界: Security Features

ソフトウェアのセキュリティは、セキュリティソフトウェアではありません。ここでは、認証、アクセス制御、機密性、暗号化、権限管理などのトピックについて説明します。

315 見つかった項目

脆弱性

Unauthenticated Service: Redis

Java/JSP

Abstract

アプリケーションは、認証情報を設定せずに Redis クライアントを初期化します。

Explanation

未認証の Redis サーバーは、攻撃者がサーバーのセキュリティを侵害して内部ネットワークに侵入するための標的になることがあります。

Redis サーバーに対して各種攻撃を使用し、基盤となるオペレーティングシステム上で任意のコードを実行することができます。たとえば、攻撃者は Redis コマンドを使用して Web シェルを Web ルートに書き込むことができます。また、オブジェクトを格納するためにコマンドを使用する場合、攻撃者はデシリアライズするエンドポイント上でリモートコードを実行するために、Java、Python、Ruby、PHP などの各言語のデシリアライズペイロードを格納することができます。

Redis サーバーが外部に公開されていない場合でも、外部の攻撃者は同じネットワーク上の任意のアプリケーションで Server-Side Request Forgery の脆弱性を利用してサーバーにアクセスできることに注意してください。たとえば Redis サーバーは、HTTP または Gopher プロトコルを使用して攻撃される可能性があります。

外部の攻撃から Redis ポートを保護しないと、Redis の性質上、セキュリティ上の大きな影響が発生する可能性があります。たとえば、単一の FLUSHALL コマンドを使用して、外部の攻撃者はデータセット全体を削除することができます。最近、インターネット上で実行しているオープンな Redis の安全ではないインスタンスに対する悪意のある攻撃が報告されています。攻撃者はデータベースを消去し、復元のために身代金を支払うよう要求しました。

References

[1] Nicolas Grégoire Trying to hack Redis via HTTP requests

[2] Max Chadwick curl Based SSRF Exploits Against Redis

[3] Redis Redis Security

[4] Standards Mapping - Common Weakness Enumeration CWE ID 259

[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798

[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798

[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798

[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798

[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798

[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798

[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-003109

[12] Standards Mapping - FIPS200 IA

[13] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), IA-11 Re-Authentication (P0), SA-4 Acquisition Process (P1), SC-28 Protection of Information at Rest (P1)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SA-4 Acquisition Process, SC-11 Trusted Path, SC-28 Protection of Information at Rest

[16] Standards Mapping - OWASP API 2023 API2 Broken Authentication

[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)

[18] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage

[19] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[21] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage

[22] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage

[23] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[24] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[25] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 1.2.6, Requirement 6.2.4, Requirement 6.5.3, Requirement 8.3.1

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 1.2.6, Requirement 6.2.4, Requirement 6.5.3, Requirement 8.3.1

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults, Control Objective 5.1 - Authentication and Access Control

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults, Control Objective 5.1 - Authentication and Access Control

[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults, Control Objective 5.1 - Authentication and Access Control

[38] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259

[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I

[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I

[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I

[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I

[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I

[61] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)

[62] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.controlflow.java.unauthenticated_service_redis

WCF Misconfiguration: Insecure Transport

C#/VB.NET/ASP.NET

Abstract

アプリケーション設定では、機密情報へのすべてのアクセスに HTTPS が使用されるようにする必要があります。

Explanation

アプリケーションが機密情報を処理し、メッセージレベルの暗号化を使用しない場合は、暗号化されたトランスポートチャネルを介した通信のみを許可する必要があります。

References

[1] Microsoft

[2] Microsoft

[3] Standards Mapping - Common Weakness Enumeration CWE ID 311

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[5] Standards Mapping - FIPS200 CM, SC

[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity

[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[11] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[13] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[14] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications

[30] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319

[31] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311

[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.config.dotnet.wcf_service_provider_misconfiguration_insecure_transport

WCF Misconfiguration: Weak Class Reference

C#/VB.NET/ASP.NET

Abstract

このプログラムは、弱いクラス参照を使用するため、攻撃者が不正なコードを実行する可能性があります。

Explanation

このプログラムは、一意に識別されないユーザー定義クラスを参照します。.NET がこの識別が明確でないクラスをロードすると、CLR タイプローダーは、指定された順序で次の場所でクラスを検索します。

- タイプのアセンブリがわかっている場合、ローダーは、設定ファイルのリダイレクト位置、GAC、設定情報を使用する現在のアセンブリ、およびアプリケーションベースディレクトリを検索します。

