts Misconfiguration: Missing Form Property Type

Abstract
type タイプ属性なしで form-property を定義するのは間違いです。
Explanation
Struts では、<form-property> タグに type 属性を含める必要があります。Struts は、タイプなしで form-property を定義したフォームを処理すると、例外をスローします。

例 1: 次の設定は、name プロパティのタイプを省略しています。

<form-bean name="loginForm" type="org.apache.struts.validator.DynaValidatorForm">
  <form-property name="name" />
  <form-property name="password" type="java.lang.String" />
</form-bean>
References
[1] Apache Struts 1.3 Specification
[2] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[3] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[4] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
desc.config.java.struts_misconfiguration_missing_form_property_type

Struts Misconfiguration: Missing Forward Name

Abstract
name 属性がない <forward> タグは、デバッグ コードが残っているか、誤植を示していることがよくあります。
Explanation
<forward> タグには、namepath 属性が必要です。名前がないと、forward は使用されません。

例 1: 次の <forward> タグには空の name 属性があります。

    <forward name="" path="/results.jsp"/>
References
[1] Apache Struts 1.3 Specification
[2] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[3] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[4] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
desc.config.java.struts_misconfiguration_missing_forward_name

Struts Misconfiguration: Missing Forward Path

Abstract
path 属性がない <forward> タグは、デバッグ コードが残っているか、誤植を示していることがよくあります。
Explanation
<forward> タグには、namepath 属性が必要です。パスを省略したり、空白のパスを指定するのは間違いです。また、すべてのパスは "/" 文字で始める必要があります。

例 1: 次の <forward> タグには path 属性がありません。

    <forward name="success" />
References
[1] Apache Struts 1.3 Specification
[2] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[3] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[4] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
desc.config.java.struts_misconfiguration_missing_forward_path

System Information Leak: PHP Errors

Abstract
データやデバッグ情報の開示は、システムについて攻撃者に教えることになり、攻撃の計画が立てやすくなります。
Explanation
display_errors オプションが有効に設定されている場合、エラーが Web ブラウザに表示されるので、潜在的な脆弱性が攻撃者に明らかになる可能性があります。たとえば、あるデータベースのエラーメッセージから、アプリケーションが SQL Injection 攻撃に対して脆弱であることがわかる場合があります。また、他のエラーメッセージがシステムに関する間接的な手がかりを示すことがあります。
References
[1] M. Achour et al. PHP Manual
[2] Standards Mapping - Common Weakness Enumeration CWE ID 209, CWE ID 215
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), SA-15 Development Process and Standards and Tools (P2), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, SA-15 Development Process and Standards and Tools, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.1 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[33] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 209
[34] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 209
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.php.system_information_leak_php_errors

System Information Leak: PHP Version

Abstract
詳細なシステム情報の開示は、システムについて攻撃者に教えることになり、攻撃の計画が立てやすくなります。
Explanation
expose_php オプションが有効に設定されている場合、PHP インタプリタによって作成されるすべてのレスポンスには、ホストシステムにインストールされている PHP のバージョンが含まれます。リモート サーバーで実行されている PHP のバージョンを知り得た攻撃者は、システムに対する既知の悪用方法を列挙できるため、攻撃を成功させるのにかかる労力を大幅に削減できます。
References
[1] M. Achour et al. PHP Manual
[2] Standards Mapping - Common Weakness Enumeration CWE ID 497
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[50] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.php.system_information_leak_php_version

WCF Misconfiguration: Anonymous Message Client

Abstract
Authentication を実行しないと、すべてのユーザがこのサービスにアクセスできることになります。
Explanation
クライアントを認証しないサービスでは、誰でもアクセスできます。

References
[1] Common Security Scenarios Microsoft
[2] Message Security with an Anonymous Client Microsoft
[3] Standards Mapping - Common Weakness Enumeration CWE ID 285
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-002165
[5] Standards Mapping - FIPS200 IA
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users)
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[15] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[16] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[17] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 7.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 7.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10, Requirement 7.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.1
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[31] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.semantic.dotnet.wcf_misconfiguration_anonymous_message_client

WCF Misconfiguration: Anonymous Transport Client

Abstract
Authentication を実行しないと、すべてのユーザがこのサービスにアクセスできることになります。
Explanation
クライアントを認証しないサービスでは、誰でもアクセスできます。

References
[1] Common Security Scenarios Microsoft
[2] Transport Security with an Anonymous Client Microsoft
[3] Standards Mapping - Common Weakness Enumeration CWE ID 285
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-002165
[5] Standards Mapping - FIPS200 IA
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users)
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[15] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[16] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[17] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 7.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 7.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10, Requirement 7.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.1
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[31] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.semantic.dotnet.wcf_misconfiguration_anonymous_transport_client

WCF Misconfiguration: Debug Information

Abstract
デバッグ情報は、攻撃者がシステムについて学び、攻撃の形態を計画するのに役立ちます。
Explanation
Windows Communication Framework (WCF) サービスは、デバッグ情報を公開するように設定できます。デバッグ情報は、実運用環境では使用しないでください。<serviceDebug> タグは、WCF サービスに対してデバッグ情報機能を有効にするかどうかを定義します。



