계: Security Features
소프트웨어 보안은 보안 소프트웨어가 아닙니다. 여기서는 인증, 액세스 제어, 기밀성, 암호화, 권한 관리 등의 항목에 대해 설명합니다.
Access Control: Azure
Abstract
적절한 access control 없이 사용자가 제어하는 값을 사용하여 Azure 큐/Blob에 접근하는 경우 공격자가 권한 없는 큐/blob 및 해당 메시지/콘텐트를 확인/수정/삭제할 수 있습니다.
Explanation
Azure 클라우드 access control 오류는 다음 경우에 발생합니다.
1. 신뢰할 수 없는 소스에서 데이터가 프로그램에 입력됩니다.
2. 권한 없는 큐/blob 및 해당 메시지/콘텐트를 확인/수정/삭제하는 데 데이터가 사용되는 경우
예제 1: 다음 코드에서는 지정된 큐와 해당 메시지를 삭제합니다.
1. 신뢰할 수 없는 소스에서 데이터가 프로그램에 입력됩니다.
2. 권한 없는 큐/blob 및 해당 메시지/콘텐트를 확인/수정/삭제하는 데 데이터가 사용되는 경우
예제 1: 다음 코드에서는 지정된 큐와 해당 메시지를 삭제합니다.
예제 2: 다음 코드에서는 지정된 blob 컨테이너와 해당 콘텐트를 삭제합니다.
...
var queueName = queryStringData['name'];
var queueSvc;
queueSvc = azureStorage.createQueueService();
...
queueSvc.deleteQueue(queueName, option, function(error, response){
if(!error){
// all the messages has been deleted
}
});
...
...
var containerName = queryStringData['name'];
var blobSvc;
blobSvc = azureStorage.createBlobService();
...
blobSvc.deleteContainer(containerName, function (error, response) {
if (!error) {
// all the content in the given container has been deleted
}
});
...
Example 1
과 Example 2
의 코드는 현재 사용자/프로그램에 속하는 지정된 큐/blob 컨테이너 및 해당 메시지/콘텐트를 삭제하지만 공격자는 해당 Azure 계정의 모든 큐/blob를 삭제할 수 있습니다. 이 예제의 코드는 사용자/프로그램에게 요청한 큐/blob를 지울 권한이 있는지를 확인하지 않으므로 현재 사용자/프로그램에 속하지 않는 큐/blob도 지웁니다.References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 639
[2] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[4] Standards Mapping - FIPS200 AC
[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-2 Identification and Authentication (Organizational Users) (P1), IA-11 Re-Authentication (P0), SC-3 Security Function Isolation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-2 Identification and Authentication (Organizational Users), SC-3 Security Function Isolation, SC-11 Trusted Path
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[10] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[11] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.javascript.access_control_azure