계: Encapsulation

캡슐화는 강력한 경계를 그리는 것입니다. 웹 브라우저에서는 사용자의 모바일 코드가 다른 모바일 코드에 의해 오용되지 않도록 하는 것을 의미합니다. 서버에서는 검증된 데이터와 검증되지 않은 데이터, 한 사용자의 데이터와 다른 사용자의 데이터, 데이터 사용자가 볼 수 있는 데이터와 볼 수 없는 데이터 간의 차별화를 의미할 수 있습니다.

GraphQL Bad Practices: Schema Printer Enabled

Abstract
GraphQL 끝점은 스키마 프린터를 활성화하도록 구성되어 있습니다.
Explanation
Spring GraphQL 응용 프로그램에는 스키마 프린터를 활성화하는 옵션이 있습니다. 이 스키마 프린터는 GraphQL 스키마에 대한 전체 보기를 제공하는 자동 생성 끝점으로, 내부 테스트 및 개발을 위해 편리한 액세스를 제공하기 위한 것이지만 프로덕션에서 활성화되는 경우 전반적인 보안 태세에 위험을 초래합니다.

프로덕션 환경에서 스키마 프린터 끝점이 활성화되면 공격자는 구현 세부 정보를 확보하여 더욱 구체적인 공격을 수행할 수 있게 됩니다. GraphQL 스키마는 내부적으로 사용되는 필드, 설명, 공개 사용을 목적으로 하지 않을 수 있는 지원 중단 메모와 같은 정보를 누출할 수 있습니다.

예제 1: 다음 Spring GraphQL 응용 프로그램 구성 파일은 스키마 프린터 끝점을 활성화합니다.

spring.graphql.schema.printer.enabled=true
References
[1] OWASP OWASP Cheat Sheet Series: GraphQL Cheat Sheet
[2] Standards Mapping - Common Weakness Enumeration CWE ID 94
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[16] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-003300 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.graphql_bad_practices_schema_printer_enabled