属性 includeExceptionDetailInFaultstrue に設定されている場合、アプリケーションからの例外情報がクライアントに返されます。攻撃者はデバッグ出力から得た追加情報を利用して、フレームワークやデータベースなど、アプリケーションで使用されるリソースを標的に攻撃を仕掛けることがあります。

例: 次の設定ファイルには、<serviceDebug> タグが含まれています。

<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MyServiceBehavior">
          <serviceDebug includeExceptionDetailInFaults="True" httpHelpPageEnabled="True"/>
...
References
[1] Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 215
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SA-15 Development Process and Standards and Tools (P2), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SA-15 Development Process and Standards and Tools, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13), Fingerprinting (WASC-45)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.config.dotnet.wcf_misconfiguration_debug_information

WCF Misconfiguration: Insufficient Audit Failure Handling

Abstract
このプログラムは、監査ログへの書き込みに失敗したときに例外を生成しないように設定されています。
Explanation
WCF が監査ログに書き込めないときに例外をスローしないように設定されている場合、プログラムは失敗を通知されず、重大なセキュリティ イベントの監査が行われない可能性があります。

例 1: 次の WCF 設定ファイルの <behavior/> 要素は、WCF が監査ログへの書き込みに失敗したときにアプリケーションに通知を行わないよう WCF クライアントに命令しています。


<behaviors>
   <serviceBehaviors>
      <behavior name="NewBehavior">
         <serviceSecurityAudit auditLogLocation="Application"
             suppressAuditFailure="true"
             serviceAuthorizationAuditLevel="Success"
             messageAuthenticationAuditLevel="Success" />
      </behavior>
   </serviceBehaviors>
</behaviors>

