계: Security Features
소프트웨어 보안은 보안 소프트웨어가 아닙니다. 여기서는 인증, 액세스 제어, 기밀성, 암호화, 권한 관리 등의 항목에 대해 설명합니다.
ASP.NET Bad Practices: Use of Impersonation Context
Abstract
가장된 사용자 자격 증명으로 공격자가 보호된 리소스에 무단으로 접근할 수 있습니다.
Explanation
Microsoft ASP.NET 응용 프로그램은 권한 있는 작업을 실행하기 위해서 현재 사용자의 보안 컨텍스트 또는 호출된 프로세스를 가장할 수 있습니다. 반드시 수행해야 하는 authentication의 전체 수를 줄이는 것과 같이 가장 컨텍스트를 유용한 목적으로 다양하게 사용할 수 있지만 높은 권한을 유지하는 프로그램은 방대한 보안 시스템에 대한 위험성을 불필요하게 부과하게 됩니다. 다른 보안 컨텍스트에서 프로그램을 실행하는 동안 프로그램에서 공격자가 다른 취약점을 익스플로이트하는 경우 공격자가 수행하는 모든 권한 없는 작업이 해당 권한으로 실행됩니다.
예제 1: 다음 코드 예제는
예제 1: 다음 코드 예제는
WindowsIdentity.Impersonate() 메서드를 사용하는 가장 자격 증명에 대한 전형적인 사용 패턴을 보여줍니다.
using System.Security.Principal;
...
//Get the identity of the current user
IIdentity contextId = HttpContext.Current.User.Identity;
WindowsIdentity userId = (WindowsIdentity)contextId;
//Temporarily impersonate
WindowsImpersonationContext imp = userId.Impersonate();
//Perform tasks using the caller's security context
DoSecuritySensitiveTasks();
//Clean up and restore our old security context
impersonate.Undo();
Example 1의 코드는 현재 사용자의 보안 컨텍스트를 가장하여 권한이 있는 작업을 수행합니다. DoSecuritySensitiveTasks()를 호출한 후 코드가 원래의 보안 컨텍스트를 복원하려 하지만 DoSecuritySensitiveTasks()가 예외를 일으키는 경우, Undo() 메서드는 호출되지 않으며 프로그램은 가장된 보안 컨텍스트를 계속 사용합니다.References
[1] Kirk Evans Security Practices: ASP.NET 2.0 Security Practices at a Glance Microsoft Corporation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 520
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002038, CCI-002039, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), CM-5 Access Restrictions for Change (P1), IA-11 Re-Authentication (P0)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, CM-5 Access Restrictions for Change, SC-11 Trusted Path
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.1.3 Build (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.controlflow.dotnet.asp_dotnet_bad_practices_use_of_impersonation_context