- アセンブリが不明な場合、ローダーは、現在のアセンブリ、mscorlib、および TypeResolve イベントハンドラーによって返された場所を検索します。

この CLR 検索順序は、タイプ転送メカニズムや AppDomain.TypeResolve イベントなどのフックを使用して変更できます。

攻撃者が同じ名前の代替クラスを作成し、CLR が最初にロードする代替の場所に配置することで、CLR 検索順序を悪用した場合、CLR は攻撃者が提供したコードを意図せずに実行します。

例 1: 次の WCF 設定ファイルの <behaviorExtensions/> 要素は、独自の動作クラスを特定の WCF 拡張に追加するよう WCF に命令しています。


<system.serviceModel>
    <extensions>
        <behaviorExtensions>
            <add name="myBehavior" type="MyBehavior" />
       </behaviorExtensions>
    </extensions>
</system.serviceModel>

References

[1] Microsoft Developer Network (MSDN)

[2] Standards Mapping - Common Weakness Enumeration CWE ID 95

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094

[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094

[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094

[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[9] Standards Mapping - FIPS200 SI

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.4 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)

[15] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws

[17] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[18] Standards Mapping - OWASP Top 10 2010 A1 Injection

[19] Standards Mapping - OWASP Top 10 2013 A1 Injection

[20] Standards Mapping - OWASP Top 10 2017 A1 Injection

[21] Standards Mapping - OWASP Top 10 2021 A03 Injection

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116

[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I

desc.config.dotnet.wcf_misconfiguration_weak_class_reference

Weak Cryptographic Hash

Abstract

暗号化ハッシュが貧弱であるとデータの完全性は保証されません。また、そのような暗号化ハッシュはセキュリティが重要な場面で使用すべきではありません。

Explanation

MD2、MD4、MD5、RIPEMD-160 および SHA-1 は一般的な暗号化ハッシュアルゴリズムで、メッセージを始めとするデータの完全性を検証するのにしばしば使用されます。ただし、最近の暗号解読の研究によりこれらのアルゴリズムでの基本的な脆弱性が判明していることから、これらをセキュリティが重要な場面で使用しないでください。

MD および RIPEMD ハッシュの解読に有効な技術が一般的に入手可能なことから、セキュリティのためにこれらのアルゴリズムに頼るべきではありません。一方、現在の SHA-1 の技術を突破するには依然としてかなりのコンピュータ処理能力を要し、実装も容易ではありません。しかし、攻撃者は SHA-1 アルゴリズムの弱点をすでに発見しており、解読する技術をもとにして迅速に実行可能な攻撃が今後編み出される可能性があります。

References

[1] Xiaoyun Wang MD5 and MD4 Collision Generators

[2] Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu Finding Collisions in the Full SHA-1

[3] Xiaoyun Wang and Hongbo Yu How to Break MD5 and Other Hash Functions

[4] SDL Development Practices Microsoft

[5] Standards Mapping - Common Weakness Enumeration CWE ID 328

[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450

[7] Standards Mapping - FIPS200 MP

[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-13 Cryptographic Protection (P1)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-13 Cryptographic Protection

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.4.1 Credential Storage Requirements (L2 L3), 2.4.2 Credential Storage Requirements (L2 L3), 2.4.5 Credential Storage Requirements (L2 L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 6.2.7 Algorithms (L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)

[12] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography

[13] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography

[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1

[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage

[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage

[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3, Requirement 4.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3, Requirement 4.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3, Requirement 4.1

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 4.2.1

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 4.2.1

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002020 CAT II, APSC-DV-002030 CAT II

desc.semantic.abap.weak_cryptographic_hash

Abstract

弱い暗号学的ハッシュではデータの整合性を保証できないため、セキュリティが重要なコンテキストでは使用しないでください。

Explanation

MD2、MD4、MD5、RIPEMD-160 および SHA-1 は一般的な暗号化ハッシュアルゴリズムで、メッセージを始めとするデータの完全性を検証するのにしばしば使用されます。暗号解読の研究によりこれらのアルゴリズムでの基本的な脆弱性が判明していることから、これらをセキュリティが重要な場面で使用することは推奨されません。

セキュリティを考慮する場合は MD および RIPEMD ハッシュアルゴリズムに頼らないでください。MD および RIPEMD ハッシュの解読に有効な技術が一般的に入手可能です。一方、現在の SHA-1 の技術を突破するには依然としてかなりのコンピュータ処理能力を要し、実装も容易ではありません。しかし、攻撃者はこのアルゴリズムの弱点をすでに発見しており、解読する技術をもとにして迅速に実行可能な攻撃が今後編み出される可能性があります。