References
[1] Microsoft Developer Network (MSDN)
[2] Standards Mapping - Common Weakness Enumeration CWE ID 778
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000018, CCI-000130, CCI-000139, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001464, CCI-001814, CCI-001858, CCI-002130, CCI-002234, CCI-002884
[4] Standards Mapping - FIPS200 AU
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AC-6 Least Privilege (P1), AU-3 Content of Audit Records (P1), AU-5 Response to Audit Processing Failures (P1), AU-12 Audit Generation (P1), AU-14 Session Audit (P0), CM-5 Access Restrictions for Change (P1), MA-4 Nonlocal Maintenance (P2)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AC-6 Least Privilege, AU-3 Content of Audit Records, AU-5 Response to Audit Logging Process Failures, AU-12 Audit Record Generation, AU-14 Session Audit, CM-5 Access Restrictions for Change, MA-4 Nonlocal Maintenance
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[10] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[11] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.3.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.3.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.3.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.2
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000340 CAT II, APSC-DV-000350 CAT II, APSC-DV-000360 CAT II, APSC-DV-000370 CAT II, APSC-DV-000420 CAT II, APSC-DV-000520 CAT II, APSC-DV-000620 CAT II, APSC-DV-000630 CAT II, APSC-DV-000640 CAT II, APSC-DV-000660 CAT II, APSC-DV-000680 CAT II, APSC-DV-000690 CAT II, APSC-DV-000700 CAT II, APSC-DV-000710 CAT II, APSC-DV-000720 CAT II, APSC-DV-000730 CAT II, APSC-DV-000740 CAT II, APSC-DV-000750 CAT II, APSC-DV-000760 CAT II, APSC-DV-000770 CAT II, APSC-DV-000780 CAT II, APSC-DV-000790 CAT II, APSC-DV-000800 CAT II, APSC-DV-000810 CAT II, APSC-DV-000820 CAT II, APSC-DV-000830 CAT II, APSC-DV-000840 CAT II, APSC-DV-000850 CAT II, APSC-DV-000860 CAT II, APSC-DV-000870 CAT II, APSC-DV-000880 CAT II, APSC-DV-000910 CAT II, APSC-DV-000940 CAT II, APSC-DV-000950 CAT II, APSC-DV-000960 CAT II, APSC-DV-000970 CAT II, APSC-DV-001100 CAT II, APSC-DV-001110 CAT II, APSC-DV-001420 CAT II, APSC-DV-001930 CAT II, APSC-DV-003360 CAT III
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000340 CAT II, APSC-DV-000350 CAT II, APSC-DV-000360 CAT II, APSC-DV-000370 CAT II, APSC-DV-000420 CAT II, APSC-DV-000520 CAT II, APSC-DV-000620 CAT II, APSC-DV-000630 CAT II, APSC-DV-000640 CAT II, APSC-DV-000660 CAT II, APSC-DV-000680 CAT II, APSC-DV-000690 CAT II, APSC-DV-000700 CAT II, APSC-DV-000710 CAT II, APSC-DV-000720 CAT II, APSC-DV-000730 CAT II, APSC-DV-000740 CAT II, APSC-DV-000750 CAT II, APSC-DV-000760 CAT II, APSC-DV-000770 CAT II, APSC-DV-000780 CAT II, APSC-DV-000790 CAT II, APSC-DV-000800 CAT II, APSC-DV-000810 CAT II, APSC-DV-000820 CAT II, APSC-DV-000830 CAT II, APSC-DV-000840 CAT II, APSC-DV-000850 CAT II, APSC-DV-000860 CAT II, APSC-DV-000870 CAT II, APSC-DV-000880 CAT II, APSC-DV-000910 CAT II, APSC-DV-000940 CAT II, APSC-DV-000950 CAT II, APSC-DV-000960 CAT II, APSC-DV-000970 CAT II, APSC-DV-001100 CAT II, APSC-DV-001110 CAT II, APSC-DV-001420 CAT II, APSC-DV-001930 CAT II, APSC-DV-003360 CAT III
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000340 CAT II, APSC-DV-000350 CAT II, APSC-DV-000360 CAT II, APSC-DV-000370 CAT II, APSC-DV-000420 CAT II, APSC-DV-000520 CAT II, APSC-DV-000620 CAT II, APSC-DV-000630 CAT II, APSC-DV-000640 CAT II, APSC-DV-000660 CAT II, APSC-DV-000680 CAT II, APSC-DV-000690 CAT II, APSC-DV-000700 CAT II, APSC-DV-000710 CAT II, APSC-DV-000720 CAT II, APSC-DV-000730 CAT II, APSC-DV-000740 CAT II, APSC-DV-000750 CAT II, APSC-DV-000760 CAT II, APSC-DV-000770 CAT II, APSC-DV-000780 CAT II, APSC-DV-000790 CAT II, APSC-DV-000800 CAT II, APSC-DV-000810 CAT II, APSC-DV-000820 CAT II, APSC-DV-000830 CAT II, APSC-DV-000840 CAT II, APSC-DV-000850 CAT II, APSC-DV-000860 CAT II, APSC-DV-000870 CAT II, APSC-DV-000880 CAT II, APSC-DV-000910 CAT II, APSC-DV-000940 CAT II, APSC-DV-000950 CAT II, APSC-DV-000960 CAT II, APSC-DV-000970 CAT II, APSC-DV-001100 CAT II, APSC-DV-001110 CAT II, APSC-DV-001420 CAT II, APSC-DV-001930 CAT II, APSC-DV-003360 CAT III
