계: Security Features

소프트웨어 보안은 보안 소프트웨어가 아닙니다. 여기서는 인증, 액세스 제어, 기밀성, 암호화, 권한 관리 등의 항목에 대해 설명합니다.

WCF Misconfiguration: Weak Class Reference

C#/VB.NET/ASP.NET

Abstract

이 프로그램은 약한 클래스 참조를 사용합니다. 이는 공격자가 승인되지 않은 코드를 실행하는 것을 허용할 수 있습니다.

Explanation

이 프로그램은 고유하게 식별되지 않은 사용자 정의 클래스를 참조합니다. .NET에서 이 약하게 식별된 클래스를 로드하면 CLR 유형 로더가 다음 위치에서 지정된 순서로 클래스를 검색합니다.

- 유형의 어셈블리가 알려진 경우 로더는 구성 파일의 리디렉션 위치, GAC, 구성 정보를 사용하는 현재 어셈블리 및 응용 프로그램 기본 디렉터리를 검색합니다.

- 어셈블리를 알 수 없는 경우 로더는 현재 어셈블리, mscorlib 및 TypeResolve 이벤트 처리기가 반환한 위치를 검색합니다.

이 CLR 검색 순서는 형식 전달 메커니즘 및 AppDomain.TypeResolve 이벤트와 같은 후크로 수정할 수 있습니다.

공격자가 동일한 이름을 가진 대체 클래스를 만들고 CLR이 처음으로 로드할 대체 위치에 배치하여 CLR 검색 순서를 악용하는 경우 CLR은 의도하지 않게 공격자가 제공한 코드를 실행합니다.

예제 1: 다음 WCF 구성 파일의 <behaviorExtensions/> 요소는 WCF가 특정 WCF 확장명에 사용자 지정 동작 클래스를 추가하도록 지시합니다.


<system.serviceModel>
    <extensions>
        <behaviorExtensions>
            <add name="myBehavior" type="MyBehavior" />
       </behaviorExtensions>
    </extensions>
</system.serviceModel>

References

[1] Microsoft Developer Network (MSDN)

[2] Standards Mapping - Common Weakness Enumeration CWE ID 95

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094

[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094

[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094

[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[9] Standards Mapping - FIPS200 SI

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.4 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)

[15] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[16] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws

[17] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[18] Standards Mapping - OWASP Top 10 2010 A1 Injection

[19] Standards Mapping - OWASP Top 10 2013 A1 Injection

[20] Standards Mapping - OWASP Top 10 2017 A1 Injection

[21] Standards Mapping - OWASP Top 10 2021 A03 Injection

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116

[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I

desc.config.dotnet.wcf_misconfiguration_weak_class_reference