계: Encapsulation

캡슐화는 강력한 경계를 그리는 것입니다. 웹 브라우저에서는 사용자의 모바일 코드가 다른 모바일 코드에 의해 오용되지 않도록 하는 것을 의미합니다. 서버에서는 검증된 데이터와 검증되지 않은 데이터, 한 사용자의 데이터와 다른 사용자의 데이터, 데이터 사용자가 볼 수 있는 데이터와 볼 수 없는 데이터 간의 차별화를 의미할 수 있습니다.

System Information Leak: Apache Axis

Java/JSP

Abstract

시스템 데이터 또는 디버깅 정보가 노출되면 공격자가 시스템을 파악하고 공격 계획을 세우는 것이 수월해집니다.

Explanation

정보 누출은 시스템 데이터 또는 디버그 정보가 출력 스트림이나 로깅 함수를 통해 프로그램을 벗어날 때 발생합니다.

true로 설정하면 axis.enableListQuery가 WSDD(Web Service Deployment Descriptor) 목록을 활성화합니다. 이 기능은 adminservice 암호와 같은 민감한 정보가 포함된 현재 시스템 구성을 노출합니다.

References

[1] Web Service Security Apache Software Foundation

[2] Axis Reference Guide Apache Software Foundation

[3] Standards Mapping - Common Weakness Enumeration CWE ID 497

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200

[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272

[9] Standards Mapping - FIPS200 CM

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), SA-15 Development Process and Standards and Tools (P2), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, SA-15 Development Process and Standards and Tools, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling

[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)

[15] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[16] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[17] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[56] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[57] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.config.java.system_information_leak_apache_axis