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000340 CAT II, APSC-DV-000350 CAT II, APSC-DV-000360 CAT II, APSC-DV-000370 CAT II, APSC-DV-000420 CAT II, APSC-DV-000520 CAT II, APSC-DV-000620 CAT II, APSC-DV-000630 CAT II, APSC-DV-000640 CAT II, APSC-DV-000660 CAT II, APSC-DV-000680 CAT II, APSC-DV-000690 CAT II, APSC-DV-000700 CAT II, APSC-DV-000710 CAT II, APSC-DV-000720 CAT II, APSC-DV-000730 CAT II, APSC-DV-000740 CAT II, APSC-DV-000750 CAT II, APSC-DV-000760 CAT II, APSC-DV-000770 CAT II, APSC-DV-000780 CAT II, APSC-DV-000790 CAT II, APSC-DV-000800 CAT II, APSC-DV-000810 CAT II, APSC-DV-000820 CAT II, APSC-DV-000830 CAT II, APSC-DV-000840 CAT II, APSC-DV-000850 CAT II, APSC-DV-000860 CAT II, APSC-DV-000870 CAT II, APSC-DV-000880 CAT II, APSC-DV-000910 CAT II, APSC-DV-000940 CAT II, APSC-DV-000950 CAT II, APSC-DV-000960 CAT II, APSC-DV-000970 CAT II, APSC-DV-001100 CAT II, APSC-DV-001110 CAT II, APSC-DV-001420 CAT II, APSC-DV-001930 CAT II, APSC-DV-003360 CAT III
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000340 CAT II, APSC-DV-000350 CAT II, APSC-DV-000360 CAT II, APSC-DV-000370 CAT II, APSC-DV-000420 CAT II, APSC-DV-000520 CAT II, APSC-DV-000620 CAT II, APSC-DV-000630 CAT II, APSC-DV-000640 CAT II, APSC-DV-000660 CAT II, APSC-DV-000680 CAT II, APSC-DV-000690 CAT II, APSC-DV-000700 CAT II, APSC-DV-000710 CAT II, APSC-DV-000720 CAT II, APSC-DV-000730 CAT II, APSC-DV-000740 CAT II, APSC-DV-000750 CAT II, APSC-DV-000760 CAT II, APSC-DV-000770 CAT II, APSC-DV-000780 CAT II, APSC-DV-000790 CAT II, APSC-DV-000800 CAT II, APSC-DV-000810 CAT II, APSC-DV-000820 CAT II, APSC-DV-000830 CAT II, APSC-DV-000840 CAT II, APSC-DV-000850 CAT II, APSC-DV-000860 CAT II, APSC-DV-000870 CAT II, APSC-DV-000880 CAT II, APSC-DV-000910 CAT II, APSC-DV-000940 CAT II, APSC-DV-000950 CAT II, APSC-DV-000960 CAT II, APSC-DV-000970 CAT II, APSC-DV-001100 CAT II, APSC-DV-001110 CAT II, APSC-DV-001420 CAT II, APSC-DV-001930 CAT II, APSC-DV-003360 CAT III
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000340 CAT II, APSC-DV-000350 CAT II, APSC-DV-000360 CAT II, APSC-DV-000370 CAT II, APSC-DV-000420 CAT II, APSC-DV-000520 CAT II, APSC-DV-000620 CAT II, APSC-DV-000630 CAT II, APSC-DV-000640 CAT II, APSC-DV-000660 CAT II, APSC-DV-000680 CAT II, APSC-DV-000690 CAT II, APSC-DV-000700 CAT II, APSC-DV-000710 CAT II, APSC-DV-000720 CAT II, APSC-DV-000730 CAT II, APSC-DV-000740 CAT II, APSC-DV-000750 CAT II, APSC-DV-000760 CAT II, APSC-DV-000770 CAT II, APSC-DV-000780 CAT II, APSC-DV-000790 CAT II, APSC-DV-000800 CAT II, APSC-DV-000810 CAT II, APSC-DV-000820 CAT II, APSC-DV-000830 CAT II, APSC-DV-000840 CAT II, APSC-DV-000850 CAT II, APSC-DV-000860 CAT II, APSC-DV-000870 CAT II, APSC-DV-000880 CAT II, APSC-DV-000910 CAT II, APSC-DV-000940 CAT II, APSC-DV-000950 CAT II, APSC-DV-000960 CAT II, APSC-DV-000970 CAT II, APSC-DV-001100 CAT II, APSC-DV-001110 CAT II, APSC-DV-001420 CAT II, APSC-DV-001930 CAT II, APSC-DV-003360 CAT III
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000340 CAT II, APSC-DV-000350 CAT II, APSC-DV-000360 CAT II, APSC-DV-000370 CAT II, APSC-DV-000420 CAT II, APSC-DV-000520 CAT II, APSC-DV-000620 CAT II, APSC-DV-000630 CAT II, APSC-DV-000640 CAT II, APSC-DV-000660 CAT II, APSC-DV-000680 CAT II, APSC-DV-000690 CAT II, APSC-DV-000700 CAT II, APSC-DV-000710 CAT II, APSC-DV-000720 CAT II, APSC-DV-000730 CAT II, APSC-DV-000740 CAT II, APSC-DV-000750 CAT II, APSC-DV-000760 CAT II, APSC-DV-000770 CAT II, APSC-DV-000780 CAT II, APSC-DV-000790 CAT II, APSC-DV-000800 CAT II, APSC-DV-000810 CAT II, APSC-DV-000820 CAT II, APSC-DV-000830 CAT II, APSC-DV-000840 CAT II, APSC-DV-000850 CAT II, APSC-DV-000860 CAT II, APSC-DV-000870 CAT II, APSC-DV-000880 CAT II, APSC-DV-000910 CAT II, APSC-DV-000940 CAT II, APSC-DV-000950 CAT II, APSC-DV-000960 CAT II, APSC-DV-000970 CAT II, APSC-DV-001100 CAT II, APSC-DV-001110 CAT II, APSC-DV-001420 CAT II, APSC-DV-001930 CAT II, APSC-DV-003360 CAT III
