계: Environment
이 섹션에는 소스 코드 외부에 있지만 제작 중인 제품의 보안에는 여전히 중요한 내용이 모두 포함되어 있습니다. 이 섹션에서 다루는 문제들은 소스 코드와 직접적으로 관련이 없기 때문에 나머지 섹션과 분리했습니다.
Web Server Misconfiguration: HTTP Basic Authentication
Abstract
안전하지 않은 채널을 통해 HTTP 기본 인증 체계를 사용하면 공격자가 자격 증명을 도용할 수 있습니다.
Explanation
자격 증명 도용은 다음으로 인해 발생할 수 있습니다.
1. HTTP 기본 인증에서 사용자 자격 증명을 인코딩하는 데 사용하는 약한 인코딩 체계. Base64로 인코딩된 텍스트를 쉽게 디코딩하여 원본 정보에 액세스할 수 있습니다.
2. 안전하지 않은 채널을 통한 HTTP 기본 인증 사용. 공격자가 트래픽을 가로채고 사용자 자격 증명에 액세스할 수 있습니다.
1. HTTP 기본 인증에서 사용자 자격 증명을 인코딩하는 데 사용하는 약한 인코딩 체계. Base64로 인코딩된 텍스트를 쉽게 디코딩하여 원본 정보에 액세스할 수 있습니다.
2. 안전하지 않은 채널을 통한 HTTP 기본 인증 사용. 공격자가 트래픽을 가로채고 사용자 자격 증명에 액세스할 수 있습니다.
References
[1] HTTP Authentication Scheme Registry
[2] Standards Mapping - Common Weakness Enumeration CWE ID 319
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.9.1 Communications Architectural Requirements (L2 L3), 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 8.1.6 General Data Protection (L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3260 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3260 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.java.web_server_misconfiguration_http_basic_authentication