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000340 CAT II, APSC-DV-000350 CAT II, APSC-DV-000360 CAT II, APSC-DV-000370 CAT II, APSC-DV-000420 CAT II, APSC-DV-000520 CAT II, APSC-DV-000620 CAT II, APSC-DV-000630 CAT II, APSC-DV-000640 CAT II, APSC-DV-000660 CAT II, APSC-DV-000680 CAT II, APSC-DV-000690 CAT II, APSC-DV-000700 CAT II, APSC-DV-000720 CAT II, APSC-DV-000730 CAT II, APSC-DV-000740 CAT II, APSC-DV-000750 CAT II, APSC-DV-000760 CAT II, APSC-DV-000770 CAT II, APSC-DV-000780 CAT II, APSC-DV-000790 CAT II, APSC-DV-000800 CAT II, APSC-DV-000810 CAT II, APSC-DV-000820 CAT II, APSC-DV-000830 CAT II, APSC-DV-000840 CAT II, APSC-DV-000850 CAT II, APSC-DV-000860 CAT II, APSC-DV-000870 CAT II, APSC-DV-000880 CAT II, APSC-DV-000910 CAT II, APSC-DV-000940 CAT II, APSC-DV-000950 CAT II, APSC-DV-000960 CAT II, APSC-DV-000970 CAT II, APSC-DV-001100 CAT II, APSC-DV-001110 CAT II, APSC-DV-001420 CAT II, APSC-DV-001930 CAT II, APSC-DV-003360 CAT III
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000340 CAT II, APSC-DV-000350 CAT II, APSC-DV-000360 CAT II, APSC-DV-000370 CAT II, APSC-DV-000420 CAT II, APSC-DV-000520 CAT II, APSC-DV-000620 CAT II, APSC-DV-000630 CAT II, APSC-DV-000640 CAT II, APSC-DV-000660 CAT II, APSC-DV-000680 CAT II, APSC-DV-000690 CAT II, APSC-DV-000700 CAT II, APSC-DV-000720 CAT II, APSC-DV-000730 CAT II, APSC-DV-000740 CAT II, APSC-DV-000750 CAT II, APSC-DV-000760 CAT II, APSC-DV-000770 CAT II, APSC-DV-000780 CAT II, APSC-DV-000790 CAT II, APSC-DV-000800 CAT II, APSC-DV-000810 CAT II, APSC-DV-000820 CAT II, APSC-DV-000830 CAT II, APSC-DV-000840 CAT II, APSC-DV-000850 CAT II, APSC-DV-000860 CAT II, APSC-DV-000870 CAT II, APSC-DV-000880 CAT II, APSC-DV-000910 CAT II, APSC-DV-000940 CAT II, APSC-DV-000950 CAT II, APSC-DV-000960 CAT II, APSC-DV-000970 CAT II, APSC-DV-001100 CAT II, APSC-DV-001110 CAT II, APSC-DV-001420 CAT II, APSC-DV-001930 CAT II, APSC-DV-003360 CAT III
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000340 CAT II, APSC-DV-000350 CAT II, APSC-DV-000360 CAT II, APSC-DV-000370 CAT II, APSC-DV-000420 CAT II, APSC-DV-000520 CAT II, APSC-DV-000620 CAT II, APSC-DV-000630 CAT II, APSC-DV-000640 CAT II, APSC-DV-000660 CAT II, APSC-DV-000680 CAT II, APSC-DV-000690 CAT II, APSC-DV-000700 CAT II, APSC-DV-000720 CAT II, APSC-DV-000730 CAT II, APSC-DV-000740 CAT II, APSC-DV-000750 CAT II, APSC-DV-000760 CAT II, APSC-DV-000770 CAT II, APSC-DV-000780 CAT II, APSC-DV-000790 CAT II, APSC-DV-000800 CAT II, APSC-DV-000810 CAT II, APSC-DV-000820 CAT II, APSC-DV-000830 CAT II, APSC-DV-000840 CAT II, APSC-DV-000850 CAT II, APSC-DV-000860 CAT II, APSC-DV-000870 CAT II, APSC-DV-000880 CAT II, APSC-DV-000910 CAT II, APSC-DV-000940 CAT II, APSC-DV-000950 CAT II, APSC-DV-000960 CAT II, APSC-DV-000970 CAT II, APSC-DV-001100 CAT II, APSC-DV-001110 CAT II, APSC-DV-001420 CAT II, APSC-DV-001930 CAT II, APSC-DV-003360 CAT III
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000340 CAT II, APSC-DV-000350 CAT II, APSC-DV-000360 CAT II, APSC-DV-000370 CAT II, APSC-DV-000420 CAT II, APSC-DV-000520 CAT II, APSC-DV-000620 CAT II, APSC-DV-000630 CAT II, APSC-DV-000640 CAT II, APSC-DV-000660 CAT II, APSC-DV-000680 CAT II, APSC-DV-000690 CAT II, APSC-DV-000700 CAT II, APSC-DV-000710 CAT II, APSC-DV-000720 CAT II, APSC-DV-000730 CAT II, APSC-DV-000740 CAT II, APSC-DV-000750 CAT II, APSC-DV-000760 CAT II, APSC-DV-000770 CAT II, APSC-DV-000780 CAT II, APSC-DV-000790 CAT II, APSC-DV-000800 CAT II, APSC-DV-000810 CAT II, APSC-DV-000820 CAT II, APSC-DV-000830 CAT II, APSC-DV-000840 CAT II, APSC-DV-000850 CAT II, APSC-DV-000860 CAT II, APSC-DV-000870 CAT II, APSC-DV-000880 CAT II, APSC-DV-000910 CAT II, APSC-DV-000940 CAT II, APSC-DV-000950 CAT II, APSC-DV-000960 CAT II, APSC-DV-000970 CAT II, APSC-DV-001100 CAT II, APSC-DV-001110 CAT II, APSC-DV-001420 CAT II, APSC-DV-001930 CAT II, APSC-DV-003360 CAT III
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000340 CAT II, APSC-DV-000350 CAT II, APSC-DV-000360 CAT II, APSC-DV-000370 CAT II, APSC-DV-000420 CAT II, APSC-DV-000520 CAT II, APSC-DV-000620 CAT II, APSC-DV-000630 CAT II, APSC-DV-000640 CAT II, APSC-DV-000660 CAT II, APSC-DV-000680 CAT II, APSC-DV-000690 CAT II, APSC-DV-000700 CAT II, APSC-DV-000720 CAT II, APSC-DV-000730 CAT II, APSC-DV-000740 CAT II, APSC-DV-000750 CAT II, APSC-DV-000760 CAT II, APSC-DV-000770 CAT II, APSC-DV-000780 CAT II, APSC-DV-000790 CAT II, APSC-DV-000800 CAT II, APSC-DV-000810 CAT II, APSC-DV-000820 CAT II, APSC-DV-000830 CAT II, APSC-DV-000840 CAT II, APSC-DV-000850 CAT II, APSC-DV-000860 CAT II, APSC-DV-000870 CAT II, APSC-DV-000880 CAT II, APSC-DV-000910 CAT II, APSC-DV-000940 CAT II, APSC-DV-000950 CAT II, APSC-DV-000960 CAT II, APSC-DV-000970 CAT II, APSC-DV-001100 CAT II, APSC-DV-001110 CAT II, APSC-DV-001420 CAT II, APSC-DV-001930 CAT II, APSC-DV-003360 CAT III
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000340 CAT II, APSC-DV-000350 CAT II, APSC-DV-000360 CAT II, APSC-DV-000370 CAT II, APSC-DV-000420 CAT II, APSC-DV-000520 CAT II, APSC-DV-000620 CAT II, APSC-DV-000630 CAT II, APSC-DV-000640 CAT II, APSC-DV-000660 CAT II, APSC-DV-000680 CAT II, APSC-DV-000690 CAT II, APSC-DV-000700 CAT II, APSC-DV-000720 CAT II, APSC-DV-000730 CAT II, APSC-DV-000740 CAT II, APSC-DV-000750 CAT II, APSC-DV-000760 CAT II, APSC-DV-000770 CAT II, APSC-DV-000780 CAT II, APSC-DV-000790 CAT II, APSC-DV-000800 CAT II, APSC-DV-000810 CAT II, APSC-DV-000820 CAT II, APSC-DV-000830 CAT II, APSC-DV-000840 CAT II, APSC-DV-000850 CAT II, APSC-DV-000860 CAT II, APSC-DV-000870 CAT II, APSC-DV-000880 CAT II, APSC-DV-000910 CAT II, APSC-DV-000940 CAT II, APSC-DV-000950 CAT II, APSC-DV-000960 CAT II, APSC-DV-000970 CAT II, APSC-DV-001100 CAT II, APSC-DV-001110 CAT II, APSC-DV-001420 CAT II, APSC-DV-001930 CAT II, APSC-DV-003360 CAT III
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000340 CAT II, APSC-DV-000350 CAT II, APSC-DV-000360 CAT II, APSC-DV-000370 CAT II, APSC-DV-000420 CAT II, APSC-DV-000520 CAT II, APSC-DV-000620 CAT II, APSC-DV-000630 CAT II, APSC-DV-000640 CAT II, APSC-DV-000660 CAT II, APSC-DV-000680 CAT II, APSC-DV-000690 CAT II, APSC-DV-000700 CAT II, APSC-DV-000720 CAT II, APSC-DV-000730 CAT II, APSC-DV-000740 CAT II, APSC-DV-000750 CAT II, APSC-DV-000760 CAT II, APSC-DV-000770 CAT II, APSC-DV-000780 CAT II, APSC-DV-000790 CAT II, APSC-DV-000800 CAT II, APSC-DV-000810 CAT II, APSC-DV-000820 CAT II, APSC-DV-000830 CAT II, APSC-DV-000840 CAT II, APSC-DV-000850 CAT II, APSC-DV-000860 CAT II, APSC-DV-000870 CAT II, APSC-DV-000880 CAT II, APSC-DV-000910 CAT II, APSC-DV-000940 CAT II, APSC-DV-000950 CAT II, APSC-DV-000960 CAT II, APSC-DV-000970 CAT II, APSC-DV-001100 CAT II, APSC-DV-001110 CAT II, APSC-DV-001120 CAT II, APSC-DV-001420 CAT II, APSC-DV-001930 CAT II, APSC-DV-003360 CAT III
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000340 CAT II, APSC-DV-000350 CAT II, APSC-DV-000360 CAT II, APSC-DV-000370 CAT II, APSC-DV-000420 CAT II, APSC-DV-000520 CAT II, APSC-DV-000620 CAT II, APSC-DV-000630 CAT II, APSC-DV-000640 CAT II, APSC-DV-000660 CAT II, APSC-DV-000680 CAT II, APSC-DV-000690 CAT II, APSC-DV-000700 CAT II, APSC-DV-000720 CAT II, APSC-DV-000730 CAT II, APSC-DV-000740 CAT II, APSC-DV-000750 CAT II, APSC-DV-000760 CAT II, APSC-DV-000770 CAT II, APSC-DV-000780 CAT II, APSC-DV-000790 CAT II, APSC-DV-000800 CAT II, APSC-DV-000810 CAT II, APSC-DV-000820 CAT II, APSC-DV-000830 CAT II, APSC-DV-000840 CAT II, APSC-DV-000850 CAT II, APSC-DV-000860 CAT II, APSC-DV-000870 CAT II, APSC-DV-000880 CAT II, APSC-DV-000910 CAT II, APSC-DV-000940 CAT II, APSC-DV-000950 CAT II, APSC-DV-000960 CAT II, APSC-DV-000970 CAT II, APSC-DV-001100 CAT II, APSC-DV-001110 CAT II, APSC-DV-001120 CAT II, APSC-DV-001420 CAT II, APSC-DV-001930 CAT II, APSC-DV-003360 CAT III
[49] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000340 CAT II, APSC-DV-000350 CAT II, APSC-DV-000360 CAT II, APSC-DV-000370 CAT II, APSC-DV-000420 CAT II, APSC-DV-000520 CAT II, APSC-DV-000620 CAT II, APSC-DV-000630 CAT II, APSC-DV-000640 CAT II, APSC-DV-000660 CAT II, APSC-DV-000680 CAT II, APSC-DV-000690 CAT II, APSC-DV-000700 CAT II, APSC-DV-000720 CAT II, APSC-DV-000730 CAT II, APSC-DV-000740 CAT II, APSC-DV-000750 CAT II, APSC-DV-000760 CAT II, APSC-DV-000770 CAT II, APSC-DV-000780 CAT II, APSC-DV-000790 CAT II, APSC-DV-000800 CAT II, APSC-DV-000810 CAT II, APSC-DV-000820 CAT II, APSC-DV-000830 CAT II, APSC-DV-000840 CAT II, APSC-DV-000850 CAT II, APSC-DV-000860 CAT II, APSC-DV-000870 CAT II, APSC-DV-000880 CAT II, APSC-DV-000910 CAT II, APSC-DV-000940 CAT II, APSC-DV-000950 CAT II, APSC-DV-000960 CAT II, APSC-DV-000970 CAT II, APSC-DV-001100 CAT II, APSC-DV-001110 CAT II, APSC-DV-001120 CAT II, APSC-DV-001420 CAT II, APSC-DV-001930 CAT II, APSC-DV-003360 CAT III
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.config.dotnet.wcf_misconfiguration_insufficient_audit_failure_handling

WCF Misconfiguration: Insufficient Logging

Abstract
セキュリティ インシデントの後で適切な監査証跡が行われないと、フォレンジックの取り組みを妨げる可能性があります。
Explanation
Windows Communication Foundation (WCF) は、認証の試行の成功または失敗をログに記録する機能を提供します。失敗した認証の試行をログに記録することで、ブルートフォース攻撃の可能性を管理者に報告できます。同様に、成功した認証イベントをログに記録することで、正当なアカウントが侵害された場合に役立つ監査証跡を実行できます。
References
[1] Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 778
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-9 Previous Logon (Access) Notification (P0), AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-9 Previous Logon Notification, AU-10 Non-Repudiation, AU-12 Audit Record Generation
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000580 CAT III, APSC-DV-000590 CAT II, APSC-DV-000710 CAT II, APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000580 CAT III, APSC-DV-000590 CAT II, APSC-DV-000710 CAT II, APSC-DV-000830 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000580 CAT III, APSC-DV-000590 CAT II, APSC-DV-000710 CAT II, APSC-DV-000830 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.dotnet.wcf_misconfiguration_insufficient_logging

WCF Misconfiguration: Metadata

Abstract
攻撃者はメタデータを利用してシステムの内容を知り、攻撃方法を考える際の参考にします。
Explanation
WCF サービスの設定によっては、メタデータが公開される場合があります。メタデータは、詳細なサービスに関する説明情報が含まれており、実運用環境では公開してはいけません。ServiceMetaData クラスの HttpGetEnabled / HttpsGetEnabled プロパティは、サービスがメタデータを公開するかどうかを定義します。
例 1: 次のコードは、サービスのメタデータを公開するように WCF に命令しています。


    ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
    smb.HttpGetEnabled = true;
    smb.HttpGetUrl = new Uri(EndPointAddress);
    Host.Description.Behaviors.Add(smb);
References
[1] Metadata Publishing Behavior Microsoft Developer Network (MSDN)
[2] Standards Mapping - Common Weakness Enumeration CWE ID 215
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-002165
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users)
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13), Fingerprinting (WASC-45)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.semantic.dotnet.wcf_misconfiguration_metadata

WCF Misconfiguration: MSMQ Anonymous Transport Client

Abstract
このプログラムは MSMQ キューに接続するときに認証を有効にできないため、攻撃者が匿名でメッセージをキューに送信する可能性があります。
Explanation
別のプログラムにメッセージを配信するために使用される MSMQ キューへの接続に認証が使用されない場合、攻撃者が悪意のある匿名メッセージを送信する可能性があります。

例 1: 次の WCF 設定ファイルの <netMsmqBinding/> 要素は、メッセージを配信する MSMQ キューに接続するときに認証を無効にするよう WCF クライアントに命令しています。


    <bindings>
      <netMsmqBinding>
        <binding>
          <security>
            <transport msmqAuthenticationMode="None" />
          </security>
        </binding>
      </netMsmqBinding>
    </bindings>
References
[1] Microsoft Developer Network (MSDN)
[2] Standards Mapping - Common Weakness Enumeration CWE ID 285
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-002165
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users)
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[11] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[15] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[16] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 7.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 7.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10, Requirement 7.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10, Requirement 7.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.1
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.dotnet.wcf_misconfiguration_msmq_anonymous_transport_client

WCF Misconfiguration: Security Not Enabled

Abstract
プログラムは、転送またはメッセージのセキュリティを定義していません。
Explanation
転送またはメッセージのセキュリティが設定されていないままメッセージを送信するプログラムでは、送信されるメッセージの完全性も機密性も保証されません。WCF セキュリティバインドが None に設定されている場合、転送セキュリティとメッセージセキュリティの両方が無効になります。

例 1: 次のコードは、偽の Widget サービスについて、WCF Basic HTTP Binding のセキュリティモードを None に設定しています。


BasicHttpBinding binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.None;

ServiceHost serviceHost = new ServiceHost(typeof(Widget), baseAddress);
serviceHost.AddServiceEndpoint(typeof(Widget), binding, new URI("ExposureAddress"));
References
[1] Microsoft How to: Set the Security Mode Microsoft Developer Network (MSDN)
[2] Standards Mapping - Common Weakness Enumeration CWE ID 319
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 CM, SC
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[12] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[29] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.semantic.dotnet.wcf_misconfiguration_security_not_enabled

WCF Misconfiguration: Service Enumeration

Abstract
サービスに関する情報を一般に公開すると、サービスの悪用に役立つ情報を攻撃者に提供することになります。
Explanation
<serviceMetadata> タグはメタデータ発行機能を有効にします。サービスのメタデータには、一般アクセスを禁止する必要のある機密情報が含まれている可能性があります。
References
[1] Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 651
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-002165
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users)
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Fingerprinting (WASC-45)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.config.dotnet.wcf_misconfiguration_service_enumeration

WCF Misconfiguration: Throttling Not Enabled

Abstract
システム リソースの使用に制限を設けないと、リソースが枯渇し、最終的に Denial of Service につながる可能性があります。
Explanation
Windows Communication Foundation (WCF) は、サービス リクエストをスロットリングする機能を提供します。許可するクライアント リクエストが多すぎると、システムが許容レベルを超え、リソースの枯渇につながる可能性があります。一方、サービスに対して許容するリクエスト数を少なくしすぎると、正当なユーザーがサービスを使用できなくなる可能性があります。各サービスは、適切な量のリソースを許可するように個別に調整および設定する必要があります。

References
[1] Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 400, CWE ID 770
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [20] CWE ID 400
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [23] CWE ID 400
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [23] CWE ID 400
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.1.4 General Data Protection (L2 L3), 11.1.3 Business Logic Security Requirements (L1 L2 L3), 11.1.4 Business Logic Security Requirements (L1 L2 L3), 12.1.1 File Upload Requirements (L1 L2 L3), 12.1.3 File Upload Requirements (L2 L3), 13.2.4 RESTful Web Service Verification Requirements (L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[14] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[19] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 770
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II, APP3760 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II, APP3760 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II, APP3760 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II, APP3760 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II, APP3760 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II, APP3760 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Brute Force (WASC-11), Insufficient Anti-automation (WASC-21)
[44] Standards Mapping - Web Application Security Consortium 24 + 2 Brute Force, Insufficient Anti-automation
desc.config.dotnet.wcf_misconfiguration_throttling_not_enabled

WCF Misconfiguration: Transport Security Enabled

Abstract
アプリケーションは、トランスポートモードの転送セキュリティに依存する WCF エンドポイントを使用しています。トランスポートモードは、最もセキュリティが低いオプションであり、その使用は避ける必要があります。
Explanation
トランスポートセキュリティにより、機密性、完全性、および認証がトランスポートレイヤ機構 (HTTPS など) により提供されるようになります。HTTPS のようなトランスポートを使用している場合、このモードにはパフォーマンス効率上の利点があります。また、インターネットで広く利用されており、よく理解されています。このタイプのセキュリティは、コミュニケーション パスにおける各ホップで別々に適用されるため、コミュニケーションが「中間者(man in the middle)」攻撃を受ける可能性があります。WCFには、他にも 2 つの転送セキュリティモード、メッセージとメッセージ証明書付きトランスポートとがあり、どちらも推奨されます。メッセージセキュリティでは、WS-Security 仕様によって、機密性、完全性、および認証をメッセージレベルで確保します。ここではトランスポートメソッドでエンドツーエンドのセキュリティと柔軟性を実現しますが、パフォーマンスは劣ります。

最後の方法であるメッセージ資格情報を使用したトランスポートは、トランスポートとメソッドの混合です。メッセージ セキュリティはクライアントの認証に使用され、トランスポート セキュリティはサーバーの認証に使用され、機密性と整合性を提供します。これは純粋なトランスポート セキュリティとほぼ同じくらい効率的です。
References
[1] J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher Improving Patterns and Practices: Improving Web Services Security Guide Microsoft
[2] Microsoft Delivery Network (MSDN) Microsoft
[3] Standards Mapping - Common Weakness Enumeration CWE ID 285
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[5] Standards Mapping - FIPS200 IA
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[12] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[15] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[16] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[17] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 7.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 7.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10, Requirement 7.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 4.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 4.2.1
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[31] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.2 CAT II, APP3260.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.2 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.2 CAT II, APP3260 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.2 CAT II, APP3260 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.2 CAT II, APP3260 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.2 CAT II, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.2 CAT II, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.semantic.dotnet.wcf_misconfiguration_transport_security_enabled

WCF Misconfiguration: Unauthorized Access

Abstract
このサービスは、認証制御を使用していません。
Explanation
クライアントが特定の WCF サービスをコールしている場合、WCF は、コーラーがサーバーでサービスメソッドを実行する許可があることを検証するさまざまな認証スキームを提供します。認証制御が、WCF サービスで有効になっていない場合、認証されたユーザーが権限を昇格する可能性があります。

例 1: 次のコードは、サービスを実行するときにクライアントの認証レベルをチェックしないように WCF に命令しています。


    ServiceHost myServiceHost = new ServiceHost(typeof(Calculator), baseUri);
    ServiceAuthorizationBehavior myServiceBehavior =
    myServiceHost.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
    myServiceBehavior.PrincipalPermissionMode =
        PrincipalPermissionMode.None;

References
[1] Microsoft Authorizing Access to Operations Microsoft Developer Network (MSDN)
[2] Standards Mapping - Common Weakness Enumeration CWE ID 862
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001495, CCI-002165
[4] Standards Mapping - FIPS200 CM, SC
[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AU-9 Protection of Audit Information (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AU-9 Protection of Audit Information
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[12] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[29] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001280 CAT II, APSC-DV-001290 CAT II, APSC-DV-001300 CAT II, APSC-DV-001310 CAT II, APSC-DV-001320 CAT II, APSC-DV-001330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001280 CAT II, APSC-DV-001290 CAT II, APSC-DV-001300 CAT II, APSC-DV-001310 CAT II, APSC-DV-001320 CAT II, APSC-DV-001330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001280 CAT II, APSC-DV-001290 CAT II, APSC-DV-001300 CAT II, APSC-DV-001310 CAT II, APSC-DV-001320 CAT II, APSC-DV-001330 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.semantic.dotnet.wcf_misconfiguration_unauthorized_access